MEETING OF THE LIVERPOOL CITY REGION AUDIT AND GOVERNANCE COMMITTEE
To: The Members of the Audit and Governance Committee
You are requested to attend a meeting of the Audit and Governance Committee to be held on Wednesday, 23rd September 2020 at 2.00 pm via Teams. The meeting will be live webcast. To access the webcast please go to the Combined Authority’s website at the time of the meeting and follow the instructions on the page.
If you have any queries regarding this meeting, please contact Shauna Phillips on telephone number (0151) 330 1086.
Yours faithfully
Chief Executive
WEBCASTING NOTICE
This meeting will be filmed by the Combined Authority for live and/or subsequent broadcast on the Combined Authority’s website. The whole of the meeting will be filmed, except where there are confidential or exempt items.
If you do not wish to have your image captured or if you have any queries regarding the webcasting of the meeting please contact the Democratic Services Officer on the above number or email [email protected].
A Fair Processing Notice is available on the Combined Authority’s website at https://www.liverpoolcityregion-ca.gov.uk/wp-content/uploads/Fair-Processing- Notice-CA-Meeting-Video-Recording.pdf
(Established pursuant to section 103 of the Local Democracy, Economic Development and Construction Act 2009 as the Halton, Knowsley, Liverpool, St Helens, Sefton and Wirral Combined Authority)
AUDIT AND GOVERNANCE COMMITTEE
AGENDA
1. APPOINTMENT OF CHAIR FOR 2020-21
2. APPOINTMENT OF VICE CHAIR FOR 2020-21
3. APOLOGIES
4. DECLARATIONS OF INTEREST
5. MINUTES OF THE LAST MEETING To consider the minutes of the last meeting held on 11 July 2020.
(Pages 1 - 8) GOVERNANCE
6. PROCESS FOR DEALING WITH COMPLAINTS AGAINST MEMBERS To consider the establishing of a working group to form a procedure on dealing with complaints against members to be recommended to the Liverpool City Region Combined Authority.
7. SAFEGUARDING PROTOCOL To consider a report of the Monitoring Officer providing an update on the work the Liverpool City Region Combined Authority is undertaking in relation to updating its Safeguarding Protocol and associated practices.
(Pages 9 - 50) 8. INSURANCE CLAIMS REVIEW - JULY 2020 To consider a report of the Monitoring Officer providing details of insurance claims.
(Pages 51 - 54) 9. AUDIT & GOVERNANCE ANNUAL REPORT To consider a report of the Monitoring Officer providing an overview of the Audit and Governance Committee’s work for 2019-20 and a proposed work programme for 2020-21.
(Pages 55 - 70) INTERNAL AUDIT
10. HEAD OF INTERNAL AUDIT ANNUAL REPORT AND OPINION 2019-20 To consider a report of the Head of Internal Audit providing the Head of Internal Audit’s Annual Report and Opinion in respect of Liverpool City Region Combined Authority for the financial year 2019-20.
(Pages 71 - 102) 11. INTERNAL AUDIT PERFORMANCE To consider a report of the Head of Internal Audit providing the Liverpool City Region Combined Authority (LCRCA) Audit and Governance Committee with an overview of the internal audit work completed in respect of the Combined Authority in the fourth quarter of 2019-20 and the first quarter of 2020-21, in accordance with the Internal Audit Plans 2019- 20 and 2020-21.
(Pages 103 - 140) 12. INTERNAL AUDIT PLAN AND CHARTER 2020-21 To consider a report of the Head of Internal Audit providing the Liverpool City Region Combined Authority (LCRCA) Audit and Governance Committee with the updated Internal Audit Plan of work and Internal Audit Charter for 2020-21.
(Pages 141 - 184) 13. RISK MANAGEMENT UPDATE To consider a report of the Head of Internal Audit providing an update in respect of the system of corporate risk management and the activity that has been undertaken in embedding this system during the fourth quarter of 2019-20 and first quarter of 2020-21.
(Pages 185 - 226) FINANCE
14. EXTERNAL AUDIT PLAN 2019-20 To consider a report of the Director of Corporate Resources providing members of the Committee with details of the External Auditors, Mazars, proposed Audit Strategy for the audit of the 2019-20 annual statement of accounts.
(Pages 227 - 250)
Agenda Item 5
AUDIT & GOVERNANCE COMMITTEE
At an inquorate meeting of the Audit & Governance Committee held in the Authority Chamber - No.1 Mann Island, Liverpool, L3 1BP on Wednesday, 11th March, 2020 the following Members were
P r e s e n t:
Councillor E Finneran Overview and Scrutiny Knowsley MBC Councillor L Whitley Overview and Scrutiny Halton BC Councillor P Hackett LCRCA Wirral BC Martin McDonagh Independent Member
35. APOLOGIES FOR ABSENCE
Apologies were received from Councillors David Baines, Helen Cameron, Graham Morgan and Sir Ron Watson.
36. INQOURACY
Deputy Monitoring Officer of the Liverpool City Region Combined Authority, Louise Outram, advised the Audit and Governance Committee that the meeting was inquorate as at least two thirds of the voting members needed to be present. Due to a disruption on the rail network a member had been prevented from attending the meeting. As a number of the reports on the agenda were for noting it was agreed that the meeting continue to allow discussion of the items though it was noted no decisions could be made.
37. DECLARATIONS OF INTEREST
No declarations of interest were received for this meeting.
38. MINUTES OF THE LAST MEETING HELD ON 2 OCTOBER 2019
RESOLVED that the minutes of the last meeting held on 9 October 2019 were agreed as an accurate record.
39. RISK MANAGEMENT UPDATE
Laura Williams, Head of Internal Audit provided an update on the organisation‟s risk management and the improvements that had been made since the last Audit and Governance Committee in October 2019. The report included the amended risk management policy and the updated corporate risk register as well as risk management activities during the third and fourth quarters.
The Committee were advised that a risk had been removed from the corporate register relating to „Failure to establish an appropriate spatial
Page 1 framework‟ as great progress had been made and the level of risk had reduced. There had also been the addition of risk 11 “Failure to deliver a medium-term financial strategy”, which had been transferred across from the Transport Risk Register so as to reflect the overarching nature of the risk regarding funding of the organisation‟s activities. Reference was also made in the register to the Metro Mayor‟s bus powers and their significance to the city region.
Since the last update, the Internal Audit department had made progress in terms of articulating the organisation‟s risk appetite outlined in Section 3 of the report. Section 4 of the report portrayed how service risk registers had been established and kept up to date across the organisation by liaising with directors and reviewing their contents regularly. Laura Williams explained that the organisation had been successful in embedding effective risk management as a result of members‟ feedback at the last Audit and Governance Committee meeting.
With regard to the risk register, it was noted that a section had been added to include the benefits of effective management and the report reflected a change in the group that considered risk matters across the organisation. Previously risk had been considered by the Performance, Assurance and Risk Group however a new group had been established with the terms of reference included in the appendices of the report.
Martin McDonough queried whether COVID-19 was considered within the risk register and what the effect of a potential lockdown would be to the organisation if the offices were to close and if operations were to cease. It was explained that although it was not referenced specifically, risk 8 addressed responding to major incidents of this nature. Laura Williams provided assurance that if COVID-19 were to develop into a major incident, the contingency planning within the risk register would come into effect. Discussions had already taken place to ensure that the contingency plan was fit for purpose and it was incumbent on all services within the organisation to plan for unforeseen circumstances of this nature. Furthermore, it was noted that a national pandemic would be a risk for the organisation in terms of providing services for the public, but also a risk internally to the staff. The LCRCA provided transport services to the public as well as the Housing First programme and Households into Work programme that the public relied upon. It was therefore key that these services had contingency plans in place.
Director of Corporate Resources, John Fogarty explained that the LCRCA were part of the Merseyside Resilience Forum which was led by Government Advice and other bodies in the city region. Internally there was also a Resilience Group within the Combined Authority comprising of Heads of Service and key officers. Current advice was that COVID-19 was not yet a major incident but the LCRCA were preparing for any escalation in the level of risk, whilst assuring the Committee that the organisation had evolved business continuity measures in place.
Page 2 With regards to potential funding streams for 2020-21, the Committee heard that there had been a budget update from Government which included funding for „ambitious‟ Mayors though further details on this were needed on the amount and what was considered „ambitious‟. There was little detail with regards to combined authorities however, an announcement on transport infrastructure funding had been made.
Notably the Comprehensive Spending Review (which was originally due before the last election) had been brought forward to July. Further clarity on funding and information on the CSR was expected over the coming weeks and would provide insight into how this would relate to the LCRCA.
RESOLVED that the inquorate Audit and Governance Committee:
(a) note the progress made in embedding the system of corporate risk management into the organisation;
(b) note the refreshed Corporate Risk Register; and
(c) approve the updated Risk Management Policy.
40. INTERNAL AUDIT PERFORMANCE
Laura Williams presented the Internal Audit Performance report which outlined the work of Internal Audit during the third and fourth quarters of 2019. It was noted that the performance level of the department had increased positively since the last report was presented to the Committee in October.
Laura Williams explained that Section 2 of the report detailed the 34 pieces of work completed by Internal Audit; some of which were providing advice and some attracting audit recommendations.
The Committee heard that the report included information on the corporate systems provided by Merseytravel to the LCRCA and that those systems had attracted minor or negligible audit opinions. All audits relating to those corporate systems had been completed.
Section 4 of the report drew attention to the LCRCA specific systems and set out the Internal Audit opinions provided. Laura Williams stated that a high priority recommendation had been issued and that measures to address this were progressing positively.
The report covered he grant certification work completed by Internal Audit and Section 5 of the report featured Merseytravel specific systems that although were of no great relevance to the LCRCA, were included for transparency.
It was reported that Internal Audit were on target for percentage of plan completed and the performance indicators were very positive. Furthermore, Section 7 of the report included detail on self-assessments which had been completed on fraud, bribery and corruption.
Page 3
The report concluded with an update on how Internal Audit were able to ensure 100% conformity with the Public Sector Internal Audit standards and it was noted that good progress had been made against the actions outlined in the plan.
RESOLVED that the inquorate Audit and Governance Committee:
(a) noted the progress made in the delivery of the approved Internal Audit Plan in respect of the Combined Authority; and
(b) noted the outcomes of the audit work undertaken during the period of the report.
41. INTERNAL AUDIT PLAN AND CHARTER 2020-21
Laura Williams, Head of Internal Audit, provided an update on the Internal Audit Plan and Charter for 2020-21 which outlined the arrangements for the next financial year.
The plan highlighted the proposed items that Internal Audit planned to cover, noting that the list had resulted from cross department consultation with a focus on senior management. The plan had been informed by a management review of the risk register as well as a review of the previous years plan. Laura Williams explained that it was imperative that the plan took into consideration the LCRCA‟s growth and increased devolution and that Internal Audit‟s level of assurance cold flex commensurately with it.
In keeping with this principle, Internal Audit had built up the role of advice and guidance in the plan so that they could be involved in systems as they developed, in order to add value and provide assurance.
The Plan provided a breakdown of audit days alongside the areas of focus noting that the plan was flexible. Laura Williams explained that she felt the plan was reflective of the risks presenting themselves in the coming 12 months.
The Committee‟s attention was drawn to Section 8 of the report which considered the proposed performance indicators for the coming year, noting they had changed slightly from the previous year and that they would aid the Committee in scrutinising the performance of the organisation. It was advised that Internal Audit had made great progress on the fifth performance indicator which was „implementation of recommendations within a reasonable timescale‟. Officers were in a better position to challenge and question departments to ensure that they implemented recommendations in a timely manner, and it was hoped this would provide the Committee with more assurance on this issue moving forward for 2020-21.
The Committee also considered the Internal Audit Charter which set out the role, purpose and authority of Internal Audit. The charter was prescribed
Page 4 under the Public Sector Internal Audit Standards and set out the key responsibilities and core principles of Internal Audit.
RESOLVED that the inquorate Audit and Governance Committee:
(a) approved the Internal Audit Plan 2020-21 and;
(b) approved the Internal Audit Charter 2020-21.
42. EXTERNAL AUDIT PROGRESS UPDATE
Chris Whittingham, Mazars, provided an external audit progress update, highlighting the key elements of work already completed.
It was explained that Mazars had undertaken a review of the corporate governance framework and they had identified and confirmed the key financial systems used to create the statement of accounts for the LCRCA. Controls within the financial systems were documented and Mazars performed a walk- through test to confirm that the controls were operating as expected. The Committee were advised that this test had allowed Mazars to confirm that the figures in the accounts were robust and accurate.
Chris Whittingham explained that Mazars were also undertaking a test of key transactional systems on pay and non-pay expenditure as part of the external audit. Any findings from that testing process would be brought before the Audit and Governance Committee for consideration.
The Committee were advised that Mazars had started their work on value for money with regard to the risks identified in the External Audit Plan. Discussions were ongoing to ascertain whether group accounts were required or not and if so what the format for group accounts would be.
It was explained that because of the work already undertaken and the early governance considerations, there were no issues that needed to be brought to the Committee‟s attention at this time.
Finally, it was highlighted that the report included a list of national issues and hyperlinks to articles of interest to keep members in formed of the audit environment nationally.
The Chair thanked officers for their report.
RESOLVED that the inquorate Audit and Governance Committee noted the contents of the report.
Page 5 43. EXTERNAL AUDIT LETTER 2018/19
The Committee were provided with an overview of the External Audit Letter 2018/19 which formed the final element of the External Audit Report and also provided a summary of the External Audit Plan.
It was recalled that a draft order completion report was brought before the Committee on 24 July 2019 which had explained that the external audit was ongoing and a challenge had been raised over the historical way cash and bank transactions between Merseytravel and the LCRCA were accounted for. As a result, management had decided to apply a change in accounting policy that necessitated a number of material amendments to the accounts and a subsequent review from Mazars. An updated completion letter and report were provided to the Committee on 1 November 2019 highlighting these changes.
An unqualified opinion was signed on 7 November 2019 which considered the change to the accounts with Mazars advising that a true and accurate reflection of the financial position and transactions of the LCRCA had been provided. The second main element of Mazars audit was centred around value for money and they had provided an „except for‟ opinion. This meant that all of the arrangements to deliver value for money that they had reviewed were satisfactory, except for the issues around key decision making which was reflected by the absence of quoracy at key decision-making meetings. The LCRCA were aware that more work and development was needed to embed effective risk management and had made progress on this issue.
The Committee were advised that during the external audit, Mazars had not needed to exercise any statutory powers and it was pleasing that the only critical issues identified were national risks such as the McCloud case.
It was noted that the audit fee has been £40,284 and a slight variation had been agreed due to the additional work that was required to consider the amendments made to the accounts and to consider the implications of national issues.
The Chair thanked Chris Whittingham for his report.
RESOLVED that the inquorate Audit and Governance Committee noted the contents of the report.
44. EXTERNAL AUDIT PLAN 2019/20
Mark Dalton presented the External Audit Plan for 2019/20 and led the Committee through the key messages.
The plan described Mazars approach to the audit of the LCRCA‟s financial statement and it included Mazars assessment of the significant risks of material misstatements in the financial statements whilst outlining the proposed testing strategy in relation to the risks highlighted.
Page 6
It was explained that „management override of control‟ has been highlighted as a significant risk as mandated by Mazars auditing standards. Risks relating to the valuation of property, plant and equipment were also identified as well as pension liability; both of which were common risks in the public sector.
It was explained that the audit strategy memorandum set out the approach to the Auditor‟s value for money conclusion developed from the findings from 2018-19. He Committee were advised that Mazars would be reviewing the governance arrangements and risk management arrangements and that the findings of this work would be reported to the Audit and Governance Committee at the summer meeting via the Audit completion report.
RESOLVED that the inquorate Audit and Governance Committee:
(a) approved the external audit plan of work for 2019/20 proposed by Mazars; and
(b) requested that further updates are provided as appropriate
45. LCRCA ACCOUNTING POLICIES 2019/20
Sarah Johnston, Assistant Director for Finance, provided an overview of the LCRCA Accounting Policies for 2019/20 as the authority was required on an annual basis to review its accounting policies and also to ensure that they were applied to the closure of accounts appropriately.
As part of this review, officers considered any changes to the accounting standards, new transactions or types of transactions that the authority would undertake that hadn‟t been undertaken in previous years to determine whether any changes to the accounting policy were required.
The Committee were advised that last year, there had been a significant change for accounting standards in respect of financial instruments which necessitated a rewrite of the accounting policies for the financial year 2019- 2020.
The Chair thanked officers for the report.
RESOLVED that the inquorate Audit and Governance Committee:
(a) noted the attached accounting policies and provide any comments thereon; and
(b) approved the attached accounting policies.
Page 7 46. WORK PROGRAMME AND SCHEDULE OF MEETINGS 2019-20
Lisa Backstrom, Senior Democratic Services Officer presented the work programme and schedule of meetings for the Audit and Governance Committee for 2020/21. The Head of Internal Audit and Assistant Director for Finance had provided input into the work programme which included similar topics to the previous year whilst aligning with the key statutory deadlines for the submission of reports.
The Committee where asked to note the recommendations in section 2 of the report and were advised that any changes to the work programme would be made in consultation with the Chair of the Committee and Monitoring Officer.
RESOLVED that the inquorate Audit and Governance Committee agreed the proposed Work Programme for 2020/21 as set out at Appendix A and that any amendments during the course of the municipal year be made in consultation with the Chair and the Monitoring Officer.
Minutes 35 to 46 received as a correct record on the 23 day of September 2020.
Chairperson of the Combined Authority
(The meeting closed at 2.45 pm)
Page 8 Agenda Item 7
LIVERPOOL CITY REGION COMBINED AUTHORITY
To: Members of the Audit and Governance Committee
Meeting: 23 September 2020
Authority/Authorities Affected: All
EXEMPT/CONFIDENTIAL ITEM: No
REPORT OF THE MONITORING OFFICER
SAFEGUARDING PROTOCOL
1. PURPOSE OF REPORT
1.1 This report is intended to apprise the Audit and Governance Committee of the work undertaken to update the previously titled “Children, Young Persons & Vulnerable Adults Safeguarding Policy”, now titled the „Safeguarding Protocol‟, and implement practices associated with this Protocol to ensure its effective implementation.
2. RECOMMENDATIONS
2.1 It is recommended that the Audit and Governance Committee:
(a) note the contents of this report (b) approve the revised Safeguarding Protocol.
3. BACKGROUND
3.1 On the 29 May 2019, the Children, Young Persons & Vulnerable Adults Safeguarding Policy was implemented as an official policy of the Liverpool City Region Combined Authority (the “LCRCA”).
This policy was introduced in recognition of the LCRCA‟s moral duty to assist its local authority partners in safeguarding vulnerable groups within the Liverpool City Region, despite being outside the scope of specific legislative duties within this sphere, imposed by the Care Act 2014 and other similar legislation.
3.2 This policy was subject to an annual review by a working group of employees from the Legal, Policy and HR Departments. The review was designed to analyse its implementation and practical application, as well as to ensure that the content is continually reviewed, reflects current structures and and functions and aspires to best practice. The updated protocol is attached as Appendix 1.
3.3 Colleagues from Sefton Council have provided assistance as a “critical friend” in identifying any necessary updates to this protocol. As a result, the protocol has been updated to include greater reference to the Care Act 2014 and associated Page 9 guidance, terminology and the categories of abuse have been updated, as well as edits being made to the LCRCA‟s reporting forms to make them better align with best practice.
3.4 In addition to these updates, and in compliance with the expectations of the Safeguarding Protocol, the LCRCA has identified a tiered-package of training to be delivered to its workforce. The training received by employees will be proportionate to their interaction with vulnerable groups, ranging from completion of an e-learning module for generally office-based workers, to an intensive half-day course for employees whose work will likely involve interaction with potentially vulnerable individuals. The training team at Sefton Council have been engaged to prepare and deliver the necessary training, with delivery expected before the end of the calendar year. This engagement is being formalised in a Service Level Agreement.
3.5 The LCRCA has also identified multiple „Designated Safeguarding Leads‟ (DSLs) from across the organisation, as per the requirements of the Safeguarding Protocol. These DSLs are nominated individuals, responsible for acting as the champion of safeguarding within their respective directorates. Such individuals will receive a higher standard of training than the majority of the workforce and will be responsible for being the first point of contact for their colleagues when safeguarding concerns arise. The DSL will then be responsible for liaising with the appropriate Heads of Service to correctly log and report these concerns internally, as well as to escalate the matter to any external agencies as appropriate in the circumstances.
3.6 The DSLs will also attend the newly-proposed „Safeguarding Forum‟. This body will meet four times a year and will be responsible for monitoring the continuing practical application of the Safeguarding Protocol, by identifying trends in relation to safeguarding incidents and sharing lessons learnt from dealing with such incidents among colleagues. All information will be anonymised before being shared in order to sufficiently protect the individuals concerned. The Safeguarding Forum will also be responsible for submitting regular reports to the Audit & Governance Committee to ensure the Members are kept apprised of any pertinent information relating to safeguarding incidents. The Safeguarding Forum will be chaired by John Fogarty as the Director responsible for safeguarding, or the Chief Legal Officer ( Monitoring Officer) as his deputy. Membership includes the following or their nominated deputy:
The Head of Audit; Head of IT; Head of Legal, Democratic Services & Procurement; Senior Information Officer; Head of People & Organisational Development; Corporate Communications Manager; Assistant Director for Customer Delivery; and DSLs, unless their Head of Service is one of the individuals listed above who can appropriately represent their directorate in the discussion.
3.7 There will also be a sub-forum established, convening as a „crisis group‟ to review specific safeguarding incidents, at the time of any incident, to address any specific issues that may arise as a result of the issue. The membership of this sub-forum will differ according to the perceived matters at issue of each incident and will be chaired by John Fogarty, or the Chief Legal Officer acting as his deputy. Standing Page 10 members will include the Head of Legal, the Head of People & Organisational Development, as well the DSL or Head of Service from the directorate where the incident has been reported. Other members may be invited to facilitate an effective discussion, for example the Data Protection Officer, a member of the Communications or Audit team as appropriate. This sub-forum will in turn report confidentially to the Safeguarding Forum to assist in the analysis of trends and the application of the Safeguarding Protocol in practice.
3.8 Terms of reference for the above forums will be developed and provided for information in a subsequent report.
4. RESOURCE IMPLICATIONS
4.1 Financial
As a result of the package of training to be delivered by Sefton Council, there will be a financial cost to the LCRCA which has not been accounted for within any existing and established budgets.
The exact costs of this training have not been determined at this stage, as the numbers of the employees allocated to each tier of training, and therefore the number of training sessions required, as well as the cost for developing this training have not yet been finalised.
These costs are being calculated as a matter of urgency in order to formalise the arrangements between both parties.
4.2 Human Resources
There are no additional Human Resource implications identified as a result of this report.
Certain members of staff will be assume additional responsibility as Designated Safeguarding Leads but given the seniority of these staff this role is considered to be commensurate with their grade for their substantive role.
Any breach of this protocol will be addressed using existing and agreed employment policies
4.3 Physical Assets
No Physical Asset issues are identified as a result of this report.
4.4 Information Technology
Sefton are creating the e-learning training module for all staff will be available through the Learning Portal. It has not yet been determined as to whether the higher level training will also be delivered electronically, in light of the coronavirus pandemic, or in socially distanced workshops.
IT will also be enlisted to ensure that any information recorded about safeguarding incidents are kept securely. Page 11
5. LEGAL IMPLICATIONS
5.1 As aforementioned, the LCRCA is not specifically responsible for carrying out the statutory duties contained within the Care Act 2014. However, the LCRCA recognises the vision of the Care Act 2014 that safeguarding vulnerable groups is the responsibility of all.
5.2 The LCRCA therefore is committed to assisting its local authority partners, through the identification and referral of safeguarding concerns, in the exercise of their statutory duties to safeguard these groups. The LCRCA, through its Safeguarding Protocol, is also committed to acting in a manner compliant with best practice in order to effectively safeguard these vulnerable groups.
5.3 Should the LCRCA, or individuals acting on its behalf, be found to have breached the Safeguarding Protocol then there may well be legal repercussions that follow, depending on the nature and severity of the breach. This risk is not deemed to be any greater than an employee acting on behalf of the LCRCA committing other forms of behaviour that can be considered either through the disciplinary process or referred to external agencies such as the police.
6. RISKS AND MITIGATION
6.1 There are no additional risks identified as a result of noting the contents of this report. In reality, any existing risks are mitigated by the contents of this report, as the provision of robust processes, supported by the training of nominated individuals within the organisation should better equip all employees with the necessary knowledge and resources to comply with the requirements of the Safeguarding Protocol.
7. EQUALITY AND DIVERSITY IMPLICATIONS
7.1 Individuals that the LCRCA seeks to safeguard through the Safeguarding Protocol may well be vulnerable by virtue of any of the statutory protected characteristics.
7.2 Whilst the majority of LCRCA employees will not have direct dealings with these vulnerable groups, the content of the Safeguarding Protocol is intended to ensure that those who are vulnerable, including those vulnerable are most effectively safeguarded. Any equality and diversity impacts of this report on individuals within the Liverpool City Region are therefore considered to be positive.
8. PRIVACY IMPLICATIONS
8.1 The Safeguarding Protocol contains reporting forms in order for employees to log specific safeguarding concerns. These forms require the names and personal information of victims and / or alleged perpetrators to be recorded. Such information is to be stored securely by the Human Resources department and will be held in a manner consistent with all applicable data protection legislation.
8.2 A Data Protection Impact Assessment is not deemed necessary as this and related work has previously been carried out by the Human Resources department in line with established and secure working practices.
Page 12
9. COMMUNICATION ISSUES
9.1 There are no communication issues identified as a result of this report.
10. CONCLUSION
10.1 This report seeks to inform the Audit & Governance Committee of the steps that have been taken to update the revised and renamed Safeguarding Protocol as well as any associated practices.
10.2 As aforementioned, the Audit & Governance Committee will remain closely involved and informed of the measures employed in relation to the Safeguarding Protocol and the Safeguarding Forums.
JILL COULE CHIEF LEGAL OFFICER & MONITORING OFFICER
Contact Officer(s): Jill Coule, Chief Legal Officer & Monitoring Officer – 0151 330 1855 – [email protected] Edward Wrightson, Trainee Solicitor – 0151 330 1440 – [email protected]
Appendices: Appendix One – Safeguarding Protocol
Background Documents: None.
Page 13 This page is intentionally left blank
Safeguarding Protocol
Document Owner John Fogarty
Author John Fogarty
Approval Date xxxx
Review Date xxxx
1 Page 15 Contents Glossary ...... 3 1. Background ...... 4 2. What is Safeguarding? ...... 5 3. Where is this Protocol Applicable? ...... 6 4. Children & Young People ...... 6 4.1 Abuse and Risks ...... 6 4.2 Legal Framework ...... 6 5. Adults at Risk ...... 7 5.1 Abuse and Risks ...... 7 5.2 Legal Framework ...... 7 5.3 Values ...... 8 6. General Principles Affecting Both Groups ...... 9 6.1 LCRCA Roles and Responsibilities ...... 9 6.1.1 LCRCA Attendance at External Events ...... 11 6.2 LCRCA’s Commitment to Safeguarding ...... 11 6.3 Information & Advice ...... 12 6.4 Confidentiality & Information Sharing...... 13 6.5 Record Retention ...... 13 6.6 Safe Recruitment (DBS Checks) ...... 14 6.7 Allegations against LCRCA Employees ...... 15 6.8 Reporting Incidents ...... 15 7. General Duties of Employees ...... 15 7.1 Expectations on LCRCA Employees and Agents ...... 15 7.2 Employee Conduct ...... 17 7.3 Website/Online Safety ...... 17 8. Consequences of Non-Compliance ...... 18 9. Appendices ...... 19 APPENDIX A - Types of Abuse and Physical/Behavioural Indicators of Abuse ...... 19 APPENDIX B – Outline of Safeguarding Reporting Pathway ...... 23 APPENDIX C – SAFEGUARDING REPORT FORMS ...... 24 APPENDIX D – Employee Reporting Procedure ...... 30 APPENDIX E - Useful Contacts ...... 32
2 Page 16 Glossary
Adult at risk - A person aged 18 or over who is in need of care and support, regardless of whether they are receiving them, and because of those needs are unable to protect themselves against abuse or neglect.
Adult safeguarding - Protecting a person‟s right to live in safety, free from abuse and neglect. Advocacy – Support for people who have difficultly expressing their concerns and the outcomes they want during the safeguarding process. Best interest – The Mental Capacity Act 2005 states that if a person lacks mental capacity to make a particular decision then whoever is making that decision or taking any action on that person‟s behalf must do so in the person‟s best interest. Concern - Describes when there is or might be an incident of abuse or neglect. Enquiry - An enquiry is the action taken or instigated by the Local Authority in response to a concern that abuse or neglect may be taking place. The purpose of the enquiry is to establish whether or not the local authority or another organisation, or person needs to do something to stop or prevent the abuse or neglect. Equality Act 2010 – Protects people from discrimination in the workplace and in wider society. It replaced previous anti-discrimination laws making the law easier to understand and strengthening protection in some situations. General Data Protection Regulations 2018 – These regulations govern how and why personal data is processed and are intended to strengthen and unify data protection. Article 9(h) in particular allows the processing of special categories of personal data necessary to provide health and social care.
Independent Mental Capacity Advocate (IMCA) - Established by the Mental Capacity Act 2005. IMCAs are mainly instructed to represent people who lack mental capacity when there is no-one outside of services, such as a family member or a friend, who can represent them. IMCAs are a legal safeguard who will help people make important decisions about where they live, serious medical treatment options, care reviews, or adult safeguarding concerns. Making Safeguarding Personal – This refers to person-centred and outcome- focused practice. It is about empowering individuals to express what is important to them by whatever means appropriate. Practitioners must demonstrate through their practice that they have carefully listened to the individual and those important to them and how they want matters to progress. Outcomes of interventions should be meaningful to the person at the centre of the enquiry and reflect their original wishes wherever practicable.
Person/organisation alleged to have caused harm - The person/organisation suspected to be the source of risk to an adult at risk, child or young person.
3 Page 17 Person in position of trust – When a person holds a position of authority and uses that position to his or her advantage to commit a crime or to intentionally abuse or neglect someone who is vulnerable and unable to protect him or herself. Safeguarding Adults Board (SAB) – Each local authority must have a SAB to assure itself that local safeguarding arrangements and partners act to help and protect adults at risk. SABs will oversee and lead adult safeguarding and will be interested in all matters that contribute to the prevention of abuse and neglect. Safeguarding Adults Review (SAR) – Undertaken when an individual with care and support needs dies or suffers unnecessarily as a result of abuse or neglect and there is a concern that the local authority or a partner organisation could have done more to protect them. 1. Background
With the introduction of the Care Act 2014, adult safeguarding was given a statutory footing. All local authority areas were now obliged to:
Establish and lead on a multi-agency safeguarding system that seeks to prevent abuse and neglect and stop it quickly when it found to be happening; Make enquiries, or request others to make them when they consider an adult with care and support needs may be at risk of abuse or neglect and they need to find out what actions may be needed; Establish a Safeguarding Adults Board with the local authority, NHS and police as core members and develop share and implement a joint safeguarding strategy; Carry out a Safeguarding Adults Review (SAR) when someone with care and support needs dies as a result of neglect or abuse or suffers harm and there is a concern that the local authority or its partners could have done more to protect them; and Arrange for an independent advocate to represent and support someone who is subject of a safeguarding of a safeguarding enquiry or review, if required.
The Liverpool City Region Combined Authority (LCRCA) recognises the vision of the Care Act 2014 and the Children Act 1989, that safeguarding vulnerable groups is vital and is the responsibility of all agencies. Whilst the LCRCA is not subject to the same statutory duties under these Acts as its constituent local authorities, it nonetheless acknowledges that it has a responsibility to promote the wellbeing and safety of all people it comes into contact with in the exercise of all of its devolved functions.
In particular the LCRCA is committed to practices that protect children, young people and adults at risk from harm and recognises its duty to ensure that appropriate action is taken where someone is, or is suspected of, either experiencing harm or at risk of harm.
4 Page 18 All employees of Merseytravel are to be interpreted as LCRCA employees for the purposes of this protocol.
The purpose of this protocol is to:
Ensure the safety and wellbeing of children and adults at risk who access services provided by the LCRCA; Provide assurance that the LCRCA takes reasonable steps to manage risk and keep these vulnerable groups safe; Ensure all employees and agents of the LCRCA understand their roles and responsibilities in respect of safeguarding and are provided where necessary with the correct information, training and support on safeguarding matters to most effectively safeguard these vulnerable groups; Ensure appropriate action is taken in the event of any allegations, concerns or suspicions regarding harm or potential harm of individuals and or vulnerable groups accessing services provided by the LCRCA; and Work in partnership with Local Safeguarding Boards and authorities with a statutory duty in relation to safeguarding.
2. What is Safeguarding?
Safeguarding is the action taken to promote the welfare of children, young people and adults at risk and protect them from harm. Safeguarding is everyone‟s business.
For the purpose of this protocol, children are individuals under the age of 16 and young people are any individuals between the ages of 16 and 18.
An adult at risk is any individual over the age of 18 who:
Has care and support needs; and Is experiencing, or is at risk of, harm, abuse or neglect; and As a result of those care and support needs is unable to protect themselves from either the risk of, or the experience of harm, abuse or neglect.
This may include, but is not limited to, any adult who may:
Have an illness affecting their mental or physical health; Have a physical disability, learning disability or sensory impairment; Misuse substances or alcohol to the extent that it affects their ability to manage day to day living; or Have a degree of frailty.
Safeguarding adults at risk means protecting their right to live in safety and free from harm, abuse and neglect.
The Care Act 2014 and accompanying guidance state that safeguarding should:
5 Page 19 Be person led; Engage the person all the way through the process and address their needs; Be outcome-focused; Be based upon a community approach from all partners and providers.
Making Safeguarding Personal is the notion of empowering individuals to express what is important to them by whatever means appropriate. It is about seeing people as experts in their own lives and working alongside them with the aim of enabling them to resolve their circumstances and support their recovery. Outcomes of safeguarding enquiries should be meaningful to the person at the centre of the enquiry and reflect their own wishes wherever practicable. There should be “no decision about me without me” 3. Where is this Protocol Applicable?
This protocol applies to anyone working for, or on behalf of, the LCRCA including its agents undertaking work on the authority‟s behalf in any capacity and any setting.
It is not the responsibility of any employee or agent of the LCRCA to conclusively determine whether abuse is actually taking place, has previously taken place or that there is a risk of imminent abuse through undertaking enquiries. However, it is their responsibility to take the actions set out in line with the agreed protocols as appended to this protocol if there are concerns that harm, abuse or neglect is or could be taking place.
Equally it is the responsibility of LCRCA employees and agents to ensure that they do not cause harm to any child, young person or adult at risk whilst discharging the duties of their post or fulfilling their contractual obligations. 4. Children & Young People
4.1 Abuse and Risks
Everyone has a right to be safeguarded from harm, abuse and neglect. We believe that children and young people should never experience abuse of any kind and we as the LCRCA have a responsibility to promote the welfare of these groups, to keep them safe and to excise our duties and activities in ways that protect them. Employees should remain aware that children and young people may be hesitant to disclose instances of abuse and therefore employees should remain alert to any potential indicators of abuse and ensure that any suspicions are escalated through the appropriate channels according to this protocol without delay.
4.2 Legal Framework
6 Page 20 This protocol has been drafted on the basis of relevant legislation and guidance that seek to protect children and young people in England. This includes but is not limited to: The Children Act 1989 (as amended by section 53 of the Children Act 2004). The Safeguarding Vulnerable Groups Act 2006. Working Together to Safeguard Children (2018). Safeguarding Disabled Children Practice Guidance (2009). What to do if you‟re worried a child is being abused (Dept of Education, 2015).
The LCRCA does not have a statutory duty to comply with the key arrangements listed in Working Together to Safeguard Children (2018), however as a public body with devolved functions, we recognise that we should have in place arrangements that reflect the importance of safeguarding whilst promoting the welfare of these groups. 5. Adults at Risk
5.1 Abuse and Risks
There are 10 categories of abuse listed within the Care Act 2014 that are applicable to adults at risk. Employees should be aware of these different forms of abuse and be vigilant in identifying the different behavioural or physical indicators that may indicate that abuse is taking or has taken place, contained in Appendix A. Employees should be aware that adults at risk may have a number of highly complex social and psychological needs which may affect their willingness to disclose information relating to abuse and that will impact upon the way any safeguarding concerns are dealt with.
Employees should be aware that whilst this protocol relates to adults with care and support needs it is not always possible to identify what the care and support needs of an individual are by casual observation. When there are concerns relating to an adult they should always be reported using the procedures contained within this Protocol.
5.2 Legal Framework
This protocol has been drafted having given due consideration to the relevant legislation and guidance that seeks to protect adults at risk in England. This includes but is not limited to:
The Care Act 2014 Statutory Guidance (Department of Health 2016); The Safeguarding Vulnerable Groups Act 2006; The Mental Capacity Act 2005 Code of Practice; NHS Accountability and Assurance Framework (Department of Health 2015); The Human Rights Act 1998;
7 Page 21 The Equality Act 2010; Modern Slavery Act 2015.
The legislation within this sphere does not impose any specific statutory duties upon the LCRCA. However, the six local authorities making up the LCRCA in the Liverpool City Region are subject to statutory obligations to promote the safeguarding of adults at risk within their districts. The LCRCA is committed to fostering positive working relationships with each local authority and to assist these local authorities in fulfilling their statutory obligations in safeguarding adults.
5.3 Values
All dealings with adults at risk should be based on The Six Principles of Safeguarding that underpin all adult safeguarding work. These are:
1. Empowerment – adults are encouraged to make their own decisions and are provided with support and information; 2. Prevention – strategies are developed to prevent abuse and neglect and that promote resilience and self-determination; 3. Proportionate – a proportionate and least intrusive response is made balanced with the level of risk; 4. Protection – adults are offered ways to protect themselves, and there is a co- ordinated response to adult safeguarding; 5. Partnerships – finding local solutions through services working together within their communities; 6. Accountable – accountability and transparency in delivering a safeguarding response.
