audit and scrutiny panel - north lanarkshire · 2019. 9. 16. · 5.1 internal audit reports...

North Lanarkshire Council

Report

Audit and Scrutiny Panel

☐ for approval ☒ for noting Ref: KA/ASP/Sept19 Date: 25/09/2019

Internal Audit Progress Report

From: Ken Adamson, Audit and Risk Manager

Email: [email protected] Telephone: 01698 302188

Executive Summary

The purpose of this report is to provide an overview of Internal Audit activity and to report the results of Internal Audit outputs finalised since the last progress report submitted to the June 2019 meeting of the Audit and Scrutiny Panel.

The report highlights the most significant issues arising from recently completed audit work.

Appendix 1 provides a brief summary of the scope and key findings of each substantive audit report. In addition, a supplementary pack with full copies of these reports has also been circulated to Panel members.

Recommendations

The Panel is invited to:

(1) consider whether there are any issues raised by Internal Audit which are sufficiently significant to require a further report from management to be submitted to a future meeting of the Panel;

(2) request that Internal Audit provide a report to future meetings of the Panel reporting progress made by management implementing agreed management actions in relation to all audit recommendations categorised as ‘Red’ or ‘Amber’; and

(3) otherwise note this report.

The Plan for North Lanarkshire:

Priority: All priorities

Ambition statement All ambition statements

mailto:[email protected]

1. Background

1.1 In June 2019, the Panel approved the 2019-20 Internal Audit Annual Plan which detailed a programme of work to be carried out. The Internal Audit Charter, most recently approved by the Panel in February 2018, requires that the results of Internal Audit’s work are periodically reported to the Panel.

2. Report

Audit reviews completed in the period

2.1 Work has continued in accordance with the approved annual plan. Table 1 below provides an overview of recently completed Internal Audit reports since the last progress report presented to the Audit and Scrutiny Panel in June 2019.

Table 1: Completed Internal Audit outputs

Subject Internal Audit Opinion

1. Scottish Attainment Challenge Reasonable assurance

(Green-Amber)

2. Income / cash collection Substantial assurance

(Green)

3. Housing Benefit Reasonable assurance

(Green-Amber)

4. IT Network controls Reasonable assurance

(Green-Amber)

5. Municipal Bank Reasonable assurance

(Green-Amber)

2.2 Appendix 1 provides a brief summary of those reports forming part of the annual programme of planned assurance work. Copies of all finalised reports are included in the supporting pack to these papers.

2.3 Appendix 2 contains detailed definitions of the categories used by Internal Audit when making recommendations, providing an audit opinion and on the extent of assurance which is being provided to management and Panel members on those systems or areas of Council operations examined by Internal Audit.

2.4 This report excludes specific audit outputs produced for the North Lanarkshire IJB which are reported directly to its senior management teams and audit committees.

Commentary on completed Internal Audit work

2.5 The nature of Internal Audit exercises means that most reviews invariably find some scope for improvement, usually in the form of controls which are weak or only partially effective and, therefore, contain a number of recommendations. I am pleased, however, to be able to report that none of the audits competed in the period offered only ‘limited assurance’.

2.6 In determining which other issues from our recent outputs to highlight in this report, I have selected those issues which I consider to be most significant either because of the nature of the topic examined, or the risk implications of the weaknesses identified.

2.7 Our work on IT Network controls although providing a ‘Reasonable assurance’ opinion identified a range of concerns which we consider management needed to address. We were pleased to note that the Council has Public Sector Network (PSN) accreditation and had been assessed as meeting the Scottish Government ‘Cyber Essentials’ standard.

2.8 We also highlighted that although the Council has a range of information security and ICT policies, these need to be reviewed to ensure that they remain up-to-date and reflect current corporate expectations, good practice and any relevant legislative requirements. We also commented on the need for more/better training and information to be available to staff in relation IT security issues, including cyber threats.