The following values should also be considered during the safeguarding of vulnerable adults at risk:
People should be able to access support and protection to live independently and have control over their lives; Appropriate safeguarding options should be discussed with the adult taking into account additional factors associated with the person‟s disability, age, gender, sexual orientation, race, religion, culture or lifestyle; Where possible, the adult at risk should maintain choice and control in their care; All action should begin with the assumption that the adult at risk is best placed to judge their own situation; The adult at risk‟s views, wishes, feelings and beliefs should be paramount and are critical to a personalised way of working with them; All adults at risk should be assisted through the provision of advice, information and support to enable them to be as involved in decision-making that affects them as possible.
8 Page 22 6. General Principles Affecting Both Groups
6.1 LCRCA Roles and Responsibilities
Whilst the LCRCA does not have any specific statutory obligations to safeguard children, young persons and adults at risk, we believe firmly that we nevertheless have a duty and responsibility to assist our local authority partners in safeguarding vulnerable groups within the Liverpool City Region.
The LCRCA will meet its responsibilities to safeguard children, young people and adults at risk by nominating one of the Directors to champion safeguarding throughout the organisation, to have overall responsibility for ensuring adherence to the relevant protocols.
Multiple Designated Safeguarding Leads (DSLs) have been appointed across the organisation, detailed in Form 2 of Appendix C, whose responsibilities will include:
Possessing a higher level of safeguarding knowledge as befits their position; Ensuring they have completed a suitably comprehensive package of training, including refresher courses as required; Being the first point of contact for all LCRCA employees and agents to approach for advice; Providing safeguarding procedures and guidance for all operational employees who come into regular contact with children, young people and adults at risk, or who may observe safeguarding concerns during the discharge of their duties; Participating in regular „Safeguarding Forums‟ with other DSLs and Heads of Service (HoS) at least four times per calendar year to review the implementation of this protocol and to identify, reflect upon and address trends within its application by LCRCA employees; Ensuring that concerns are logged and stored securely; Promoting a safe environment for children, young people and adults at risk; Liaising with key individuals in the relevant statutory agencies e.g. Children‟s Social Work Services, Police, Local Safeguarding Children Boards and, in the event of allegations being made against LCRCA employees, the Local Authority Designated Officers (LADO) for concerns relating to children. For adults at risk, Safeguarding Adults Boards; Providing support and advice to managers and all employees and agents; Ensuring all relevant employees have training on child protection and safeguarding as part of their induction and ongoing continuous professional development; Maintaining an overview of safeguarding issues and monitoring the implementation of this protocol, in conjunction with the HR lead; and Liaising with HoS and other DSLs regularly to reflect on lessons learnt.
The HR department will undertake the following actions and review and update the existing recruitment procedures as required:
9 Page 23 Appropriate vetting checks for all employees who work primarily or directly with children, young persons and vulnerable people will be implemented; Appropriate vetting checks for all employees whose role provides an opportunity for contact or places them in a position of trust with children, young persons and adults at risk will be implemented; Determine an appropriate training programme for all employees within the LCRCA; Ensure compliance with safe recruitment procedures for new employees and their induction; Assist with the necessary DBS checks identified for key employees; and Develop and maintain an internal procedure in relation to work placements.
Each HoS within the organisation will ensure that employees they manage:
Have access to appropriate training and information to ensure an understanding of their individual role in the safeguarding of the people that they serve;
Enable all employees to have a sound understanding of the LCRCA Safeguarding Protocol and associated procedures and consistently work within the parameters;
Receive role-specific training in safeguarding at a level appropriate to their role to ensure that they can discharge their duties effectively and safely;
Are aware, and are comfortable and able to raise concerns about poor practice through the LCRCA whistle blowing policy; and
Have access to safe systems of work. HoS will also:
Lead on all concerns raised with HR and the DSL in relation to their work area, ensuring that safeguarding concerns raised amongst their teams are reported to the relevant LA area without delay; Update the Corporate Risk Register process to it considers safeguarding as a subsidiary risk in their area of the business; Identify key team members requiring Disclosure and Barring Service Checks (DBS checks) and ensure these checks are kept up to date; Ensure sufficient opportunities for participation in training is available for all; Monitor training needs for employees in relation to safeguarding and ensure these are reviewed as part of the internal IPP process; Work with HR on ensuring agents working on behalf of the LCRCA in their area of responsibility adhere to and are compliant with this protocol; and Follow HR department guidance is followed during any work placement period in their service area.
10 Page 24 HoS responsible for commissioned services throughout the LCRCA will ensure that the safeguarding of children, young people and adults is embedded in all services they are contractually obligated to deliver as part of their service area function.
6.1.1 LCRCA Attendance at External Events
There are a number of activities undertaken by the LCRCA in which our employees and agents work with children, young people and adults at risk at events. In such circumstances the lead officer / HoS for such activities should approach the organisers at the point of booking to receive, digest and share their protocols and policies relating to safeguarding with all employees and agents taking part in the activities. If the event organisers have no policy/procedure, the lead officer for this event from the LCRCA should undertake a risk assessment of it based on this protocol and guidance from the LCRCA DSL which should then be disseminated amongst all employees taking part.
Reviewing event participation in relation to safeguarding is best practice and senior officers can use this as a tool to identify risks associated with key employees who may require DBS checks as part of their role.
If employees are attending events at schools, colleges or other centres for learning they should access the relevant protocols and risk assessments for these organisations. For clarity, employees do not necessarily require a DBS check for such events, but a responsible adult or lead for the relevant school/college/other centres should provide supervision for the event whilst our employees discharge their duties. 6.2 LCRCA’s Commitment to Safeguarding
We will demonstrate our commitment by:
Appointing and supporting nominated DSLs; Developing policies and procedures which reflect best practice; Using our policies and procedures to share concerns and relevant information with agencies who have statutory duties in regard to safeguarding within the Liverpool City Region within an acceptable timeframe; Recruiting employees and appointing agents of the LCRCA ensuring all necessary checks are made whilst providing effective management for employees and agents through performance management, supervision, support, training and quality assurance measures; Implementing a code of conduct for all employees; Using policies and procedures to manage any concerns raised involving employees or agents of the LCRCA appropriately; Ensuring we have effective comments and whistleblowing measures in place;
11 Page 25 Ensuring we have a safe physical environment for our employees and agents by applying health and safety measures in accordance with law and regulatory guidance; Recording and storing all information professionally and securely with regard to the GDPR; and Ensuring all LCRCA employees have a basic awareness of safeguarding issues including being alert to the potential for abuse and neglect, having enough knowledge to recognise abusive or potentially abusive events or set of circumstances, knowing who internally to raise concerns with and being competent to take the appropriate action required within an acceptable timeframe.
If any employee of the LCRCA has a concern in relation to safeguarding they must alert the DSL immediately. If grounds for concern are then are agreed, appropriate action must be taken immediately. This will include contacting the relevant local authority, social care service and / or Merseyside Police. Should an employee be certain that there is a safeguarding concern and they are aware of the relevant local authority‟s reporting procedures, the employee should report their concern to this authority immediately. The employee should then inform the relevant LCRCA DSL without delay for this incident to be processed internally in accordance with this protocol.
If a child, young person or adult at risk is in immediate danger the employee who first becomes aware of the danger should dial 999 for the police.
Please refer to Appendices A to E for further guidance in addition to the notes below regarding identifying, reporting and collating information relating to a potential safeguarding issue.
6.3 Information & Advice
Information and advice is critical in preventing or delaying the need for services and, in relation to safeguarding, can be the first step to responding to a concern. This includes information and advice about safeguarding and should include: How to raise concerns about the safety or well-being of an adult who has care and support needs; Awareness of different types of abuse and neglect; How people can keep safe, and how to support people to keep safe.
Whereas information may be generic to a lesser or greater extent, advice needs to be tailored to the person seeking it, recognising people may communicate in different ways. Advice and information should, where possible, be provided in the manner preferred by the person and in a format they can understand.
The LCRCA may have a number of direct opportunities to provide, or signpost people to information and advice, in particular of safeguarding.
12 Page 26
6.4 Confidentiality & Information Sharing
In any work with children, young persons and adults at risk it is important to be clear about confidentiality. Whilst personal information held by professionals and agencies is subject to a legal duty of confidence, it is essential that employees respond quickly where they have concerns or suspicions of harm, abuse or neglect. Concerns over confidentiality should not override the protection of vulnerable individuals. Information sharing must be done in a way that is compliant with the General Data Protection Regulation (GDPR) and Data Protection Act 2018, The Human Rights Act 1998 and the common law of duty of confidentiality. However a concern for confidentiality must never be used as a justification for withholding information when it would be in the child‟s, young person‟s or adults at risk‟s best interests to share information. The GDPR and the Data Protection Act 2018 allow for the sharing of personal data for the purposes of „safeguarding children and individuals at risk‟. This includes allowing practitioners to share information without consent if:
It is not possible to gain consent;
It cannot reasonably be expected that a practitioner gains consent; or
If to gain consent would place an individual at risk. Decisions about sharing information must be clearly recorded with reasons for sharing clearly stated and these decisions must be open and explicitly discussed at every stage. 6.5 Record Retention
It is essential to keep a clear and comprehensive record of any concern or allegation made regarding safeguarding. Any information relating to an individual, including specific detail of the concern(s) or the allegation(s) made, how the matter was followed up and resolved, details of any decision(s) reached as well as any action taken should be written up as a record in order to:
Enable accurate information to be given in relation to this safeguarding concern or allegation in the future;
Ensure that the LCRCA has fulfilled its obligation to have robust procedures in place to safeguard children, young people and adults at risk within its remit;
Enable the LCRCA to cooperate fully and effectively with any other authorities or public bodies who may assume responsibility for undertaking further enquiries around a safeguarding concern;
Provide clarification in cases where future DBS disclosure reveals information from the police that an allegation was made against a member of employees but did not result in a prosecution or a conviction;
Prevent unnecessary re-investigation should an allegation against an employee resurface after time;
13 Page 27 Provide evidence and information if a decision is made to refer an employee for consideration to be barred from working with children, young people and / or adults at risk;
Enable the LCRCA to review and improve policies, procedures and practice based on learning and feedback. The DSL, in conjunction with the relevant HoS, HR Lead and Legal Representative, is responsible for creating and maintaining this record during the course of managing an identified safeguarding concern or allegation against an employee of the LCRCA. All the information relating to a safeguarding concern, and any subsequent action taken must be recorded using the appropriate safeguarding protocols and report forms, together with an additional log of actions and any accompanying emails. This information should be processed in line with the LCRCA‟s duties under the GDPR and the Data Protection Act 2018. Any report forms relating to a safeguarding concern should be stored in line with the LCRCA‟s duty under the Limitation Act 1980 and stored for a minimum of six years. In the case of a child or young person, this six-year period does not begin until their 18th birthday. Where a safeguarding allegation has been made against an employee, any information or documentation relating to this allegation and the reasons for pursuing / not pursuing a specific course of action is to be retained on the employee‟s HR file. Upon an employee‟s departure from employment with the LCRCA, information relating to a safeguarding allegation against that employee will be retained on their HR file for a minimum of six years from their date of departure. Once this minimum retention period has been reached, all records should be destroyed using shredding and confidential waste disposal or be electronically purged.
6.6 Safe Recruitment (DBS Checks)
The Safeguarding and Vulnerable Groups Act 2006 (as amended by The Protection of Freedoms Act 2012) sets out that it is an offence for an employer to knowingly employ someone in a regulated position if they are barred from doing so. Some roles within the LCRCA whilst not “regulated positions”, may involve working directly with children, young people and / or adults at risk. Instances where this may occur could include (but are not limited to) convening meetings, holding focus groups or engagement events and conducting interviews. Where direct work with vulnerable groups is to take place in instances similar to those listed, the relevant employee may be subject to DBS checks before commencing these activities. Where a criminal conviction is disclosed by an applicant to a post at the LCRCA or discovered through a DBS check, the employees‟ line manager and the HR Manager will consider this objectively and, where the check indicates that the level of risk is too high to allow the individual to start or continue working in a particular role or activity, the consequences of this for the individual will depend on:
The check concerned;
The reason for the check;
14 Page 28 Relevant legislation;
The post concerned; and
Whether the employee is suitable for other employment opportunities available within the LCRCA. Possible outcomes could include amended duties, redeployment, withdrawal of an employment offer or dismissal. 6.7 Allegations against LCRCA Employees
Any suspicion, allegation or actual abuse of a child, young person or adult at risk by an employee, volunteer, agent or contractor of the LCRCA must be reported to the DSL and HR manager immediately. If there are concerns abuse has taken place against a child or young person, the DSL will pass on the information to the LADO for investigation. The DSL will work with the employee‟s line manager and with HR to conduct an internal investigation of the safeguarding allegation made against the employee. Where necessary it may be required to refer to the Disciplinary procedures and decide whether the employee should be suspended pending full investigation. 6.8 Reporting Incidents
If any employees are involved in an actual or suspected safeguarding incident, or if a serious safeguarding incident takes place within any LCRCA workplace or working context, in addition to following this protocol, it should be reported formally. In addition, immediate action should be taken by the DSL, Head of Service and HR Manager to:
Prevent and minimise any further harm to the child, young person or adult at risk;
If appropriate, report it to the police;
In consultation with the internal communications team and the relevant Director(s), plan what to say to employees, the public and media; and
Review what happened and consider any steps that could be taken to prevent it from happening again. Safe recruitment practice of checking an applicant‟s work history, identity and, in relation to roles where a DBS check is required, obtaining explanations for any gaps in employment, must be followed for all employees working within the LCRCA. 7. General Duties of Employees
7.1 Expectations on LCRCA Employees and Agents
It is important that our employees, agents and contractors work to a high standard of professional conduct and act with integrity at all times. It is important to create a work
15 Page 29 environment where the risk of abuse is minimised and all concerns are reported expediently to the appropriate authorities.
Employees and agents of the LCRCA should make sure they have read the relevant safeguarding procedures in full. They should highlight and discuss any issues requiring clarification and any further training needs with their line manager. Employees should ensure they understand the different forms of abuse, as set out in Appendix A as well as possible indicators of it. Regardless of position or grade, safeguarding is a duty on all employees of the LCRCA. It is everyone‟s responsibility to take the actions set out in line with the agreed protocols, as appended to this protocol, if they are concerned harm, abuse or neglect is taking place. Equally, all employees are required to ensure that they do not cause harm to any child, young person or adult at risk whilst discharging the duties of their post.
It is the responsibility of all employees to:
Read and understand this protocol, seek further guidance appropriately as required and undertake any compulsory training on its application, context and impact on their role; Raise awareness of the need to protect children, young people and adults at risk and reduce risks to them as part of their role; Maintain an organisation that is safe for all and an environment where poor practice is legitimately and robustly challenged; Ensure that when harm, abuse or neglect is suspected, witnessed or disclosed they are clear on what action must be taken and who to contact immediately; Ensure they feel competent and fully informed on safeguarding matters in relation to children, young people and adults at risk so they have the requisite knowledge, skill, expertise and qualifications to carry out their roles safely and effectively; and Ensure safe working practice in relation to safeguarding when working in partnership with other organisations off site, understanding what safeguarding policies and procedures these partners have in place so they can be followed.
Concerns for the safety and wellbeing of children, young people and adults at risk could arise in a variety of ways and in a variety of situations. There are multiple forms of abuse, which are outlined in Appendix A. It is not easy to recognise a situation where abuse may occur or has taken place and LCRCA employees and their agents are not experts in such recognition. However, each person has a responsibility to act if they have concerns about someone‟s behaviour toward a child, young person or adult at risk. It is important that the recipient of any complaint or accusation that a child, young person or adult at risk has been or is being abused listens carefully without making or implying any judgement as to the truth of the complaint or accusation. You should not probe, letting the person talk without
16 Page 30 interrupting, and try to provide assurance that you will seek help to resolve the situation. You should not pass judgement. To ensure all the details of any disclosure or concern are captured for any future investigation, a detailed record should always be made at the time of the matter being raised. See Appendix C. All customer facing employees should be aware of the potential indicators of abuse and neglect as set out in the Appendices and if they are in any doubt, they should inform their team leader or HoS immediately, who can seek advice from the DSL, if necessary.
7.2 Employee Conduct
Where an LCRCA employee is suspected of behaving inappropriately or abusively towards children, young people or adults at risk, employees who become aware of this should inform their Team Leader/line manager in line with the organisation‟s whistleblowing policy. The LCRCA also expects employees not to act in an inappropriate or abusive manner to these vulnerable groups in their private lives. Where an employee is suspected or found to have behaved in such a manner, this will be investigated internally and a decision will be made on whether taking disciplinary action is appropriate. In performing their contractual duties, all employees should ensure that they are not placing themselves, children, young people or adults at risk in situations where harm could, or is likely to, occur. All employees who work with vulnerable groups as defined within this protocol have a duty to safeguard these groups through their conduct and should ensure that they comply with any policies relevant to the exercise of their contractual functions. For example, any LCRCA employees who might reasonably and entirely appropriately be expected to work on a 1:1 basis with members of vulnerable groups should have regard to the guidance on Lone Working 7.3 Website/Online Safety
Employees should take care when communicating with others online, particularly when identifying themselves as LCRCA employees and when in contact with children, young people and adults at risk.
Any project or work that provides service users with direct access to the internet must have protocols in place to ensure safe use. LCRCA would consider employees distributing indecent materials or making personal contact inappropriate activity and gross misconduct; this could ultimately lead to dismissal and referral for police investigation. If an employee inadvertently accesses inappropriate material whilst online and performing their duties, they should remove themselves from the website and report the matter to their line manager, the DSL and HR. Breach of this could be treated as gross misconduct.
17 Page 31 8. Consequences of Non-Compliance
Employees, volunteers, agents or contractors who work on behalf of the LCRCA are required to comply with this protocol and its associated protocols.
Failure to comply with the content of this protocol may result in disciplinary proceedings being commenced against the employee in question in accordance with the Disciplinary Procedures. Whilst proceedings are ongoing, the employee may be suspended pending an investigation which may ultimately result in their dismissal. Depending on the severity of the breach of this protocol, the employee‟s conduct may be referred for a police investigation.
Where an individual fails to comply with the content of this protocol, and that individual is not an „employee‟ of the LCRCA under employment law, the legal department should be contacted to advise on the most appropriate remedy or course of action.
18 Page 32 9. Appendices
APPENDIX A - Types of Abuse and Physical/Behavioural Indicators of Abuse
Abuse is an act of ill treatment that can harm or is likely to harm a person‟s safety, wellbeing and development. Abuse is never acceptable. Abuse can consist of a single act or repeated acts. It may be an act of neglect or an omission to act, or it may occur where a adult at risk is persuaded to enter into a financial or sexual transaction to which they do not, or cannot, consent. Abuse can also be harm that an individual causes to themselves through act or omission. Intent is not an issue at the point of deciding whether an act or a failure to act is abuse; it is the impact of the act on the person and the harm or risk of harm to that person. The Care Act 2014 categorises 10 types of abuse, which are set out below. Some of these categories are more likely to be encountered than others by employees of the LCRCA, however it is important to remain aware of all of them. Physical Abuse
Deliberate physical harm to a child, young person or adult at risk or any other form of harm which causes illness in child, young person or adult at risk. This may also include domestic violence.
Sexual Abuse
Forcing or manipulating a child, young person or adult at risk to take part in, or observe, sexual activities.
Sexual Exploitation is a type of sexual abuse aside that those who are vulnerable may be susceptible to. Children, young people and adults at risk in exploitative situations and relationships often receive something such as gifts, money or affection as a result of performing sexual activities or others performing sexual acts on them. This form of grooming for the purposes of sexual exploitation happens both online and in person. Groomers will hide their true intentions and may spend long periods of time gaining the trust of their victim. They often pretend to be someone or something they are not, offering advice, guidance, support or buying gifts.
In particular, transport hubs and public places are frequently locations that can be chosen by paedophiles or those seeking to groom children, young people or adults at risk for the purposes of sexual exploitation. These environments with public facilities offer an opportunity to observe and seek out potential victims. Employees should remain aware of this when discharging their contractual duties at transport hubs or public places owned by the LCRCA and refer to this protocol where safeguarding concerns are identified at these locations.
Emotional Abuse
19 Page 33 This involves the emotional maltreatment of a child, young person or adult at risk such as to cause severe and persistent adverse effects on the child, young person or adults at risk‟s emotional wellbeing and/or development. This can be very difficult to identify as it can go unrecognised for a long time. A person does not have to be shouting and screaming at another, it may be that they are ignoring or dismissing individuals as if they have no worth. It may appear as a form of verbal abuse, where an individual is threatened with a risk of harm, isolation or seclusion, but can include anything that alters the individual‟s behaviour. Financial Abuse This is a form of abuse where an individual controls and/or uses the finances of another for their own material gain and/or to control the individual. Organisational Abuse This is defined as a service, agency or care home putting its own needs before those of the service users. It may include elements of other forms of abuse, for example neglect, financial, sexual, physical or discriminatory abuse. It includes any acts or omissions by those with a degree of responsibility for the individual which is detrimental to that individual. Domestic Violence Domestic abuse may often include elements of other categories, for example physical, sexual, emotional or financial abuse. It involves any incident or pattern of incidents of controlling, coercive or threatening behaviour, violence or abuse, between family members or those who are intimate partners. Female Genital Mutilation (FGM) is also covered within the Domestic Abuse category. This is a practice that is often imposed upon children and is now widely regarded as a form of child abuse which is punishable under criminal employees will encounter a child who they may believe to have been subject to FGM Additionally, honour-based abuse would also constitute domestic abuse. This refers to crimes or incidents of threatening, coercive or violent behaviour often committed with the view of protecting or defending the honour of a family and/or community. This is frequently committed by families or communities in response to a perceived contravention of religious or cultural beliefs or values. Individuals subject to honour-based abuse may have physical signs of abuse and be very strictly controlled by family members or acquaintances. Modern Slavery This practice most commonly affects adults and includes working for little or no wages where they are subject to the control of another. This form of abuse may commonly be found where an adult is vulnerable by virtue of their citizenship or economic status.
20 Page 34 Modern Slavery may therefore also be linked with human trafficking in certain circumstances. Human trafficking is the action or practice of illegally transporting people from one country or area to another, typically for the purposes of forced labour or sexual exploitation.
Discriminatory Abuse
Similarly, discriminatory abuse is where those in a position of responsibility refuse to acknowledge that the individual has specific care needs, distinct from another. For example, it may include purposefully ignoring that individual‟s religion, personal beliefs, dietary views or other personal preference. Neglect
This involves the persistent failure to meet a child, young person or adults at risk‟s basic physical and/or psychological needs, likely to result in serious impairment of the child, young person or adults at risk‟s health or development.
Self-Neglect
The Care Act also recognises self-neglect as a form of abuse. This is where an individual fails to attend to their personal care and hygiene to their detriment. There could be multiple reasons for this including low self-worth, depression or mental health issues.
Other Forms of Abuse Radicalisation Radicalisation is not detailed within the Care Act, but is defined by the Government‟s „PREVENT‟ duty guidance as „the process by which a person comes to support terrorism and extremist ideologies associated with terrorist groups‟. Similar to sexual exploitation, radicalisation is frequently initiated online; individuals may target vulnerable groups and provide them with affection or friendship, drugs or alcohol in order to manipulate them for their own gain. As part of radicalisation, children, young persons or adults at risk may seek to isolate themselves, they may espouse radical or extreme views that were not previously held and they may become particularly secretive around their internet use. Physical/Behavioural Indicators of Abuse Some of the more obvious signs of abuse may include the following:
Unexplained or suspicious injuries such as bruising, cuts or burns, particularly if situated on a part of the body not normally prone to such injuries; An injury for which the explanation seems inconsistent; The individual describes what appears to be an abusive act having occurred; Someone else expresses concern about the welfare of the individual; Unexplained changes in behaviour (e.g. becoming very quiet, withdrawn or displaying sudden outbursts of temper); Engagement in uncharacteristically sexually explicit behaviour;
21 Page 35 The individual having difficulty in making friends or appears to be prevented from socialising with others; Displays variations in eating patterns including overeating or loss of appetite; Loses weight for no apparent reason; Becomes increasingly dirty or unkempt; Changes in dress/style of clothing; Shows signs of fear or emotional distress; Demonstrates self-harming behaviour; Unexplained sudden inability to pay bills or manage finances; or Espousing explicit extremist views or visiting extremist websites.
It should be recognised that the above is not an exhaustive list. Similarly, the presence of one or more of the indicators listed above is not definitive proof that abuse is taking place. It is not the responsibility of employees to decide whether or not abuse is taking place, however it is their responsibility to act on any concerns they may have by reporting it using the prescribed procedures contained in this protocol. Patterns of Abuse Those working with adults at risk, children and young people need to look beyond single incidents or people to identify patterns of harm. In order to see these patterns it is important that information is recorded and appropriately shared. Patterns of abuse vary and include:
Serial abusing in which the abuser actively and routinely targets vulnerable groups. Sexual abuse sometimes falls into this pattern as do some forms of financial abuse;
Long-term abuse in the context of a continuing family such as domestic violence between spouses or generations, or persistent psychological abuse;
Opportunistic abuse such as theft occurring because money may have been left lying around.
22 Page 36 APPENDIX B – Outline of Safeguarding Reporting Pathway
Employee made aware of/identifies safeguarding concern/incident/allegation(s)
If certain that child, young person or adult at risk is at risk of suffering immediate harm, or The employee completes Form 1 of
is currently suffering harm, dial 999 without Appendix C and passes this on to their delay. Contact the relevant Local Authority‟s identified DSL without delay or, if that DSL is Safeguarding Team (Appendix E) and inform unavailable, to a DSL in another directorate. them of this concern and then alert their identified DSL. If this DSL is unavailable, a
DSL in another directorate should be alerted.
HoS and DSL liaise with each other and arrange for Form 2 is completed by all relevant
employees. HoS/DSL will continue to liaise with emlpoyees who have reported safeguarding concern/incident/allegation. A decision will be made on whether a referral to the relevant local authority, LADO or Police is appropriate at this
Referral time. Referral not made made
If the allegation revolves around a LCRCA member of staff, HoS and DSL to consider also utilising other internal procedures, e.g. disciplinary processes.
File Case kept under Closed review. Liaise with local authority
partners/Police as required.
HoS and DSL review lessons learnt. All paperwork connected with this case must be stored centrally
23 Page 37 and retained for the minimum period required by law.
APPENDIX C – SAFEGUARDING REPORT FORMS Case No:
STRICTLY PRIVATE AND CONFIDENTIAL
Form 1 - ‘Front Sheet’
This form should be completed by an employee in immediate response to identifying a safeguarding concern. Please complete as much of this form as possible.
This form must be kept up to date as the case progresses.
SECTION A: INITIAL DETAILS
Your Name:
Your Position:
Your Line Manager:
Date and Time of am/pm Incident:
Date and Time of am/pm
24 Page 38
Report:
SECTION B: PERSONAL DETAILS OF CHILD, YOUNG PERSON OR ADULT AT RISK (IF KNOWN)
Full Name:
Person Type: Child Young Person Adult at risk
(please circle)
Gender: M F Prefer Not to Say
(Please circle)
Other (please specify):
Date of Birth:
Location of Incident:
Is the Perpetrator: A member of the Public An LCRCA employee From another organisation (please circle)
Perpetrator Information (if known):
Home Address/Contact Information:
25 Page 39
Contact info for Parent/Guardian/Next of Kin
Contact details of any Lead Agency/Worker:
Case No:
Child‟s School (if applicable)
STRICTLY PRIVATE AND CONFIDENTIAL
Form 2 - ‘Statement Sheet’
This form should be completed by any employee in relation to an identified safeguarding concern. Where an individual is experiencing, or is at risk of experiencing imminent harm, this should be passed to your DSL, or any other available DSL, immediately.
Separate statement sheets are required to be completed by every person who has safeguarding concerns about a child, young person or adult at risk, who has witnessed an incident in relation to them or who has received information about an allegation regarding them.
SECTION A - DETAILS OF CONCERN
Please record, in as much detail as possible, the safeguarding concern that you have become aware of. Please include details of anyone else who witnessed this event if applicable. (Attach extra blank paper if necessary and attach to the rear of this form).
Details of concern:
26 Page 40
It may be helpful to answer the following questions in your account; Where exactly did this concern/incident/allegation occur and at what time? What happened? Is the identity of the suspected/alleged perpetrator known to you? Was anything specific said? Who else witnessed this event) (please include contact details where possible)
Action taken, if any, by the person reporting the incident:
Incident reported to Emergency Services? (please tick) Yes ☐ No ☐ If yes, enter log number:
Incident reported to relevant agency? (please tick)
Yes ☐ No ☐
If yes, enter log number:
Serious Incident Form (SIF) competed with the relevant Local Authority? (please tick)
Yes ☐ No ☐
27 Page 41
Please pass this form on to the Designated Safeguarding Lead (DSL) or your Team Leader as soon as possible. If they are not available, pass this to a DSL in another area. As aforementioned, where the individual is experiencing, or is at risk of experiencing, imminent harm, this concern must be raised immediately.
The Designated Safeguarding Leads within the LCRCA are:
Michael Cloherty – Customer Operations Manager Debbie Biglowe – HRD Strategy & Systems Manager Lynne Gogerty – HRD Operations Manager Alastair Ramsay – Head of People & Organisational Development Monica Thornton – Learning & Organisational Development Manager Sam Graham – Investment Analyst Tony McDonough – Bus Network Performance Manager Liam Phelan – Mersey Tunnels’ Police Inspector David Poole – Customer Operations Manager Nicola Swanson – Travelsafe Officer John White – Households into Work - Programme Manager Katie Owen – Interim Homelessness Strategic Lead Jill Coule – Chief Legal Officer, Monitoring Officer
Signed: Date:
Please do not discuss this safeguarding referral with anyone other than those directly involved in this referral process and only then in a professional capacity. SECTION B – TO BE COMPLETE BY DESIGNATED SAFEGUARDING LEAD OR HEAD OF SERVICE ONLY
Please sign and date below to confirm receipt of this form. This form should be stored securely in line with our obligations under the GDPR and the Data Protection Act 1998. This form should be retained in accordance with the statutory provisions of the Limitation Act 1980.
If you believe that a child, young person or adult at risk is in immediate danger, you should dial 999 as soon as you receive this form.
Signed: Date Received:
28 Page 42
Is a referral required to other services?
YES NO
If yes, specify:
Rationale for the above decision:
SECTION C – TO BE COMPLETED BY DESIGNATED SAFEGUARDING LEAD OR HEAD OF SERVICE ONLY
Details of any action taken:
If the matter was referred, was a response received?
YES NO
(if no, follow up within 48hrs)
29 Page 43
(if applicable)
Date response received:
Nature of Response:
Contact who responded (including contact information):
APPENDIX D – Employee Reporting Procedure
This Appendix is designed to provide all employees with a reporting procedure to adhere to in the event that they become aware of an individual requiring safeguarding during their daily activities. The end of this Appendix outlines further actions that those working in identified „High Risk‟ areas of the organisation may have to take, in addition to steps 1-4 outlined below, in fulfilment of their contractual duties.
This procedure must be followed regardless of whether a decision is made to report or not.
This procedure should also be completed alongside any local authority reporting requirements (of which, any paperwork generated should be copied and stored with the corresponding local documents) and in conjunction with the Liverpool City Region Combined Authority‟s Safeguarding Protocol and Procedures.
1. Complete the „Front Sheet‟ (Form 1). This should provide an overview of the case, the particulars of those involved and must be updated as the case progresses. Please consult with the Head of Service to receive a unique identifying number for the each case.
If a decision is made to report this case to the appropriate safeguarding authority, it is the responsibility of the reporter to contact them for an update of action taken and log this on the Front Sheet with the date and details of who
30 Page 44
was spoken to. For those in „Low Risk‟ areas, this reporter should usually be the Head of Service or Designated Safeguarding Lead.
2. Complete the „Statement Sheet‟ (Form 2). This should be completed as soon after becoming aware of the safeguarding case as possible, to promote accuracy. It should be completed by the person who has identified the relevant concern, witnessed the incident or who received disclosure comprising an allegation, wherever possible. If you are not that person, you should provide the details of that person, if possible, and an explanation as to why you are completing the Statement Sheet on their behalf. Separate Statement Sheets need to be completed by each person who has identified the concern, witnessed the incident or received disclosure comprising an allegation. All Statement Sheets should be signed by their author.
3. Once all the paperwork is completed, the Front Sheet and any Statement Sheets must be placed together in a clear pocket and passed to your Head of Service.
4. A case will only be closed after it is reviewed by Head of Service. It must then be securely archived as per the timescales set out in the Safeguarding Protocol. It is essential that this paperwork is typed wherever possible, updated and completed fully and all details recorded as it will be required as evidence should this matter develop into criminal proceedings or require a serious case review.
„Low Risk‟ Areas
Employees working in areas of the organisation that are largely office-based are considered to have a low risk of likelihood of encountering safeguarding issues during the fulfilment of their contractual duties.
Nevertheless, the Safeguarding Protocol makes it clear that all employees are subject to a duty to promote safeguarding wherever and whenever the situation arises. In such situations, the aforementioned recording procedure should be followed.
„High Risk‟ Areas
High Risk areas of the organisation are considered to be those with frequent contact with the general public or vulnerable individuals. This may include workers who spend time frequently in transport hubs, on public transport, or those working with the homeless. Such areas necessarily have their own reporting mechanisms and procedures; where these are present throughout the organisation they are set out below:
Housing First
31 Page 45
Before completing steps 1-4 as aforementioned in this Appendix, complete the fields in the „Recording Log‟ in Mainstay and issue a sequential identifying number to the case. This number must be quoted on all further paperwork. This log is separate from individual case files.
Households into Work
Before completing steps 1-4 as aforementioned in this Appendix, inform your Team Leader that you are reporting a safeguarding matter. If you are unable to contact your Team Leader or it is not appropriate to do so, you must inform a member of the Programme Support Team.
APPENDIX E - Useful Contacts
Where a safeguarding concern or incident has been identified in relation to a child, young person or adult at risk within the locale of a certain local authority:
Adults at risk Children
Central Advice and Duty Team Wirral Integrated Front Door
0151 514 2222 (Mon-Fri 08:50-17:00) 0151 606 2008 (Mon-Fri 9.00-17:00)
Wirral Outside these hours – 0151 677 6557 Outside these hours - 0151 677 6557
https://www.wirral.gov.uk/health-and-social- E-mail: [email protected] care/adult-social-care/safeguarding- adults/reporting-abuse-or-neglect-adult https://www.wirralsafeguarding.co.uk/
0345 140 0845 (Mon-Fri 08:00-18:00) 0345 140 0845 (Mon-Fri 08:00-18:00)
https://www.sefton.gov.uk/social- 0151 934 3555 (emergency duty team care/adults/worried-about-someone/if-you-think- from 5.30pm Mon to Thurs, and 4pm Sefton someone-is-being-harmed-or-neglected.aspx Friday and weekends
0151 934 3555 (emergency duty team from https://seftonlscb.org.uk/lscb 5.30pm Monday to Thursday, and until 4pm
32 Page 46
Friday and weekends)
Careline Careline
0151 233 3800 0151 233 3800
Liverpool https://liverpool.gov.uk/social-care/adult-social- https://liverpool.gov.uk/social-care/adult- care/keeping-adults-safe/adults-at-risk/ social-care/keeping-adults-safe/adults- at-risk/
0151 443 2600 0151 433 2600
Knowsley https://forms.knowsley.gov.uk/AdultSafeguarding https://www.knowsleyscb.org.uk/
01744 676767 01744 676600
0345 050 0148 (Emergency Duty Team) 0345 050 0148 (Emergency Duty Team)
St Helens https://www.sthelens.gov.uk/social-care- https://sthelenssafeguarding.org.uk/scp health/adults/safeguarding-adults/
0151 907 8306 0151 907 8305 (Mon-Fri 9:00-17:00)
Halton 0345 050 0148 (Emergency Duty Service - out 0345 050 0148 (Emergency Duty of office hours) Service - out of office hours)
http://adult.haltonsafeguarding.co.uk/ https://children.haltonsafeguarding.co.uk/
Where an allegation has been made against an adult working with children or young people:
The Local Authority Designated Officer (LADO) helps co-ordinate information- sharing with the right people and will also monitor and track any investigation, with the aim to resolve it as quickly as possible.
The LADO must be told of allegations against adults working with children and young people within 24 hours. This includes all cases where a person is alleged to have:
Behaved in a way that has harmed, or may have harmed a child; Possibly committed a criminal offence against, or related to, a child; or Behaved towards a child or children in a way that indicates they may pose a risk of harm to children.
District LADO Contact Details
Suzanne Cottrell - 0151 666 4582
Wirral Email: [email protected]
33 Page 47
https://www.wirralsafeguarding.co.uk/professionals/lado-allegations/
0151 934 3783
Sefton Email: [email protected].
https://seftonlscb.org.uk/lscb/professionals/managing-allegations-local-authoritys- designated-officer
0151 233 3700 via Careline
Liverpool https://liverpool.gov.uk/social-care/childrens-social-care/keeping-children- safe/children-at-risk/
0151 443 3928
Knowsley https://www.knowsleyscb.org.uk/local-authority-designated-officer-lado-guidance- practitioners-parentscarers-children/
Timba Kanngoni - 01744 661 809
St Helens https://sthelenssafeguarding.org.uk/scp/scp/workforce/allegations-against- professionals-lado
0151 511 7229
Halton https://children.haltonsafeguarding.co.uk/contact-us/
Other Useful Contacts
NSPCC Child Protection Helpline (24 hours) To report or discuss concerns about a child‟s welfare, call 0808 800 5000 or email [email protected]
Child Exploitation and online Protection Command (CEOP) To report a concern that a child is being abused or groomed online at www.ceop.police.uk
Related policies and procedures
This protocol should be read in conjunction with the following Local Authority and LCRCA policies and procedures:
Responding to concerns about a child or adults at risk wellbeing Dealing with allegations of abuse Role of the Designated Safeguarding Lead Safer recruitment procedures Code of conduct for employees and agents of the LCRCA Anti-bullying guidance and procedures
34 Page 48
General Data Protection Regulations (GDPR) Whistleblowing policy Antisocial behaviour on the Merseytravel estate Protocols for supported bus, train services and Mersey Ferries. HR policies including but not limited to: Disciplinary and grievance, harassment and bullying, induction, ICT acceptable use, recruitment and selection, employee training and development
The following legislation is also relevant to this protocol:
Care Act 2014 Children Act 1989, 2004 Counter-terrorism and Security Act 2015 Data Protection Act 2018 Equality Act 2010 Female Genital Mutilation Act 2003 Health and Safety at Work Act 1974 Human Rights Act 1998 Management of Health and Safety at Work Regulations 1999 Mental Capacity Act 2005 Modern Slavery Act 2015 Limitation Act 1980 Police Act 1997 Protection of Children Act 1999 Protection of Freedoms Act 2012 Rehabilitation of Offenders Act 1974 & (exceptions) order 1975 Safeguarding Vulnerable Groups Act 2006 Sex Offenders Act 2003
Protocol Owner
Safeguarding Protocol is owned by the Liverpool City Region Combined Authority (LCRCA). It will be annually reviewed and updated in order to ensure compliance with legislative changes and internal business development. The Lead officer with support from internal stakeholders will ensure that each published version of the protocol is published and cascaded appropriately.
Contact details
Nominated Lead: John Fogarty
Title: Director of Resources
Contact number: 0151 330 1137
Email: [email protected]
35 Page 49
In the absence of the nominated lead, please contact:
Name Nicola Swanson
Title Liverpool City Region Travelsafe Officer
Mobile no: 07843 642357
Email [email protected]
Merseyside Police
Emergency number 999
Reporting of a non-urgent issue 101
Document Control
Version Date of issue Date of next review
1 xx/xx/xx xx/xx/xx
36 Page 50 Agenda Item 8
LIVERPOOL CITY REGION COMBINED AUTHORITY
To: Members of the Audit and Governance Committee
Meeting: LCR Audit and Governance Committee
Authority/Authorities Affected: All
EXEMPT/CONFIDENTIAL ITEM: No
REPORT OF THE MONITORING OFFICER
Insurance Claims Review - July 2020
1. PURPOSE OF REPORT
1.1. The purpose of this report is to provide a review of insurance claims during the period 1 July 2019 – 30 June 2020.
2. RECOMMENDATIONS
2.1. It is recommended that Audit and Governance Committee note the contents of the report.
3. BACKGROUND
3.1 This report has been prepared following a recommendation from the Head of Internal Audit which specifically requested that the following information be reported annually to the Audit & Governance Committee of the Combined Authority and the Audit Risk and Governance Board of Merseytravel:-
(a) insurance claims received for the period 1 July 2019 to 30 June 2020; (b) defensibility rates; (c) levels of fraudulent claims; and (d) any specific financial implications arising from the above.
3.2 Claims received for the period 1 July 2019 to 30 June 2020
18 claims were received in total during the year. These are broken down into insured risk (17) and un-insured risk (1). Details are set out in the Appendix to this report.
3.3 Defensibility Rates
Out of the 18 claims made in this period 7 have concluded and were successfully defended. The defensibility rate so far in the past year was 39%. There are a Page 51 number of cases that are ongoing so the 39% may increase depending on the outcome of the other 11 that have arisen in the last year. Often cases take a considerable time to resolve especially if they proceed to court. Officers are also very challenging on costs claimed by solicitors.
3.4 Levels of Fraudulent Claims
There have been no known fraudulent claims. Insurers have a process in place to be able to recognise fraudulent claims to support the internal officers.
3.4 Financial Implications of Claims
The table below sets out damages paid out for claims during the period. Reserve figures are also detailed.
Claim ref Recommended Damages paid Costs Total Reserve Case 119332 £10,000 £1,049 TBC TBC Case 2 £4,430 TBC TBC TBC Case 3 £5,000 £3,000 TBC TBC Case 4 £5,000 TBC TBC TBC Case 5 £0 £25,000 TBC TBC
4. RESOURCE IMPLICATIONS
4.1. Financial
Details of claims paid out during the year are indicated in the table above. There is currently an excess of £25k in respect of public liability and property damage insurance so any claims received below the excess are deemed self-insured. There is a nil excess for employers liability claims so all claims are paid for by insurers. There is no policy in place in respect of Industrial Disease claims prior to 31 March 1986 so the organisation carries its own risk in this regard.
4.2. Human Resources
There are no direct issues arising from this report.
4.3. Physical Assets
There are no direct issues arising from this report.
4.4. Information Technology
There are no direct issues arising from this report.
4.5 Programme Management Office (PMO)
There are no direct issues arising from this report.
Page 52
5. RISKS AND MITIGATION
5.1. The organisation has an adequate insurance programme in place which mitigates the risks of significant claims against the organisation. All of the measures that have been implemented within the organisation have helped to keep these claims low on an annual basis. Out of the 18 claims received, only 9 are actual injury claims the rest are related to property damage.
5.2. In order to mitigate the risks, feedback is provided to the relevant departments of the organisation to ensure that if there are any issues they can be remedied to prevent further claims.
6. EQUALITY AND DIVERSITY IMPLICATIONS
There are no direct equality and diversity issues arising from this report.
7. PRIVACY IMPLICATIONS
There are no direct privacy implications arising from this report.
8. COMMUNICATION ISSUES
There are no direct communication issues arising from this report.
9. CONCLUSION
A periodic review of claims received between 1 July 2019 to 30 June 2020 has been undertaken. This report highlights the insurance claims received for this period, the defensibility rates, the levels of fraudulent claims and the financial implications of these.
Jill Coule MONITORING OFFICER
Contact Officer(s): Louise Outram, Deputy Monitoring Officer 0151 330 1700 Joanna Sawyer, Corporate Communications Manager 0151 330 1129
Page 53
Page 54 Page Agenda Item 9
LIVERPOOL CITY REGION COMBINED AUTHORITY
To: The Chair and Members of the Audit & Governance Committee
Meeting: 23 September 2020
Authority/Authorities Affected: All
EXEMPT/CONFIDENTIAL ITEM: No
REPORT OF THE MONITORING OFFICER
LIVERPOOL CITY REGION COMBINED AUTHORITY AUDIT AND GOVERNANCE COMMITTEE ANNUAL REVIEW 2019/2020
1. PURPOSE OF REPORT
The purpose of the report is to provide Members of the Audit and Governance Committee with an Annual Review for 2019/20 that includes Audit and Governance activity, schedule of proposed meeting dates and forward plan to demonstrate how the Committee will discharge its functions during 2020/21.
2. RECOMMENDATIONS
The Liverpool City Region Audit and Governance Committee is recommended to:
a) agree the Audit and Governance Committee Annual Review for 2019/20 at Appendix 1 and that any amendments/insertions be made in consultation with the Chairperson, Vice Chairperson, the Head of Internal Audit and the Monitoring Officer; and
b) agree the proposed programme of meetings and provisional work programme for the Audit and Governance Committee for 2020/21 at Appendix 1 and that any amendments during the course of the new municipal year be made in consultation with the Chairperson, Vice Chairperson, the Head of Internal Audit and the Monitoring Officer.
3. BACKGROUND
3.1 To enable the Audit and Governance Committee to discharge its functions as defined in its Terms of Reference in the LCRCA Constitution, the enclosed cycle of meetings and provisional work programme of core business is proposed at Appendix 1.
Page 55 3.2 In addition to the activities detailed in Appendix 1, during the year, the Audit and Governance Committee may also consider additional items of business within its remit, including, but not limited to;
a) Reports and recommendations of external audit and inspection agencies and their implications for governance, risk management or internal control, where appropriate;
b) Review the effectiveness of the Authority’s risk management arrangements, Corporate Risk Register and Risk Management Strategy and policies;
c) Review and consider the Authority’s Accounting Policies, Treasury Management arrangements and financial performance;
d) Consider revisions to the Liverpool City Region Combined Authority Code of Corporate Governance and Assurance Framework, if required;
e) Consider the Authority’s counter-fraud arrangements;
f) Consider the Authority’s compliance with Public Sector Internal Audit Standards (PSIAS), the CIPFA Local Government Application Note (LGAN) and associated guidance and best practice; and
g) Any other business proposed by the Chair, officers or Members of the Authority, as appropriate.
4. RESOURCE IMPLICATIONS
There are no direct issues arising from this report which is for noting only.
4.1 Financial
There are no direct issues arising from this report.
4.2 Human Resources
There are no direct issues arising from this report.
4.3 Physical Assets
There are no direct issues arising from this report.
4.4 Information Technology
There are no direct issues arising from this report.
5. RISKS AND MITIGATION
There are no direct issues arising from this report.
Page 56
6. EQUALITY AND DIVERSITY IMPLICATIONS
There are no direct issues arising from this report.
7. COMMUNICATION ISSUES
There are no direct issues arising from this report.
8. CONCLUSION
The Combined Authority is required by law to ensure that adequate and effective internal audit arrangements are provided for. The proposed schedule of dates and forward plan of Committee activities outlined in this Report seek to ensure that legal and Constitutional obligations are met in respect of these requirements.
JILL COULE Monitoring Officer
Contact Officer(s): Dave Knott, Audit Manager, 0151 330 1122 Shauna Phillips, Democratic Services, 0151 330 1086
Appendices:
Appendix 1 – Audit and Governance Committee Annual Review for 2019/20 and Provisional Work Programme for 2020/21
Background Documents: None
Page 57 This page is intentionally left blank
LIVERPOOL CITY REGION AUDIT AND GOVERNANCE COMMITTEE
ANNUAL REPORT 2019/20
Page 59
CONTENTS
Page nos.
Foreword by the Audit & Governance Committee Chair 3
Audit & Governance Committee Members 2019/20 4
Audit & Governance Committee Terms of Reference 5 - 8
Audit & Governance Committee Activity 2019/20 9 - 10
Key Achievements of the Committee during 2019/20
Audit & Governance Committee – Provisional Work Programme 2020/21 11 - 12
Areas of Focus 2020/21
2 Page 60
FOREWORD
Chairperson, Councillor Edna Finneran
Welcome to the 2019/20 Annual Report of the LCR Audit and Governance Committee. I am pleased to present this report that highlights the work of the Committee over the last twelve months and also sets out the proposed work programme going forward for the Audit and Governance Committee for 2020/21.
I hope that this Annual Report helps to demonstrate the vital role that is carried out by the Committee and the contribution that it makes to the Combined Authority‟s overall governance. As with all Liverpool City Region Combined Authority Committees, scheduled meetings are open to members of the public and I would encourage residents within the City Region to come along and see the Committee in action.
I would like to thank the officer team, who have been supportive in providing training and explaining all the audit and governance terminology and provided the Committee with information and frameworks to assist us in monitoring the audit and governance arrangements. Finally, I would like to thank my fellow councillors for their attendance and commitment to the Committee.
Edna Finneran ______Chairperson, Councillor Edna Finneran
3 Page 61
AUDIT AND GOVERNANCE COMMITTEE MEMBERS 2019/20
Chairperson: Councillor Edna Finneran Labour, Halewood South Ward Knowsley Metropolitan Borough Council
Councillor Dr John Pugh Liberal Democrat, Dukes Ward Opposition Group Representative Sefton Metropolitan Borough Council
Councillor Sir Ron Watson Conservative, Dukes Ward Opposition Group Representative Sefton Metropolitan Borough Council
Councillor Pat Hackett Labour, New Brighton Combined Authority Representative Wirral Borough Council
Councillor David Baines Labour, Windle Combined Authority Representative St Helens Borough Council
Councillor Louise Whitley Labour, Halton View Halton Borough Council
4 Page 62
AUDIT AND GOVERNANCE COMMITTEE TERMS OF REFERENCE
1. Composition
Membership
The Audit and Governance Committee will be composed of 7 Members as follows:
(i) 6 elected Members which consist from the voting members of the Combined Authority and the Overview and Scrutiny Committee; and (ii) 1 Independent Member.
There will be no more than two Members of the Combined Authority on the Committee.
Chairing the Committee
The Chair shall be appointed annually from amongst the voting membership of the Committee at its first meeting following the Annual Meeting and before proceeding to other business.
Appointment
The Combined Authority shall appoint an Audit and Governance Committee at the Annual Meeting of the Combined Authority, which shall consist of:
(a) members appointed from the voting members of: (i) Combined Authority and (ii) Overview and Scrutiny Committee, together with (iii) another elected voting member as a substitute member of the Audit and Governance Committee to act in the absence of the member appointed above, in such a manner that the members of the Audit and Governance Committee taken as a whole will reflect, so far as reasonably practicable, the balance of political parties for the time being prevailing among members of the Constituent Councils when taken together;
(b) at least one Independent Person, appointed through the prescribed procedure and who: (i) is not a member, co-opted member or officer of the authority; (ii) is not a member, co-opted member or officer of a parish council for which the authority is the principal authority; 5 Page 63 (iii) is not a relative, or close friend, of a person within sub-paragraph (i) or (ii); and (iv) was not at any time during the 5 years ending with an appointment (1) a member, co-opted member or officer of the authority; or (2) a member, co-opted member or officer of a parish council for which the authority is the principal authority; and
(c) such non-voting members may be co-opted from other organisations in such manner and at such times as the Audit and Governance Committee may decide.
Quorum
No business of the Audit and Governance Committee shall be transacted unless at least two-thirds of the voting members are present.
Meetings and Procedure
The Committee will conduct business in accordance with the overview and scrutiny rules, meeting standing orders, access to information rules and other standing orders, codes and protocols set out in Part 4 of this Constitution.
Delegation
The Committee may establish such sub-committees, panels and ad-hoc working groups as it considers expedient to assist it.
Statement of Purpose
The Audit and Governance Committee is a key component in the Combined Authority‟s Corporate Governance Arrangements. Its main objectives are to:
provide assurance of the adequacy of the risk management framework and the associated control environment, including the Annual Governance Statement and other assurance statements;
ensure that it properly reflects the risk environment and considers any actions required to improve it and to demonstrate how good governance supports the achievements of the Combined Authority‟s objectives; and
promote and maintain high standards of conduct by Combined Authority Members.
Functions
The Combined Authority has delegated to the Audit and Governance Committee the following roles in order to advise the Combined Authority:
(a) to satisfy itself that the Combined Authority‟s assurance statements, including the Annual Governance Statement, properly reflect the risk environment and
6 Page 64 any actions required to improve it, and demonstrate how governance supports the achievements of the Combined Authority‟s objectives;
(b) in relation to the Combined Authority‟s internal audit functions:
approve the Internal Audit Charter, Quality Assurance & Improvement Programme and Code of Ethics for Internal Audit.
approve the risk-based internal audit plan, including any significant interim changes to the plan
monitor compliance with the Public Sector Internal Audit Standards.
consider the Head of Internal Audit‟s Annual Report
oversee its independence, objectivity, performance and professionalism;
support the effectiveness of the internal audit process; and
promote the effective use of internal audit within the assurance framework;
(c) to consider the effectiveness of the Combined Authority‟s risk management arrangements and the control environment. Review the risk profile of the organisation and assurances that action is being taken on risk-related issues, including partnerships with other organisations;
(d) to monitor the effectiveness of the control environment, including arrangements for ensuring value for money and for managing the Combined Authority‟s exposure to the risks of fraud and corruption;
(e) to consider the reports and recommendations of external audit and inspection agencies and their implications for governance, risk management or control;
(f) to support effective relationships between external audit and internal audit, inspection agencies and other relevant bodies, and encourage the active promotion of the value of the audit process;
(g) to review the accounting policies, financial statements, external auditor‟s opinion and reports to members, and monitor management action in response to the issues raised by external audit;
(h) to promote and maintain high standards of conduct by Members;
(i) to assist Combined Authority Members to observe the Combined Authority‟s Code of Conduct for Members;
(j) to advise the Combined Authority on the adoption, revision or replacement of the Combined Authority‟s Code of Conduct for Members and the Combined Authority‟s Arrangements for Dealing with Complaints that Combined Authority 7 Page 65 Members have failed to comply with the Combined Authority‟s Code of Conduct for Members (“the Authority‟s Arrangements”);
(k) to monitor the operation of the Combined Authority‟s Code of Conduct for Members and the Authority „s Arrangements;
(l) to advise, train or arrange to train Combined Authority Members to observe the Combined Authority‟s Code of Conduct for Members;
(m) to determine, in accordance with the Authority‟s Arrangements, whether a Member has failed to comply with the Combined Authority‟s Code of Conduct for Members and, if so, to determine what action (if any) to take in respect of the Combined Authority Member, such actions to include: –
• publication of the findings of the Combined Authority‟s Standards Committee in respect of the Subject Member‟s conduct; • reporting the findings of the Combined Authority‟s Standards Committee to the Combined Authority for information; • recommendation to the Combined Authority that the Subject Member should be censured; • instructing the Combined Authority‟s Monitoring Officer to arrange training for the Subject Member; or • recommendation to the Combined Authority that the Subject Member should be removed from all appointments to which the Subject Member has been appointed or nominated by the Combined Authority;
(n) to determine appeals against the Monitoring Officer‟s decision on the grant of dispensations;
(o) to report to the Combined Authority on the Committee‟s findings conclusions and recommendations concerning the adequacy and effectiveness of the Authority‟s governance, risk management and internal control frameworks; financial reporting arrangements, and internal and external audit functions; and
(p) to report to the Combined Authority on the performance of the Committee in relation to its Terms of Reference and the effectiveness of the Committee in meeting its purpose.
8 Page 66
AUDIT AND GOVERNANCE COMMITTEE ACTIVITY 2019/20
Meeting: 24 July 2019 Items covered: Internal Audit Annual Report and Opinion 18/19 Internal Audit Performance Report Risk Management Update Final Accounts 18/19 Work Programme Constitution Update
Meeting: 2 October 2019 Items covered: Internal Audit Performance Report Amendments to the LCRCA Single Entity statement of Accounts Counter Fraud Update Governance Update – Constitution and Returning Officer Risk Management Update
Meeting: 11 March 2020 – Inquorate Meeting Items covered: Risk Management Update Internal Audit Performance Report Internal Audit Plan and Charter 20/21 External Audit Progress Update External Audit Letter 18/19 External Audit Plan 19/20 External Audit Letter 19/20 Work Programme and Meeting Dates 19/20
KEY ACHIEVEMENTS OF THE COMMITTEE DURING 2019/20
The consideration of the items of business detailed in the table above has enabled the Committee to fulfil its obligations according to its Terms of Reference.
In particular, the level of engagement and scrutiny displayed by members of the Committee has been positive in demonstrating the discharge of the Committee‟s responsibilities. The engagement and contribution of the Independent Member of the Committee has further emphasised this.
It is acknowledged that the statutory position on quoracy of the Committee has presented challenges during the year, and the Committee‟s March 2020 meeting was not quorate. This affects the ability of the Committee to transact its business effectively and is a continued area of focus going forward.
Key achievements have been:
9 Page 67 Review and update of the Terms of Reference of the Committee so as to comply with the best practice detailed in the CIPFA document: “Audit Committees: Practical Guidance for Local Authorities and Police” (2018 Edition). Review of the performance of Internal Audit and the role the function plays in the system of internal control; Holding officers to account in respect of their response to matters raised in internal and external audit reports Review and approval of the LCRCA‟s financial statements, including the Annual Governance Statement, and associated external audit reports Overview of risk management matters including encouraging the continued embedding of an effective corporate system of risk management, and approval of the Risk Management Policy Review and oversight of matters relating to the organisation‟s response to fraud and corruption, and encouraging the embedding of an appropriate system to support this Upholding standards of conduct and good governance by receiving reports detailing matters relating to complaints, whistleblowing and related matters.
10 Page 68
AUDIT AND GOVERNANCE COMMITTEE
Provisional Work Programme for 2020/21
The Committee would like to propose the following provisional work programme for 2020/21
DATES AGENDA ITEMS
23 September Internal Audit 2020 Head of Internal Audit Annual Report and Opinion Internal Audit Performance Risk Management Update Internal Audit Plan 2020/21 and Internal Audit Charter Finance External Auditor‟s Audit Strategy Governance Procedure for Dealing with Complaints Against Members Audit & Governance Annual Report
4 November 2020 Internal Audit Internal Audit Performance Report Risk Management Update Insurance Update (joint report with Legal) Finance Liverpool City Region Combined Authority Final Accounts Governance Governance Update (Information Management – Breaches, Conduct and Complaints and Whistleblowing)
20 January 2021 Internal Audit Internal Audit Performance Report Risk Management Update Counter-Fraud Update Counter-Fraud Policies Finance Mazars Annual Audit Letter
3 March 2021 Internal Audit Internal Audit Performance Report Internal Audit Plan Risk Management Update Risk Management Policy Finance Accounting Policies (revised) External Audit Plan Governance Schedule of A&G Committee Dates & Forward Plan 11 Page 69
AUDIT AND GOVERNANCE COMMITTEE
Looking Ahead to 2020/21
Audit and Governance plays an important role in challenging performance and driving improvement and needs to be as effective as possible.
Areas of Focus for 2020/21
AREA OF FOCUS COMMENTS Developing effectiveness of the Committee in accordance with good practice for audit committees outlined by CIPFA in their publication “Audit Committees: Practical Guidance for Local Authorities and Police” (2018 Edition). This will enable Further training for members to support development Committee members to and increase effectiveness. assess their own compliance with the guidance and report on this in 2020-21.
Continues focus on ensuring quoracy of Committee meetings.
12 Page 70 Agenda Item 10
LIVERPOOL CITY REGION COMBINED AUTHORITY
To: The Chair and Members of the Combined Authority Audit and Governance Committee
Meeting: 23 September 2020
Authority/Authorities Affected: Combined Authority/All Districts
EXEMPT/CONFIDENTIAL ITEM: No
REPORT OF THE HEAD OF INTERNAL AUDIT
HEAD OF INTERNAL AUDIT ANNUAL REPORT AND OPINION 2019-20
1. PURPOSE OF REPORT
The purpose of this report is to provide the Head of Internal Audit’s Annual Report and Opinion in respect of Liverpool City Region Combined Authority for the financial year 2019-20. The report summarises the work undertaken by Internal Audit during the year, the key conclusions that can be drawn from this, and the overall opinion on the organisation’s governance, risk and internal control environment.
2. RECOMMENDATIONS
It is recommended that the Audit and Governance Committee:
(a) Notes the report.
3. BACKGROUND
So as to support the Committee in the discharge of its duties according to its Terms of Reference, and in accordance with the Public Sector Internal Audit Standards, this report fulfils the requirement for the Head of Internal Audit to provide an annual report and opinion on the effectiveness of the organisation’s governance, risk and internal control environment. It is worthy of note that there is a separate Annual Report and Opinion relating to Merseytravel, and this is reported to the Audit, Risk and Governance Board.
The report highlights the following key points:
A summary of the Internal Audit work undertaken during 2019-20; A summary of the performance of Internal Audit; The impact of the Coronavirus outbreak; A review of Internal Audit’s compliance with the Public Sector Internal Audit Standards (PSIAS); A summary of the Quality Assurance and Improvement Programme (QAIP) established during the year; Page 71 The overall Head of Internal Audit opinion on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control in 2019-20; and A look ahead to the Internal Audit Plan 2020-21.
4. RESOURCE IMPLICATIONS
4.1 Financial
There are no direct issues arising from this report.
4.2 Human Resources
There are no direct issues arising from this report.
4.3 Physical Assets
There are no direct issues arising from this report.
4.4 Information Technology
There are no direct issues arising from this report.
4.5 Programme Management Office (PMO)
There are no direct issues arising from this report.
5. RISKS AND MITIGATION
5.1 It is the responsibility of the Liverpool City Region Combined Authority to establish effective arrangements for the management of risk. Internal Audit reports highlight weaknesses that pose a risk to the achievement of the organisation’s objectives and the according recommendations assist in mitigating such risks. Internal audit work is one strand of assurance regarding the effectiveness of the system of internal control and this can be utilised to inform the organisation’s view of organisational risk and its management.
6. EQUALITY AND DIVERSITY IMPLICATIONS
6.1 There are no direct issues arising from this report.
7. PRIVACY IMPLICATIONS
7.1 There are no direct issues arising from this report.
8. COMMUNICATION ISSUES
Page 72 8.1 There are no direct issues arising from this report.
9. CONCLUSION
9.1 The Head of Internal Audit’s Annual Report and Opinion is the culmination of the work of Internal Audit during the year, and forms a key strand of assurance for the organisation regarding the effectiveness of the governance, risk and internal control environment.
LAURA A. WILLIAMS Head of Internal Audit Contact Officer(s):
Laura A. Williams, Head of Internal Audit tel: 0151 330 1764
Appendices: Appendix 1 – Head of Internal Audit Annual Report and Opinion 2019-20
Background Documents: None
Page 73 This page is intentionally left blank
LIVERPOOL CITY REGION COMBINED AUTHORITY HEAD OF INTERNAL AUDIT INTERIM ANNUAL REPORT AND OPINION 2019-20
Page 75 Page
Audit and Governance Committee 23 September 2020
Laura A. Williams MA CPFA Head of Internal Audit
Contents
Page
1. Executive Summary 2
2. Introduction 4
3. Work Completed 6
Page 76 Page 4. Opinion 19
5. Effectiveness of Internal Audit 21
6. Developments 25
7. Looking Ahead 26
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 1
1. Executive Summary
1.1 The Head of Internal Audit is obliged, under the Public Sector Internal Audit Standards (PSIAS), to provide an annual report summarising the work undertaken by internal audit during the last financial year, and to provide an overall opinion of the adequacy and effectiveness of the organisation’s framework of governance, risk management and internal control, derived from this work. This is a key part of the governance and assurance frameworks of the Liverpool City Region Combined Authority (LCRCA).
1.2 In respect of 2019-20, 6 audits were completed in respect of Liverpool City Region Combined Authority. The overall organisational risk opinions given in these reports are summarised as:
Page 77 Page Organisational Risk Number of Audits Opinion Major 0 Moderate 1 Minor 2 Negligible 0 Advice provided 3 Table 1
1.3 In addition to this, advice and guidance was given to developing systems, such as Adult Education Budget and Housing First, and 71 grants were certified, totalling £6,143,159.
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 2
1.4 Based upon the work undertaken by Internal Audit in respect of 2019-20, the opinion of the Head of Internal Audit on the overall adequacy and effectiveness of LCRCA’s framework of governance, risk management and control is:
Head of Internal Audit Opinion 2019-20 Overall Opinion Capacity for Improvement Adequate Good Table 2
1.5 The remainder of this report sets out in more detail how the opinion is derived.
Page 78 Page
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 3
2. Introduction
2.1 It is the responsibility of management to establish effective arrangements for governance, internal control and risk management in the organisation.
2.2 In accordance with the Accounts and Audit Regulations 2015, LCRCA must ensure that it provides adequate and effective internal audit arrangements in respect of its accounting records and systems of internal control, and that it conducts an annual review of the effectiveness of these. In addition, these arrangements must be delivered in accordance with the Public Sector Internal Audit Standards (PSIAS) and Local Government Application Note (LGAN), which came into effect on 1 April 2013 (and were revised 1 April 2016 and 1 April 2017 and LGAN revised 2019).
2.3 The PSIAS represent mandatory best practice for all public sector internal audit service providers in the UK and cover: Page 79 Page Definition of Internal Auditing; Code of Ethics; and International Standards for the Professional Practice of Internal Auditing.
2.4 Further to the 2016 revision to the PSIAS, Internal Audit has adopted the following mission statement: “To enhance and protect organisational value by providing risk-based and objective assurance, advice and insight.”
2.5 It is a requirement of the PSIAS that the Head of Internal Audit provides an annual report to those charged with governance, which should include an opinion on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control. This report informs the Annual Governance Statement.
2.6 The CIPFA Statement on the Role of the Head of Internal Audit (2019) also states that “The head of internal audit (HIA) plays a critical role in delivering the organisation’s strategic objectives by objectively assessing the adequacy and effectiveness of governance and management of risks, giving an evidence-based opinion on all aspects of governance, risk management and internal control”.
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 4
2.7 In arriving at this opinion, this report sets out:
A summary of the Internal Audit work undertaken during 2019-20; A summary of the performance of Internal Audit during the year; including commentary on the impact of the Coronavirus pandemic; A review of Internal Audit’s compliance with the Public Sector Internal Audit Standards (PSIAS); A summary of the Quality Assurance and Improvement Programme (QAIP) established during the year; The overall Head of Internal Audit opinion on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control in 2019-20; and A look ahead to the Internal Audit Plan 2020-21.
Page 80 Page 2.8 It is worthy of note that in recognition of the separate legal status of Merseytravel, a separate Annual Report and Opinion has been issued in respect of that entity, and has been reported to the Audit, Risk and Governance Board and will be reported to Merseytravel. For the information of this Committee, the overall opinion in respect of Merseytravel is also provided at section 4 of this report.
2.9 It is confirmed that there was no impairment to Internal Audit objectivity during 2019-20.
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 5
3. Work Completed
Background
3.1 The Internal Audit Plan 2019-20 was approved by the Combined Authority Audit and Governance Committee at its meeting on 20 March 2019.
3.2 Members of this Committee have been kept fully appraised of the delivery of this Plan and the resulting outcomes via the “Internal Audit Performance Report” which has been presented to each meeting of the Committee during the year. This report has also detailed those audits undertaken of Merseytravel services provided to LCRCA, so as to provide members of this Committee with transparent information regarding the services LCRCA receives. As these audits inform the Merseytravel Annual Report and Opinion, these are not detailed in this report. Page 81 Page 3.3 In addition, Internal Audit provides consultancy support in response to specific requests from management, which contributes to improving the organisation’s governance, risk management and internal control arrangements. Such work can include advice and guidance around the implementation of new systems and procedures, and this has been particularly pertinent during 2019-20 as the LCRCA’s arrangements have been continuing to develop.
Delivery
3.4 In respect of 2019-20, 6 internal audit reports were issued in respect of LCRCA.
3.5 The audit opinions given during the year are summarised in the following chart:
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 6
Internal Audit Opinions 2019-20 0%
Major 17% Moderate 50% Minor
33% Negligible Advice provided
Page 82 Page 0% Chart 1
3.6 Recommendation priority levels featuring in these reports are summarised in the following chart:
Internal Audit Recommendations 2019-20
25% 30% High Medium 45% Advisory
Chart 2
3.7 The detailed outputs of the work completed are detailed in table 3:
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 7
Audit Title Organisational Recommendation Priority Levels Risk Opinion High Medium Advisory Households into Work Minor 1 5 2 Housing First Moderate 5 3 1 SIF2 Assurance Framework Minor 0 1 2 LEP Governance Annual Review n/a n/a n/a n/a Annual Governance Statement n/a n/a n/a n/a Review 2018-19 Annual Governance Statement n/a n/a n/a n/a Review 2019-20 Table 3
3.8 It is pleasing to note that the work completed has yielded no opinions of major organisational risk rating. Page 83 Page
3.9 During the year, the Plan was the subject of ongoing review so as to ensure that it was reflective of the risk landscape. The review evaluated the risks presented by each of the audit areas, so as to ensure that:
The risks as these were perceived when the Internal Audit Plan was compiled was an accurate reflection of how these were perceived later in the year New and escalating risks were captured, and an audit included where necessary; The timing of the audit was most appropriate given the maturity of the risk involved; and The available audit days were used to provide the most comprehensive assurance possible, focusing on those risks that are most pertinent.
3.10 The reviews resulted in a number of changes to the Plan, all of which were presented to the Audit and Governance Committee at the appropriate time in advance of the changes being effected.
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 8
Advice and Guidance on Developing Systems
3.11 During the year, advice and guidance has been provided relating to the following areas. This reflects the fact that the activities of the LCRCA were being developed during the year, and so the associated risks were being understood and controls being designed to mitigate these:
Housing First - Internal Audit is represented on the Project Board for the development of Housing First, and during the year has provided an independent view and advice on internal control, governance, insurance and risk management matters. The project concerns the award of a grant to the Combined Authority from the Ministry of Housing, Communities and Local Government (MHCLG) of £7.7m over three years, to deliver step change in homelessness in the City Region.
SIF – the team has provided advice and guidance to a variety of SIF projects, particularly when these have been at the Page 84 Page development stage. This has provided valuable assistance in ensuring that relevant considerations such as evidencing defrayal of expenditure have been borne in mind in the agreement of Grant Funding Agreements.
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 9
Grant Assurance
3.12 In addition to the advice and guidance provided in respect of developing SIF projects, work has been undertaken by Internal Audit to review the evidence supporting requests for payment associated with grants. This work is vital in providing assurance that grant applicants (including constituent Local Authorities, educational institutions, charities, voluntary organisations and businesses) have complied with the Grant Funding Agreements in place. Table 4 below shows the grant claims that have been audited during 2019-20:
Grant Name Number of Claims Audited Value of Claims Audited (£)
Careers and Enterprise (LEP) 7 154,439
Page 85 Page Growth Hub (LEP) 4 482,039 Low Energy Hub (LEP) 4 224,415 Rural Leader 1 74,479 Strategic Investment Fund (SIF) 54 5,193,036 SIF – Transforming Cities Fund 1 14,750 Total 71 6,143,158 Table 4
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 10
Corporate Governance
3.13 LCRCA has put in place a Code of Corporate Governance as part of its Constitution. This is held on the intranet for ease of reference for staff.
3.14 In order to appraise the effectiveness of corporate governance and provide supporting evidence to inform the Annual Governance Statement (AGS), Internal Audit has conducted a review of the LCRCA’s corporate governance arrangements. This has followed the mandatory CIPFA/SOLACE guidance “Delivering Good Governance in Local Government” (2016), which embodies the following Page 86 Page Core Principles illustrated by the diagram, right.
“Delivering Good Governance in Local Government” (CIPFA/SOLACE) 2016
3.15 The work covered the prescribed areas of governance as defined in the guidance, and engaged with all Heads of Service, Assistant Directors, Directors and the Chief Executive in gaining assurance that there is a comprehensive and effective system of governance in place.
3.16 This comprised the completion of a Governance Assurance Statement by each of these senior staff, in which they commented on the adequacy of the governance arrangements within their spheres of influence. The arrangements described in these Statements were generally positive and highlighted an awareness of the principles of good governance. Also, positively, most
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 11
respondents highlighted their wish to develop and improve their governance arrangements and identified actions to be taken over the next year to do so.
3.17 Also forming part of the review was a piece of work to follow up on the “Key Issues” highlighted in the LCRCA AGS for 2018- 19. This identified that progress has been made in addressing these, and the following progress updates were obtained so as to include relevant narrative in the AGS 2019-20:
Significant Governance Issues from AGS 2018-19 To ensure that the City Region’s Local Industrial Strategy is built around the principle of sustainable inclusive growth and reflected in its Single Investment Funding methodology and also through the Skills Strategy and other strategies. To provide support to delivery partners to overcome barriers to delivery that are inhibiting the timely delivery of the benefits of previous investment decisions. To ensure that subsequent waves of investment decisions place greater emphasis on deliverability. Page 87 Page Identify an innovative funding model that provides additional capacity in new priority areas without increasing the financial burden on local taxpayers. Work with government to see how a relaxation of the requirements around the capital and revenue split could benefit the achievement of LCRCA priorities. The issues around quoracy improved in 2018/19 from previous years, however this area remains a challenge that is common to some other Mayoral CA’s. There is a need for continued focus and development of the system of corporate risk management, to continue the positive work commenced during 2018/19 and so as to facilitate the achievement of our corporate objectives. This work will also encapsulate the articulation of the organisation’s risk appetite, so that there is clarity about the extent to which officers are empowered to embrace opportunities within a robust control environment. The CA needs to employ its resources to develop and embed policies, systems and controls that reflect the specific nature of the CA. Work with elected members to ensure that the Audit and Governance Committee can meet in quorate and provide formal consideration of its business in 2019/20. To ensure that the City Region’s Local Industrial Strategy is built around the principle of sustainable inclusive growth and reflected in its Single Investment Funding methodology and also through the Skills Strategy and other strategies. Table 5
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 12
Risk Management
3.18 The system of corporate risk management is facilitated by Internal Audit, with appropriate operational safeguards in place to preserve independence.
3.19 During the year, positive progress has been made in embedding an effective system of risk management across the LCRCA. This was especially necessary, not only in providing greater support to the achievement of corporate objectives, but because of the adverse comment in the external auditor’s reports in 2017-18 and 2018-19.
3.20 This progress has been reflected in a number of positive developments:
Establishment of a Corporate Risk Register for the LCRCA, which has been reviewed and presented to the Audit and Page 88 Page Governance Committee at each of its meetings during the year; Presentation of a report to Directors on two occasions during the year for the consideration of risk matters; Session on risk appetite which identified a number of key actions in train/planned in order to develop and articulate the appetite for risk across the organisation; Risk Group was convened which focuses on developing the corporate approach to risk and governance matters, so as to improve the manner in which these support delivery; Establishment of Service Risk Registers for all service areas.
3.21 It is important that the positive progress made in relation to risk management continues in 2020-21. This should encompass sustained focus on embedding effective risk management arrangements across the organisation. The establishment of a Risk Manager post within the Internal Audit Service has already provided additional corporate support to this, as has the continued development of the scope and activities of the Risk Group.
3.22 The Anti-Fraud, Bribery and Corruption Policy demonstrates the organisation’s commitment to creating an anti-fraud culture and maintaining high ethical standards in its administration of public funds. There is also a suite of complementary policies including the Bribery Policy, Money Laundering Policy, Confidential Reporting (Whistleblowing) Policy, Surveillance Policy and Investigation Policy. These link to other policies such as the Gifts and Hospitality Policy and the Employee Code of Conduct. During the year, Internal Audit refreshed those policies under its ownership and these were approved by LCRCA.
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 13
3.23 The Internal Audit service also raised the profile of fraud issues amongst officers by participating in International Fraud Awareness Week, which involved a range of fraud-related messaging featuring on the intranet and staff briefing; and the development of a Fraud Awareness e-learning package which highlights the roles and responsibilities of staff in preventing and detecting fraud.