2.9 We also questioned why formal testing of back-up recovery is currently limited to ‘Gold’ applications and does not extend to network drives and non-Gold applications and highlighted delays in introducing Security Incident Event Management (SIEM) software to provide better real-time analysis of security alerts.

2.10 Finally, our review also highlighted an issue, which although outwith the scope of the audit, we considered sufficiently significant to include in this report and which needs to be resolved urgently. This issue, which we have categorised as ‘Red’, relates to the Council not currently being compliant with the Payment Card Industry Data Security Standard (PCI DSS). This creates significant operational, financial and reputational risk and could ultimately result in the Council being refused access to accepting card payments.

2.11 Appropriate management responses have been received to the issues raised by Internal Audit.

2.12 Our work on the Scottish Attainment Challenge, whilst generally positive did highlight some areas for the Service to address. We are broadly satisfied that the relevant control environment appears generally adequate. The Service’s management arrangements around the Council’s use of Scottish Attainment Challenge (SAC) funding appear adequate and generally effective in ensuring that relevant spend is consistent with the purposes for which it was provided and that the Council is complying with key Scottish Government expectations.

2.13 The Service has also established monitoring arrangements to assess whether desired improvements in relation to reducing the poverty-related attainment gap are being delivered, although it should be recognised that assessing the impact or effectiveness of many of the interventions undertaken using SAC funding is difficult, particularly in the short-term and/or when being undertaken as part of a wider focus on improving attainment.

2.14 In our report, we have commented that the Service needs to provide better guidance for schools regarding the use by Secondary Schools of allocated SAC funding, in conjunction with PEF funding, and increased monitoring undertaken to ensure that the Service is able to satisfy itself that the conditions of the grant, relating to this allocation of funding, are being fully met and needs to ensure that schools are clearer on how the allocated SAC-funded additional teaching resource is enabling or contributing to the delivery of the SAC programme.

2.15 We have also highlighted that while the Service gathers a significant amount of data relating to the ‘attainment gap’ and the use of SAC funding, it needs to improve the way in which information is evaluated and reported to stakeholders.

2.16 Again, appropriate management responses have been received to the issues raised by Internal Audit.

2.17 Our reports on Income/cash collection, Housing Benefit and Municipal Bank, whilst generally positive in respect of the overall control environment, all highlighted some control weaknesses or areas for improvement that we considered management should address.

2.18 I am pleased to confirm that satisfactory management responses have been received to the issues raised in all of the Internal Audit report issued in the period and appropriate actions have been taken or commitments made to future actions within appropriate timescales.

2.19 There are no other issues arising from completed reports which I consider sufficiently significant to highlight to the Panel. Future follow-up reports will provide the Panel with information on the implementation, or otherwise, of all actions proposed by management in response to audit recommendations categorised as ‘Red’ or ‘Amber’.

3 Equality and diversity

Fairer Scotland Duty There is no requirement to carry out a Fairer Scotland assessment in this instance.

Equality Impact Assessment

There is no requirement to carry out an equality impact assessment in this instance.

4. Implications

Financial impact None identified

HR/Policy/Legislative Impact

None identified

Environmental Impact None identified

Risk impact Any failure to operate an effective internal audit service could impact on the effectiveness of the Council’s risk management and corporate governance processes.

5. Measures of success

5.1 Internal Audit reports annually on its performance to the Panel and is also subject to review annually by the Council’s appointed external auditors.

6. Supporting Documents

Appendix 1 Summary of completed Internal Audit assignments

Appendix 2 Audit gradings

Ken Adamson, Audit and Risk Manager

Appendix 1

Summary of Internal Audit assignments completed since the last Panel meeting

Internal Audit outputs: Audit opinion and commentary

1. Scottish Attainment Challenge

Internal Audit Opinion: Reasonable assurance (Green-Amber)

Audit recommendations: Red 1 Amber 4 Green 1

The purpose of this audit was to provide assurance on the adequacy and effectiveness of key controls around the Council’s use of Scottish Attainment Challenge (SAC) funding to ensure that relevant spend is consistent with the purposes for which it is intended, that the Council is complying with key Scottish Government expectations and that appropriate arrangements are in place to monitor whether expected outcomes or improvements are being delivered. The audit was not designed to consider the educational appropriateness or efficacy of the Council’s planned actions and interventions.