3.24 Internal Audit has a number of responsibilities in the prevention and detection of fraud, bribery and corruption:
Co-ordination of the organisation’s work on the National Fraud Initiative (NFI); Compilation of a Counter-Fraud Internal Audit Plan, which identifies a number of areas for proactive anti-fraud review for completion; Co-ordination of the compilation of the Fraud Risk Register, and use of this to inform the proactive counter fraud work undertaken;
Page 89 Page Production and maintenance of a suite of Counter-Fraud policies; Investigation of referrals of suspected fraud and irregularity; Receiving notification of suspected fraud or irregularity, reports of suspected money laundering (the Head of Internal Audit is the designated Money Laundering Reporting Officer), and the receipt of confidential reports (“whistleblows”); and Being consulted for advice and guidance on matters of conduct and probity.
3.25 A self-assessment of the organisation’s counter fraud arrangements against the CIPFA Code of Practice on Managing the Risk of Fraud and Corruption was conducted during 2019-20. In the Counter-Fraud Update report presented to this Committee at its October meeting, it was noted that a full review of the organisation’s compliance with the guidance had been undertaken, and that this had resulted in a number of action points, intended to raise compliance from 85% as this was assessed in the review, to full compliance. The following table gives an update on the progress being made to address the actions:
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 14
Ref Action Implementation Progress Due Date 1 Update Counter Fraud and Corruption Policy and Strategy so as October 2019 Completed to include all relevant areas of the Code of Practice. Report this to Audit and Governance Committee and Merseytravel for approval and then publish to all staff via I4P. 2 Consider adding responsibilities for managing the risk of Fraud March 2020 Completed and Corruption to the Scheme of Delegation. Decision taken not to include with the Scheme of Delegation, but Constitution amendment has been made to clarify responsibilities. Page 90 Page 3 Participate in International Fraud Awareness week in November November 2019 Completed 2019. 4 Deliver e-learning fraud awareness training to all staff, and March 2020 The fraud awareness e-learning monitor the take-up levels. was made available in June 2019. Reminders have been issued to staff to complete the training, and monitoring of take up levels continues. 5 Report to LCRCA re adoption of the Code of Practice and October 2019 Completed associated actions. 6 Review MRFG benchmarking exercise and participate as March 2020 Initial discussions taking place. appropriate. Explore opportunities to benchmark or undertake Relationships with Heads of joint working with other Mayoral Combined Authorities. Internal Audit in other Combined Authorities being developed. 7 Consider running Fraud Risk Workshops within Departments, March 2020 Sessions will be planned post- especially those where fraud risks have been identified as most pandemic. significant.
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 15
Ref Action Implementation Progress Due Date 8 Review Fraud Risk Register and include actions to address October 2019 Completed as part of the fraud risks. Establish regime of regular updates, including Service Risk Register review. consideration of any new or emerging fraud and corruption risks. 9 Introduce fraud risks to Risk Module on MKinsight. October 2019 Underway – Risk Manager commenced in employment in March 2020 and this is part of her role. 10 Provide annual report on counter-fraud activity, including October 2019 Completed measuring progress against the Code of Practice self- assessment.
Page 91 Page Table 6
3.26 During the year, there were no notifications of suspected fraud, bribery or corruption, or investigations of such matters carried out.
3.27 In terms of proactive counter-fraud work, a number of pieces of work were completed across the LCRCA and Merseytravel:
Audit Title Key Findings Gifts and Hospitality Whilst the general policy of both organisations is coherent and consistent in respect of materiality and appropriateness considerations, inconsistency was found regarding treatment of specific examples. Conflicts of Interest Lack of staff awareness of procurement rules, the Constitution and the Declarations of Interest procedures. Review of policy needs to be completed. Creditors Duplicate Payments No duplicate payments detected for sample period. Insurance Claims No findings. Payroll/ Establishment Reconciliation No findings when last reviewed by Audit in April 2019. HR has now taken responsibility but is still waiting for IT to add IDEA to their laptop Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 16
Corporate Credit Card Transaction logs and supporting evidence incomplete in some cases. Time and Attendance Exception monitoring not being undertaken. Adjustments not always cleared promptly Table 7
3.28 The organisation participates in the National Fraud Initiative co-ordinated by the Cabinet Office. Data from the Payroll, Creditors and concessionary travel systems are uploaded to the dedicated Cabinet Office website and are matched with data within and between participating bodies so as to identify potential frauds, overpayments and errors. On receipt of the results, the organisation has responsibility to follow up and investigate the matches. The main NFI data matching is undertaken every two years, the results of these matches are fed into a national report at the end of each cycle.
3.29 Data for this cycle was uploaded during October 2018 in accordance with the NFI timetable, and matches were received in Page 92 Page late January 2019. Work on investigating the matches was concluded during the year, and there were no significant issues identified.
Other Points of Note
3.30 There was one audit undertaken during the year that is worthy of note by virtue of their opinion of “moderate”:
Audit Title Key Findings Housing First The relationship between Housing First and Ministry of Housing, Communities and Local Government (MHCLG) required development, to ensure the performance of the scheme is effectively monitored. A more effective method of monitoring personal budgets needed to be established. A method of identifying service users for the scheme needed to be formalised and implemented. Table 8
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 17
Implementation of Recommendations
3.31 During the year, follow up audits have been undertaken, so as to provide assurance that internal audit recommendations made have been implemented. The results of this work have been reported to each meeting of the Audit and Governance Committee. Generally, progress made in relation to audit recommendations has been positive, and has demonstrated the engagement of management in the audit process, and during the year, there have been no occasions on which the Audit and Governance Committee has been informed of concerns with the implementation of recommendations.
Impact of Coronavirus
3.32 Coronavirus started to have an impact during mid-March 2020, when it became apparent that significant changes to methods of working would have to be made. All staff who could work from home, including all Internal Audit staff, commenced doing so
Page 93 Page on 24 March 2020 following the Prime Minister’s announcement of “lockdown”.
3.33 At that stage of the year, over 80% of planned work had been completed, and work was being finalised across the remaining pieces of work. The organisation was placed into a situation of management of the unfolding crisis, and therefore, internal audit work was temporarily suspended so as to lessen the burden on officers during this period. The result of this has been that the completion of the outstanding pieces of work was delayed, with the final pieces of work being completed in July 2020.
3.34 It is worthy of note that during that period and the period that followed, the Internal Audit section has been called upon to provide advice and guidance to services in how they can manage delivery within a framework of appropriate control.
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 18
4. Opinion
4.1 Based upon the work undertaken by Internal Audit in respect of 2019-20, the opinion of the Head of Internal Audit on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and internal control in 2019-20 is:
Head of Internal Audit Opinion 2019-20 Overall Opinion Capacity for Improvement Adequate Good Table 9
Page 94 Page 4.2 This opinion indicates that during 2019-20, taking into account all factors detailed below, the operation of governance, risk management and internal control has been judged as adequate, meaning that it meets the minimum standards. This has arisen as a result of:
An assessment of the work delivered by Internal Audit during 2019-20, and the generally positive opinions generated from Internal Audit work in respect of the LCRCA during the year; Considerable improvement in embedding an effective system of risk management during the year, including the regular review of the Corporate Risk Register; and Systems and processes for many of the activities of the organisation have become established and have strengthened during the year.
This is a positive reflection of the progress made since the “Inadequate” opinion given in this report last year, but whilst recognising that there is still work to do to embed effective internal control, risk management, and corporate planning and performance management into all parts of the organisation.
4.3 The capacity for improvement rating indicates the extent to which it is the Head of Internal Audit’s belief that the level of control will improve over the next year. This is based upon management’s response to Internal Audit work, and the indications of positive developments in the area of risk management and corporate planning/performance management.
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 19
4.4 This opinion is based on the following:
The ongoing work to develop and embed effective risk management and corporate planning systems to optimise delivery of our objectives; The response to recommendations made to the LCRCA to date; The ongoing implementation of governance and internal control systems as the organisation develops.
4.5 It should be noted the opinion does not imply that Internal Audit has reviewed all risks and assurances relating to the organisation and is not an absolute assurance of the effectiveness of internal control arrangements and the management of risk. The purpose of this opinion is to contribute to the assurances available to the organisation which underpin the assessment of the effectiveness of its governance framework, including the system of internal control, which are encapsulated in the Annual Governance Statement.
Page 95 Page 4.6 As noted in the Introduction to this report, the opinion expressed above does not relate to Merseytravel, which, as a separate legal entity, attracts its own Annual Report and Opinion, which is prepared for the Audit, Risk and Governance Board. However, for the information of this Committee, the opinion provided in respect of Merseytravel is:
Head of Internal Audit Opinion 2019-20 Overall Opinion Capacity for Improvement Adequate Reasonable
Table 10
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 20
5. Effectiveness of Internal Audit
5.1 In establishing and demonstrating the effectiveness of Internal Audit, there are a number of requirements set out in the PSIAS:
External peer assessment of compliance with the PSIAS, required every five years; Internal assessment of compliance with the PSIAS, ideally conducted annually; and Establishment and maintenance of a Quality Assurance and Improvement Programme (QAIP), designed to ensure the quality of internal audit work and its development and improvement over time.
External Peer Assessment
Page 96 Page 5.2 In 2017, the service was the subject of an external peer assessment, conducted by peer local authorities, of the extent to which the service complies with the mandatory framework for Internal Audit in the UK Public Sector: Public Sector Internal Audit Standards (PSIAS). The overall assessment was that the service “generally complies” with the PSIAS, the highest opinion that can be given. An Action Plan was issued and all recommendations have since been implemented.
5.3 As the PSIAS determine that this must take place every five years, the re-assessment will take place in 2022.
Internal Assessment
5.4 The ongoing internal assessment of compliance has continued during the year, and it is the opinion of the Head of Internal Audit that the service continues to “generally comply” with the PSIAS.
5.5 There were a number of actions arising from the self-assessment, and these fell into two categories – those felt to be essential to compliance with the PSIAS, and secondly, those felt to be improvements that could be made so as to continue the development of the service. The actions arising from the self-assessment, and the progress made to date is detailed in the following table:
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 21
Ref Action Implementation Progress Due Date 1 Complete the Assurance Mapping exercise. March 2020 Completed 2 Consulting Engagements need to be included, and March 2020 Completed adequately defined, within the Audit Manual. 3 Archived records that are past their retention period March 2020 Completed should be deleted. It is noted that such records are only accessible to the audit team. 4 Update QAIP document and Audit Manual to reflect December 2019 Completed 2019-20 performance indicators. Areas for Development
Page 97 Page 1 Ensure that the appointment to the Risk Manager post January 2020 Completed further enhances the safeguards relating to roles and responsibilities that fall outside of internal auditing. 2 Embed the process of auditor and manager discussion March 2020 Completed re scope/most pertinent risks/available time budget; and pre-audit discussions with client to aid the process of scoping the audit review. 3 Enhance the process of discussing draft reports through March 2020 Completed embedding face-to-face meetings with the client. 4 Embed the Post-Audit Assessment in the team, so as to March 2020 Completed encourage ongoing improvement and development of the service, to support the Quality Assurance and Improvement Programme. Table 11
Quality Assurance and Improvement Programme (QAIP)
5.6 During the year, so as to ensure that the Service not only continues to comply with the PSIAS, but to ensure that the service continues to improve, the following actions were taken: Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 22
Staff attendance at relevant professional seminars and completion of relevant Continuing Professional Development requirements for professionally qualified staff; Increasing the focus on risk in internal audit work and reports; Recruitment of a Principal Auditor who is professionally qualified and suitably experienced; Engagement with Heads of Service and Directors regarding their perception of risk and their associated audit needs; Development of the relationship with the Audit and Governance Committee, including the development of more effective reporting to the Committee; and Continuous review and update of working practices and reflection of associated changes in the Internal Audit Manual.
5.7 A key element of the QAIP, in evidencing that the service complies with the PSIAS, operates in an efficient and effective manner, and is perceived as adding value to the organisation’s operations, is the adoption of a set of key performance
Page 98 Page indicators (KPIs). These feature in the Internal Audit Performance Report, which is presented to each meeting of the Audit, and Governance Committee. For 2019-20, the KPIs adopted, relating to LCRCA, their year-end results and associated commentary, are shown in the table below:
Description and Purpose Target Actual Variance and Explanation Compliance with Public Sector Internal Audit 100% 100% No variance Standards (PSIAS) The results of self-assessment reveal that the service This measures the extent to which the Internal continues to “generally comply” with the Standards. All Audit Service complies with the requirements set of the actions resulting from the self-assessment out in the Standards and the Local Government undertaken during 2019-20 have been completed. Application Note. Percentage of the Internal Audit Plan 2019/20 100% 100% No variance completed The 2019-20 Plan has been completed. This measures extent to which the Audit Plan is being delivered. The delivery of the Plan is vital in ensuring that an appropriate level of assurance is being provided across the organisation’s systems. Percentage of recommendations made that 100% 100% No variance have been agreed to be implemented by Acceptance of recommendations is generally high. management This measures the extent to which managers feel Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 23
Description and Purpose Target Actual Variance and Explanation that the recommendations made are appropriate and valuable in strengthening the control environment. Percentage of client survey responses 100% 100% No variance indicating a "very good" or "good" opinion The questionnaire return levels are rather low at 36%. This measures the feedback received on the service provided, and seeks to provide assurance that Internal Auditors conduct their duties in a professional manner. Percentage of annual senior management 100% 98% Negligible variance survey responses indicating satisfaction with Feedback positive although response levels were low. the Internal Audit service provided This measures the feedback received from Page 99 Page Directors and Heads of Service on the service provided, and seeks to provide assurance that Internal Audit is adding value at a strategic level. Table 12
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 24
6. Developments
6.1 During the year, the staffing of the team evolved with the appointment of a new Principal Auditor, who is CIMA-qualified and suitably experienced. The loss of a Senior Auditor at the end of January 2020 and the loss of an Audit Manager in March 2020 has presented an opportunity for the structure of the service to be reviewed.
6.2 In spite of the loss of staff during quarter 4, the level of completion of the Internal Audit Plan has been extremely positive, and this has arisen through strengthening the performance management arrangements within the team, including holding weekly “Goal Setting” sessions and setting quarterly targets for completion of work.
Page 100 Page 6.3 During the year, the focus on modernising the service has continued, reflected in a more streamlined and risk-based approach. This has enabled very favourable comparison with our peers and has facilitated the effective completion of the Internal Audit Plan.
6.4 The relationships held by Internal Audit with stakeholders have continued to be positive during the year, and it is pleasing that despite the year being one of transition, the perception of the service has continued to be good, and its reputation has been maintained. This is reflected in the customer feedback obtained. The service has enjoyed good working relationships with officers across the organisation, and officers are thanked for their support during the year in enabling the completion of audit work and the development of the system of internal control. The relationship with the incoming external auditor, Mazars, has also been good, allowing for a positive level of liaison and co-ordination of effort.
6.5 In terms of the relationship of Internal Audit with the Audit and Governance Committee, the streamlined and effective reporting of Internal Audit matters to the Committee has facilitated a very positive relationship, with very complimentary feedback having been received from the Chair and Deputy Chair during the year.
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 25
7. Looking Ahead
7.1 The new financial year presents an opportunity to continue to modernise the service. The key developments that are already in train for the year include:
Development and approval of a fully risk-based Internal Audit Plan, which draws on corporate and service risk information, and the views of Internal Audit, to arrive at a Plan which is reflective of the key risks facing the organisation. Crucially, this approach encourages a risk focus within audits and the audit report, and also allows for a dynamic approach to the Plan which is able to reflect the changing and emerging risks faced by the organisation; crucially those arising from the Coronavirus pandemic and the recovery of the organisation and the City Region as a whole, reflected within the Business Plan. Production of a Service Plan which sets a clear strategic direction for the service and its development, linking this to the Page 101 Page continued compliance with PSIAS and a stronger QAIP and how the service contributes to the achievement of corporate priorities; Strengthening the work undertaken on counter-fraud, to increase the focus on proactive work linked to the key fraud risks facing the organisation; and Implementation of a revised structure so as to provide a service that is fit for purpose.
7.2 The continued development and progress of the service will be reported to the Audit and Governance Committee, and the service looks forward to sharing its success with the Committee during 2020-21.
Head of Internal Audit Annual Report and Opinion 2019-20 - LCRCA Page | 26
This page is intentionally left blank Agenda Item 11
LIVERPOOL CITY REGION COMBINED AUTHORITY
To: The Chair and Members of the Combined Authority Audit and Governance Committee
Meeting: 23 September 2020
Authority/Authorities Affected: Combined Authority/All Districts
EXEMPT/CONFIDENTIAL ITEM: No
REPORT OF THE HEAD OF INTERNAL AUDIT
LIVERPOOL CITY REGION COMBINED AUTHORITY INTERNAL AUDIT PERFORMANCE
1. PURPOSE OF REPORT
1.1 The purpose of this report is to provide the Liverpool City Region Combined Authority (LCRCA) Audit and Governance Committee with an overview of the internal audit work completed in respect of the Combined Authority in the fourth quarter of 2019-20 and the first quarter of 2020-21, in accordance with the Internal Audit Plans 2019-20 and 2020-21.
2. RECOMMENDATIONS
2.1 The Liverpool City Region Combined Authority Audit and Governance Committee is recommended to:
(a) Note the outcomes of the audit work undertaken during the period of the report; and (b) Note the progress made in the delivery of the approved Internal Audit Plan in respect of the Combined Authority.
BACKGROUND
3.1 So as to support the Committee in the discharge of its duties according to its Terms of Reference, the report details the work undertaken by the Internal Audit service in respect of LCRCA in the fourth quarter of 2019-20 and the first quarter of 2020-21. The report highlights the following key points:
(a) A summary of Internal Audit Plan delivery for the period;
(b) Details of work undertaken, and key items of note in respect of corporate systems, LCRCA specific systems and Merseytravel specific systems;
Page 103 (c) An update on internal audit performance with reference to the key performance indicators detailed in the Quality Assurance and Improvement Programme (QAIP);
(d) An update on work undertaken in respect of fraud and irregularity;
(e) An update on the service’s compliance with the Public Sector Internal Audit Standards (PSIAS); and
(f) Commentary on the impact and ongoing effects of the Coronavirus pandemic.
RESOURCE IMPLICATIONS
4.1 Financial
There are no direct issues arising from this report.
4.2 Human Resources
There are no direct issues arising from this report.
4.3 Physical Assets
There are no direct issues arising from this report.
4.4 Information Technology
There are no direct issues arising from this report.
4.5 Programme Management Office (PMO)
There are no direct issues arising from this report.
5. RISKS AND MITIGATION
5.1 It is the responsibility of the LCRCA to establish effective arrangements for the management of risk. Internal Audit reports highlight weaknesses which pose a risk to the achievement of the organisation’s objectives and the according recommendations assist in mitigating such risks. Internal audit work is one strand of assurance regarding the effectiveness of the system of internal control and this can be utilised to inform the LCRCA’s view of organisational risk and its management.
6. EQUALITY AND DIVERSITY IMPLICATIONS
There are no direct issues arising from this report.
7. PRIVACY IMPLICATIONS Page 104
There are no direct issues arising from this report.
8. COMMUNICATION ISSUES
There are no direct issues arising from this report.
9. CONCLUSION
9.1 Internal Audit has made positive progress in the period of this report to deliver the Internal Audit Plan.
9.2 This report demonstrates how the provision of available Internal Audit resource has been utilised to provide appropriate assurance to the Combined Authority.
LAURA A. WILLIAMS Head of Internal Audit
Contact Officer(s): Laura A. Williams, Head of Internal Audit tel: 0151 330 1764
Appendices: Appendix 1 – Internal Audit Performance
Background Documents: None
Page 105 This page is intentionally left blank
INTERNAL AUDIT PERFORMANCE
Page 107 Page
Audit and Governance Committee 23 September 2020
Laura A. Williams MA CPFA Head of Internal Audit
Contents
Page
1. Introduction 2
2. Impact of the Coronavirus Pandemic 3
3. Summary of Internal Audit Plan Delivery 4
Page 108 Page 4. Corporate Systems 6
5. Liverpool City Region Combined Authority: Specific Systems 12
6. Merseytravel: Specific Systems 15
7. Quality Assurance and Improvement Programme 17
8. Fraud, Bribery and Corruption 20
9. Public Sector Internal Audit Standards 24
Appendices
A - Internal Audit Plan 2019-20 Status Update 28 B - Internal Audit Plan 2020-21 Status Update 31 C - Internal Audit Organisational Risk Opinions and Recommendation Priority Levels 33
Internal Audit Performance - LCRCA Page | 1
1. Introduction
1.1 The purpose of this report is to provide a summary of Internal Audit work completed in the fourth quarter of 2019-20 and first quarter of 2020-21, in respect of the Internal Audit Plans for 2019-20 and 2020-21.
1.2 The report is prepared for the Audit, Risk and Governance Board to facilitate the discharge of obligations as defined in its Terms of Reference (as approved April 2018) to highlight the outcomes of Internal Audit work as a source of assurance on the effectiveness of Merseytravel’s governance, risk and internal control environment.
1.3 Internal Audit is defined as: “an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.” (Public Sector Internal Page 109 Page Audit Standards 2017)
1.4 The mission of Internal Audit is to: “To enhance and protect organisational value by providing risk-based and objective assurance, advice and insight”.
1.5 This report includes:
Commentary on the impact of the coronavirus pandemic on Internal Audit and the wider organisation; A summary of Internal Audit Plan delivery for the period; Details of work undertaken, and key items of note in respect of corporate systems and Merseytravel specific systems; An update on internal audit performance with reference to the key performance indicators detailed in the Quality Assurance and Improvement Programme (QAIP); An update on the progress being made in respect of managing the risk of fraud and corruption; and An update on the service’s compliance with the Public Sector Internal Audit Standards (PSIAS).
Internal Audit Performance - LCRCA Page | 2
2. Impact of the Coronavirus Pandemic
2.1 The coronavirus pandemic became a significant issue in late March 2020, when the Prime Minister announced a “lockdown” of society. The immediate impact of this for the organisation was, in accordance with government guidance, that staff who could work from home should do so. The Internal Audit team has been working from home since then.
2.2 The immediate response to the pandemic for the Internal Audit team was, in accordance with its business continuity plan, to temporarily suspend work. The team spent this time undertaking work which did not require contact with the wider organisation, such as reviewing the Audit Manual, undertaking e-learning and attending virtual CPD events, and planning forthcoming work.
Page 110 Page 2.3 Importantly, however, Internal Audit was called upon to provide advice and guidance to a number of areas of the business, as processes had to be adopted that were compliant with, for example, the Public Procurement Notes issued by government. It was pleasing to see Internal Audit being consulted in this way.
2.4 In respect of the Internal Audit Plan for 2019-20, delivery of the remaining elements of the Plan began to recommence in May and was completed in July. This has caused a knock-on effect to the delivery of the 2020-21 Internal Audit Plan.
2.5 In respect of the Internal Audit Plan for 2020-21, this was presented to the Audit and Governance Committee of the Combined Authority on 11 March 2020, but as the meeting was not quorate, the Plan was not able to be formally approved. The meeting of this Board that should have taken place in April was postponed. This gave the opportunity for the Plan to be fully revised so as to take account of the impact of the pandemic on the organisation’s risk profile and internal audit resources.
2.6 Therefore, the Internal Audit Plan 2020-21 has not been presented for approval until this meeting. The Plan is also to be presented to the Audit and Governance Committee at its next meeting in September 2020. However, delivery of the Plan is underway, and this report details the activity to date.
Internal Audit Performance - LCRCA Page | 3
3. Summary of Internal Audit Plan Delivery
3.1 Audits Completed
3.1.1 In the period, 20 audits were completed. These are shown in Table 1 (those shown in italics are at draft stage):
Organisational Corporate Audit Name LCRCA Merseytravel Risk Opinion System 2019-20 LEP Governance Annual Review n/a X Rolling Stock - Power Supply Upgrade Negligible X
Page 111 Page Risk Management Minor X AGS Review (LCRCA) 2019-20 n/a X AGS Review (Merseytravel) 2019-20 n/a X Rolling Stock – Manufacturing Minor X Building Security Moderate X Treasury Management Minor X Housing First Moderate X Commissioning Moderate X SIF2 Assurance Framework Minor X Payroll Minor X Business Continuity tbc X Recruitment and Selection Moderate X Debtors Minor X
2020-21 Urban Traffic Control Minor X Tunnels - Cash Toll Recording n/a X Internal Audit Performance - LCRCA Page | 4
Organisational Corporate Audit Name LCRCA Merseytravel Risk Opinion System Credit Cards n/a X Spaceport Closure n/a X Covid-19 Safe Working – Transport Directly Operated Services Minor X Table 1
3.2 Review of Internal Audit Plan
3.2.1 Appendix A and B give a detailed breakdown of the Internal Audit Plans 2019-20 and 2020-21 respectively, showing the status of each item of audit work that was contained within the Plan as approved by the Committee in April 2019, or features Page 112 Page in the draft 2020-21 Plan.
Internal Audit Performance - LCRCA Page | 5
4. Corporate Systems
4.1 Background
4.1.1 10 of the audits completed in the period were of corporate systems that are provided by Merseytravel to both Merseytravel and LCRCA. Reporting of the outcomes from the audit work in these areas formally falls within the remit of the Merseytravel Audit, Risk and Governance Board, but as the LCRCA is a “recipient” of these services, the audit findings are also reported to the Audit and Governance Committee. This is to provide assurance that the risks associated with these are being managed effectively.
4.2 Organisational Risk Opinion
Page 113 Page 4.2.1 Four of these audits of Corporate Systems received an organisational risk opinion of “Minor” or “Negligible”, which means that a satisfactory level of assurance on the effectiveness of the internal controls reviewed can be derived, and that the risk presented to the organisation by the recommendations made is at a low level. An opinion is not provided in respect of Counter Fraud audits due to the nature of the work undertaken – there were two of these undertaken in the period.
4.2.2 Three audits were given audit opinions of “Moderate”, meaning that there were significant weaknesses detected, and that the risk presented to the organisation by the recommendations made is at a moderate level. These were: Building Security, Commissioning and Recruitment and Selection.
4.2.3 One audit was in draft at the time of writing.
4.3 Recommendations of Note
4.3.1 The audits finalised within the period identified eleven recommendations classed as “high priority”.
4.3.2 These recommendations are detailed in Table 2:
Internal Audit Performance - LCRCA Page | 6
Audit Title Recommendation Action Planned by Management Health and Safety The driver checks spreadsheet should be reviewed and Recommendation implemented any gaps or out of date information chased up. For any persons not supplying the information, the issue should be taken up with their line management, with one of the sanctions being stopping the member of staff from driving for work until compliance is achieved. Wallasey Stores The following Mainsaver permissions for Storekeepers Recommendation implemented should be removed:
Page 114 Page the ability to approve material requests for themselves, the ability to approve stock adjustments (Stock adjustments should be actioned by an Officer independent of the Stores). Storekeepers must be instructed not to issue stock Recommendation implemented without material request/works order. Storekeepers should be reminded to ensure that when Recommendation implemented cost prices change they are updated promptly on Stock Management System. Purchasing is reviewed to determine if efficiencies can Stores staff have been reminded about be made. The purchasing process must comply with responsibilities of following the the Constitution. Constitution Building Security A plan for carrying out security reviews within Mann Monthly inspection form has been Island should be produced and implemented. This is produced for future use. particularly pertinent as the building tenants and usage changes over time. The results of such reviews should be documented and appropriate actions taken to address any issues arising. All staff working at Mann Island should be advised to Recommendation implemented Internal Audit Performance - LCRCA Page | 7
Audit Title Recommendation Action Planned by Management wear ID passes without exception Written procedures for the opening and closing of the Recommendation implemented building should be documented and issued to all relevant staff. Treasury i) A Treasury Management Policy and Treasury The Treasury Management Practices are Management Management Practices must be compiled (in currently in draft, these will be completed accordance with CIPFA's "Treasury Management in the and approved by the Director of Corporate Public Services" Code of Practice and Guidance Note), Services. approved (expected to be by the Director of Corporate Services in accordance with the procedure currently documented within the Merseytravel Constitution) and implemented at the earliest convenience. Once Page 115 Page approved, the documents should be disseminated to all relevant staff.
ii) The Treasury Management section of the Constitution(s) should reflect the overarching framework in place, utilising the requirements set out in CIPFA’s Code of Practice: Treasury Management in the Public Services (it is acknowledged that advice will be sought from Legal to determine whether it is appropriate for such information is included within the Merseytravel Constitution). Recruitment and The process to ensure that omissions in respect of Awaiting Management Response Selection proof of identity, address and qualifications are followed up is reviewed to ensure that omissions are not overlooked. Supervisory checks should be periodically made to verify that the mandatory checks are being completed Checks on the currency of professional memberships Awaiting Management Response Internal Audit Performance - LCRCA Page | 8
Audit Title Recommendation Action Planned by Management or authenticity of qualifications should be undertaken on a sample basis and for specific posts (where a professional membership or qualification may be mandatory to the post) and the decision recorded on the recruitment file.
Table 2
4.3.3 The implementation of recommendations is subject to ongoing monitoring and where dates of agreed action have passed and confirmation of implementation has not been received, Internal Audit contacts managers to establish progress, confirm
Page 116 Page actions completed or agree revised implementation dates, if appropriate.
4.3.4 Table 3 provides a summary of progress in respect of the implementation of previous recommendations made in respect of corporate systems:
Internal Audit Performance - LCRCA Page | 9
Assurance Organisational Priority Date of oldest Audit Name Priority Required Advisory Completed In Progress Overdue Comment Rating Impact Overdue overdue 2017-18 Ethical Policy Framework Reasonable Medium 0 10 2 3 9 9 0 30.04.19 Extension requested and acceptable Offsite Document Archive Storage Limited High 3 16 4 23 0 Customer Feedback Reasonable Medium 1 14 2 17 0 Absence Management Reasonable Medium 0 5 6 11 0 Fleet Management Limited Medium 3 20 1 20 4 5 1 30.11.18 Extension requested and acceptable Investigation - A Procurement n/a n/a 0 4 3 7 0 Asset Register Reasonable Medium 0 2 3 5 0 Procurement Reasonable Medium 0 8 7 10 5 5 0 30.03.19 Extension requested and acceptable IT - Information Governance Reaasonable Medium 0 4 1 5 0 2018-19 Creditors & Cheque Control Reasonable Medium 0 9 1 6 4 4 0 31.03.20 No extension request received Main Accounting System - Income Reconciliation Reasonable Medium 1 8 3 6 6 6 0 31.03.20 No extension request received VAT Reasonable Medium 0 1 0 1 0 Delegated Decisions Reasonable Low 1 2 2 5 0 Gifts & Hospitality Reasonable Medium 0 11 0 11 0 Travel, Accommodation & Expenses Limited Medium 0 3 0 2 1 1 0 31.12.19 No extension request received Payroll Reasonable Medium 1 4 0 4 1 1 0 31.01.20 Extension requested and acceptable Mail Services Limited Medium 1 13 1 14 1 1 0 29.03.19 Extension requested and acceptable IT - Information Security Policies Satisfactory n/a 0 5 0 1 4 0 IT - Cyber Security Satisfactory n/a 3 10 0 7 6 6 1 30.09.19 Extension requested and acceptable IT - Network Management Satisfactory n/a 0 6 0 3 3 3 0 31.10.19 Extension requested and acceptable IT - E-mail Management Satisfactory n/a 0 4 0 4 0 Page 117 Page IT - Mobile Working Satisfactory n/a 2 7 1 8 2 2 2 30.09.19 Extension requested and acceptable IT - IT Asset Control (CMDB) Satisfactory n/a 0 6 0 6 1 1 0 31.03.20 Extension requested and acceptable Overdue against Organisational original Date of oldest Audit Name High Medium Advisory Completed In Progress High Comment Risk Opinion Implementation overdue Date 2019-20 Term Maintenance Contract Minor 0 7 0 7 0 Ancillary Income and Debt Recovery Minor 3 2 2 6 1 0 Building Tenancies Minor 1 4 2 5 2 2 0 31.12.19 Extension requested and acceptable Corporate Performance Management Moderate 0 11 0 0 11 6 0 27.12.19 Extension requested and acceptable PMO Moderate 0 10 1 1 10 4 0 30.06.20 Extension requested and acceptable Facilities Services Contract Minor 0 9 0 7 2 1 0 01.04.20 Extension requested and acceptable Telephone Monitoring Minor 0 5 0 4 1 0 Internet Monitoring Minor 0 2 0 0 2 0 Fast Tag Account Management Minor 1 1 1 1 2 1 0 01.07.20 Extension requested and acceptable Tunnels Toll Recording and Reconciliation Minor 0 4 0 2 2 0 Democratic Services Minor 0 3 2 0 5 1 0 30.06.20 Extension requested and acceptable Procurement Minor 0 1 0 0 1 0 Wallasey Stores Moderate 4 15 2 6 15 2 0 31.05.20 Extension requested and acceptable Health and Safety Minor 1 2 2 2 3 1 0 03.04.20 No extension request received Application Control Minor 0 2 0 2 0 Budget Monitoring Minor 2 2 1 0 5 0 Risk Management Minor 0 2 7 1 8 0 Building Security Moderate 3 7 2 7 5 0 Treasury Management Minor 1 0 2 0 3 0 Insurance n/a 1 0 0 0 1 0 Time & Attendance n/a 1 6 0 6 1 0 Procurement Cards n/a 1 5 2 7 1 0 Gifts & Hospitality n/a 1 4 0 2 3 3 1 30.06.20 Extension requested and acceptable Payroll Minor 0 1 0 0 1 0 Commissioning Moderate 3 3 0 0 6 0 Recruitment and Selection Moderate 2 9 1 0 12 0 Table 3
Internal Audit Performance - LCRCA Page | 10
4.3.5 Significant work has been undertaken with Heads of Service to encourage completion of outstanding recommendations, particularly those that are long-standing. This has generated engagement and has prompted fresh focus and action on progressing the issues, and consequently a number of recommendations have been closed during the period.
4.3.6 A number of recommendations have had their implementation dates revised, and these are shown in the Comments column in table 3 above. These movements have been the subject of discussions with internal audit, and the explanations provided were deemed to be reasonable. However, there will be ongoing attention paid to these recommendations to ensure that timely implementation occurs.
Page 118 Page
Internal Audit Performance - LCRCA Page | 11
5. Liverpool City Region Combined Authority: Specific Systems
5.1 Background
5.1.1 Four of the pieces of work completed in the period were of systems that are specific to LCRCA. From a governance perspective, these fall entirely within the remit of the Audit and Governance Committee and would not be routinely reported to the Merseytravel Audit, Risk and Governance Board.
5.2 Organisational Risk Opinion
5.2.1 An opinion is not provided in respect of Governance reviews due to the nature of the work undertaken.
Page 119 Page 5.2.2 The audit of Housing First was given an audit opinion of “Moderate”, meaning that there were significant weaknesses detected, and that the risk presented to the organisation by the recommendations made is at a moderate level.
5.3 Recommendations of Note
5.3.1 The Housing First audit identified five recommendation classed as “high priority”.
5.3.2 This recommendation is detailed in Table 4:
Audit Title Recommendation Action Planned by Management Housing First A Housing First Policy should be documented, detailing Awaiting Management Response the principles and priorities of the programme Performance expectations should continue to be Awaiting Management Response discussed with MHCLG to establish a realistic and achievable target Performance monitoring sheets should be fully Awaiting Management Response completed and accurately reflect the position of the programme
Internal Audit Performance - LCRCA Page | 12
Audit Title Recommendation Action Planned by Management The Housing First Eligibility Criteria process should be Awaiting Management Response formally documented and once implemented be applied consistently A robust method of recording expenditure and Awaiting Management Response monitoring personal budgets of individual service users should be established, so as to provide assurance that funding is being spent fairly and in line with the overall budget to achieve the intended outcomes of the scheme Table 4
Page 120 Page 5.4.2 The implementation of recommendations is subject to ongoing monitoring and where dates of agreed action have passed and confirmation of implementation has not been received, Internal Audit contacts managers to establish progress, confirm actions completed or agree revised implementation dates, if appropriate.
5.4.3 Table 5 provides a summary of progress in respect of the implementation of previous recommendations made in respect of corporate systems:
Organisational Audit Name High Medium Advisory Completed In Progress Overdue High Date Overdue Comment Risk Opinion Households into Work Minor 1 5 2 0 8 Housing First Moderate 5 3 1 0 9 SIF2 Assurance Framework Minor 0 1 2 0 3 Table 5
5.5 Grant Certification
5.5.1 In the period, the following grant claims were reviewed, so as to confirm compliance with grant conditions:
Internal Audit Performance - LCRCA Page | 13
Grant Name Number of Claims Audited Value Audited 2019-20 Q4 & 2020-21 Q1 (£) BEIS EU Exit Business Readiness Fund 1 403,000 Careers & Enterprise 4 196,852 Growth Hub 1 128,093 Low Energy Hub 2 183,937 Rural LEADER 1 74,479 SIF 5 688,232 SIF - Pre Development Funding 7 278,455 SIF - Skills 18 1,890,094 SIF - Transforming Cities Fund 2 67,640 TOTAL 41 3,910,782 Table 6
Page 121 Page
Internal Audit Performance - LCRCA Page | 14
6. Merseytravel: Specific Systems
6.1 Background
6.1.1 Six of the audits completed in the period were of systems that are specific to Merseytravel. From a governance perspective, these fall entirely within the remit of the Audit, Risk and Governance Board, but are also reported to the Audit and Governance Committee for information and in the interests of transparency.
Page 122 Page 6.2 Organisational Risk Opinion
6.2.1 Three of the audits of Merseytravel specific systems received an organisational risk opinion of “Minor” or “Negligible”, which means that a satisfactory level of assurance on the effectiveness of the internal controls reviewed can be derived, and that the risk presented to the organisation by the recommendations made is at a low level. An opinion is not provided in respect of Counter Fraud audits or the Annual Governance Statement review due to the nature of the work undertaken.