The Scottish Attainment Challenge is a major Scottish Government initiative designed to achieve equity in educational outcomes by closing the poverty related attainment gap. Education Scotland published a report in July 2018 on ‘How well is North Lanarkshire Council improving learning, raising attainment and closing the poverty-related attainment gap?’ which concluded that the Council is making good progress in these areas.

Based on the results of our audit work, we have categorised this audit as offering ‘reasonable assurance’. We are broadly satisfied that the relevant control environment appears generally adequate. The Service’s management arrangements around the Council’s use of Scottish Attainment Challenge (SAC) funding appear adequate and generally effective in ensuring that relevant spend is consistent with the purposes for which it was provided and that the Council is complying with relevant key Scottish Government expectations.

The Service has also established monitoring arrangements to assess whether desired improvements in relation to reducing the poverty-related attainment gap are being delivered, although it should be recognised that assessing the impact or effectiveness of many of the interventions undertaken using SAC funding is difficult, particularly in the short-term and/or when being undertaken as part of a wider focus on improving attainment.

As a result of the audit, we have identified a number of areas where we consider action is required and/or scope for improvement exists. These include:

The Service needs to provide better guidance for schools regarding the use by Secondary Schools of allocated SAC funding, in conjunction with PEF funding, and increased monitoring undertaken to ensure that the Service is able to satisfy itself that the conditions of the grant, relating to this allocation of funding, are being fully met.

The Service needs to ensure that schools are clearer on how the allocated SAC-funded additional teaching resource is enabling or contributing to the delivery of the SAC programme;

The Service needs to ensure that in developing the mentor programme in secondary schools it addresses some of the important issues raised in the recent Internal Audit report on Education Recruitment; and

While the Service gathers a significant amount of data relating to the ‘attainment gap’ and the use of SAC funding, it needs to improve the way in which information is evaluated and reported to stakeholders.

Satisfactory management responses have been received to the issues and audit recommendations contained within the report.

Appendix 1 (continued)



2. Income / cash collection

Internal Audit Opinion: Substantial assurance (Green)


This was a brief substantive based review designed to provide assurance on the effectiveness of key controls relating to the operation of the Council’s cash collection offices/First Stop Shops. Management responsibility for the operation of the cash offices/First Stop Shops lies with Housing Solutions, with responsibility for banking reconciliations and administration of the Cash Receipting system lying with Financial Solutions.

In line with an approach previously agreed with management, we visited four separate cash offices and undertook a range of checks on different aspects of cash collection activity with the aim of providing assurance to management on compliance across the cash offices with expected procedures. We also undertook testing to assess the adequacy of arrangements within the Controls & Reconciliations Team (‘Income HQ’) within Financial Solutions, who are responsible for reviewing/monitoring cash collection activity and the reconciliation of monies collected/banked.

As well as the attached summary report which presents the key issues arising from the testing undertaken at both Income HQ and cash office level, individual reports for each of the four cash offices visited (Airdrie, Coatbridge, Cumbernauld and Motherwell) have been issued under separate cover for management consideration highlighting issues arising, including any areas of non-compliance with procedures identified.

We were pleased to note that, based on the results of our work, the control environment appears sound with our testing indicating a high level of compliance with expected procedures. We have, therefore, assessed the audit as offering ‘substantial assurance’, meaning that the control environment is adequate and has operated substantially as intended with any control issues or weaknesses identified presenting only a low risk to the control environment.

We have however identified some areas where scope for further improvement exists and accordingly we have made a small number of recommendations for management attention.





3. Housing Benefit



This was a brief, substantive based review designed to provide assurance that the Council has adequate, robust and effective governance arrangements in place for ensuring that it continues to comply with relevant legislation and DWP requirements in respect of new Housing Benefit applications/claims and changes in circumstances.

As part of our work, we undertook detailed testing and re-calculation of a sample of successful new claims and a sample of amended (change of circumstances) claims selected at random from the period January to March 2019. In addition, we reviewed documentation held to evidence that the expected level and type of management checks were being undertaken and that appropriate actions were being taken as a result.

The results of our work indicate that generally, the Service has in place arrangements to ensure that only properly supported and eligible applications for HB are being approved and that relevant benefit is awarded. We were also pleased to note that management checks are being regularly undertaken to review the quality of decision-making and ensure that only properly supported and eligible applications for Housing Benefit are being approved. We do, however, continue to have some concerns at the higher than expected incidence of non-compliance and error in the processing of new and amended claims identified by the Service’s own management checks and by this and previous similar Internal Audit exercises, with the identified error rate being significantly higher than the Service’s performance targets.

Overall, as a result of our findings, we have categorised this audit as offering ‘reasonable assurance’, meaning that while the control environment is generally operating as intended, there are some aspects where we consider that scope for improvement exists and we have raised a small number of recommendations for management attention.





4. IT Network controls



The purpose of this review was to provide independent assurance on selected IT network controls (network administration, patching and back-ups) in order to provide assurance that the Council has adequate, robust and effective governance arrangements in place to support the operation of the Council’s IT network. The review involved assessing the adequacy and effectiveness of the Council’s arrangements and processes against good practice, as well as relevant testing to confirm that the controls were operating as intended.

The Council recognises IT security as a key corporate risk and has secured Public Services Network (PSN) compliance and Cyber Essentials certification which demonstrates that the Council’s IT security arrangements, policies and controls in place are sufficiently robust to allow interaction with other organisations connected to the PSN and to protect the network against common cyber threats. As a result, we were able to place reliance on these externally inspected accreditations for some areas (in particular, aspects of controls in relation to firewalls and anti-virus protection) covered by this audit.

Based on the results of our work, we have categorised this audit as offering ‘reasonable assurance’ meaning that we are generally satisfied that the control environment in respect of network administration, patch-management and back-ups appears generally adequate and is mainly operating as intended. However, we identified a number of areas where we consider management action is required and/or scope for improvement exists. These include:

the Council’s current Cyber Essentials accreditation expired in June 2019 and although the Council is actively pursuing re-accreditation, this has not yet been achieved;

although the Council has a range of information security and ICT policies, these need to be reviewed to ensure that they remain up-to-date and reflect current corporate expectations, good practice and any relevant legislative requirements;

there is a need for more/better training and information to be available to staff in relation IT security issues, including cyber threats;

formal testing of back-up recovery is currently limited to ‘Gold’ applications and does not extend to network drives and non-Gold applications; and

there have delays in introducing Security Incident Event Management (SIEM) software to provide real-time analysis of security alerts.

Our review also highlighted an issue, which although outwith the scope of this audit, we consider sufficiently significant to include in this report and which needs to be resolved urgently. This issue, which we have categorised as ‘Red’, relates to the Council not currently being compliant with the Payment Card Industry Data Security Standard (PCI DSS). This creates significant operational, financial and reputational risk and could ultimately result in the Council being refused access to accepting card payments.





5. Municipal Bank



This review was designed to provide independent assurance to senior management and elected members on certain aspects of the Council’s Municipal Bank operations. In particular, the audit considered the adequacy and effectiveness of internal controls associated with changes to customer details and the opening and closure of account and the adequacy and effectiveness of the Municipal Bank’s operations in relation to money laundering. The review also assessed whether the Council has adequate and effective arrangements in place to maintain and safeguard relevant records of accounts and transactions.