6.2.2 None of the audits were given audit opinions of “Moderate” or “Major”, meaning that there were no significant weaknesses detected. One audit was in draft at the time of writing
6.3 Recommendations of Note
6.3.1 The audits completed finalised in respect of Merseytravel specific systems within the period identified no recommendations classed as “high priority”.
6.3.2 The implementation of recommendations is subject to ongoing monitoring and where dates of agreed action have passed and confirmation of implementation has not been received, Internal Audit contacts managers to establish progress, confirm actions completed or agree revised implementation dates, if appropriate.
Internal Audit Performance - LCRCA Page | 15
6.3.3 Table 7 provides a summary of progress in respect of the implementation of previous recommendations made in respect of Merseytravel specific systems:
Assurance Organisational Audit Name Priority Required Advisory Completed In Progress Overdue Priority Date Overdue Comment Rating Impact 2017-18 Rail Concession Benefit Share Reasonable Medium 0 11 1 9 3 3 0 30.04.18 Extension requested and acceptable 2018-19 Vehicle Tracking System Reasonable Low 1 3 4 5 3 3 0 31.08.19 Extension requested and acceptable Beatles Story - Governance Reasonable Low 0 7 0 6 1 1 0 31.10.19 Extension requested and acceptable Travel Centres - Stock / Income Reasonable Medium 3 8 0 10 1 1 0 31.12.19 No extension request received Contact Centre Reasonable Low 3 4 2 8 1 1 1 31.12.19 Extension requested and acceptable Organisational Audit Name High Medium Advisory Completed In Progress Overdue High Date Overdue Comment Risk Opinion 2019-20 Rail Operators - Ticket Stock Control Minor 0 8 3 10 1 1 0 31.12.19 Extension requested and acceptable Catering Concession - Contract Management Minor 0 5 2 5 2 2 0 31.03.20 Covid related Street Furniture Contract Minor 0 1 1 0 2 2 0 13.02.20 No extension request received The Beatles Story - Admissions Minor 0 5 2 6 1 1 0 30.11.19 No extension request received Concessionary Travel Pass Applications Minor 0 4 0 3 1 0 Travel Centres - Income / Stock Reconciliation Minor 2 11 0 0 13 13 2 01.04.20 Extension requested and acceptable
Page 123 Page Rail Concession Agreements Annual Assessment - Merseyrail and LSP Minor 0 0 8 0 8 8 0 31.03.20 Extension requested and acceptable Bus Services - Development Negligible 0 0 1 0 1 1 0 31.03.20 No extension request received Bus Services - Contracts Minor 0 4 1 0 5 0 Rolling Stock - Manufacturing Minor 0 1 0 0 1 0 Organisational Audit Name High Medium Advisory Completed In Progress Overdue High Date Overdue Comment Risk Opinion 2020-21 Urban Traffic Control Contract Minor 0 2 0 1 1 0 0 Covid-19 Safe Working – Transport Directly Operated Services Minor 0 0 7 0 7 0 0 Table 7
6.3.4 Significant work has been undertaken with Heads of Service to encourage completion of outstanding recommendations, particularly those that are long-standing. This has generated engagement and has prompted fresh focus and action on progressing the issues.
6.3.5 A number of recommendations have had their implementation dates revised, and these are shown in the Comments column in table 5 above. These movements have been the subject of discussions with internal audit, and the explanations provided were deemed to be reasonable. However, there will be ongoing attention paid to these recommendations to ensure that timely implementation occurs.
6.4 Grant Certification
6.4.1 In the period, there were no Merseytravel grant claims received for review.
Internal Audit Performance - LCRCA Page | 16
7. Quality Assurance and Improvement Programme
7.1 Performance Update
7.1.1 The Public Sector Internal Audit Standards (PSIAS) require that the service maintains a Quality Assurance and Improvement Programme (QAIP) which includes a series of performance measures and associated targets.
7.1.2 Performance measures defined in the QAIP are also included within the Internal Audit Service Plan and are thus reported to Page 124 Page senior management in accordance with the corporate quarterly performance reporting process. This provides senior management oversight and scrutiny of performance and of any remedial actions required to meet identified targets.
7.1.3 Table 8 below details the performance measures and the results for the period:
Description and Purpose Target Actual Variance and Explanation Compliance with Public Sector Internal 100% 100% No variance Audit Standards (PSIAS) The results of self-assessment reveal that the This measures the extent to which the Internal service continues to “generally comply” with the Audit Service complies with the requirements Standards. All of the actions resulting from the self- set out in the Standards and the Local assessment undertaken during 2019-20 have been Government Application Note. completed – see section 8 of this report. Percentage of the Internal Audit Plan N/A N/A A target has not yet been set for delivery of the Plan 2020/21 completed in quarter 1, because of the knock-on effects of the This measures extent to which the Audit Plan pandemic and the hiatus in Internal Audit work in q4 is being delivered. The delivery of the Plan is of 2019-20. Once the Internal Audit Plan 2020-21 is vital in ensuring that an appropriate level of approved, a profiling exercise will be undertaken to assurance is being provided across the set targets for completion in each of the remaining organisation’s systems. quarters.
Internal Audit Performance - LCRCA Page | 17
Description and Purpose Target Actual Variance and Explanation Percentage of the Internal Audit Plan 100% 100% No variance 2019/20 completed The 2019-20 Plan has been completed. This measures extent to which the Audit Plan is being delivered. The delivery of the Plan is vital in ensuring that an appropriate level of assurance is being provided across the organisation’s systems. Percentage of recommendations made that 100% 100% No variance have been agreed to be implemented by Acceptance of recommendations is generally high. management This measures the extent to which managers feel that the recommendations made are Page 125 Page appropriate and valuable in strengthening the control environment. Percentage of client survey responses 100% 100% No variance indicating a "very good" or "good" opinion This measures the feedback received on the service provided, and seeks to provide assurance that Internal Auditors conduct their duties in a professional manner. Percentage of annual senior management 100% 98% Negligible variance survey responses indicating satisfaction Feedback was positive although response levels with the Internal Audit service provided were rather low. This measures the feedback received from Directors and Heads of Service on the service provided, and seeks to provide assurance that Internal Audit is adding value at a strategic level. Table 8
Internal Audit Performance - LCRCA Page | 18
7.2 Resources
7.2.1 At the last report to the Committee, it was noted that two members of the Internal Audit team left the service during Quarter 4 of 2019-20.
7.2.2 This was taken as an opportunity to restructure the service, and a modest restructure was approved by Merseytravel in June 2020. This comprised the refresh and harmonisation of role descriptions across the service, and also job evaluation of two posts, and the recruitment of one Principal Auditor. By focusing on creating additional resource to deliver audits, this creates
Page 126 Page a strong backbone to the team, focused on delivery. It is hoped that this will create a service that is fit for purpose and continue to build its positive reputation.
7.2.3 The recruitment exercise is being progressed, with an advertisement of the vacancy being undertaken at present.
Internal Audit Performance - LCRCA Page | 19
8. Fraud, Bribery and Corruption
8.1 CIPFA Code of Practice on Managing the Risk of Fraud and Corruption (2014)
8.1.1 The CIPFA Code of Practice on Managing the Risk of Fraud and Corruption is the key guidance document for the sector on managing fraud risk.
8.1.2 In the Counter-Fraud Update report presented to this Board at its October 2019 meeting, it was noted that a full review of the organisation’s compliance with the guidance had been undertaken, and that this had resulted in a number of action points, intended to raise compliance from 85% as this was assessed in the review, to full compliance. The following table gives an update on the progress being made to address the actions. It is positive to note that all actions are mostly implemented:
Page 127 Page Ref Action Implementation Progress Due Date 1 Update Counter Fraud and Corruption Policy and Strategy so as October 2019 Completed to include all relevant areas of the Code of Practice. Report this to Audit and Governance Committee and Merseytravel for approval and then publish to all staff via I4P. 2 Consider adding responsibilities for managing the risk of Fraud March 2020 Completed and Corruption to the Scheme of Delegation. Decision taken not to include with the Scheme of Delegation, but Constitution amendment has been made to clarify responsibilities. 3 Participate in International Fraud Awareness week in November November 2019 Completed 2019. 4 Deliver e-learning fraud awareness training to all staff, and March 2020 The fraud awareness e-learning monitor the take-up levels. was made available in June 2019. Reminders have been issued to staff to complete the
Internal Audit Performance - LCRCA Page | 20
Ref Action Implementation Progress Due Date training, and monitoring of take up levels continues. 5 Report to LCRCA re adoption of the Code of Practice and October 2019 Completed associated actions. 6 Review MRFG benchmarking exercise and participate as March 2020 Initial discussions taking place. appropriate. Explore opportunities to benchmark or undertake Relationships with Heads of joint working with other Mayoral Combined Authorities. Internal Audit in other Combined Authorities being developed. Page 128 Page 7 Consider running Fraud Risk Workshops within Departments, March 2020 Virtual sessions will be planned especially those where fraud risks have been identified as most post-pandemic. significant. 8 Review Fraud Risk Register and include actions to address October 2019 Completed as part of the fraud risks. Establish regime of regular updates, including Service Risk Register review. consideration of any new or emerging fraud and corruption risks. 9 Introduce fraud risks to Risk Module on MKinsight. October 2019 Underway – Risk Manager commenced in employment in March 2020 and this is part of her role. 10 Provide annual report on counter-fraud activity, including October 2019 Completed measuring progress against the Code of Practice self- assessment.
8.2 Fraud Plan
Internal Audit Performance - LCRCA Page | 21
8.2.1 The Internal Audit Plan 2020-21 includes 90 days for proactive counter-fraud work across both Merseytravel and the Combined Authority. It is also of note that key anti-fraud controls are also evaluated as part of a significant number of other audits within the Plan.
8.2.2 The Plan includes the following areas of focus:
Audit Title Audit Days Progress Report Fast Tag Account Management 10 Not yet commenced Tunnels Cash Toll Recording Q1 Completed Travel Centres - Income / Stock Reconciliation 10 Not yet commenced Debtors 10 Not yet commenced
Page 129 Page Staff Benefits 10 Commenced Creditors and Cheque Control 10 Not yet commenced Insurance Claims 10 Not yet commenced Mersey Ferries - Retail and Stock Reconciliation 10 Not yet commenced Spaceport Closure Q1 Completed Mersey Ferries - Ticketing and Admissions 10 Not yet commenced Credit Cards Q1 Completed Rail Operators - Stock Control 10 Not yet commenced Table 9
8.2.3 There is also a provision of 12 days in the Plan for the investigation of allegations of fraud or irregularity, and this has not been utilised during this quarter.
8.3 Fraud Risk Register
8.3.1 Given the increase in attempted fraudulent activity that is likely to proliferate during the pandemic, the Fraud Risk Register is under further review in conjunction with Heads of Service. This is with the objective of updating the risks held within the risk register so as to reflect new and emerging fraud risks associated with coronavirus, and to ensure that Heads of Service have acknowledged such risks in their planning and development of internal controls. Internal Audit Performance - LCRCA Page | 22
8.4 National Fraud Initiative (NFI)
8.4.1 The organisation participates in the National Fraud Initiative co-ordinated by the Cabinet Office. Data from the Payroll and Creditors systems are uploaded to the dedicated Cabinet Office website and are matched with data within and between participating bodies so as to identify potential frauds, overpayments and errors. On receipt of the results, the organisation has responsibility to follow up and investigate the matches. The main NFI data matching is undertaken every two years, the results of these matches is fed into a national report at the end of each cycle.
8.4.2 The next upload of data is due in October 2020.
Page 130 Page 8.5 Investigations
8.5.1 There have been no investigations undertaken by Internal Audit in the quarter.
8.6 Fraud Policy Framework
8.6.1 All fraud policies within the Policy Framework are current and up to date, and all have been issued to staff for them to read and acknowledge acceptance.
Internal Audit Performance - LCRCA Page | 23
9. Public Sector Internal Audit Standards (PSIAS)
9.1 Internal Assessment
9.1.1 The PSIAS Local Government Application Note (LGAN), the document which assists in translating the requirements of the Public Sector Internal Audit Standards into a local government setting, has been reviewed, and a refreshed document issued by CIPFA in February 2019. It is important to state that this document does not introduce new requirements emanating from the Standards but is more useful in assisting local authorities to assess their own compliance with the Standards.
9.1.2 At the last meeting, it was reported that an exercise had been undertaken to review and refresh the self-assessment of the service against the updated LGAN.
Page 131 Page 9.1.3 The self-assessment indicated 83% compliance with its requirements. Whilst this is still a very positive level of compliance, and still indicates that the service “generally complies” with the Standards. However, it is a reduction from the previous assessment undertaken in early 2018, when it was assessed that there was full compliance with the PSIAS, as all actions arising from the external assessment were deemed to have been implemented. This more prudent assessment is more reflective of the current level of compliance, and the huge amount of work done to modernise the service, developing an explicit risk focus and higher standards of work and reporting.
9.1.4 There were a number of actions arising from the self-assessment, and these fell into two categories – those felt to be essential to compliance with the PSIAS, and secondly, those felt to be improvements that could be made so as to continue the development of the service. The actions arising from the self-assessment, and the progress made to date are detailed in the following table. All actions are now completed.
Ref Action Implementation Progress Due Date 1 Complete the Assurance Mapping exercise. March 2020 Completed 2 Consulting Engagements need to be included, and March 2020 Completed adequately defined, within the Audit Manual.
Internal Audit Performance - LCRCA Page | 24
Ref Action Implementation Progress Due Date 3 Archived records that are past their retention period March 2020 Completed should be deleted. It is noted that such records are only accessible to the audit team. 4 Update QAIP document and Audit Manual to reflect December 2019 Completed 2019-20 performance indicators. Areas for Development 1 Ensure that the appointment to the Risk Manager post January 2020 Completed further enhances the safeguards relating to roles and responsibilities that fall outside of internal auditing. Page 132 Page 2 Embed the process of auditor and manager discussion March 2020 Completed re scope/most pertinent risks/available time budget; and pre-audit discussions with client to aid the process of scoping the audit review. 3 Enhance the process of discussing draft reports through March 2020 Completed embedding face-to-face meetings with the client. 4 Embed the Post-Audit Assessment in the team, so as to March 2020 Completed encourage ongoing improvement and development of the service, to support the Quality Assurance and Improvement Programme. Table 10
9.2 IASAB Guidance
9.2.1 Acknowledging the difficult circumstances presented by the Coronavirus pandemic for internal auditors, the Internal Audit Standards Advisory Board (IASAB) published guidance on how compliance with the Public Sector Internal Audit Standards should be maintained. The guidance suggests a number of actions, and these are detailed below, along with commentary on how each of these has been approached:
Internal Audit Performance - LCRCA Page | 25
IASAB Guidance Commentary Advise the audit committee and other key stakeholders in the Senior management has been kept informed of the governance process of the changes to the audit plan and operations operation of the Internal Audit team. of the internal audit team. A lengthy report is not required but the Reporting to Audit, Risk and Governance Board and Audit committee should be made aware. Brief but regular updates should be and Governance Committee resumed August and provided as the situation develops. September 2020 respectively.
Where internal audit staff are reassigned to undertake advisory or Advice and guidance has been provided in respect of consultancy work rather than assurance engagements then they developing systems but this is not considered to have should be made aware of the standards relating to consulting impinged on the assurance role. activities, if they are not already familiar with them.
Where internal audit staff are diverted into operational roles it should Not applicable- internal audit staff remained in their audit
Page 133 Page be made clear that for the duration that the staff are not operating as roles throughout. internal auditors. When staff return to their internal audit role, a review can be undertaken to see if any steps are necessary to address impairment to independence and objectivity (standard 1130).
Keep clear records of the changes to roles and plans. These will help Clear records have been maintained throughout. key stakeholders understand the revised arrangements and will help resolve any conflicts of interest later.
Remember the Mission of Internal Audit and act in accordance with it. Internal Audit staff have been reminded of the Mission and When the immediate crisis is over the head of internal audit should be the Head of Internal Audit has been keen to add value by able to demonstrate how the operation of internal audit has helped providing relevant advice and guidance throughout the fulfilment of the Mission. pandemic to date.
At all times Internal Auditors should comply with Government advice, Internal Audit staff have been reminded of the need to and that of their organisation, regarding health and safety during the “lead by example”. coronavirus pandemic.
Table 11
Internal Audit Performance - LCRCA Page | 26
9.3 External Assessment
9.3.1 It is a requirement of the PSIAS that the service must be subject to an external assessment of its compliance with the Standards every five years. The service was subject to such an external assessment (peer review validation of self- assessment) against the requirements of the Public Sector Internal Audit Standards (PSIAS) in June 2017.
9.3.2 The overall outcome of this assessment was that the service conforms to the PSIAS. The assessor’s report was submitted to this Board at its meeting on 24 November 2017. All actions arising from the report have subsequently been completed.
9.3.3 The internal assessment is kept updated until the next scheduled external review, which will take place in 2022.
Page 134 Page
Internal Audit Performance - LCRCA Page | 27
Appendix A: Internal Audit Plan 2019-20 Status Update
Entity Risk Auditable Area Corporate Status Risk Opinion LCRCA Merseytravel Level System Investment Models X Withdrawn - Deferred to 2020-21 Moderate SIF2 Assurance Framework X Final Report Issued Moderate Minor Mayoral Programme - Digital X Withdrawn - Deferred to 2020-21 Moderate Mayoral Programme - Tidal X Withdrawn - Deferred to 2020-21 Moderate Housing First X Final Report Issued Moderate Moderate Households into Work X Final Report Issued Moderate Minor Lessons Learned ESIF X Withdrawn Moderate Project Pipeline X Withdrawn - inc in SIF2 Assurance Framework Moderate LEP Governance Annual Review X Final Report Issued Moderate n/a LEP Risk and Control Review X Withdrawn - Deferred to 2020-21 Moderate Annual Governance Statement Review 2018-19 X Final Report Issued Moderate n/a Annual Governance Statement Review 2019-20 X Final Report Issued Moderate n/a Corporate Performance Management X Final Report Issued Major Moderate
Page 135 Page PMO X Final Report Issued Moderate Moderate Rolling Stock - Power Supply Upgrade X Final Report Issued Moderate Negligible Rolling Stock - Introduction into Service X Withdrawn - Deferred to 2020-21 Moderate Rolling Stock - Manufacturing X Final Report Issued Moderate Minor Payroll X Final Report Issued Moderate Minor Absence Management X Withdrawn Moderate Health and Safety X Final Report Issued Moderate Minor Recruitment and Selection X Final Report Issued Moderate Moderate Phone Monitoring X Final Report Issued Moderate Minor Internet Monitoring X Final Report Issued Moderate Minor Application Control X Final Report Issued Moderate Minor Vessel Maintenance X Withdrawn Moderate Facilities Services Contract X Final Report Issued Moderate Minor Wallasey Stores X Final Report Issued Moderate Moderate Term Maintenance Contract X Final Report Issued Moderate Minor Street Furniture Contract X Final Report Issued Moderate Minor Asset Register X Advice Provided Moderate n/a Service / Maintenance Contracts X Final Report Issued Major Minor Building Tenancies X Final Report Issued Moderate Minor Waste Management Contract X Final Report Issued Moderate Negligible Building Security X Final Report Issued Moderate Moderate Concierge & Portering Contract X Final Report Issued Minor Minor Tunnel Strategy X Withdrawn Moderate Frameworks X Withdrawn Moderate Bus Services - Contracts X Final Report Issued Major Minor Bus Services - Provider Failure X Final Report Issued Moderate Minor Bus Services - Development X Final Report Issued Moderate Negligible Supported Services - Dynamic Purchasing X Withdrawn Moderate
Internal Audit Performance - LCRCA Page | 28
Entity Audit Auditable Area Corporate Status Risk Level LCRCA Merseytravel Opinion System Bus - Alternative Delivery Models X Advice Provided Moderate n/a Bus Ancillary Contracts X Withdrawn - Deferred to 2020-21 Moderate The Beatles Story - Admissions X Final Report Issued Moderate Minor Business Continuity X Draft Report Issued Moderate tbc Fast Tag Account Management X Final Report Issued Moderate Minor Ancillary Income and Debt Recovery X Final Report Issued Moderate Minor Concessionary Travel Pass Applications X Final Report Issued Moderate Minor Mersey Ferries - Governance (MF Programme Board) X Final Report Issued Moderate Negligible Mersey Ferries - New Vessel X Withdrawn - Deferred to 2020-21 Moderate Travel Centres - Income / Stock Reconciliation X Final Report Issued Moderate Minor Tunnels Toll Recording and Reconciliation X Final Report Issued Moderate Minor Catering Concession – Contract Management X Final Report Issued Moderate Minor Electric Vehicle Charging Points X Withdrawn Moderate
Page 136 Page Rail Concession Agreements Annual Assessment - Merseyrail and LSP X Final Report Issued Moderate Minor NNLNNG - Maghull X Withdrawn Moderate Efficient Operator Review X Final Report Issued Moderate Minor Operator of Last Resort X Withdrawn - Deferred to 2020-21 Moderate Special Rail Grant X Final Report Issued Moderate Minor Rail Operators - Ticket Stock Control X Final Report Issued Minor Minor Debtors X Draft Report Issued Major Minor Main Accounting System X Withdrawn - inc in Budget Monitoring Major Creditors and Cheque Control X Final Report Issued Moderate Minor Treasury Management X Final Report Issued Moderate Minor Carbon Reduction Commitment X Final Report Issued Moderate Negligible Budget Monitoring X Draft Report Issued Moderate Minor Cashiers X Withdrawn Moderate Capital Programme X Withdrawn - Deferred to 2020-21 Moderate Concessionary and Prepaid Travel X Withdrawn Moderate Risk Management X Final Report Issued Major Minor Democratic Services X Final Report Issued Moderate Minor Insurance X Withdrawn Moderate Extensions to Contract X Withdrawn Moderate Variations to Contract X Withdrawn Moderate Commissioning X Draft Report Issued Moderate Moderate Procurement X Final Report Issued Moderate Minor Annual Governance Statement Review 2018-19 X Final Report Issued Moderate n/a Annual Governance Statement Review 2019-20 X Final Report Issued Moderate n/a Insurance X Final Report Issued n/a n/a Time & Attendance X Final Report Issued n/a n/a Procurement Cards X Final Report Issued n/a n/a Gifts & Hospitality X Final Report Issued n/a n/a
Internal Audit Performance - LCRCA Page | 29
Entity Audit Auditable Area Corporate Status Risk Level LCRCA Merseytravel Opinion System Patch and Vulnerability Management X Commenced n/a Third Party Access anagement X Draft Report Issued n/a Minor IT Service Continuity X Draft Report Issued n/a Minor Information Security Management (Subsidiaries) X Final Report Issued n/a Minor IT Service Management X Commenced n/a
Page 137 Page
Internal Audit Performance - LCRCA Page | 30
Appendix B: Internal Audit Plan 2020-21 Status Update
Risk Risk Auditable Area Entity Status Corporate Level Opinion LCRCA Merseytravel System Business Continuity Management Y Major Covid-19 PPN 02/20 and PPN 03/20 Y Moderate Covid-19 Future Innovation Fund Y Moderate Covid-19 Govt Funding Y Moderate Covid-19 Safe Working Govt Guidance - Transport Directly Operated Services Y Draft Report Issued Moderate Covid-19 Safe Working Govt Guidance - Asset Management Y Moderate Covid-19 Safe Working Govt Guidance - Office Based Services Y Moderate
Page 138 Page Grant Auditing Arrangements at Local Authorities Y Moderate Merseytravel Grant Assurance Y Ongoing Major LCRCA Grant Assurance Y Ongoing Major Risk Management Y Major Capital Programme Y Major Alternative Delivery Models Y Major Rolling Stock - TCIS Project Y Commenced Moderate Rolling Stock - Testing Programme y Moderate Rolling Stock - Train Lengthening Project y Moderate Investment Models Y Moderate Mayoral Programme - Digital Y Moderate Governance Assurance Statement 2020-21 Y Moderate Governance Assurance Statement 2020-21 Y Moderate Annual Governance Statement Review 2020-21 Y Moderate Annual Governance Statement Review 2020-21 Y Moderate LCRCA/MT Annual Governance Statement Review 2019-20 Y Completed Moderate n/a LCRCA/MT Annual Governance Statement Review 2019-20 Y Completed Moderate n/a SIF2 Assurance Framework Y Moderate ESIF Y Commenced Moderate Sustainable Urban Development Y Moderate Rail Concession Agreements (VFM) Y Moderate Housing First (VFM) Y Moderate LEP Governance Annual Review Y Moderate LEP Risk & Control Review Y Moderate
Internal Audit Performance - LCRCA Page | 31
Entity Risk Risk Auditable Area Corporate Status LCRCA Merseytravel Level Opinion System Mayoral Programme - Tidal Y Commenced Moderate Cycling and Walking (TCF) Y Moderate Adult Education Budget Y Moderate Transforming Cities Fund Y Moderate Procurement Y Moderate Urban Traffic Control Y Final Report Issued Moderate Minor Application Control Y Moderate CCTV Y Moderate Operator of Last Resort Y Commenced Moderate Payroll Y Moderate Beatles Story - Payroll Y Moderate Software Asset and License Management (FAST) Y Moderate Fast Tag Account Management Y Tunnels Cash Toll Recording Y Draft Report Issued Travel Centres - Income / Stock Reconciliation Y Debtors Y Staff Benefits Y Commenced Page 139 Page Creditors and Cheque Control Y Insurance Claims Y Commenced Mersey Ferries - Retail and Stock Reconciliation Y Spaceport Closure Y Draft Report Issued Mersey Ferries - Ticketing and Admissions Y Credit Cards Y Draft Report Issued Rail Operators - Stock Control Y
Internal Audit Performance - LCRCA Page | 32
Appendix C: Organisational Risk Opinions and Recommendation Priority Levels
Organisational Risk Opinions Recommendation Priority Levels
Major High The risks identified in the review could, if they materialised, The recommendation is essential to the management of risk have a major impact on the organisation as a whole. within the area under review.
Page 140 Page Moderate Medium The risks identified in the review could, if they materialised, The recommendation is important to the management of risk have a moderate impact on the organisation as a whole. within the area under review.
Minor Advisory The risks identified in the review could, if they materialised, The recommendation is a suggestion intended to enhance the have a minor impact on the organisation as a whole. existing management of risk within the area under review.
Negligible No risks were identified within the review.
Internal Audit Performance - LCRCA Page | 33
Agenda Item 12
LIVERPOOL CITY REGION COMBINED AUTHORITY
To: The Chair and Members of the Combined Authority Audit and Governance Committee
Meeting: 23 September 2020
Authority/Authorities Affected: Combined Authority/All Districts
EXEMPT/CONFIDENTIAL ITEM: No
REPORT OF THE HEAD OF INTERNAL AUDIT
LIVERPOOL CITY REGION COMBINED AUTHORITY INTERNAL AUDIT PLAN AND CHARTER 2020-21
1. PURPOSE OF REPORT
1.1 The purpose of this report is to provide the Liverpool City Region Combined Authority (LCRCA) Audit and Governance Committee with the updated Internal Audit Plan of work and Internal Audit Charter for 2020-21.
2. RECOMMENDATIONS
2.1 The Liverpool City Region Combined Authority Audit and Governance Committee is recommended to:
(a) Approve the Internal Audit Plan 2020-21 and
(b) Approve the Internal Audit Charter 2020-21.
3. BACKGROUND
3.1 So as to support the Committee in the discharge of its duties according to its Terms of Reference, the report details the proposed plan of internal audit work in respect of the Liverpool City Region Combined Authority for 2020-21. It also includes, in the interests of transparency, the planned work for Merseytravel, so that the Committee is fully sighted on the planned activities of the Internal Audit function during the forthcoming year. The report explains the detailed process of compilation of the Plan, using a risk-based approach, and highlights the key areas for consideration.
3.2 The report also provides the Internal Audit Charter for 2020-21 for the approval of the Committee. This document sets out the role, purpose and authority of Internal Audit, and highlights the ethical framework within which internal auditors work.
Page 141 3.3 Both documents are key requirements of the Public Sector Internal Audit Standards.
3.4 These documents were previously reported to the meeting of the Audit and Governance Committee on 11 March 2020, but as this meeting was not quorate, the item could not be approved. In addition, given the changes in the organisation’s risk profile as a result of Coronavirus, the Internal Audit Plan 2020-21 has been reviewed and updated.
4. RESOURCE IMPLICATIONS
4.1 Financial
There are no direct issues arising from this report.
4.2 Human Resources
There are no direct issues arising from this report.
4.3 Physical Assets
There are no direct issues arising from this report.
4.4 Information Technology
There are no direct issues arising from this report.
4.5 Programme Management Office (PMO)
There are no direct issues arising from this report.
5. RISKS AND MITIGATION
5.1 It is the responsibility of the LCRCA to establish effective arrangements for the management of risk. The Internal Audit Plan has been produced using a risk-based approach which facilitates targeting resource to those organisational areas of greatest risk.
5.2 Internal audit work is one strand of assurance regarding the effectiveness of the system of internal control and this can be utilised to inform the LCRCA’s view of organisational risk and its management.
6. EQUALITY AND DIVERSITY IMPLICATIONS
6.1 There are no direct issues arising from this report.
7. PRIVACY IMPLICATIONS
7.1 There are no direct issues arising from this report. Page 142
8. COMMUNICATION ISSUES
8.1 There are no direct issues arising from this report.
9. CONCLUSION
9.1 Internal Audit has produced a plan of work for the 2020-21 financial year, which concentrates on areas of most significant organisational risk, including the risks arising from Coronavirus, so as to contribute to the maintenance of an effective internal control environment and management of risk.
9.2 Internal Audit has also produced an Internal Audit Charter for 2020-21 which highlights the role of internal audit and how it will conduct its work.
LAURA A. WILLIAMS Head of Internal Audit
Contact Officer(s): Laura A. Williams, Head of Internal Audit tel: 0151 330 1764
Appendices: Appendix 1 – Internal Audit Plan and Charter 2020-21 Appendix 2 – Internal Audit Plan 2020-21 Appendix 3 – Internal Audit Charter 2020-21
Background Documents: None
Page 143 This page is intentionally left blank
LIVERPOOL CITY REGION COMBINED AUTHORITY AND MERSEYTRAVEL Page 145 Page
INTERNAL AUDIT PLAN AND CHARTER 2020-21
Audit and Governance Committee 23 September 2020
Laura A. Williams MA CPFA Head of Internal Audit
Contents
Page
1. Executive Summary 2
2. Plan Compilation and Principles 3
3. Organisational Context 4 Page 146 Page 4. Composition 5
5. Corporate Systems 7
6. Liverpool City Region Combined Authority: Specific Systems 10
7. Merseytravel: Specific Systems 12
8. Planned Developments 14
9. Internal Audit Charter 15
Internal Audit Plan and Charter 2020-21 Page | 1
1. Executive Summary
1.1 This report provides the Internal Audit Plan and Charter 2020-21 for the Liverpool City Region Combined Authority (LCRCA) and Merseytravel.
1.2 The Internal Audit Plan is a key requirement of the Public Sector Internal Audit Standards (hereafter referred to as “the Standards”) and is vital in demonstrating the Internal Audit service’s continued compliance.
1.3 The Plan demonstrates how internal audit resources will be used during the financial year so as to provide assurance on the effectiveness of the internal control systems in place in both organisations, so as to inform the Annual Report and Opinion of the Head of Internal Audit for 2020-21 for LCRCA and for Merseytravel.
Page 147 Page 1.4 Particular attention has been paid to ensuring that the Internal Audit Plan is reflective of the changing risk landscape of the organisation, including those risks arising from Coronavirus, and that it provides tangible added value in maintaining an effective system of internal control and management of risk. The Plan has a particular emphasis on the role Internal Audit can play at a strategic level. This has been achieved through consultation with relevant stakeholders.
1.5 The Internal Audit Charter sets out the role, purpose and authority of Internal Audit, and details the behaviours and values adopted by audit staff.
1.6 It is noted that the Internal Audit Plan 2020-21 was previously presented to the Audit and Governance Committee on 11 March 2020. As this meeting was not quorate, the Committee could not approve the report, although the members present indicated they were content with the report. Since that time, the Internal Audit Plan has been updated to reflect the new risks presented to the organisation by Coronavirus and also to reflect the impact of the pandemic on the Internal Audit team. The Internal Audit Charter is unchanged.
Internal Audit Plan and Charter 2020-21 Page | 2
2. Plan Compilation and Principles
2.1 The Standards state that the “Chief Audit Executive” must “establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organisation’s goals”. They refer to the need for the plan to reflect the assurance framework, risk management arrangements and input from management and “the board”.
2.2 In meeting this Standard, an extensive consultation exercise has been undertaken to identify potential areas for audit, comprising:
Review of the Corporate Risk Register and Transport Risk Register; Page 148 Page Review of Service Risk Registers; Review of Committee reports and decisions; Cumulative audit knowledge and experience; Findings and outcomes from previous audit work; Engagement with Heads of Service, Assistant Directors and Directors; Evaluation of the risks highlighted by the Internal Audit Plan 2019-20; and Identification and inclusion of key risks facing the organisation as a result of the Coronavirus.
2.3 An extensive risk assessment exercise took place so as to form an overall view on the level of organisational risk each area poses. By implementing a risk-based methodology, the Plan is intended to ensure that Internal Audit resource is used to concentrate on the most significant identified risks which may jeopardise the achievement of the corporate objectives, as detailed in the Business Plan. This has been updated during the year to date to encompass those new risks presented to the organisation by Coronavirus and to reflect the slow start to audit work during the year as a knock-on effect of the pause in work in the early part of the pandemic. Such a focus on risk is also intended to assist management in understanding the risks within their own service delivery areas, and to assist them in developing robust and resource-effective controls to mitigate these risks. This is intended to support the Corporate Behaviour “action focus” in assisting in the delivery of objectives.
Internal Audit Plan and Charter 2020-21 Page | 3
3. Organisational Context
3.1 The organisational context for the Internal Audit Plan is one of significant and fast-paced change. The organisational, financial, social, and economic impacts of the Coronavirus are significant, and coupled with ongoing uncertainty regarding government funding to support the organisation in these unprecedented circumstances, the organisation faces a host of new risks which must be managed effectively so as to facilitate delivery of the Devolution Deal. These circumstances have, however, highlighted a number of opportunities for the organisation to act as a catalyst for change, both in the way it operates internally and how it encourages development and growth within the City Region.
3.2 Key to ensuring delivery of the organisation’s responsibilities is the need to manage risk effectively, by establishing robust systems of internal control.
Page 149 Page 3.3 The Internal Audit Plan reflects these key challenges, recognising the need to ensure that the organisation is able to deliver with confidence during the challenging period that lies ahead. The Internal Audit Plan allocates time to advice and guidance and developing systems, so that assurance can be provided on the extent to which planned systems mitigate risk, coupled with reviews of the key systems and processes that will support delivery. This proactive involvement of Internal Audit at an early stage of system and project development has been stressed with Directors and Heads of Service as a key method in which Internal Audit can add value.
3.4 Feedback from Senior Officers has indicated a wish for Internal Audit to continue to focus on the value it can add at a strategic level. Therefore, the Plan reflects a heightened focus on audits of strategic importance, by aligning the plan closely with the most significant risks faced by the organisation, reflected in the Corporate Risk Register.
3.5 It is important to recognise that the key risks facing the organisation will also continue to evolve. In this context, the Internal Audit Plan must remain flexible so as to be able to adapt to and reflect the changing risk landscape of the organisation and to external factors such as a "second spike" of the virus. Therefore, it is likely, and indeed desirable that the Plan presented in this report will evolve and change throughout the year so as to keep pace with such changes.
Internal Audit Plan and Charter 2020-21 Page | 4
4. Composition
4.1 The Internal Audit Plan has been based upon 952.5 available audit days. This is following the deduction of bank holidays, annual leave, staff training and development, and management. There is also an additional 60 days provided by Salford Internal Audit Services for the provision of technical ICT audit, giving 1012.5 audit days in total.
4.2 The number of audit days available has reduced from the days available last year because of the delay in progressing the recruitment to the vacancy at Principal Auditor level and the knock-on effect of having a hiatus in audit work in late 2019/20 and during part of the first quarter of 2020/21, both as a result of the coronavirus pandemic.
Page 150 Page 4.3 The Plan is composed of the following key areas:
Plan Heading Desription Audit Days Total
Corporate Provides assurance relating to a system that has applicability across the 112.5 112.5 225 organisation – for example corporate governance, risk management, procurement, corporate planning and performance, ICT and financial systems. Service - Specific Provides assurance relating to systems that are specific to a particular service area. 125 157.5 282.5 Grant Assurance Discharging the requirement for Internal Audit review prior to grants being 45 30 75 recommended for payment. Counter-Fraud Proactive and reactive work to contribute to managing the organisation’s risk of 133 133 fraud. Work on corporate systems will include testing of LCRCA transactions Corporate Guidance and Providing input to key corporate projects and advising on developing systems and 59.25 69 128.25 Consultancy emerging risks. Audit Management Time spent by the Head of Internal Audit and Audit Manager reviewing outputs. 108.75 108.75 TOTAL AUDIT DAYS 462.25 490.25 952.5
Internal Audit Plan and Charter 2020-21 Page | 5
There is also an allocation of non-audit days for supporting the organisation, such as facilitating the system of risk management and insurance and corporate support such as administration of the Insight 4 Policies system, and annual leave, bank holidays and training.
4.4 The detailed Internal Audit Plan 2020-21 is shown at Appendix 2.
Page 151 Page
Internal Audit Plan and Charter 2020-21 Page | 6
5. Corporate Systems
5.1 There are a number of key systems which are largely provided by Merseytravel to both Merseytravel and LCRCA. Reporting of the outcomes from the audit work in these areas formally falls within the remit of the Merseytravel Audit, Risk and Governance Board, but as the LCRCA is a “recipient” of these services, the audit findings will also be reported to the Audit and Governance Committee so as to provide assurance that the risks associated with these are being managed effectively. Corporate Planning and Performance Management and the Programme Management Office are administered by the LCRCA but provide services to both organisations. This makes the Audit, Risk and Governance Board the primary body for the reporting of audits of these areas.
Page 152 Page 5.2 The main areas of note within the Internal Audit Plan 2020-21 are:
Corporate Governance This is the annual review of the organisation’s corporate governance arrangements, in accordance with the CIPFA/Solace “Delivering Good Governance in Local Government” (2016) so as to inform the Annual Governance Statements for both organisations.
Risk Management Review of the extent to which robust and effective arrangements for risk management have been embedded within the organisation, so as to optimise delivery of the objectives articulated in the Corporate Plan and supporting plans.
Procurement This is a key area for review as the activities of the organisation grow, and this work will seek to provide assurance on the extent to which goods and services procured are subject to procurement exercises where necessary.
Business Continuity The Coronavirus pandemic has placed the organisation’s business continuity arrangements under the spotlight. Work will be completed to review how the experience gained from the response to the pandemic has been utilised to improve the organisation’s system of business continuity management.
Internal Audit Plan and Charter 2020-21 Page | 7
Safe Working Guidance This work will review the processes that have been undertaken by the organisation to comply with the government guidance for safe working in respect of coronavirus in three key settings:
Transport Directly Operated Services – ferries, tunnels and hubs; Asset Management; and Office-Based Services.
Government Funding A review will be conducted of the additional funding provided by government to the CA and to Merseytravel to support its activities in the wake of the pandemic, and how this is being utilised to maximise the value derived. The scope and nature of this work will largely be defined by the quantum of funding and the associated grant conditions. Page 153 Page
ICT The ICT service provides services to both organisations. Technical ICT audit is provided via a contractual arrangement with Salford Internal Audit Services, which provides approximately 60 days of audit work based upon a specific risk assessment. Less technical areas such as the audit of application control are to be carried out by the in-house audit team.
Counter-Fraud There are two elements to the audit work in respect of counter-fraud – firstly, there is a provision of audit days for the investigation of allegations of fraud referred to Internal Audit. Secondly, there is proactive internal audit work to contribute to the prevention and detection of fraud, appraising the effectiveness of anti-fraud controls in place.
This work is informed by the fraud risks found within Service Risk Registers, such as misappropriation of funds; misuse of resources; procurement fraud; bribery and corruption of officers/members; recruitment fraud; and creditor fraud.
During this year’s Internal Audit Plan, this takes the form of reviews in respect of the following corporate systems, appraising transactions to examine for the risk of fraud:
Debtors; Internal Audit Plan and Charter 2020-21 Page | 8
Staff benefits; Creditors and cheque control; Insurance claims; and Credit cards.
Page 154 Page
Internal Audit Plan and Charter 2020-21 Page | 9
6. Liverpool City Region Combined Authority: Specific Systems
6.1 There are a number of systems that are specific to LCRCA. From a governance perspective, these fall entirely within the remit of the Audit and Governance Committee and would not be routinely reported to the Merseytravel Audit, Risk and Governance Board.
6.2 As the activities of the LCRCA continue to grow, there has been a commensurate increase in the audit time to be spent, rising from 411 in 2019-20 to 462.5 in 2020-21. The main areas of note within the Internal Audit Plan 2020-21 are:
Adult Education Budget This audit will examine the recently devolved system so as to provide assurance that this is being administered effectively.
Page 155 Page Housing First A more detailed review of this scheme, to examine effectiveness, outcomes and efficiency of the preferred model for delivery.
Strategic Investment Fund (SIF) A number of reviews are to take place, looking at how the Assurance Framework is supporting delivery of objectives following its refresh, a review of the types of financing vehicles used for SIF schemes, and a review of the arrangements for administering the Transforming Cities Fund.
Mayoral Projects A review of two key Mayoral Projects: Tidal and Digital. Reviews will be planned to coincide with key delivery milestones.
Local Enterprise Partnership (LEP) The annual review of governance, to coincide with and inform the annual statement provided by the Director of Corporate Services, as s73 officer, will be undertaken, alongside a substantive review on the operation of the LEP and its delivery arm under its revised governance arrangements.
Internal Audit Plan and Charter 2020-21 Page | 10
Covid-19 Future Innovation Fund Advice and guidance is being provided to the Investment Team in respect of the configuration of this Fund and the assurance arrangements, coupled with audit review of grant claims.
Page 156 Page
Internal Audit Plan and Charter 2020-21 Page | 11
7. Merseytravel: Specific Systems
7.1 There are a number of systems that are specific to Merseytravel. From a governance perspective, these fall entirely within the remit of the Audit, Risk and Governance Board, and would not be routinely reported to the Audit and Governance Committee. The main areas of note within the Internal Audit Plan 2020-21 are:
i. Counter-Fraud There is a provision of audit days for the investigation of any allegations of fraud relating to Merseytravel activities and officers referred to internal audit. There is also proactive internal audit work to contribute to the prevention and detection of fraud, by appraising the effectiveness of anti-fraud controls in place. This work is informed by the specific fraud risks in relevant Service Plans, which include ticket fraud; Concessionary travel applications; and Money Laundering.
Page 157 Page These risks also include the potential for the organisation to be a victim of fraud perpetrated by another individual or organisation. During this year’s Internal Audit Plan, this takes the form of reviews in respect of the following corporate systems, appraising transactions to examine for the risk of fraud, particularly in light of changes to working practices in light of the pandemic:
Fast Tag accounts; Travel Centres income and stock; Mersey Ferries income and stock; Tunnel Tolls income collection; Spaceport closure; Mersey Ferries ticketing and admissions; and Rail operators’ stock control.
ii. Specific Systems The Internal Audit Plan 2020-21 reflects the key risk areas that align to the systems administered by Merseytravel. These include:
Internal Audit Plan and Charter 2020-21 Page | 12
Bus Alternative Delivery Models Various strands to this audit activity are planned, including ad hoc attendance at meetings and providing advice and consultancy to the project, and substantive work to support the independent audit of the business case.
Rolling Stock A range of audits will be conducted throughout the year so as to evaluate the project at key stages of development.
Contract Management Reviews will be conducted of a number of contracts so as to ensure that these are being managed effectively so as to maximise contractor performance and outcomes, as well as value for money.
Page 158 Page Transport Schemes Reviews of projects forming part of Transforming Cities Fund bids, or predevelopment funding, are to be appraised during the year. This may overlap with the work on Government funding, as funding has already been provided to support cycling and walking schemes as part of encouraging transport modal shift as a feature of the pandemic recovery.
Internal Audit Plan and Charter 2020-21 Page | 13
8. Planned Developments
Quality Assurance and Improvement Programme (QAIP)
8.1 Key details of the outcomes of audit work will continue to be presented to every meeting of the Audit and Governance Committee and the Merseytravel Audit, Risk and Governance Board.
8.2 In addition, a suite of performance indicators will be used to measure the delivery of the Internal Audit Plan and the effectiveness of the work undertaken. This is a key part of ensuring that the service develops its quality and effectiveness as part of its Quality Assurance and Improvement Programme (QAIP), required by the Standards.
Page 159 Page 8.3 For 2020-21, the performance indicators and associated targets are:
Description and Purpose Target Compliance with the Public Sector Internal Audit Standards (PSIAS) 100% This measures the extent to which the results of internal assessment indicate that the Service retains its full compliance with the PSIAS. Percentage of the Internal Audit Plan 2020-21 completed 100% This measures the extent to which the Internal Audit Plan agreed by this Board is being delivered. The delivery of the Plan is vital in ensuring that an appropriate level of assurance is being provided across the organisation’s key risks. Percentage of Client Survey responses indicating a “very good” or “good” opinion 100% This measures the feedback received on the service provided and seeks to provide assurance that Internal Auditors conduct their duties in a professional manner. Percentage of annual senior management survey responses indicating satisfaction with the Internal Audit 100% service provided This measure the feedback received on the level of satisfaction amongst senior management, expressed during the annual satisfaction survey. Percentage of recommendations implemented within a reasonable timescale 100% This measures the extent to which managers feel that the recommendations made are appropriate and valuable in strengthening the control environment and also provides the Board with a view on how effective management action is in responding to recommendations. Internal Audit Plan and Charter 2020-21 Page | 14
9. Internal Audit Charter
9.1 In compliance with the Standards, Internal Audit is required to establish a Charter which sets out its role, purpose and authority.
9.2 This provides clarity and legitimacy to the role of Internal Audit in the organisation and assists the function in operating in line within an agreed framework.
9.3 The document acts as a guide for Internal Auditors in their daily work, but also assists officers and members in understanding what internal audit is and how it operates. The document includes a Code of Ethics which details the ethical behaviour and Page 160 Page standards auditors are required to demonstrate.
9.4 The Charter has been prepared so as to meet the Standards and incorporates all relevant requirements.
9.5 The Charter is shown at Appendix 3. This is reviewed and presented to this Committee on an annual basis.
Internal Audit Plan and Charter 2020-21 Page | 15
Entity Audit Title Assessed Level of Scope of Audit Audit Days Organisational Risk
CORPORATE MT Covid-19 PPN 02/20 and PPN MODERATE Review of the extent to which, and how, the items in the 10 03/20 two notes have been implemented, reviewing controls, potential risk exposure and fraud issues. MT Covid-19 Govt Funding MODERATE Review of various grant funding streams made available 10 by government to support the CA in the COVID response.
MT Covid-19 Safe Working Govt MODERATE Review of compliance with Government guidance on safe 10 Guidance - Office Based Services working in relation to office based services.
MT Business Continuity Management MAJOR Review of implementation of recommendations from the 10 Business Continuity review. CA Grant Auditing Arrangements at MODERATE Review roles of local authorities in auditing grants on 10 Local Authorities behalf of CA CA Risk Management MAJOR Review of the system operating in services of risk 15 management against the CIPFA guidance detailed in "It’s a Risky Business". CA Capital Programme MAJOR Review of system following planned system changes. 15
Page 161 Page CA Governance Assurance Statement MODERATE Statutory work under the Accounts and Audit Regulations 7.5 2020-21 CA Annual Governance Statement MODERATE Statutory work under the Accounts and Audit Regulations 7.5 Review 2020-21 CA LCRCA/MT Annual Governance MODERATE Statutory work under the Accounts and Audit Regulations Q1 Statement Review 2019-20 MT Governance Assurance Statement MODERATE Statutory work under the Accounts and Audit Regulations 7.5 2020-21 MT Annual Governance Statement MODERATE Statutory work under the Accounts and Audit Regulations 7.5 Review 2020-21 MT LCRCA/MT Annual Governance MODERATE Statutory work under the Accounts and Audit Regulations Q1 Statement Review 2019-20 Corp Procurement MODERATE Review of the procurement system to ensure compliance 10 with relevant guidance and legislation. Corp IT Application Control MODERATE Internal audit to review of application controls across a 30 range of key applications. Corp Payroll MODERATE Review of key controls in respect of the payroll system. 10 Particular focus on overtime. Corp Software Asset and License MODERATE Review of licencing arrangements for compliance. 5 Management (FAST) Corp IT Audit MODERATE Areas of focus to be confirmed by Salford Internal Audit 60 Services following meeting to discuss areas of risk.
225 SERVICE-SPECIFIC CA Covid-19 Future Innovation Fund MODERATE Advice on the developing system regarding the Innovation 10 Fund being made available to business to support them in recovering from COVID. CA Investment Models MODERATE Review of the control environment related to different 15 funding and investment models including loans or profit share. Entity Audit Title Assessed Level of Scope of Audit Audit Days Organisational Risk
CA Mayoral Programme - Digital MODERATE Reviews of key areas of control to align with key stages of 10 project delivery. CA SIF2 Assurance Framework MODERATE Parallel review to the one conducted in 2019-20, but 15 evaluating the impact of changes to the Assurance Framework on a sample of schemes. CA ESIF MODERATE Review of controls over ESIF schemes, to include testing 15 of a sample of schemes to verify existence of robust evidence. CA Housing First MODERATE Review of arrangements to appraise effectiveness, once 10 the operation's permanent arrangements have been established. CA LEP Governance Annual Review MODERATE Review to support the Director of Corporate Services, as 10 s73 officer of the accountable body for the LEP, regarding the governance and financial control arrangements for the LEP. CA LEP Risk & Control Review MODERATE Review of key aspects of the operation of the LEP, 10 following revision of its governance arrangements. CA Mayoral Programme - Tidal MODERATE Reviews of key areas of control to align with key stages of 10 project delivery.
Page 162 Page CA Adult Education Budget MODERATE Review of the process and payments made under the 10 devolved arrangements. CA Transforming Cities Fund MODERATE Review of data capture and record keeping. Potential to 10 extend to cover wider issues including review of projects in flight and in pipeline, and issues regarding overprogramming. MT Covid-19 Safe Working Govt MODERATE Review of compliance with Government guidance on safe 7.5 Guidance - Transport Directly working in directly-operated travel settings - eg Mersey Operated Services Ferries, Mersey Tunnels and Bus Stations. MT Covid-19 Safe Working Govt MODERATE Review of compliance with Government guidance on safe 10 Guidance - Asset Management working in relation to asset management services.
MT Bus Alternative Delivery Models MAJOR Support to the Bus Devolution project. 15 MT Rolling Stock - TCIS Project MODERATE Reviews of key areas of control to align with key stages of 15 project delivery. MT Rolling Stock - Train Lengthening MODERATE Reviews of key areas of control to align with key stages of 15 Project project delivery. MT Rolling Stock - Testing MODERATE Reviews of key areas of control to align with key stages of 15 Programme project delivery. MT Sustainable Urban Development MODERATE Proactive audit to review procedures ahead of an ERDF 10 audit of procurement in June/July. MT Rail Concession Agreements MODERATE Review of the payments made under the concession 15 (VFM) agreement. MT Bus Services - Contract MODERATE Review with an emphasis on payments and the process 10 Management (VFM) for service credits/penalties.
MT Cycling and Walking (TCF) MODERATE Review of schemes forming part of the TCF bid. 10 MT Urban Traffic Control MODERATE Audit to review the contracting/commissioning process Q1 carried out. MT CCTV MODERATE Review of coverage and control of CCTV in key locations. 10 Entity Audit Title Assessed Level of Scope of Audit Audit Days Organisational Risk
MT Operator of Last Resort/Operator MODERATE Review of the arrangements in the event that Merseyrail 15 Financial Sustainability has its concession withdrawn.
MT Beatles Story - Payroll MODERATE Review of the controls in place over the Payroll system 10 and arrangements at the Beatles Story. 282.5 GRANT ASSURANCE CA LCRCA Grant Assurance MAJOR Review of grant claims to ensure compliance with grant 45 conditions, prior to authorisation for payment. MT Transport Grant Assurance MAJOR Review of grant claims to ensure compliance with grant 30 conditions, prior to authorisation for payment. 75 COUNTER FRAUD MT Fast Tag Account Management Counter fraud review of controls in place over the process 10 for payment at the barrier, top ups and income reconciliation. MT Tunnels Cash Toll Recording Counter fraud review of controls in place over the Q1 collection of cash tolls MT Travel Centres - Income / Stock Counter fraud review of controls in place over stock and 10 Page 163 Page Reconciliation income reconciliation at Travel Centres. Corp Debtors Counter fraud review of controls in place over the 10 operation of the corporate credit cards. Corp Staff Benefits Counter fraud review of controls in place over usage and 10 eligiblity for Employee Loans, Professional Subscriptions, Walrus, and Fast Tag. Corp Creditors and Cheque Control Counter fraud review of controls in place over creditor 10 MODERATE payments. Corp Insurance Claims Counter fraud review of controls in place over insurance 10 claims. MT Mersey Ferries - Retail and Stock Counter fraud review of controls in place over the retail 10 Reconciliation operation, including coverage of stock reconciliation. MT Spaceport Closure Counter fraud review of controls in place over the Q1 disposal of assets at Spaceport. MT Mersey Ferries - Ticketing and Counter fraud review of controls in place over ticketing 10 Admissions and admissions to Ferries. Corp Credit Cards Counter fraud review of controls in place over the Q1 operation of the corporate credit cards. MT Rail Operators - Stock Control Counter fraud review of controls in place over the 10 processes for safeguarding tickets held at Merseyrail/Northern stations. Corp Counter Fraud Policy N/A Ensuring that the organisation's counter-fraud policy 5 Development framework is robust and up to date. Corp Fraud Awareness N/A Co-ordinating activity to ensure staff are aware of the risk 5 of fraud and their responsibility to be alert to this. Corp National Fraud Initiative Co- N/A Co-ordination of the Cabinet Office exercise to conduct 21 ordination data matching across the public sector. Corp Reactive Counter Fraud work N/A Investigation of allegations of fraud and irregularity when 12 required. 133 CORPORATE GUIDANCE AND CONSULTANCY Entity Audit Title Assessed Level of Scope of Audit Audit Days Organisational Risk
CA Consultancy and General Advice - Providing general advice on risk, internal control and risk 19 LCRCA management. MT Consultancy and General Advice - Providing general advice on risk, internal control and risk 14 Merseytravel management. CA Tunnel Tolls Innovation Advice on developing system. 5 MT Hydrogen Bus Advice/guidance and potential audit work on the 5 acquisition of hydrogen buses via the TCF bid. Areas may include to sit on governance board and also to carry out reviews in a similar way to Rolling Stock. MT Bus - Alternative Delivery Models Advice and guidance (including attendance at project 5 meetings). MT Supported Services - Dynamic Advice and guidance on developing system. 5 Purchasing CA Audit and Governance Committee Attendance and preparation for the Committee. 12
MT Audit, Risk and Governance Board Attendance and preparation for the Committee. 12 Page 164 Page
LIVERPOOL CITY REGION COMBINED AUTHORITY AND MERSEYTRAVEL
Page 165 Page
INTERNAL AUDIT CHARTER 2020-21
Contents
Page
1. Purpose 2
2. Definitions 3
3. Public Sector Internal Audit Standards 6
4. Responsibilities of Internal Audit 7
Page 166 Page 5. Independence of Internal Audit 8
6. The Head of Internal Audit 9
7. The Scope of Internal Audit 10
8. Appendix A: Internal Audit Code of Ethics 14
1. Purpose . Introduction The purpose of the Internal Audit Charter is to define internal audit‟s purpose, authority and responsibility. It establishes internal audit‟s position within Liverpool City Region Combined Authority (LCRCA) and Merseytravel and defines the scope of internal audit activities.
This Charter also covers the arrangements for the appointment of the Head of Internal Audit and internal audit staff, and identifies the professionalism, skills and experience required.
This Charter will be appropriately updated following any changes to the Public Sector Internal Audit Standards (hereafter referred to as “the Standards”) issued in June 2017 or internal audit‟s operating environment and, as a minimum, will be reviewed by the
Page 167 Page Head of Internal Audit and presented to the LCRCA Audit and Governance Committee and Merseytravel Audit, Risk and Governance Board on an annual basis.
The requirements of an Internal Audit Charter are defined in the Public Sector Internal Audit Standards at Standard 1000: Purpose, Authority and Responsibility.
The Charter must:
• define the terms „board‟ and „senior management‟ for the purposes of internal audit activity • cover the arrangements for appropriate resourcing • define the role of internal audit in any fraud-related work; and • describe safeguards to limit independence or objectivity if internal audit or the Head of Internal Audit undertakes non-audit activities.
2. Definitions
The Standards define Internal auditing is as “an independent, objective assurance and consulting activity designed to add value and improve an organisation‟s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes”.
The Standards require that the Internal Audit Charter defines the terms „board‟ and „senior management‟ in relation to the work of internal audit. For the purposes of internal audit work, the „board‟ refers to the LCRCA Audit and Governance Committee, and the Merseytravel Audit, Risk and Governance Board which assume responsibility for overseeing the work of internal audit in the respective organisations. The senior management team refers to the Directors.
Page 168 Page The Head of Internal Audit fulfils the Chief Audit Executive (CAE) role as defined by the Standards.
Mission of Internal Audit
The Standards define the Mission of Internal Audit as follows:
“To enhance and protect organisational value by providing risk-based and objective assurance, advice and insight”
Core Principles of Internal Audit
The Standards also include ten Core Principles of Internal Audit, as follows:
Demonstrates integrity Demonstrates competence and due professional care Is objective and free from undue influence (independent) Aligns with the strategies, objectives, and risks of the organisation Is appropriately positioned and adequately resourced Demonstrates quality and continuous improvement Communicates effectively
Provides risk-based assurance Is insightful, proactive, and future-focused Promotes organisational improvement.
The Standards require that the Charter defines various terms and the identity of these bodies needs to be stated in relation to the work of internal audit.
The Board
For the purposes of internal audit work, the „Board‟ refers to the LCRCA Audit and Governance Committee and Merseytravel Audit, Risk and Governance Board which assume the role of the Board as defined by the Standards and are responsible for overseeing the work of internal audit.
Page 169 Page The Boards provides an independent and high level review of the audit, assurance and reporting arrangements that underpin good governance and financial standards.
They provide independent review of the Authority‟s governance, risk management and control frameworks and oversee the financial reporting and annual governance processes. They help to ensure efficient and effective assurance arrangements are in place.
Senior Management
The Authority‟s senior management team is the Directors, including the Head of Paid Service, Treasurer (Section 73 Officer) and Monitoring Officer, (collectively defined in the Constitution as the Statutory Officers).
Chief Audit Executive
The Head of Internal Audit fulfils the Chief Audit Executive (CAE) role, as defined by the Standards.
Internal Audit arrangements within the Authority
The Treasurer is responsible for ensuring appropriate internal audit arrangements are established and maintained.
Page 170 Page
3. Public Sector Internal Audit Standards
Any appointed internal audit function of the Authority is required to comply with the standards. The Relevant Internal Audit Standard Setters, which includes the Chartered Institute of Public Finance and Accountancy (CIPFA), adopted the standards with effect from 1 April 2013. These Standards replaced the CIPFA Code of Practice for Internal Audit in Local Government in the United Kingdom 2006 (“The Code”). The standards encompass the mandatory elements of the Chartered Institute of Internal Auditors (CIIA) International Professional Practices Framework (IPPF).
The Standards were subject to review and update in April 2017 and can be accessed via the following link:
Public Sector Internal Audit Standards (April 2017) Page 171 Page
Compliance with the Standards is mandatory and must be subject to both internal and external assessment.
CIPFA has developed a Local Government Application Note (LGAN) as the sector-specific requirements for compliance with the Standards within Local Authorities and other relevant public sector bodies, including Combined Authorities. This consists of an extensive self-assessment, which facilitates consistent interpretation of the Standards within the public sector environment and enables compliance with the requirements of the Standards.
The Head of Internal Audit must undertake a self-assessment on a regular basis. An external assessment or validation of the self-assessment must also be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organisation. The results of these assessments will be reported to the Audit and Governance Committee and Audit, Risk and Governance Board.
4. Responsibilities
The internal audit function is responsible for establishing procedures and applying the required resources to ensure that the service conforms to the Mission Statement and Definition of Internal Auditing, the Core Principles and the Standards. All members of the internal audit team must also demonstrate conformance with a Code of Ethics, which is attached at Appendix A.
The Head of Internal Audit must deliver an annual report and opinion that are used to inform the Authority‟s Annual Governance Statement. The annual internal audit opinion must conclude on the overall adequacy and effectiveness of the organisation‟s framework of governance, risk management and control. This is the „assurance role‟ of internal audit.
Page 172 Page Internal audit may also provide an independent and objective consultancy service, which is advisory in nature and generally performed at the specific request of senior management. The aim of the consultancy service is to help senior management to improve the Authority‟s‟ risk management, governance and internal control arrangements.
The Authority‟s Treasurer is required to ensure that appropriate arrangements are made for the provision of an internal audit service. This includes the approval of this Charter by the Audit and Governance Committee and Audit, Risk and Governance Board.
Senior Management has a responsibility to respond promptly to audit plans, reports and recommendations, where appropriate.
Responsibility for monitoring and ensuring the implementation of agreed recommendations rests with management and is monitored by Internal Audit and reported to the Audit and Governance Committee and Audit, Risk and Governance Board.
.
5. Independence of Internal Audit
The internal audit activity must be independent and internal auditors must be objective in performing their work. The Head of Internal Audit must confirm the organisational independence of the internal audit activity, at least annually. Internal audit has no operational responsibilities within the line management structure.
Any operational (non-audit) activities undertaken by the Head of Internal Audit or a member of the Internal Audit team will be recorded and any conflict of interest declared to ensure that the independence of future internal audit work in respect of the activity is not compromised.
Any real or perceived conflicts are considered and recorded at the commencement of each internal audit engagement.
Page 173 Page
6. The Head of Internal Audit
The Treasurer must be satisfied that the Head of Internal Audit has sufficient skill, experience and professional competence to work with Senior Management and the Audit Committee to influence and inform the risk management, governance and internal control arrangements of the Authority.
The Head of Internal Audit is responsible for ensuring that the members of the Internal Audit team possess the appropriate knowledge, skills, qualifications and experience to deliver the Internal Audit Plan and to meet the requirements of the Standards. The Head of Internal Audit will hold a full, professional qualification, defined as CCAB, CMIIA or equivalent professional membership and adhere to professional values and the Code of Ethics.
Page 174 Page The Head of Internal Audit reports directly to the Treasurer. The Head of Internal Audit, or an appropriate representative of the internal audit team, attends all meetings of the Audit and Governance Committee and Audit, Risk and Governance Board unless, exceptionally, the Audit and Governance Committee or Audit, Risk and Governance Board decides that they should be excluded from either the whole meeting or from particular agenda items.
The Head of Internal Audit shall have an independent right of access to the Chairs of the Audit and Governance Committee and Audit, Risk and Governance Board, if required. In exceptional circumstances, where normal reporting channels may be seen to impinge on the objectivity of the audit, the Head of Internal Audit may report directly to the Chair of the Audit and Governance Committee or the Audit, Risk and Governance Board.
Internal Audit will co-operate with and assist the appointed External Auditors, who are invited to attend all meetings of the Audit and Governance Committee and Audit, Risk and Governance Board.
7. Scope of Internal Audit
The Head of Internal Audit should develop and maintain a process for providing the Treasurer with an objective evaluation of, and opinions on, the effectiveness of the Authority‟s risk management, governance and internal control arrangements. Internal Audit‟s activities should be undertaken effectively and efficiently. The annual Internal Audit Plan will be risk based, prepared in consultation with relevant officers and be presented to the Audit and Governance Committee and Audit, Risk and Governance Board for approval. The opinions of the Head of Internal Audit are drawn from the outcomes of internal audit work and are a key element of the framework of assurance needed to inform the completion of the Annual Governance Statement (AGS).
Opinion Work
The internal audit activity must evaluate and contribute to the improvement of governance, risk management and control Page 175 Page processes using a systematic, disciplined and risk-based approach.
Internal Audit‟s planned work is determined through an annual strategic risk assessment and planning process, from which Annual Audit Plans are produced and subject to approval by the Audit and Governance Committee and Audit, Risk and Governance Board.
The Internal Audit Plan is sufficiently flexible to reflect the changing risks and priorities of the organisation, and is subject to ongoing review and update during the year to ensure that it is fit for purpose and adds value to the Authority.
Internal Audit must be able to clearly demonstrate that its scope of work reflects the Authority‟s corporate objectives and assurance needs, therefore strategic internal audit planning activity will consider the Authority‟s priorities, funding streams, risk assessment processes and defined assurance and governance requirements.
Governance
Internal audit must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
promoting appropriate ethics and values within the City Region; ensuring effective organisational performance management and accountability; communicating risk and control information to appropriate areas of the Authority; and co-ordinating the activities of and communicating information to the Audit and Governance Committee, Audit, Risk and Governance Board, external audit, internal auditors and senior management.
Risk Management
Internal audit must evaluate the effectiveness of, and contribute to, the improvement of risk management processes by:
ensuring significant risks are identified and assessed when scoping audit work; and Page 176 Page ensuring that audit recommendations are appropriate to address key risk areas identified.
Internal Control
Internal audit must assist the organisation in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organisation‟s governance, operations and information systems regarding:
achievement of the organisation‟s strategic objectives; reliability and integrity of financial and operational information; economical, effective and efficient use of resources; effectiveness and efficiency of operations and programmes; safeguarding of the Authority‟s assets and interests from losses of all kinds, including those arising from theft, fraud, irregularity, corruption or bribery; and compliance with laws, regulations, policies, procedures and contracts.
The Head of Internal Audit must ensure appropriate internal audit arrangements are in place in respect of partnership or joint working arrangements.
Non-Opinion and Assurance Work
Non-opinion work includes the review of partnership arrangements, where appropriate and the provision of assurance on the legitimacy of payment / grant claims. Internal Audit also undertakes assurance work in respect of regulatory compliance and facilitates the production of relevant policy documentation. In addition, the service may provide, at the request of management, a consultancy service which evaluates policies, procedures, systems and operations put in place by management.
The Head of Internal Audit must consider the effect on the opinion work before accepting consultancy work or management requests over and above the contingency allowed for in the Internal Audit Plan. Approval would be sought from the Audit and Governance Committee and/or Audit, Risk and Governance Board for any significant additional consulting services not already included in the Internal Audit Plan prior to accepting the engagement, if it is deemed that undertaking this work could compromise delivery of the agreed Internal Audit Plan or annual audit opinion. The Head of Internal Audit must consider if consultancy work
Page 177 Page contributes towards the overall annual opinion.
Fraud, Bribery and Corruption
Managing the risk of fraud is the responsibility of line management. The Treasurer has specific responsibilities in relation to the detection and investigation of fraud and may request Internal Audit to assist with the investigation of suspected fraud or corruption. Internal audit should be notified of all suspected or detected fraud, corruption or impropriety, to inform its opinion on the control environment and the audit plan.
The Treasurer and Head of Internal Audit will ensure that the Authority is seeking to ensure appropriate governance and operational arrangements in place to counter fraud and corruption, in accordance with the (non-statutory) requirements of the CIPFA Code of Practice on Managing the Risk of Fraud and Corruption (2014). Compliance with the Code and ongoing actions to achieve compliance will be reported to the Audit and Governance Committee, and Audit, Risk and Governance Board as appropriate.
Reporting
The Head of Internal Audit will present a formal report annually to Senior Management and the Audit and Governance Committee and the Audit, Risk and Governance Board giving an opinion on the overall adequacy and effectiveness of the Authority‟s
framework of governance, risk management, and internal control. This report will conform to the Standards, and will provide a summary of the work to support the opinion. It will be timed to support the production of the Annual Governance Statement. Reports of progress against the planned work will be presented to the Audit and Governance Committee and Audit, Risk and Governance Board on a quarterly basis during the year, in accordance with the requirements of Internal Audit‟s Quality Assurance and Improvement Programme (QAIP).
Internal Audit Access Rights
Where necessary in the conduct of their work, designated auditors are entitled to require and receive:
access to all records, documents and correspondence relating to any financial or other relevant transactions, including Page 178 Page documents of a confidential nature access at all reasonable times to any land, premises and officer of the Authority, or officers acting on behalf of the Authority the production of any cash, assets or other property of the Authority under an officer‟s control explanations concerning any matter under investigation.
Internal Audit Resources
If the Head of Internal Audit or the Audit and Governance Committee/Audit, Risk and Governance Board considers that the level of audit resources or the terms of reference in any way limits the scope of Internal Audit, or prejudice the ability of internal audit to deliver a service consistent with the Definition of Internal Auditing and the Standards, the Statutory Officers should be advised accordingly.
APPENDIX A INTERNAL AUDIT CODE OF ETHICS Requirements
In accordance with the Public Sector Internal Audit Standards (“the Standards”), internal auditors in UK public sector organisations must conform to a Code of Ethics.
If individual internal auditors have membership of a professional body, then he or she must also comply with the relevant requirements of that organisation.
The purpose of the Code of Ethics is to promote an ethical culture in the profession of internal auditing. A Code of Ethics is
Page 179 Page necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about risk management, control and governance.
The Code of Ethics includes two essential components:
1. Principles that are relevant to the profession and practice of internal auditing; and
2. Rules of Conduct that describe behaviour norms expected of internal auditors.
These rules are an aid to interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal auditors.
The Code of Ethics provides guidance to internal auditors serving others. The term „Internal auditors‟ refers to members of recognised Professional Bodies (e.g. CIPFA, CIIA) and those who provide internal auditing services within the definition of internal auditing.
The Code of Ethics also takes into consideration the relevant Principles of Internal Audit, as defined by the Standards as follows:
Demonstrates integrity
Demonstrates competence and due professional care Is objective and free from undue influence (independent) Aligns with the strategies, objectives, and risks of the organisation Is appropriately positioned and adequately resourced Demonstrates quality and continuous improvement Communicates effectively Provides risk-based assurance Is insightful, proactive, and future-focused Promotes organisational improvement
Page 180 Page Further information on the Nolan Principles can be accessed via the attached link:
https://www.gov.uk/government/organisations/the-committee-on-standards-in-public-life
Applicability and Enforcement
This Code of Ethics applies to both individuals and entities that provide internal auditing services. Disciplinary procedures of professional bodies and employing organisations may apply to breaches of this Code of Ethics.
Integrity
Principle 1: The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgement.
Rules of Conduct:
Internal Auditors:
Shall perform their work with honesty, diligence and responsibility Shall observe the law and make disclosures expected by the law and the profession
Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organisation Shall respect and contribute to the legitimate and ethical objectives of the organisation.
Competency
Principle 2: Internal auditors apply the knowledge, skills and experience needed in the performance of internal auditing services.
Rules of Conduct:
Internal Auditors:
Page 181 Page Shall engage only in those services for which they have the necessary knowledge, skills and experience Shall perform internal auditing services in accordance with the International Standards for the Professional Practice of Internal Auditing Shall continually improve their proficiency and effectiveness and quality of their services.
Internal auditors who work in the public sector must also have regard to the Committee on Standards of Public Life‟s Seven Principles of Public Life (the “Nolan Principles”):
Selflessness Integrity Objectivity Accountability Openness Honesty Leadership.
Objectivity
Principle 3: Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgements.
Rules of Conduct:
Internal Auditors:
Page 182 Page Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organisation Shall not accept anything that may impair or be presumed to impair their professional judgement Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.
Confidentiality
Principle 4: Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
Rules of Conduct:
Internal Auditors:
Shall be prudent in the use and protection of information acquired in the course of their duties Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organisation.
Internal Audit seek to promote robust ethical standards throughout the organisation, and recognise the importance of an appropriate ethical framework and ethical capability, encompassing principled leadership and governance, clear lines of accountability and informed and transparent decision making. This reflects the suggested measures outlined by the Committee on Standards in Public Life.
Page 183 Page This page is intentionally left blank Agenda Item 13
LIVERPOOL CITY REGION COMBINED AUTHORITY
To: Audit and Governance Committee
Meeting: 23 September 2020
Authority/Authorities Affected: None
EXEMPT/CONFIDENTIAL ITEM: No
REPORT OF THE HEAD OF INTERNAL AUDIT
RISK MANAGEMENT UPDATE
1. PURPOSE OF REPORT
1.1 The purpose of this report is to provide an update in respect of the system of corporate risk management and the activity that has been undertaken in embedding this system during the fourth quarter of 2019-20 and first quarter of 2020-21. This encompasses presenting the updated Corporate Risk Register for noting.
2. RECOMMENDATIONS
2.1 It is recommended that the Audit and Governance Committee:
(a) Notes the progress made in embedding the system of corporate risk management into the organisation;
(b) Approves the updated Risk Management Policy; and
(c) Notes the refreshed Corporate Risk Register.
3. BACKGROUND
3.1 So as to support the Committee in the discharge of its duties according to its Terms of Reference, the report details the key activities undertaken so as to embed the system of corporate risk management. The report highlights the following key points:
the developments in respect of the Corporate Risk Register, presenting the fully refreshed Corporate Risk Register for noting by the Committee; the impact of the Coronavirus pandemic on the organisation’s risk profile; development of Service Risks; and the plans to embed risk management further into the organisation.
4. RESOURCE IMPLICATIONS Page 185
4.1 Financial
There are no direct issues arising from this report.
4.2 Human Resources
There are no direct issues arising from this report.
4.3 Physical Assets
There are no direct issues arising from this report.
4.4 Information Technology
There are no direct issues arising from this report.
4.5 Programme Management Office (PMO)
There are no direct issues arising from this report.
5. RISKS AND MITIGATION
5.1 The implementation of an effective system of corporate and service risk management will support the organisation in the delivery of its objectives, by identifying threats that may jeopardise their achievement and maximising opportunities as they arise. The contents of this report give a narrative on the progress being made to establish and maintain such a system.
6. EQUALITY AND DIVERSITY IMPLICATIONS
6.1 There are no direct issues arising from this report.
7. PRIVACY IMPLICATIONS
7.1 There are no direct issues arising from this report.
8. COMMUNICATION ISSUES
8.1 There are no direct issues arising from this report.
9. CONCLUSION
9.1 The organisation continues to make positive progress in embedding a more robust and effective system for the management of risk. The most significant development in the period is the review of the Corporate Risk Register by Directors so as to take account of the significant impact of the Coronavirus pandemic. Page 186
LAURA A. WILLIAMS Head of Internal Audit
Contact Officer(s):
Laura A. Williams, Head of Internal Audit tel: 0151 330 1764
Appendices: Appendix A - Risk Management Update Appendix B – Risk Management Policy Appendix C - LCRCA Corporate Risk Register
Background Documents: None
Page 187 This page is intentionally left blank
RISK MANAGEMENT UPDATE
Page 189 Page
Audit and Governance Committee 23 September 2020
Laura A. Williams MA CPFA Head of Internal Audit
Contents
Page
1. Introduction 2
2. Corporate Risk Register 3
3. Service Risk 5
Page 190 Page 4. Embedding Effective Risk Management 6
Risk Management Update Page | 1
1. Introduction
1.1 The purpose of this report is to provide a summary of the Combined Authority‟s risk management activity for the fourth quarter of 2019-20 and the first quarter of 2020-21.
1.2 It is prepared for the Audit and Governance Committee and its purpose is to facilitate the Committee in discharging its obligations as defined in its Terms of Reference: “to review the Combined Authority‟s financial affairs, internal control, corporate governance arrangements and risk management”. It is also intended to assist in continuing the progress made to date in embedding effective strategic and operational risk management into the organisation.