Management responsibility for the operation of the cash offices/First Stop Shops (from where the Municipal Bank operates) lies with Housing Solutions, while responsibility for the preparation of reconciliations and administration of the cash receipting/Municipal Bank systems lies with the Controls and Reconciliations Team located within Financial Solutions.

The results of testing of the internal controls associated with account opening, changes to accounts and account closures were generally satisfactory with no significant issues arising. The Municipal Bank is aware of the risk of Money Laundering and has put in place arrangements designed to mitigate the identified risks. However we consider that there is a need to enhance current procedures with regard to the initial and ongoing assessment of risk of money laundering on new and amended accounts and more should be done to record the rationale for decisions made by the Money Laundering Officer about how to respond to suspicious transaction reports made by staff.

Overall, we have assessed the audit as providing ‘Reasonable assurance’, as we consider the control weaknesses identified present low to medium risk to the control environment. We have made a number of recommendations for management considerations/action.


Appendix 2

Audit Gradings

Audit reports are graded with an overall assurance opinion, and any issues and associated recommendations are classified individually to denote their relative importance, in accordance with the definitions in the tables below.

Definition of audit assurance and recommendation categories

Assurance Confidence based on sufficient evidence that internal controls are in place, operating effectively and objectives are being achieved.

Assurance opinion

Green Substantial Assurance

There are minimal or minor control weaknesses that present low risk to the control environment. The control environment has substantially operated as intended although some minor errors have been detected. Very few or no improvements are needed.

Green - Amber Reasonable Assurance

There are some control weaknesses that present a low to medium risk to the control environment. The control environment has mainly operated as intended although errors have been detected. Some improvements should be made.

Amber - Red Limited

Assurance

There are significant control weaknesses that present medium to high risk to the control environment. The control environment has not operated as intended. Significant errors have been detected. Substantial improvements should be made.

Red No Assurance

There are fundamental control weaknesses that present an unacceptable level of risk to the control environment. The control environment has fundamentally broken down and is open to significant error or abuse. Immediate and major changes need to be made.

Organisational impact

Major The weaknesses identified during the review have left the Council open to significant risk. If the risk materialises it would have a major impact upon the organisation as a whole.

Moderate The weaknesses identified during the review have left the Council open to medium risk. If the risk materialises it would have a moderate impact upon the organisation as a whole.

Minor The weaknesses identified during the review have left the Council open to low risk. If the risk materialises it would have a minor impact upon the organisation as a whole.

Recommendation priority

Red Significant weaknesses which management needs to address and resolve immediately.

Amber Weaknesses which require prompt but not immediate action by management.

Green Less significant issues and/or areas for improvement which do not require immediate management action.

EXECUTIVE SUMMARIES

(1) Scottish Attainment Challenge Funding (pages 3−13)

(2) Income and Cash Collection (pages 14−22)

(3) Housing Benefit Regularity − New and Amended Claims (pages 23−29)

(4) IT Network Controls (pages 30−48)

(5) Municipal Bank (pages 49−55)

:\ADMIN\EXECSUM5LDDOCX

AGENDA ITEM No....L−−−−−−−

NORTHLANARKSHIREr " " - COUNCIL

INTERNAL AUDIT REPORT

SCOTTISH ATTAINMENT CHALLENGE FUNDING

Contents1. Executive Summary 2. Findings and Recommendations 3. Action PlanAppendix 1:Audit gradingIssued to: Executive Director (Education and Families) and Head Lead Officer Copied to: Chief Executive