1.3 The report covers:
Page 191 Page the developments in respect of the Corporate Risk Register and its review; the impact of the Coronavirus pandemic on the organisation‟s risk profile; development of Service Risks; and how effective risk management is being embedded further into the organisation.
Risk Management Update Page | 2
2. Corporate Risk Register
2.1 The Corporate Risk Register is reviewed by Directors on an ongoing basis so as to ascertain that:
The risks identified are still pertinent and the risk details and consequences still accurate; The control measures are still in place and working, and reflect any new or additional controls that have been implemented; The risk scoring identified is still considered an accurate representation; The actions identified are still the right ones, and progress is being made; Any new or emerging risks are captured; and Page 192 Page Risks that are reducing in score are identified and de-escalated to service risk registers as necessary.
2.2 In this period, the risk profile of the organisation has, in common with other organisations, changed as a result of the Coronavirus pandemic. The most significant changes to the risk landscape have meant that the review of the Corporate Risk Register has resulted in some additional risks. These are:
The register has been updated to reflect the four new priorities set out in the recently published Business Plan.
An additional dimension has been added to risk CA1 (Failure to achieve the required outputs associated with prioritising and managing the resources and responsibilities associated with the City Region‟s devolution deal), highlighting the risk of clawback of government funding should any project end dates not align with funding parameters. The score has also been increased from 20 to 25 to reflect the increased likelihood of the clawback / loss of funding as a result of the increased focus on funding conditions as a result of the national financial situation arising from the pandemic.
The score of risk CA2 (Lack of sustainable funding mechanism to support the achievement of Mayoral priorities, maintain capacity and resilience and manage the external funding portfolio associated with the City Region‟s devolution deal) has been increased from 15 to 20, in light of the increased likelihood arising from the pandemic funding pressures.
Risk Management Update Page | 3
Risk CA7(Failure to maximise LCRCA's opportunities to have a positive impact on air quality and to improve air quality across the City Region particularly in light of the recovery from the pandemic) has been expanded to include the opportunity risk arising from the pandemic recovery.
Risk CA9 (Information Governance breach or cyber-attack) has had its score increased from 15 to 20 as a result of the heightened risk of cyber-attack resulting from the pandemic.
Two new risks have been suggested for inclusion, and these relate to transport operator liquidity (CA13) – which has been initially scored at 25 and failure to carry out housing predevelopment work (CA14) – which has been initially scored at 20.
Page 193 Page 2.3 The Corporate Risk Register is shown at Appendix C.
Risk Management Update Page | 4
3. Service Risk
3.1 Each Head of Service maintains a risk register that identifies those risks to the achievement of the corporate objectives that have a residual risk score of 15 and below. These registers are now circulated on a quarterly basis to ensure that the risks remain adequately controlled and updated accordingly, and more frequent consideration within services is encouraged.
3.2 An extensive exercise has been underway to review and update the Service Risks, so as to ensure that there is clarity regarding the level and ownership of risks and ensures that there is no duplication of risks held at service level and those at Page 194 Page corporate level. Heads of Service are also being encouraged to consider the recording of opportunities as so to maximise the benefits in achieving the objectives detailed in the Business Plan.
3.3 Service risks have been reviewed so as to ensure that these are aligned with the new considerations arising as a result of the pandemic, and there is also an ongoing exercise to re-align risks with the refreshed Service Plans produced as a result of the publication of the Business Plan.
Risk Management Update Page | 5
4. Embedding Effective Risk Management
4.1 In embedding a system of effective risk management into the organisation, it is important that the progress made to date continues. A key element of this is that the Senior Leadership Team drives and owns the process of risk management and most importantly, uses this to inform decision-making. This will ensure that management of risk contributes positively to the improvement of the control framework and keeps risk under control as far as possible, so facilitating the achievement of the organisation‟s objectives. It is positive that the Directors have engaged with this process and have used the Director meeting effectively as a forum for the discussion of risk matters and the update of the risk register.
4.2 The Risk Management Policy has been reviewed and updated, and is attached at Appendix B. This takes on board the recommendations made in the Internal Audit review of Risk Management. The key changes to the Policy are:
Page 195 Page The Risk Management Policy now summarises the role of the members of the Risk Group as Risk Champions nominated from each service area to give more clarification on how their role can assist in further embedding the risk management process throughout the organisation.
The revised policy has also been updated to reflect the potential to consider opportunities that can maximise the benefits in achieving corporate objectives.
The Risk Management Practical Guidance and the risk register template has been modified to include target risk and risk treatment and these areas of the process will be developed over the coming months.
4.3 During 2019-20, Internal Audit conducted a review of the organisation‟s risk management arrangements. The overall opinion for this work was a Minor organisational risk, and there were a number of recommendations made, these are detailed in the table below:
Risk Management Update Page | 6
Recommendation Agreed Action Due Date Progress Update The process of considering risks as Opportunities are to be 31 March 2021 The Risk Management Policy has already opportunities, as well as threats, should included in the next update been reviewed and opportunities are now to be continue to be developed (aligning to the of the Risk Management considered as part of the risk identification organisation‟s evolving risk appetite) and Policy, scheduled for March process. Risk training is also encouraging subsequently articulated and communicated 2021. officers to consider opportunities. via the Risk Management Policy.
Continued promotion and publicising of the These actions will be 30 September The Risk Management Policy has now been Risk Management Policy should be undertaken in the period 2020 refreshed and will be circulated following undertaken (particularly following the following approval of the approval by Merseytravel and the Audit and approval of the refreshed Policy; due to be updated Risk Management Governance Committee. first reviewed by Audit and Governance Policy.
Page 196 Page Committee on 11 March 2020), which could include:
confirming dissemination of the Policy by members of the Risk Group; extending dissemination of the Policy to Managers (in addition to Directors, Assistant Directors, Heads of Service) via the Insight 4 Policies system; and considering inclusion as an item within the weekly corporate communication email.
Utilising recent sessions with Heads of Development to risk 31 December Development of the risk appetite continues and Service and Directors, the organisation appetite to continue with 2020 will be followed up with Directorates by the should now formalise and articulate how risk the report to Directors due Risk Manager over the forthcoming months. appetite will be utilised. The potential to link April 2020 and followed up risk appetite to risk scoring also exists. by the Risk Manager in the Implementation will likely be achieved over forthcoming months, as she the „longer-term‟; hence in the „shorter-term‟, undertakes risk sessions an update should be provided to Directors to with Directorates. outline the steps to be taken and likely time- scales.
Risk Management Update Page | 7
i) Discuss with Audit, Risk and Training to be suggested to 30 September We are currently in the process of recruiting an Governance Board the possibility of the Audit and Governance 2020 Independent Member for the ARG Board. undertaking some form of risk Committee following new Once this position is filled, the proposed management training with the group, and elections to membership training will take implemented. if agreed, provide such training during (May 2020) and to the 2020/21; and Audit. Risk and Governance Board ii) Discuss with Audit and Governance following the induction of During 2020/21 no Member induction has been Committee the possibility of undertaking the Risk Manager. undertaken due to the postponement of the some form of risk management training May 2020 elections. Induction training will now (essentially „refresher‟ training for some be timetabled for May 2021. Members) during 2020/21, following the May 2020 elections (potentially as part of the Member Induction process).
Page 197 Page To further enhance the consideration of Contact will be made with 30 November A review of the report template is underway risk(s), a review should be undertaken of how Democratic Services to 2020 and the Risk Manager will work closely with the existing „Risks and Mitigation‟ section of explore opportunities for colleagues to ensure that the risks within the Report Template (when reporting to a guidance to be built into the committee reports are being considered. relevant committee) is being utilised. This report template and/or could include determining whether: associated guidance. Modern.Gov will be updated accordingly and risks are genuinely being considered; access to review reports will be granted to the support, or improved guidance, is required Risk Manager. for report authors (e.g. note included in Modern.gov); and the Risk Manager should be assigned as a "reviewer" within Modern.gov.
Risk Management Update Page | 8
As part of the process of updating Risk Risk sessions to be 31 December The risk registers have been reviewed to Registers across the organisation (following undertaken by the Risk 2020 reflect the Business plan published in July the update to the Corporate Plan and Manager to support and 2020. Risk sessions have commenced and associated Service Plans), continued support develop this process within include Housing First, Transport Recovery should be provided, including the potential to Services and Directorates. Group and a further session has been review and confirm clear link exists between delivered for the Internal Audit Team. objectives and risks.
The use of risk workshops should continue, One of the key tasks of the 31 March 2021 Risk sessions have commenced and include with the potential for the new corporate Risk Risk Manager will be Housing First, Transport Recovery Group and Manager to promote (either directly or via the facilitate risk workshops, a further session has been delivered for the Risk Group) and facilitate such sessions and this additional capacity Internal Audit Team. within directorates. will mean a wider offer of
Page 198 Page such can be made.
i) It should be determined whether it would Recommendation agreed. 31 March 2021 A further column has been added to the Risk be useful to include, within the Risk This will be considered as Register template, included within the Risk Register template, a section referencing part of the next update of Management Policy. how a particular risk is to be managed the Risk Management (i.e. Tolerate / Transfer / Terminate / Policy, due March 2021. Treat – n.b. more than one of these options may be utilised in relation to a risk). This may also aid discussion and decision making relating to control measures.
ii)It would also be prudent to advocate the Outcomes, lessons learnt, and good practice usefulness of retaining evidence/details of have been added as Standing Items on the discussions held and how options to manage Risk Group agenda. This will also be a risk have been discussed, evaluated and incorporated to future training workshops and have potentially evolved (this should also be risk sessions. useful when evaluating good practice processes and/or lessons learned).
Risk Management Update Page | 9
The Risk Group should be requested to This is to be added as a 31 March 2020 Recommendation implemented. support the discussion and dissemination of standing agenda item for all any examples of risk management good forthcoming meetings. This practice. A decision should be taken as to will be supported by an whether to include this as a standing Risk item at the April meeting Group meeting agenda item. summarising the role of members of the group in disseminating information to their respective Departments.
4.4 Internal Audit continues to play a vital role in facilitating the system of risk management. Key strands of activity in the period
Page 199 Page have been:
Convening the second and third meetings of the Risk Group, a group focused on risk and governance matters. The Terms of Reference for the Group have now been agreed and are included within the Risk Management Policy at Appendix B; Presentation of the biannual report to Directors on Risk Management, presenting the risk appetite actions for discussion and the Corporate and Transport Risk Registers for review, focusing particularly on the risks arising from the Coronavirus pandemic; Facilitating the review of service risks by Heads of Service, updating these for risks arising from the Coronavirus pandemic and also ensuring alignment with delivering the Business Plan; Providing corporate support in respect of risk management across the organisation; and Over 40 staff were trained in risk management, in sessions facilitated by the organisation‟s insurers.
4.5 During March 2020, the Risk Manager commenced in post. Natasha Bryan joined the organisation from Wigan Council, where she was in a similar role. Natasha holds the Institute of Risk Management qualification and has many years‟
Risk Management Update Page | 10
experience in the field. This has already proved to be a positive appointment in giving the organisation dedicated support in the area of risk management.
4.6 The quarterly reports to this Committee will continue to give a full overview of the progress being made in delivering the activities above, and the effectiveness of these actions in increasing the level to which effective risk management arrangements are embedded into the organisation.
Page 200 Page
Risk Management Update Page | 11
Risk Management Policy
Document Owner Internal Audit Document Version 0.3 Approved By Audit and Governance Committee: 23 September 2020 Merseytravel: 19 August 2020
Review Date March 2021
This document is the property of LCRCA/Merseytravel. It may not be reproduced or used for any other purpose than that for which it is supplied without the written permission of LCRCA/Merseytravel.
Uncontrolled when printed – for latest version, please check One Place
Page 201
Contents
Page
1. Introduction 2
2. Objectives 2
3. Responsibilities 2
4. Risk Management Process – Practical Guidance 6
Stage 1: Identification of Risks 6 Stage 2: Evaluation of Risks 7 Stage 3: Addressing Risks 8 Stage 4: Risk Review and Reporting 9
5. Appendices
A: Risk Group: Terms of Reference 12 B: Scoring Risk Impact 14 C: Scoring Risk Likelihood 15 D: Risk Register Template 16
Risk Management Policy | 1 Page 202
1. Introduction
Risk is defined as “the effect of uncertainty on the achievement of objectives, where effect is any deviation from the expected – positive or negative”. (ISO 31000)
Any large and complex organisation faces a range of risks that may affect the achievement of its defined objectives. These risks have varying levels of likelihood of materialising and of impact to the organisation and its stakeholders if these did materialise. Therefore, the effective management of risk and opportunities is a key component of an organisation that is effective in meeting its defined objectives.
Risk Management is the process by which risks and potential opportunities are identified, evaluated and controlled.
LCRCA/Merseytravel recognises the importance of effective risk management as a key element of its performance and governance framework. It is the responsibility of LCRCA/Merseytravel to ensure that it establishes and maintains a system that provides the organisation with assurance that there is accountability and ownership of the key risks that the organisation faces, maximises the achievement of its objectives, and ensures that good governance can be demonstrated.
2. Objectives
The objectives of this Policy are to:
Embed risk management into the culture and operations of the organisation Promote risk management as an integral part of business planning and decision making and performance management Maintain an effective process of key risk identification, analysis and control Anticipate and respond to changing requirements whether political, economic, social, technological, legislative or environmental (PESTLE) Ensure that there is clear accountability for both the ownership and cost of risk and the tools used to effectively reduce risk Improve governance and raise awareness of the need for risk management by all those connected with the organisation’s delivery Demonstrate how effective risk management can improve delivery of organisational objectives and increase resilience.
3. Responsibilities
Head of Paid Service /Director General Has overall responsibility for LCRCA/Merseytravel’s risk management arrangements. This involves being the corporate sponsor for risk management, and ensuring that the system of corporate risk management is effective, consistently applied and embedded into the organisation.
Risk Management Policy | 2 Page 203
Directors Directors have responsibility for identifying and managing the most significant risks to corporate objectives. They will ensure that these are reflected in the Corporate Risk Register, which will be considered and reviewed on a regular basis. They will ensure that appropriate controls and actions are in place so as to control and manage the corporate risks for which they have responsibility, and for those service risks which sit within their area of responsibility.
Assistant Directors/ Heads of Service Assistant Directors/Heads of Service have responsibility for identifying and managing the risks to service objectives. They will ensure that these are reflected in the relevant Service Risk Register, which will be considered and reviewed on a regular basis. They will ensure that appropriate mitigations and actions are in place so as to control and manage the risks which sit within their area of responsibility. They are responsible for establishing sound systems of internal control within their service areas.
Assistant Directors/Heads of Service must notify the Head of Internal Audit of any significant changes in business activity that may impact on insurance provision, so as to ensure that appropriate and adequate insurance is in place.
Any decision submitted through the Delegated Decisions system or a Committee report (via the Modern.gov system) must include appropriate consideration of risk and implications associated with the proposed decision, so as to demonstrate the consideration of risk in decision-making.
Risk Group The Risk Group is the key forum for the consideration of opportunities and risks facing the achievement of the Corporate/Business Plan. It sets the tone for corporate risk management and uses this to drive improvement in delivery of corporate objectives. This group’s Terms of Reference are detailed at Appendix A.
Project/Programme Managers When an officer is managing a project/programme, it is their responsibility to ensure that adequate consideration is given to the management of the risks that threaten the delivery of the project/programme, and that effective controls are in place so that these are managed. Such risks and opportunities should be captured within a Project Risk Register, and which should be reviewed with appropriate regularity throughout the project lifecycle.
Programme Management Office (PMO) The Programme Management Office supports Project/Programme Managers in the delivery of projects/programmes, and assists them in identifying and assessing the risks that could jeopardise the delivery of the projects/programmes, and in facilitating the planning of controls and actions to minimise the likelihood of such risks materialising, and/or their impact if they did materialise. The risk management methodology used by the PMO is being developed, but will follow the principles outlined in this document.
Risk Management Policy | 3 Page 204
Managers Managers should understand their role in the risk management process, and the benefits of effective risk management. It is their responsibility to assist their Head of Service in the management of relevant service risks and opportunities through maintaining an effective system of internal control and through undertaking any actions assigned to them in the management of specific service risks.
Risk Champions Risk Champions should represent their service area and report on any issues and make recommendations to the Risk Group on any action required to enhance the effectiveness of the risk management process. They should be a catalyst for embedding the risk management process into corporate business processes within their service area and provide feedback from the Risk Group to their service on any key risks or opportunities that may affect their service area. They should also support in the development and maintenance of both the Corporate and Service Risk Registers and report on any risks or opportunities in relation to partnerships, shared services and key projects that may have an impact on the Authority’s key objectives.
All Employees All employees have responsibility for complying with the defined internal controls designed to minimise risk and for being aware of the risks that they encounter in their day to day roles.
Combined Authority Meeting This group has overall oversight of the governance and risk management arrangements for the Combined Authority, and has responsibility for approving its Risk Management Policy.
Merseytravel Meeting This group has overall oversight of the governance and risk management arrangements for Merseytravel, and has responsibility for approving its Risk Management Policy.
LCRCA Audit and Governance Committee Merseytravel Audit, Risk and Governance Board Both fora have responsibility for the monitoring and review of the effectiveness of risk management arrangements and overseeing the continued development of these arrangements. This will be chiefly implemented as reviewing the relevant aspects of the Corporate Risk Register, so as to obtain assurance that the risks identified as most significant threats to the achievement of objectives are being managed and controlled effectively.
Both fora will monitor progress in addressing any risk related issues reported to it, including those identified through Internal Audit reports.
Internal Audit Service Internal Audit, specifically the Risk Management function within it, has responsibility for facilitating the system of risk management, and ensuring the continued development of the system so as to maximise its effectiveness. This comprises:
Risk Management Policy | 4 Page 205
Compilation of the Risk Management Policy Facilitating the process of risk review and reporting Promoting the embedding of effective risk management processes into the normal business processes of the organisation. Advising on how to treat and manage risks Providing training on risk Helping to improve risk management through advising and supporting the identification of current and emerging risks.
Internal Audit is responsible for monitoring the effectiveness of risk management arrangements, through delivery of the Internal Audit Plan. The work of Internal Audit in assessing the effectiveness of LCRCA/Merseytravel’s management and control of risk will inform the Head of Internal Audit’s Annual Report and the Annual Governance Statement (AGS).
So as to preserve the independence of Internal Audit, it is important to note that its role will not comprise: Dictate or influence risk identification, scoring or risk appetite Acting to mitigate or control risks.
Risk Management Policy | 5 Page 206
4. Risk Management Process: Practical Guidance
The following diagram highlights the three key stages of the risk management process:
Identification of risks / opportunities Assessment of risks / opportunities Addressing risks / opportunities
Overview of the Risk Management / Assurance Process:
DIAGRAM 1
Source: It’s a Risky Business (CIPFA, 2014)
STAGE 1: Identification of Risks or Opportunities
The first stage in the process is to identify the risks that threaten the identification of the organisation’s objectives. Risks can be identified in various ways, including through formal risk workshops, planning sessions or often, these emerge “naturally” through business as usual. The identification of risks should not be seen as a one off exercise, and once an initial identification exercise has been undertaken, this should be updated on an ongoing basis so as to ensure that the risks identified are still reflective of those facing the organisation.
Risk Management Policy | 6 Page 207
The identification and accurate framing of risks is crucial to the success of the process that follows, and so this stage should receive sufficient attention to ensure it is comprehensive.
The following Risk Wheel identifies the main risk categories which can be used as prompts during the identification process:
Health and Service Safety Disruption/ Reliability
Financial Performance Loss/Cost
Legislative and Regulatory Reputation
Key factors to consider when identifying a risk or opportunity:
Be specific in framing what the risk is Be clear on how the risk may impact the achievement of objectives – which objective is under threat Think about the different facets of the risk and how the risk may affect a number of objectives or impact across a wider area of the business Where risks have a wider applicability, consult colleagues so that the risk can be framed to take account of cross-cutting issues.
STAGE 2: Evaluation of Risks or Opportunities
The first part of evaluating a risk is to be clear on the consequences if the risk was to materialise. This should include clear reference to the objective which would be compromised by the materialisation of the risk. This should also include other consequences such as “negative media attention” or “legal challenge”, which may be knock-on effects of the objective not being met.
The risk should then be allocated an owner. Ownership should sit with the officer in the organisation who has the appropriate level of control over the management of the risk. Risks should sit at Director level (for corporate risks), Head of Service level (for service risks) or Project/Programme Manager level (for project/programme risks). So as to promote accountability, a single post should be named as the owner, rather than a group of people.
Risk Management Policy | 7 Page 208
The third stage is to score the “inherent risk” for its likelihood and impact. This relates to the likelihood of the risk materialising, and its impact if it was to materialise, without any controls or mitigating actions having being applied. This helps to give a view of the “raw” risk prior to the organisation having taken any action to minimise it. Both aspects are allocated a score between 1 and 5, and one is multiplied by the other to give a total inherent risk score out of 25. Guidance on scoring impact and likelihood is provided at Appendix B and C respectively.
Whilst the inherent risk score identifies the likelihood and impact of the risk if it was to materialise without the implementation of controls, it is highly unlikely that this reflects the actual position. With the potential exception of very new or emerging risks, it is likely that the organisation will have implemented one or a number of control measures to reduce the likelihood of the risk materialising and/or the impact if it was to materialise. Controls are defined as “any action taken by management, the board or other parties to manage the risk and increase the likelihood that established objectives and goals will be achieved.”
The next stage of the evaluation process is to identify what control measures the organisation has already put in place. It is important that the controls listed genuinely relate to the risk under consideration, and that the control is actually in place and is effective – i.e. controls that are planned to be implemented should not feature at this stage. Again, it is important to be specific in detailing the controls. Assurances that have been received that indicate the effective operation of a control should be available to demonstrate that it is fulfilling its intended purpose – inspection reports, customer feedback or internal audit reports are examples of such assurances.
The implementation of effective controls should serve to reduce the risk score associated with the risk. This is the residual risk score – the likelihood and impact if the risk should materialise. The implementation of controls which do not reduce these scores should lead to questions of the reason for resources having been expended on it – controls consume resources and should be proportionate to the risk they are intended to mitigate. The risk is now rescored, using the same criteria (as detailed in Appendix C and D) to evaluate its likelihood and impact now that controls have been applied. Again, one score is multiplied by the other so as to give a total residual risk score out of 25.
The final assessment stage is to identify the target risk, this is where all control measures are in place there are no other controls that could be implemented. The risk would now be acceptable, provided the risk remains within the corporate risk appetite. The risk is once again re-scored, using the same criteria (as detailed in Appendix C and D) to evaluate its likelihood and impact now that all controls have been applied. The same multiplier is applied to give a total target risk score out of 25.
STAGE 3: Addressing Risks or Opportunities
Once the risk has been given a residual risk score, thought can be given to the treatment of the risk, and where actions that can be taken to reduce the impact and/or likelihood further. The residual risk score assists management in prioritising resources to mitigate risks. There are four main options for treatment of a risk:
Risk Management Policy | 8 Page 209
Terminate – can an activity be discontinued so that the risk is eliminated? This usually applies to risks with very high residual scores. Treat – can the risk be mitigated by the application of controls? Tolerate – can the risk be accepted? This usually applied to risks with very low residual scores. Transfer – can the risk be transferred to another party? It is rare that a risk can be fully transferred, but a significant element could be transferred via insurance, for example.
The relevant treatment option should then be recorded on the Risk Register in the appropriate column.
An organisation’s risk appetite is the level of risk that it is prepared to tolerate without putting in place further risk mitigation or controls. LCRCA/Merseytravel may accept that a risk exists and that to put in place further measures to reduce that risk is not possible, practical or cost effective.
It may be that it is felt that the risk has been reduced as much as possible or that any remaining actions to be taken are unpalatable or unfeasible – for example they may consume more resource than is worthwhile, considering the impact if the risk materialised.
In most cases, however, a set of actions can be agreed that would have a beneficial effect on the risk’s impact and/or likelihood, and do not exceed the cost of the risk being realised. The actions should be defined in a SMART way – specific, measurable, achievable, relevant and timely. A responsible officer should be assigned to each of the actions, and this should be a person who has the autonomy to implement the action. A due date, by which the action will be implemented, should also be added. A red/amber/green rating should also be assigned to the action, so that there is a view on whether the completion of the action is progressing in line with the planned timescale.
STAGE 4: Risk Review and Reporting There is a clear relationship between the residual risk score and where the risk is owned and how it is reported. This ensures that risks are managed at the most appropriate level of the organisation. Therefore, the Risk Evaluation Scoring Matrix should be used to determine the review and reporting arrangements for each identified risk. Flexibility can be applied to this model, as for example emerging risks which score less than 16 may be included in the Corporate Risk Register so as to encourage early consideration and action prior to their expected escalation.
Risk Management Policy | 9 Page 210
Risk Evaluation Scoring Matrix
Highly 5 5 10 15 20 25 Probable
4 4 8 12 16 20
Probable
3 3 6 9 12 15 Possible
LIKELIHOOD 2 2 4 6 8 10 Unlikely
1 1 2 3 4 5 Highly Unlikely 1 2 3 4 5 Negligible Minor Moderate Major Critical
IMPACT
Colour Coding Red Risks Amber Risks Green Risks
Residual Risk Score 16 - 25 8 - 15 1 - 6 Range
Risk Register Corporate Risk Register or Service or Project/Programme Risk Transport Risk Register Register
Risk Owner Director Assistant Director/ Head of Service
Officer Reporting Directors meeting Service Management Team Forum Directorate Management Teams Project/Programme Board
Member Reporting Audit and Governance None (risks scoring 15 could be noted for Forum Committee (Corporate Risk members where it is felt that the risk is Register) escalating and is likely to reach a score of 16 or above) Audit, Risk and Governance Board (Transport Risk Register)
Corporate Risks The Corporate Risk Register and Transport Risk Register are the subject of a full quarterly review by Directors. This review is informed by updated Service and Project Programme Risk Registers.
The updated Corporate Risk Register is then presented on a quarterly basis to the Audit and Governance Committee (for risks pertaining to the Combined Authority and Risk Management Policy | 10 Page 211 overarching risks) and the Audit, Risk and Governance Board (for risks pertaining to Transport).
Service Risks Service Risk Registers are maintained at Head of Service level and are the subject of a quarterly review within Service Management Team meetings. New or escalating risks that score 16 or above, (or are expected to escalate towards a high score in the future if left untreated), should be put forward for review and potential inclusion in the Corporate Risk Register or the Transport Risk Register.
Project/Programme Risks Project/Programme Risks are maintained at Project/Programme Manager level, and are the subject of review within the governance structure relevant to the project/programme.
In reviewing a risk register, the following key items should be considered:
Are all existing risks relevant to the delivery of corporate/service/programme objectives included? Have any of the risks changed, and does the risk description, controls, actions and scoring need to be updated to reflect the change? Have any new risks emerged? Are controls still in place and working effectively? Do any new controls need to be put in place? Is the scoring of the identified risks correct – are risks increasing or decreasing and if so, does the risk need to the escalated to the Corporate Risk Register or can it be de-escalated or closed? Are agreed actions being implemented according to the timescale? Have any actions been completed, meaning that there is a new control in place, and so does the residual score need to reduce as a result?
Risk Management Policy | 11 Page 212
5. Appendices APPENDIX A RISK GROUP TERMS OF REFERENCE
CORE PURPOSE To focus on how the organisation’s risk management, performance management and governance arrangements can be developed to optimise delivery of the Corporate Plan.
FUNCTIONS The key functions of the Group are:
To facilitate delivery of the Corporate Plan by appraising the organisation’s arrangements for the management of risk, performance, and governance and making recommendations to the Delivery Panel/Directors in order to develop these arrangements as to optimise their effectiveness.
To champion effective and appropriate risk management at all levels of the organisation, so as to ensure that benefits are harnessed.
To support corporate improvement by monitoring the progress made in addressing relevant actions arising from sources such as external audit, internal audit, external bodies (including government) and those identified in the Annual Governance Statements.
To inform the Annual Governance Statements by appraising the organisation’s governance arrangements so as to provide focus to the ongoing development of these arrangements.
To identify emerging risks and hot topics relevant to the organisation and to recommend organisational approaches to manage these.
The Risk Group may establish task and finish sub-groups to consider specific issues in more detail. These may involve officers who are not permanent members of the Risk Group. Such groups will report their work and its outcomes to the Risk Group for onward consideration and reporting.
MEMBERSHIP Chair: Head of Internal Audit Assistant Director: Corporate Assistant Director: Legal Delivery Assistant Director: Finance Co-head of Investment Head of People and Organisational Corporate Performance and Development Research Manager Head of IT Head of Asset Management Risk Management Policy | 12 Page 213
FREQUENCY The Group will meet on a quarterly basis but can meet more frequently if required.
REPORTING The Group’s work will be reported to the Delivery Panel/Directors in the first instance, with onward reporting of agreed actions through the relevant governance channels (Audit and Governance Committee, Audit, Risk and Governance Board, Merseytravel).
Risk Management Policy | 13 Page 214
APPENDIX B Scoring Risk Impact
1 2 3 4 5 Negligible Minor Moderate Major Critical Complete loss of a non- Brief disruption to crucial service area for a Major loss of service Complete loss of Major loss of service important service protracted period or an for less than one non-crucial service for over one month areas important service area month for a short period
Up to £10,000 £10,001 to £250,000 £250,001 to £3m £3m to £10m Over £10m
Contained within Adverse local public or Contained within LCRCA/Merseytravel / Adverse national Adverse central
Page 215 Page press interest; directorate reported public or press interest government response complaints to Executive Minor injury or Minor injury or Major injury to more Major injury to an discomfort to an discomfort to more than than one individual Death individual individual one individual Some minor Systematic non- One-off minor breach One-off moderate infringements of compliance resulting in resulting in minor breach resulting in Forced closure of regulations / legislation significant Litigation / adverse publicity / moderate fines or LCRCA/Merseytravel resulting in minor fines Fines or Court regulatory attention adverse publicity or adverse publicity appearance Sustained reduction in One-off minor performance in one area Sustained systematic Sustained reduction in reduction in or reduction in non-performance Complete performance in more performance in one performance across resulting against most performance failure than one service area service area more than one service performance targets area
Risk Management Policy | 14
APPENDIX C Scoring Risk Likelihood Extremely likely The event is expected to occur in almost all circumstances 5 Highly Probable There has been a history of regular occurrences, i.e. on multiple occasions in the last twelve months If new event, likelihood of occurrence regarded as almost inevitable There is a strong possibility the event or risk will occur 4 The event is expected to occur in a majority of circumstances Probable There is a history of several occurrences, i.e. on more than one occasion in the last twelve months If new event, likelihood of occurrence regarded as very likely Page 216 Page There is a reasonable probability the event or risk will occur There may be a history of frequent occurrences 3 Everyone with knowledge of issues in this area knows this could happen Possible No or few effective measures have been implemented to reduce the likelihood of the risk materialising If new event, likelihood of occurrence will probably occur in most circumstances The event might occur at some time There could be a history of ad hoc occurrences 2 Most of the team knows that the whilst unlikely, the risk might occur Unlikely Measures that reduce likelihood have been taken but are not fully effective If new event, likelihood of occurrence regarded as unlikely but possible Not expected, but there is a slight possibility it could occur at some time 1 Some of the team considers that this is a risk that might occur Highly Unlikely Team considers there is an appropriate control framework in place Conditions exist for this to occur, but is highly unlikely Probably requires more than two coincident events
Risk Management Policy | 15
APPENDIX D Risk Register Template
Corporate/Service Risk Register: Name of Service Area
Date of Review: Date Page 217 Page
Risk Management Policy | 16
This page is intentionally left blank Corporate Risk Register: Liverpool City Region Combined Authority Date of Review: September 2020
Ref. Risk Details Inherent Risk Scoring Control Measures in Operation Residual Risk Scoring Corporate Risk Description Consequences of Risk Materialising Risk Owner Impact Likelihood Total Impact Likelihood Total /Service Objective (post title) Score Score Score Score Score Score Jeopardised
CA1 All Failure to achieve the required Inability to deliver Devolution Deal Director of 5 5 25 Business Plan 5 5 25 outputs associated with Loss of devolved powers Investment and Performance Management prioritising and managing the Opportunities for growth compromised Commercial PMO Capacity resources and responsibilities Withdrawal of Constituent member Development Commercial and Investment expertise associated with the City Region’s Government claw back of funds if project end dates do not align with funding Budget recognises delivery as a priority devolution deal. deadlines Spatial Development Strategy under construction Reputational Damage Report on the use of mayoral bus powers presented to Combined Negative media interest Authority on 28 February 2020
CA2 All Lack of sustainable funding Inability to deliver Devolution Deal Director of 5 5 25 Transitional funding package /Emergency Government funding in 5 4 20 mechanism to support the Loss of devolved powers Corporate Services relation to COVID 19 achievement of Mayoral priorities, Opportunities for growth compromised Mayoral Capacity grant maintain capacity and resilience CIPFA study on sustainable funding and manage the external funding Budget process portfolio associated with the City Role of Scrutiny Region’s devolution deal. Page 219 Page
CA3 All Inability to collaborate effectively Inability to deliver targets, outputs and outcomes / Missed Opportunity to Director of 5 4 20 Strategic involvement of constituent Local Authorities 5 3 15 with constituent Local Authorities, Build Back Better Corporate Role of portfolio holders and deputy portfolio holders and with other key partners – Reputational damage Development and Collaboration on key strategies including residents and Inability to deliver Devolution Deal Delivery FASJAB businesses – to identify City Loss of devolved powers Formal consultation mechanism for TUs Region priorities and determine Withdrawal of Constituent member the most effective mechanisms for delivering these priorities.
CA4 All Failure to maintain a strong and Failure to engage effectively with member organisations Director of 5 4 20 Revised Constitution 5 3 15 effective governance framework Ineffective allocation of resources Corporate Services Code of Corporate Governance that promotes a delivery-focused Inability to deliver Devolution Deal Assurance Framework culture that puts the requirements Loss of devolved powers Financial Regulations of the City Region first. Corruption and illegality Internal Audit Plan Ill informed decision making Increased capacity in Internal Audit Reputational damage Risk Management arrangements Increased complaints Performance management arrangements Inability to work with partners and stakeholders if lack of confidence in Business Plan governance arrangements Inability to demonstrate effective governance Failure to deliver targets, outputs and outcomes Implications for employee wellbeing, morale, turnover and absence levels Legal action and associated costs, penalties and fines Insurance claims Ref. Risk Details Inherent Risk Scoring Control Measures in Operation Residual Risk Scoring Corporate Risk Description Consequences of Risk Materialising Risk Owner Impact Likelihood Total Impact Likelihood Total /Service Objective (post title) Score Score Score Score Score Score Jeopardised
CA5 All Failure to maintain the capacity Inability to deliver Devolution Deal Director of 5 4 20 Effective leadership and management 5 3 15 and skills to facilitate the delivery Loss of devolved powers Corporate Project management of the LCRCA priorities and Reputational damage Development and Communication and engagement strategy and plan objectives. Failure to deliver targets, outputs and outcomes Delivery Performance management framework Implications for employee wellbeing, morale, turnover and absence levels Human Resources and Organisational Development policies and procedures
CA6 All Failure to effectively identify and Loss of structural funds Director of 5 4 20 Investment Strategy 5 4 20 Page 220 Page address the impact of political, Skills shortages Investment and Assurance Framework social and economic Relocation of key businesses and employers Commercial Strategic Investment Fund uncertainties, in particular those Disruption and damage to LCRCA initiatives Development LCR Working Group associated with future Failure to achieve outcomes in business growth Increased financial support for small/medium sized enterprises (SMEs) arrangements for exiting the EU.