HeadlinesThe purpose of this audit was to provide assurance on the adequacy and effectiveness of key controls aroundthe Council's use of Scottish Attainment Challenge (SAC) funding to ensure that relevant spend is consistentwith the purposes for which it is intended, that the Council is complying with key Scottish Governmentexpectations and that appropriate arrangements are in place to monitor whether expected outcomes orimprovements are being delivered. The audit was not designed to consider the appropriateness or efficacy ofthe Council's planned actions and interventions.The Scottish Attainment Challenge is a major Scottish Government initiative designed to achieve equity ineducational outcomes by closing the poverty related attainment gap. Education Scotland published a report inJuly 2018 on 'How well is North Lanarkshire Council improving learning, raising attainment and closing thepoverty−related attainment gap?' which concluded that the Council is making good progress in these areas.Based on the results of our audit work, we have categorised this audit as offering 'reasonable assurance'. Weare broadly satisfied that the relevant control environment appears generally adequate. The Service'smanagement arrangements around the Council's use of Scottish Attainment Challenge (SAC) funding appearadequate and generally effective in ensuring that relevant spend is consistent with the purposes for which itwas provided and that the Council is complying with relevant key Scottish Government expectations.The Service has also established monitoring arrangements to assess whether desired improvements in relationto reducing the poverty−related attainment gap are being delivered, although it should be recognised thatassessing the impact or effectiveness of many of the interventions undertaken using SAC funding is difficult,particularly in the short−term and/or when being undertaken as part of a wider focus on improving attainment.As a result of the audit, we have identified a number of areas where we consider action is required and/or scopefor improvement exists. These include:

• The Service needs to provide better guidance for schools regarding the use by Secondary Schools ofallocated SAC funding, in conjunction with PEF funding, and increased monitoring undertaken to ensurethat the Service is able to satisfy itself that the conditions of the grant, relating to this allocation of funding,are being fully met.

• The Service needs to ensure that schools are clearer on how the allocated SAC−funded additional teachingresource is enabling or contributing to the delivery of the SAC programme;

• The Service needs to ensure that in developing the mentor programme in secondary schools it addressessome of the important issues raised in the recent Internal Audit report on Education Recruitment; and

• While the Service gathers a significant amount of data relating to the 'attainment gap' and the use of SACfunding, it needs to improve the way in which information is evaluated and reported to stakeholders.

Internal Audit Opinion (see definition at Appendix 1) Reasonable assurance

Organisational impact (see definition at Appendix I) Moderate

Report status FINAL Audit ref 0330/2019/002 J Date issued 1 03/09/2019

Audit Team Lynn McCrum (01698 302182), Paula Hendry and Hugh Shevlin

I−\Data\INTERNAI. AUD!T\PRE 2019−20\INT AUD\Educalon Youth aM Communnes\Scba&s Attainment Challcogc Fundng\A. Report and Sahseqoer,t Corrcsponderrce\hnal report asssued 0309. 19docu

1. Executive Summary

ObjectivesThe purpose of this audit was to provide assurance on the adequacy and effectiveness of key controls aroundthe Council's use of Scottish Attainment Challenge (SAC) funding to ensure that relevant spend is consistentwith the purposes for which it is intended, that the Council is complying with key Scottish Governmentexpectations and that appropriate arrangements are in place to monitor whether expected outcomes orimprovements are being delivered.The audit reviewed how the Service is using and monitoring SAC funding, how this relates to the SAC planand how the Service are evaluating, or plan to evaluate, the impact of the Council's use of SAC monies on thepoverty−related attainment gap.The Scottish Attainment Challenge funding and Pupil Equity Funding, which is allocated directly to schools,are both part of the Attainment Scotland Fund which focuses on closing the attainment gap between the mostand least disadvantaged children.This engagement has been conducted in accordance with the 'Public Sector Internal Audit Standards'. TheInternal Audit section reports formally on conformance with these standards to the Audit and Scrutiny Panel.

2. Findings and Recommendations

Number and category o f recommendations raised Red Amber Green(see definition o f priority at Appendix!)

1 4 1

Key areas requiring management action (Red)The following key area requiring urgent management action has been identified:

• The Service needs to provide better guidance for schools regarding the use by Secondary Schools ofallocated SAC funding, in conjunction with PEF funding, and increased monitoring undertaken to ensurethat the Service is able to satisfy itself that the conditions of the grant, relating to this allocation of funding,are being fully met.