CA7 Environment Failure to maximise LCRCA's Impacts on health, wellbeing and environmental outcomes Director of Policy 5 5 25 Consideration as part of policy and strategy 5 3 15 opportunities to have a positive Loss of future funding streams and Strategic Monitoring of air quality on transport network impact on air quality and to Commissioning Active Travel being promoted throughout the CA Region improve air quality across the City Government Funding obtained for Active Travel initiatives and an Region particularly in light of the application for futher funding is to be drawn up. recovery from the pandemic (COVID 19)
CA8 All Failure to prevent, plan and Deaths and serious injuries Director of 5 5 25 Asset Management Plan 5 3 15 respond to major incidents Loss of connectivity Integrated Mersey Tunnels capital programme impacting on transport networks, Implications for reputation and confidence Transport Resilience arrangements in place and tested as part of the Pandemic and in particular failure to Legal issues – e.g. .corporate manslaughter (COVID 19) maintain robust systems and Disruptions to network Control Centre co-ordination procedures in respect of our own Unavailability of key systems and operational disruption Renewal of Rolling Stock Fleet transport assets. Lost revenue Provision of Active Travel infrastructure across LCR to maintain Injury and claims arising. connectivity Temporary (and maybe permanent) removal of service to address risk HSE investigation and fines Staff absence Increased complaints. Criticism/negative media coverage Recovery costs Increased insurance premiums Ref. Risk Details Inherent Risk Scoring Control Measures in Operation Residual Risk Scoring Corporate Risk Description Consequences of Risk Materialising Risk Owner Impact Likelihood Total Impact Likelihood Total /Service Objective (post title) Score Score Score Score Score Score Jeopardised
CA9 All Information Governance breach Data loss Director of 5 5 25 Information Management Group 5 4 20 or cyber attack Remediation costs Corporate Senior Information Management Officer Regulator fines Development and Information Sharing Protocol Implications for reputation and confidence Delivery Information Management Policy Framework Information System Security Arrangements Unavailability of key systems and operational disruption Staff Identified and Trained Ill informed decision making. Senior Information Risk Owner Systems compromised, resulting in internal and external threats: Viral, Denial ICT Strategy Of Service attack, Data Integrity (different levels of data: Financial, personal, Policy - Data Protection Policy commercial, operational) [Theft of data, Deletion of data and Data Resilience and Recovery Arrangements corruption], Disruptive attack and Privilege escalation. ICT Security Protocol Litigation and cost of claims. Monitoring of Performance Increased complaints. External Assessment Inability to work with partners and stakeholders if lack of confidence in Internal Policies and Procedures integrity of systems. Code of Conduct for Employees PCI Compliance Arrangements Acceptable Use Policy Business Continuity Arrangements
CA10 Good quality and Due to the nature of the direct 1. Unable to deliver Housing First, or significantly reduced capacity to deliver. Director of Policy 5 4 20 1. Commitment from 16 Housing Associations to provide Housing. 5 3 15 affordable housing client facing delivery taking place 2. Harm to person including death. Adverse public reaction/reputational and Strategic 2. On call system, lone working protection, robust safeguarding training on the Housing First programme, damage. Commisioning and procedures, links to police, mental health and NHS. and its pilot status, there are a 3. Unable to commision further delivery and meet target projections. 3. Commitment is over the spending review period, and good working number of risks related to the 4. Inability to sufficiently plan and mitigate risks as the CA, and organisations relationships with MHCLG. Commitment from Secretary of State. Page 221 Page project that combined make it an in the LCR have never delivered Housing First. 4. Comprehensive project risk register held by Project Board and HF organisational risk. These include: Steering Group and regularly reviewed. Expertise in the team include staff who have delivered homelessness services, including HF so 1. No/reduced Housing Supply experience of potential risks are highlighted as much as possible. 2. Serious incident within the service 3. Current lack of clarity on re- profile of spend/Unable to spend out of year 4. Unknowns of delivery
CA11 All Failure to deliver a medium term Unable to fulfil CA objectives for integrated transport Director of 5 5 25 Embedded service and financial planning 5 4 20 financial strategy Loss of future funding streams and inability to access grants Corporate Services Budget setting process (overprogramming, uncertainty Reputational damage Medium Term Financial Plan in place, reviewed regularly to reflect over future funds, lack of planning "Car based recovery" and changes in public behaviour reduces revenue and changes for after funding expires) the funding of the new Rolling Stock becomes more challenging Budget monitoring and reporting processes Corporate competency /responsibilities removed Reserves Policy and strategy for use of reserves Long term/continued existence of the organisation Merseytravel Constitution and Financial Procedure Rules in place Inability to set legal budget Income and expenditure controls Stakeholder relationships compromised/ withdrawn Delegated Authority and Scheme of Delegation in place Reduced confidence from stakeholders Detailed financial model developed and updated regularly to reflect Reduced ability to borrow changing circumstances with sensitivity testing Failure to generate savings needed leading to funding shortfalls/ reliance on Regular financial monitoring to inform medium term plans reserves to support expenditure plans, cuts to service expenditure Dedicated resource within Finance to lead on modelling and planning "Car based Recovery" and changes in Public behavior reduces Farebox responsible for maintaining awareness of governmental plans and revenue and the funding of the new Rolling Stock becomes more challenging updates Financial risk and reserves reporting embedded into reporting Ref. Risk Details Inherent Risk Scoring Control Measures in Operation Residual Risk Scoring Corporate Risk Description Consequences of Risk Materialising Risk Owner Impact Likelihood Total Impact Likelihood Total /Service Objective (post title) Score Score Score Score Score Score Jeopardised
CA12 All Failure to effectively lead the Loss of structural funds Director of 5 5 25 Businees Plan 5 4 20 New Risk economic recovery of the City Skills shortages Investment and Recovery Plan Region associated with the Reputational damage - negative media interest Commercial Investment Strategy Pandemic (COVID 19) Loss or relocation of key businesses and employers especially within the Development Assurance Framework hospitality sector and the impact on tourism. Strategic Investment Fund Disruption and damage to LCRCA initiatives LCR Working Group Failure to achieve outcomes in business growth Increased financial support for small/medium sized enterprises (SMEs) Missed opportunity to "Build Back Better" Ongoing scenario planning for Transport inc Transport Recovery Group Opportunity to promote the fact that the City Region has high employment in the Life Sciences Sector.
CA13 All Transport Operator Liquidity Reduction in patronage Director of 5 5 25 Meetings to take place to obtain a full understanding of commercial 5 5 25 New Risk Reduction in income Integrated markets and local industry Reputational risks Transport Business planning Negative media interest Operator meetings and forums Missed opportunity for economic recovery (Build Back Better) Performance reviews Loss of service provision Monitor network activity, development of commercial opportunities / Loss of potential new commercial initiatives reduction in networks and frequencies Increased cost associated with support to commercial networks or Understand and monitor return to commercial service levels, recovering replacement through supported service provision patronage levels Operators' appetite for increased commercial opportunity deminished due to Work closely with DFT and Wider transport groups to understand issues economic impacts of Covid 19 and find solutions to funding gaps or adjustments to legislation Potential for network stagnation if demand and network does not return to pre- Covid 19 levels and operators "do nothing" whilst the market adjusts or finds its new normal.
Page 222 Page CA14 Good quality and Failure carry out predevelopment Failure to bid for grant funding from Homes England 5 5 25 Regular meetings with LAs to discuss site readiness both for the 5 4 20 New Risk affordable housing work Reputational damage - negative media coverage Brownfield Land Fund and Strategic Housing, Infrastructure and Land Disruption and damage to LCRCA initiatives Fund (SHILF) – deadline of 24 July for LAs to confirm SHILF sites and Missed opportunity to "Build Back Better" technical site information so that we can move to site prioritisation. The SHILF is a standing item on weekly LA Growth Directors meetings.
We have secured £1.3m resource funding from Govt and identified £700K internally to help provide capacity to LAs to bring sites forward and ensure they are ready for potential bid.
Stakeholder engagement plan with MHCLG and Homes England on detail of funds and progress. Focus of MHCLG engagement on ensuring SHILF is a direct allocation of funding to the CA. Scoring Likelihood
Scoring Impact
Risk Reporting
Page 223 Page 224 1 2 3 4 5
Page 225 This page is intentionally left blank Agenda Item 14
LIVERPOOL CITY REGION COMBINED AUTHORITY
To: Members of the Audit and Governance Committee
Meeting: 24 September 2020
Authority/Authorities Affected: All
EXEMPT/CONFIDENTIAL ITEM: No
KEY DECISION No
REPORT OF THE DIRECTOR OF CORPORATE SERVICES
EXTERNAL AUDIT PLAN 2019/20
1. PURPOSE OF REPORT
1.1 The purpose of this report is to provide the Audit and Governance Committee with the updated external audit plan of work (2019/20) which is proposed by the appointed External Auditors, Mazars.
2. RECOMMENDATIONS
2.1 It is recommended that the Liverpool City Region Combined Authority Audit and Governance Committee:
(a) Note the contents of the updated audit plan.
3. BACKGROUND
3.1 The statutory responsibilities and powers of the External Auditors are set out in the Local Audit and Accountability Act 2014 and the National Audit Office’s Code of Audit Practice.
3.2 The external audit process has two key objectives, as follows:
a) Providing an opinion on the Financial Statements (including the Annual Governance Statement); and b) Concluding on the arrangements in place for securing economy, efficiency and effectiveness in the use of resources (the value for money conclusion).
3.3 To demonstrate how these objectives will be met the Liverpool City Region Combined Authority’s (LCR CA) External Auditor, Mazars, prepare an annual External Audit Plan in respect of the Financial Statement Audit and Value for Money work. The original plan in respect of the 2019/20 Financial Statements and Value for money work was presented to Members of the committee at its meeting on 11 Page 227 March 2020, however as a consequence of Covid 19, the timescales for the completion and audit of the annual statement of accounts have been altered. A revised plan has been completed by Mazars which is attached to this report at Appendix 1. The updated report is unchanged save for amendments to the audit and sign off timescales which is presented to the Committee for noting.
4. RESOURCE IMPLICATIONS
4.1 Financial
None arising directly as a consequence of this report.
4.2 Human Resources
None arising directly as a consequence of this report.
4.3 Physical Assets
None arising directly as a consequence of this report.
4.4 Information Technology
None arising directly as a consequence of this report.
5. LEGAL IMPLICATIONS
None arising directly as a consequence of this report.
6. RISKS AND MITIGATION
None arising directly as a consequence of this report.
7. EQUALITY AND DIVERSITY IMPLICATIONS
None arising directly as a consequence of this report.
8. PRIVACY IMPLICATIONS
None arising directly as a consequence of this report.
9. COMMUNICATION ISSUES
None arising directly as a consequence of this report.
10. CONCLUSION
10.1 The revised External Audit Plan for 2019/20 is presented to the Committee for information.
Page 228
JOHN FOGARTY DIRECTOR OF CORPORATE SERVICES
Contact Officer(s): Sarah Johnston, Assistant Director of Finance, 0151 330 1015
Appendices: Appendix One – Mazars Audit Strategy Memorandum
Page 229 This page is intentionally left blank Audit Strategy Memorandum Liverpool City Region Combined Authority Year ending 31 March 2020
Page 231 CONTENTS
1. Engagement and responsibilities summary
2. Your audit engagement team
3. Audit scope, approach and timeline
4. Materiality and misstatements
5. Significant risks and key judgement areas
6. Value for Money
7. Fees for audit and other services
8. Our commitment to independence
Appendix A – Key communication points
Appendix B - Forthcoming accounting and other issues
This document is to be regarded as confidential to Liverpool City Region Combined Authority. It has been prepared for the sole use of the Audit and Governance Committee as the appropriate sub-committee charged with governance . No responsibility is accepted to any other person in respect of the whole or part of its contents. Our written consent must first be obtained before this document, or any part of it, is disclosed to a third party. Page 232 2 Mazars LLP One St Peters Square Manchester M2 3DE Members of the Audit and Governance Committee 1 Mann Island Liverpool L3 1 BP
19 February 2020
Dear Sirs / Madams
Audit Strategy Memorandum – Year ending 31 March 2020
We are pleased to present our Audit Strategy Memorandum for Liverpool City Region Combined Authority (the Authority) for the year ending 31 March 2020
The purpose of this document is to summarise our audit approach, highlight significant audit risks and areas of key judgements and provide you with the details of our audit team. As it is a fundamental requirement that an auditor is, and is seen to be, independent of its clients, Section 8 of this document also summarises our considerations and conclusions on our independence as auditors.
We consider two-way communication with you to be key to a successful audit and important in: • reaching a mutual understanding of the scope of the audit and the responsibilities of each of us;
• sharing information to assist each of us to fulfil our respective responsibilities;
• providing you with constructive observations arising from the audit process; and
• ensuring that we, as external auditors, gain an understanding of your attitude and views in respect of the internal and external operational, financial, compliance and other risks facing Liverpool City Region Combined Authority which may affect the audit, including the likelihood of those risks materialising and how they are monitored and managed.
This document, which has been prepared following our initial planning discussions with management, is the basis for discussion of our audit approach, and any questions or input you may have on our approach or role as auditor.
This document also contains specific appendices that outline our key communications with you during the course of the audit, and forthcoming accounting issues and other issues that may be of interest. Client service is extremely important to us and we strive to continuously provide technical excellence with the highest level of service quality, together with continuous improvement to exceed your expectations so, if you have any concerns or comments about this document or audit approach, please contact me on 0113 394 5316.
Yours faithfully
Mark Dalton, Director and Engagement Lead Mazars LLP
Page 233 3 1. ENGAGEMENT AND RESPONSIBILITIES SUMMARY
Overview of engagement We are appointed to perform the external audit of Liverpool City Region Combined Authority (the Authority) for the year to 31 March 2020. The scope of our engagement is set out in the Statement of Responsibilities of Auditors and Audited Bodies, issued by Public Sector Audit Appointments Ltd (PSAA) available from the PSAA website: https://www.psaa.co.uk/audit-quality/statement-of-responsibilities/
Our responsibilities Our responsibilities are principally derived from the Local Audit and Accountability Act 2014 (the 2014 Act) and the Code of Audit Practice issued by the National Audit Office (NAO), as outlined below:
We are responsible for forming and expressing an opinion on the financial statements.
Audit Our audit is planned and performed so to provide reasonable assurance that the financial statements are free opinion from material error and give a true and fair view of the financial performance and position of the Authority for the year.
ValueGoing for We are required to conclude whether the Authority has proper arrangements in place to secure economy, concernMoney efficiency and effectiveness in it its use of resources. We discuss our approach to Value for Money work further in section 6 of this report.
Reporting We report to the NAO on the consistency of the Authority's financial statements with its Whole of Government to the Accounts (WGA) submission. NAO Fraud
The 2014 Act requires us to give an elector, or any representative of the elector, the opportunity to question us Electors’ about the accounting records of the Authority and consider any objection made to the accounts. We also have a rights broad range of reporting responsibilities and powers that are unique to the audit of local authorities in the United Kingdom.
Our audit does not relieve management or those charged with governance, of their responsibilities. The responsibility for safeguarding assets and for the prevention and detection of fraud, error and non-compliance with law or regulations rests with both those charged with governance and management. In accordance with International Standards on Auditing (UK), we plan and perform our audit so as to obtain reasonable assurance that the financial statements taken as a whole are free from material misstatement, whether caused by fraud or error. However our audit should not be relied upon to identify all such misstatements.
As part of our audit procedures in relation to fraud we are required to enquire of those charged with governance as to their knowledge of instances of fraud, the risk of fraud and their views on management controls that mitigate the fraud risks.
The Authority is required to prepare its financial statements on a going concern basis by the Code of Practice on Local Authority Accounting. As auditors, we are required to consider the appropriateness of the use of the going concern assumption in the preparation of the financial statements and the adequacy of disclosures made.
For the purpose of our audit, we have identified the Combined Authority and the Audit and Governance Committee as those charged with governance.
4. Materiality 5. Significant 6. Value for 8. 1. Engagement and 2. Your audit and risks and key 7. Fees 3. Audit scope Money Independence Appendices responsibilities team misstatements judgements Page 234 4 2. YOUR AUDIT ENGAGEMENT TEAM
• Mark Dalton, Director Engagement • [email protected] Partner • T: 0113 394 5316 • M: 07795 506766
Engagement • Chris Whittingham, Senior Manager Manager • [email protected] • M: 07909 982497
• Paul Dinsdale Assistant Manager Engagement • [email protected] Senior • M: 07909 983021
4. Materiality 5. Significant 1. Engagement and 2. Your audit 6. Value for 8. 3. Audit scope and risks and key 7. Fees Appendices responsibilities team Money Independence misstatements judgements Page 235 5 3. AUDIT SCOPE, APPROACH AND TIMELINE
Audit scope Our audit approach is designed to provide an audit that complies with all professional requirements.
Our audit of the financial statements will be conducted in accordance with International Standards on Auditing (UK), relevant ethical and professional standards, our own audit approach and in accordance with the terms of our engagement. Our work is focused on those aspects of your business which we consider to have a higher risk of material misstatement, such as those affected by management judgement and estimation, application of new accounting standards, changes of accounting policy, changes to operations or areas which have been found to contain material errors in the past.
Audit approach Our audit approach is a risk-based approach primarily driven by the risks we consider to result in a higher risk of material misstatement of the financial statements. Once we have completed our risk assessment, we develop our audit strategy and design audit procedures in response to this assessment.
If we conclude that appropriately-designed controls are in place then we may plan to test and rely upon these controls. If we decide controls are not appropriately designed, or we decide it would be more efficient to do so, we may take a wholly substantive approach to our audit testing. Substantive procedures are audit procedures designed to detect material misstatements at the assertion level and comprise tests of details (of classes of transactions, account balances, and disclosures) and substantive analytical procedures. Irrespective of the assessed risks of material misstatement, which take into account our evaluation of the operating effectiveness of controls, we are required to design and perform substantive procedures for each material class of transactions, account balance, and disclosure.
Our audit will be planned and performed so as to provide reasonable assurance that the financial statements are free from material misstatement and give a true and fair view. The concept of materiality and how we define a misstatement is explained in more detail in section 4.
The diagram below outlines the procedures we perform at the different stages of the audit.
• Final review and disclosure checklist of financial • Initial opinion and value for money risk statements assessments • Final partner review • Updating our understanding of the Authority • Agreeing content of letter of representation • Considering proposed accounting • Reporting to Audit and Governance Board treatments and accounting policies • Reviewing post balance sheet events • Development of our audit strategy Planning Completion • Signing our opinion Dec 2019 - Feb • Agreement of timetables November 2020 2020 • Preliminary analytical procedures
• Review of draft financial statements Fieldwork Interim • Documenting systems and controls • Reassessment of audit strategy, Oct-Nov 2020 Jan-April 2020 • Walkthrough procedures revising as necessary • Controls testing, including general • Delivering our planned audit testing and application IT controls • Continuous communication on emerging • Early substantive testing of transactions issues • Clearance meeting
4. Materiality 5. Significant 1. Engagement and 2. Your audit 6. Value for 8. 3. Audit scope and risks and key 7. Fees Appendices responsibilities team misstatements judgements Money Independence Page 236 6 3. AUDIT SCOPE, APPROACH AND TIMELINE (CONTINUED)
Reliance on internal audit Where possible we will seek to utilise the work performed by internal audit to inform the nature, extent and timing of our audit procedures. We meet regularly with internal audit to discuss the progress and findings of their work prior to the commencement of our controls evaluation procedures.
Management’s and our experts Management makes use of experts in specific areas when preparing the Authority’s financial statements. We also use experts to assist us to obtain sufficient appropriate audit evidence on specific items of account.
Items of account Management's expert Our expert
Mercer – Actuary for the Merseyside PWC – Consulting actuary appointed on Defined benefit liability and asset Pension Fund behalf of the National Audit Office.
District Valuer Service - Property Services - We will use available third party information Property, plant and equipment part of the Valuation Office Agency. A to review and challenge the key valuation valuation desktop valuation is planned for 2019/20. assumptions. We will review Link Asset Services methodology to gain assurance that the fair Financial instrument disclosures Link Asset Services value disclosures of financial assets and liabilities are materially correct.
Service organisations
International Auditing Standards (UK) define service organisations as third party organisations that provide services to the Authority that are part of its information systems relevant to financial reporting. We are required to obtain an understanding of the services provided by service organisations as well as evaluating the design and implementation of controls over those services. The table below summarises the service organisations used by the Authority and our planned audit approach.
Items of account Service organisation Audit approach We plan to obtain assurance by understanding the processes and controls that the Authority has in place to assure itself that transactions re Payroll Expenditure CGI processed correctly. Our testing will include sample testing of transactions based on evidence available from the Authority rather than the shared service provider.
4. Materiality 5. Significant 1. Engagement and 2. Your audit 6. Value for 8. 3. Audit scope and risks and key 7. Fees Appendices responsibilities team misstatements judgements Money Independence Page 237 7 3. AUDIT SCOPE, APPROACH AND TIMELINE (CONTINUED)
Group audit approach Liverpool City Region Combined Authority prepares Group accounts and in 2018/19 consolidated the following body: • Merseytravel (including Mersey Ferries and Merseytravel Passenger Transport Services Limited) In auditing the accounts of the Liverpool City Region Combined Authority Group financial statements we need to obtain assurance over the transactions in the Group relating to the subsidiary body. We plan to obtain the necessary assurance over the Authority’s group accounts by placing reliance on the work we will complete in our capacity as component auditors on the financial statements of Merseytravel. We have not identified any significant risks for Group accounts purposes in relation to the component. The significant risks and areas of audit focus for the Authority as a single entity are set out in section 5. Based on our initial planning discussions we do not consider these significant risks to be risks for the component subsidiary companies.
4. Materiality 5. Significant 1. Engagement and 2. Your audit 6. Value for 8. 3. Audit scope and risks and key 7. Fees Appendices responsibilities team misstatements judgements Money Independence Page 238 8 4. MATERIALITY AND MISSTATEMENTS
Summary of initial materiality thresholds
Threshold Group (£’000s) Single Entity (£’000s)
Overall materiality 8,500 8,000
Performance materiality 6,375 6,000
Trivial threshold for errors to be reported to the Audit and Governance 255 240 Committee
Materiality Materiality is an expression of the relative significance or importance of a particular matter in the context of financial statements as a whole. Misstatements in financial statements are considered to be material if they, individually or in aggregate, could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements.
Judgements on materiality are made in light of surrounding circumstances and are affected by the size and nature of a misstatement, or a combination of both. Judgements about materiality are based on consideration of the common financial information needs of users as a group and not on specific individual users. The assessment of what is material is a matter of professional judgement and is affected by our perception of the financial information needs of the users of the financial statements. In making our assessment we assume that users:
• have a reasonable knowledge of business, economic activities and accounts;
• have a willingness to study the information in the financial statements with reasonable diligence; • understand that financial statements are prepared, presented and audited to levels of materiality;
• recognise the uncertainties inherent in the measurement of amounts based on the use of estimates, judgement and the consideration of future events; and
• will make reasonable economic decisions on the basis of the information in the financial statements. We consider materiality whilst planning and performing our audit based on quantitative and qualitative factors.
Whilst planning, we make judgements about the size of misstatements which we consider to be material and which provides a basis for determining the nature, timing and extent of risk assessment procedures, identifying and assessing the risk of material misstatement and determining the nature, timing and extent of further audit procedures.
The materiality determined at the planning stage does not necessarily establish an amount below which uncorrected misstatements, either individually or in aggregate, will be considered as immaterial. We revise materiality for the financial statements as our audit progresses should we become aware of information that would have caused us to determine a different amount had we been aware of that information at the planning stage.
Our provisional materiality is set based on a benchmark of gross expenditure on the provision of services. We will identify a figure for materiality but identify separate levels for procedures designed to detect individual errors, and also a level above which all identified errors will be reported to the Audit and Governance Committee.
4. Materiality 5. Significant 6. Value for 8. 1. Engagement and 2. Your audit and risks and key 7. Fees 3. Audit scope Money Independence Appendices responsibilities team misstatements judgements Page 239 9 4. MATERIALITY AND MISSTATEMENTS (CONTINUED)
We consider that gross expenditure at the provision of services remains the key focus of users of the financial statements and, as such, we base our materiality levels around this benchmark.
We have set a materiality threshold at 2% based on the 2018/19 audited financial statements gross expenditure at the provision of services. Based on our threshold of 2% of gross expenditure at the provision of services level, we anticipate the overall materiality for the year ending 31st March 2020 to be in the region for the Group of £8.5m (£7.8 in the prior year) and for the single entity of £8m (£5.9m in the prior year). After setting initial materiality, we continue to monitor materiality throughout the audit to ensure that it is set at an appropriate level.
Performance Materiality Performance materiality is the amount or amounts set by the auditor at less than materiality for the financial statements as a whole to reduce, to an appropriately low level, the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole. Our initial assessment of performance materiality is based on low inherent risk, meaning that we have applied 75% of overall materiality as performance materiality.
We have also calculated materiality for specific classes of transactions, balances or disclosures where we determine that misstatements of a lesser amount than materiality for the financial statements as a whole, could reasonably be expected to influence the decisions of users taken on the basis of the financial statements. We have set specific materiality for the following items of account:
Item of account Specific materiality - £000s
Officer Remuneration Bandings 5
Related Party Transactions 50
Misstatements We aggregate misstatements identified during the audit that are other than clearly trivial. We set a level of triviality for individual errors identified (a reporting threshold) for reporting to the Audit and Governance Committee that is consistent with the level of triviality that we consider would not need to be accumulated because we expect that the accumulation of such amounts would not have a material effect on the financial statements. Based on our preliminary assessment of overall materiality, our proposed triviality threshold is £255k for the Group and £240k for the single entity based on 3% of overall materiality. If you have any queries about this please do not hesitate to raise these with Mark Dalton.
Reporting to the Audit and Governance Committee To comply with International Standards on Auditing (UK), the following three types of audit differences will be presented to the Audit and Governance Committee: • summary of adjusted audit differences; • summary of unadjusted audit differences; and • summary of disclosure differences (adjusted and unadjusted).
4. Materiality 5. Significant 6. Value for 8. 1. Engagement and 2. Your audit and risks and key 7. Fees 3. Audit scope Money Independence Appendices responsibilities team misstatements judgements Page 240 10 5. SIGNIFICANT RISKS AND KEY JUDGEMENT AREAS
Following the risk assessment approach discussed in section 3 of this document, we have identified relevant risks to the audit of financial statements. The risks that we identify are categorised as significant, enhanced or standard, as defined below:
Significant risk A significant risk is an identified and assessed risk of material misstatement that, in the auditor’s judgment, requires special audit consideration. For any significant risk, the auditor shall obtain an understanding of the entity’s controls, including control activities relevant to that risk.
Enhanced risk An enhanced risk is an area of higher assessed risk of material misstatement at audit assertion level other than a significant risk. Enhanced risks incorporate but may not be limited to:
• key areas of management judgement, including accounting estimates which are material but are not considered to give rise to a significant risk of material misstatement; and
• other audit assertion risks arising from significant events or transactions that occurred during the period.
Standard risk This is related to relatively routine, non-complex transactions that tend to be subject to systematic processing and require little management judgement. Although it is considered that there is a risk of material misstatement, there are no elevated or special factors related to the nature, the likely magnitude of the potential misstatements or the likelihood of the risk occurring.
The summary risk assessment, illustrated in the table below, highlights those risks which we deem to be significant. We have
summarised our audit response to these risks on the next page. High Risk 2 3
1 Management override of control Financial
impact 1 2 Property, plant and equipment valuation
3 Defined benefit liability valuation Low
Likelihood Low High
4. Materiality 5. Significant 6. Value for 8. 1. Engagement and 2. Your audit and risks and key 7. Fees 3. Audit scope Money Independence Appendices responsibilities team misstatements judgements Page 241 11 5. SIGNIFICANT RISKS AND KEY JUDGEMENT AREAS (CONTINUED)
We provide more detail on the identified risks and our testing approach with respect to significant risks in the table below. An audit is a dynamic process; should we change our view of risk or approach to address the identified risks during the course of our audit, we will report this to the Audit and Governance Committee.
Significant risks
Description of risk Planned response
1 Management override of controls We plan to address the management override of controls risk Management at various levels within an organisation through performing audit work over: are in a unique position to perpetrate fraud because of • accounting estimates, their ability to manipulate accounting records and prepare fraudulent financial statements by overriding • journal entries, focusing on those that we determine to contain controls that otherwise appear to be operating certain risk characteristics and; effectively. Due to the unpredictable way in which • significant transactions outside the normal course of business or such override could occur there is a risk of material otherwise unusual. misstatement due to fraud on all audits.
2 Property, plant and equipment valuation In relation to the valuation of land and buildings we will: • assess the skill, competence and experience of the Authority’s The CIPFA Code requires that where assets are external valuers; subject to revaluation, their year end carrying value should reflect the fair value at that date. The • critically assess the approach that the Authority has adopted to Authority approach is to conduct all required address the risk that assets not subject to valuation in 2019/20 revaluations once every five years with a full are materially misstated and consider the robustness of that revaluation exercise completed in 2018/19. There is approach in light of any valuation information reported by the a risk that individual assets not revalued in 2019/20 Authority’s valuers; are not valued at their materially correct fair value. • consider whether the overall revaluation methodology used by the Authority is in line with industry practice, the CIPFA Code of The valuation of Property, Plant & Equipment Practice and the Combined Authority’s accounting policies. We involves the use of a management expert (the will test the basis of the valuation to underlying data and critically valuer), and incorporates material assumptions and assess basis of assumptions applied; and estimates. • assess whether valuation movements are in line with market . expectations by using information available from other sources.
4. Materiality 5. Significant 6. Value for 8. 1. Engagement and 2. Your audit and risks and key 7. Fees 3. Audit scope Money Independence Appendices responsibilities team misstatements judgements Page 242 12 5. SIGNIFICANT RISKS AND KEY JUDGEMENT AREAS (CONTINUED)
Significant risks
Description of risk Planned response 3 Defined benefit liability valuation In relation to the valuation of the Liverpool City Region Combined Authority's defined benefit pension liability we will: The net pension liability represents a material element of Liverpool City Region Combined • critically assess the competency, objectivity and independence of Authority's balance sheet. The Authority is an the MPF’s Actuary, Mercers; admitted body of the Merseyside Pension Fund (MPF), which had its last triennial valuation • Liaise with the auditors of the Merseyside Pension Fund to gain completed as at 31 March 2019. assurance that the controls in place at the Pension Fund are operating effectively. This will include the processes and controls The valuation of the Local Government Pension in place to ensure data provided to the Actuary by the Pension Scheme relies on a number of assumptions, most Fund for the purposes of the IAS19 valuation is complete and notably around the actuarial assumptions, and accurate; actuarial methodology which results in the Authority’s overall valuation. • Test payroll transactions at the Authority to provide assurance over the pension contributions which are deducted and paid to the There are financial assumptions and demographic Pension Fund by the Authority; assumptions used in the calculation, such as the discount rate, inflation rates and mortality rates. The • Review the appropriateness of the Pension Asset and Liability assumptions should also reflect the profile of the valuation methodologies applied by the Pension Fund Actuary, Authority’s employees, and should be based on and the key assumptions included within the valuation. This will appropriate data. The basis of the assumptions is include comparing them to expected ranges, utilising information derived on a consistent basis year to year, or provided by PWC, consulting actuary engaged by the National updated to reflect any changes. Audit Office; and
There is a risk that the assumptions and • Agree the data in the IAS 19 valuation report provided by the methodology used in valuing the Authority’s pension Fund Actuary for accounting purposes to the pension accounting obligation are not reasonable or appropriate to entries and disclosures in the Authority’s financial statements. Liverpool Authority’s circumstances. This could have a material impact to the net pension liability
4. Materiality 5. Significant 6. Value for 8. 1. Engagement and 2. Your audit and risks and key 7. Fees 3. Audit scope Money Independence Appendices responsibilities team misstatements judgements Page 243 13 5. SIGNIFICANT RISKS AND KEY JUDGEMENT AREAS (CONTINUED)
Key areas of management judgement and enhanced risks
Key areas of management judgement include accounting estimates which are material but are not considered to give rise to a significant risk of material misstatement. These areas of management judgement represent other areas of audit emphasis.
Area of management judgement / enhanced risk Planned response
1 Group Financial Statement Consolidation Process Our approach to auditing the Group Financial Statements has been Liverpool City Region Combined Authority has made detailed on page 8. judgements around which of its group entities it consolidates into the Group Financial Statements, We will complement this work by our work over Liverpool City and how it consolidates the transactions and Region Combined Authority’s Group consolidation process. In balances into the Group. particular we will review the judgements relating to the entities that are assessed for consolidation into the Group financial statements, and we will review and test the method of consolidation of Merseytravel into the Group financial statements.
4. Materiality 5. Significant 6. Value for 8. 1. Engagement and 2. Your audit and risks and key 7. Fees 3. Audit scope Money Independence Appendices responsibilities team misstatements judgements Page 244 14 5. VALUE FOR MONEY
Our approach to Value for Money We are required to form a conclusion as to whether the Authority has made proper arrangements for securing economy, efficiency and effectiveness in its use of resources. The NAO issues guidance to auditors that underpins the work we are required to carry out, and sets out the overall criterion and sub-criteria that we are required to consider.
The overall criterion is that, ‘in all significant respects, the Authority had proper arrangements to ensure it took properly informed decisions and deployed resources to achieve planned and sustainable outcomes for taxpayers and local people.’
To assist auditors in reaching a conclusion on this overall criterion, the following sub-criteria are set out by the NAO: • informed decision making; • sustainable resource deployment; and • working with partners and other third parties.
A summary of the work we undertake to reach our conclusion is provided below: Risk assessment Risk mitigation work Other procedures
NAO Guidance Consider the work of regulators
Sector-wide issues Planned procedures to mitigate Consider the Annual the risk of forming an incorrect Governance Statement Your operational and business conclusion on arrangements risks Consistency review and reality Knowledge from other audit work check
Significant Value for Money risks The NAO’s guidance requires us to carry out work at the planning stage to identify whether or not a Value for Money (VFM) exists. Risk, in the context of our VFM work, is the risk that we come to an incorrect conclusion rather than the risk of the arrangements in place at the Authority being inadequate. As outlined above, we draw on our deep understanding of the Authority and its partners, the local and national economy and wider knowledge of the public sector.
For the 2019/20 financial year, we have again identified the following significant risk to our VFM work :
Description of significant risk Planned response Governance Arrangements – In 2018/19 we issued an “except for” VFM conclusion that whilst recognising that risk management arrangements continued to develop, for the We will review the development of risk majority of the year effective arrangements were not in place to support corporate management arrangements during decision making. 2019/20 and assess any plans in place to ensure appropriate attendance at key Furthermore, the Combined Authority continued to face challenges in respect of Combined Authority committees to help committee quoracy with both the Audit and Governance Committee and Overview and ensure there is appropriate challenge Scrutiny Committee meetings not being quorate on a number of occasions. Both these and scrutiny of key decisions. issues were evidence of weakness in identifying and managing risks effectively and maintaining a sound system of internal control to support informed decision making. There remains a risk that these deficiencies have not been sufficiently addressed during 2019/20.
4. Materiality 5. Significant 1. Engagement and 2. Your audit 6. Value for 8. 3. Audit scope and risks and key 7. Fees Appendices responsibilities team Money Independence misstatements judgements Page 245 15 6. FEES FOR AUDIT AND OTHER SERVICES
Fees for work as the Authority’s appointed auditor
At this stage of the audit we are not planning any divergence from the scale fees set by PSAA. Any proposed variations to the fee to address, for example, changes to identified risks or additional work required by regulators will be discussed and agreed with Management before approval is sought from PSAA.
Service 2018/19 fee 2019/20 fee
Code audit work £36,334 £36,334
Fees for non-PSAA work
We have not been engaged by Liverpool City Region Combined Authority to carry out any additional work over and above the audit of the Authority’s statutory audit. Should we be engaged to undertake any additional work we will consider whether there are any actual, potential or perceived threats to our independence. Further information about our responsibilities in relation to independence is provided in Section 7.
Services provided to other entities within the Liverpool City Region Combined Authority group
We were also appointed by PSAA to perform the external audit of Merseytravel for the year to 31 March 2020 where the fee for Code audit work is £29,121.
4. Significant 8. Materiality 1. Engagement and 2. Your audit 5. Value for 7. 3. Audit scope risks and key 6. Fees and Appendices responsibilities team Money Independence judgements misstatements Page 246 16 7. OUR COMMITMENT TO INDEPENDENCE
We are committed to independence and are required by the Financial Reporting Council to confirm to you at least annually, in writing, that we comply with the Financial Reporting Council’s Ethical Standard. In addition, we communicate any matters or relationship which we believe may have a bearing on our independence or the objectivity of the audit team.
Based on the information provided by you and our own internal procedures to safeguard our independence as auditors, we confirm that in our professional judgement there are no relationships between us and any of our related or subsidiary entities, and you and your related entities creating any unacceptable threats to our independence within the regulatory or professional requirements governing us as your auditors.
We have policies and procedures in place which are designed to ensure that we carry out our work with integrity, objectivity and independence. These policies include: • all partners and staff are required to complete an annual independence declaration;
• all new partners and staff are required to complete an independence confirmation and also complete computer-based ethics training;
• rotation policies covering audit engagement partners and other key members of the audit team; • use by managers and partners of our client and engagement acceptance system which requires all non-audit services to be approved in advance by the audit engagement partner.
We confirm, as at the date of this document, that the engagement team and others in the firm as appropriate, and Mazars LLP are independent and comply with relevant ethical requirements. However, if at any time you have concerns or questions about our integrity, objectivity or independence please discuss these with Mark Dalton in the first instance.
Prior to the provision of any non-audit services Mark Dalton will undertake appropriate procedures to consider and fully assess the impact that providing the service may have on our auditor independence. Included in this assessment is consideration of Auditor Guidance Note 01 as issued by the NAO, and the PSAA Terms of Appointment. Any emerging independence threats and associated identified safeguards will be communicated in our Audit Completion Report.
4. Significant 8. Materiality 1. Engagement and 2. Your audit 5. Value for 7. 3. Audit scope risks and key 6. Fees and Appendices responsibilities team Money Independence judgements misstatements Page 247 17 APPENDIX A – KEY COMMUNICATION POINTS
ISA (UK) 260 ‘Communication with Those Charged with Governance’, ISA (UK) 265 ‘Communicating Deficiencies In Internal Control To Those Charged With Governance And Management’ and other ISAs (UK) specifically require us to communicate the following:
Required communication Audit Strategy Audit Completion Memorandum Report Our responsibilities in relation to the audit of the financial statements and our wider responsibilities
Planned scope and timing of the audit
Significant audit risks and areas of management judgement
Our commitment to independence
Responsibilities for preventing and detecting errors
Materiality and misstatements
Fees for audit and other services
Significant deficiencies in internal control
Significant findings from the audit
Significant matters discussed with management
Our conclusions on the significant audit risks and areas of management judgement
Summary of misstatements
Management representation letter
Our proposed draft audit report
4. Significant 8. Materiality 1. Engagement and 2. Your audit 5. Value for 7. 3. Audit scope risks and key 6. Fees and Appendices responsibilities team Money Independence judgements misstatements Page 248 18 APPENDIX B – FORTHCOMING ACCOUNTING AND OTHER ISSUES
Financial reporting changes relevant to 2019/20 There are no significant changes in the Code of Practice on Local Authority Accounting for the 2019/20 financial year.
Financial reporting changes in future years
Accounting standard Year of application Commentary
IFRS 16 – Leases 2020/21 The CIPFA/LASAAC Code Board has determined that the Code of Practice on Local Authority Accounting will adopt the principles of IFRS 16 Leases, for the first time from 2020/21.
IFRS 16 will replace the existing leasing standard, IAS 17, and will introduce significant changes to the way bodies account for leases, which will have substantial implications for the majority of public sector bodies.
The most significant changes will be in respect of lessee accounting (i.e. where a body leases property or equipment from another entity). The existing distinction between operating and finance leases will be removed and instead, the new standard will require a right of use asset and an associated lease liability to be recognised on the lessee’s Balance Sheet.
In order to meet the requirements of IFRS 16, all local authorities will need to undertake a significant project that is likely to be time-consuming and potentially complex. There will also be consequential impacts upon capital financing arrangements at many authorities which will need to be identified and addressed at an early stage of the project.
4. Significant 8. Materiality 1. Engagement and 2. Your audit 5. Value for 7. 3. Audit scope risks and key 6. Fees and Appendices responsibilities team Money Independence judgements misstatements Page 249 This page is intentionally left blank