Good practice identifiedWe noted the following areas of good practice during the audit:

• A performance dashboard has been devised providing clear data to the Head Teachers and the SAC CoreTeam for tracking and monitoring of progress of individuals;

• Clear funding proposals are submitted to the Scottish Government each year, detailing plans for the yeargoing forward and the measures which will be used to monitor progress in achieving objectives/expectedoutcomes;

• Financial controls are clearly evident for accounting for Scottish Attainment Challenge funding, withseparate cost centres created and expenditure tracked and monitored on a four−weekly basis; and

• Grant claims and progress reports are being submitted to the Scottish Government in line with prescribedtimescales.

I:\OaLa\!NTERNAL AUDITPRL 2019−20\INT AUD\Educat,on Youth and Communfl,esSchooIs Attainment Challcngc Fuoding\A. Report uod Sutcquerrt Correspondcnce\FnaI report usssued 0 3 0 9 19 docu

Other areas for improvement (Amber)A number of other areas for improvement were also identified:

• The Service needs to ensure that schools are clearer on how the allocated SAC−funded additional teachingresource is enabling or contributing to the delivery of the SAC programme;

• The Service needs to ensure that in developing the mentor programme in secondary schools it addressessome of the important issues raised in the recent Internal Audit report on Education Recruitment;

• While the Service gathers a significant amount of data relating to the 'attainment gap' and the use of SACfunding, it needs to improve the way in which information is evaluated and reported to stakeholders; and

• Invoices were not always authorised for payment by individuals who had delegated authority to authorisesuch payments.

I\Dala\INTERNAL AUDIT\PRE 2019−70\INT_AUO\Education Youth aM Comm-ticskSchools Attanmcnt Challenge Fundtng\A Report a M Subsequent Correnpondence\Final report asissued 03 09. 19doco

PLO

——

U

E

C

751

C

C'

C) (NI— (N

CL

C)C)

E 0C)

C) 0

E A − 0 − . 5 2 −oC ' s . ) C)

0— o>

00 c

C)−flCj.

=− • — C_

a

C CU AC) b O ' 0 . C .

E casX . < C)C3

L) C)

E B = 0.CU

• c •0−C

0 0 − − − C) o 1−. − C) C) 0 C) −0r,) ;

l u t o Q • . − Q= C ) C ) C)C ) 0 C ) < > − C

CD 03

C

0 X (N—C)

I −E . 0 C −− C) I — . −C!3' − . − − 0 .−o− −

−o 9 C−o − 0 − — C).00C−o

C) 0 C−

C − o co 00 C ) 5 C ) C ) C ) _ _ O . 0 0 C ) 0 . . 0 0 . 0 =

C ) C ) C ) O E > . 0 C .Eoo I 2 0 c# H −. . Q. — C.. — C). — ( (cu

E c13

=− 0

= C)OC)ccC)0C)0− >co0o

−flHI

0 0 = 0 C ) 0 C C) C−to tr C) I−. C)0 0° 2

° −0• totn InE E a 2E u c o − c = C— 0="..C)0 C) ciOC)

0.

= L• >.C) >−o_2 >9 2 g − °LT. w c i asI−C)QrJ)

0 CJ1.C) 1

C)

c I

2 C)C

C ) 00....•—C2= as

C)U t3

E U

C).G−. CE

45CHC)C)C)C)O

C)

—

U

E

.—I

C

C

.−C

—

ca

Cd

= =

In.Mtom_

CE E r−

._ ° o . c,oe−

E − −0. 0u> 0

−a . ) —. • Q p

O L —E•°°− ( NCO 00

V0 C<Q L ) ( I ) CI C3 0 . Q . 0 C14 C6

06

. .

—

— o ° 0

co

;

=

o. − −aEECV V

oE

b

C

. V

CdVV

V>0

asVV

C#D

—

9)9)

V——

VE

.−I

0

—

0

0 —a)

rl

ccs

a) >'0

a)C ca

Cda),

C−) a) 0−= E . o .2 a − − ,,, c#, − • − •

. 9 > ' cc'0 0

a) '− 0 4)

a) a) ..9

a) − − > .0Cl, .Eai 1i0

— 0.<.,0.

a) 2a)a)a)0a)

> — H— w

cu −0 0 . i l

ft — ' r.a)−0

C,.−a)

E 0

CL−

; − " −−− '− E f t a ) − H

a) I D . 0a14 ca)

0 00 C) Ca • a) c . − . c/D0Ca0 'o.•Ca

− 0 − 0 − a)L)C)tuE v H 0

>−kn

0 E C;: I Ea) a)

a) = h ° cID••• ! Ca ID

HC) ,. Ca Ca C...

a−a

•• E

C) a) a) CLa) 0 . 0 0 0 E C) O C) b1) a)

Q to

I − )

E H0.CLC)0C) .

− 0 − e − − . . C) a) −C ) 0 a ) C ).. E ca 0C)a)

•7 2 a ) —E

0 − 0 0.C)bCCaa) . 0 o _ − . 9 EbUE a) sEo

C) Cl, C) a)>.− L ) .EoC)a)a ) C)

cd C's

Cl.ID

0 b o a) C.... 0 0 < 0 C)

O a ) . 9 (ID—bCd

. − C)a )C

)ca)C) o

IDb O . I

C)

r−u − 0 . −

> cua) 0

−

I c CL a) > C.. 0 ' C) t o = 0 > t o a)) ( ) a) (3 a) J a)a−OcID

a ) C L C L _−

0 0 o a)C)a) a)

E − . − cQ = I 0Cao a) C C ) .

− a).0CL0.E − a ) a ) C). • : − a)0I D a ) 0.−

0 C)Ca−−0.cCa

C)

GJCj>°V. a ) C Ca0 a − a c I D > )—

cd20. E ID Ca a) Q

a ) − IDCA

0O

.0 .E

(I)a)a)a)a ) − 0 L I D .−

V Ca 0 0.0 a ) 0 >L#D I−.

• •

I−N

—

U

E

.—I

I

.0go a) (

E − oa)

z

0 a.>> − a ; (.) 0−

a)a )

I−

. QI−C)

. . D 0 ( ) 0 •5

0 ca

._

CQ asI −

a) −0 E a ) 0

=s—a)−oa)o

a) a ) L I Jc t s a ) c t s a ) C(#)rJ>

0=Cç)

4> . a) ( 1 ) 0 Q a) −a) C.) CIS CU

0 . . 0 −g 0 C '− D 5

:3u:—(aI

—0C>

Z H o − 5 E H E H

I .0.© E

C a) 0 0 a) C − = a) a) a) a)) C3a − − − COCCC 0= 0 C a) VC oC − 0 a ) 0 0

,>(I− ( C= . 0

E .0a ) — ( 3 (l)

0−

E C a ) C 0 cu. a ) a ) a ) > • C

− 0 a) 0a) > ' − . . Q C 5—a) b a)0.0.a)

−cna) a)0.EC

Cd 11)

0 − 0 Z 0 . 0 0 0 0 a) a)

= a ) ( )−

C 0 . 5 . _ s . 0 u CL.−. _ (na)

u a t o asCOD

CL

C C C −

a)E a > −3

. 0 − 9 a)−> > E

edin.E a)a)

—0 − o E

0 c E 0 0 . cis

I− a) C a) −C.cC E r− −a

<95

—.5a) ( / Z5 0 a) Q0)

a) ( .o S#(a)

a < > O 0 5a)= a) C 0 0 E > C E −

rA— =− a a ) CC

C ) O O a ) a)•9C a ) 0a)− −

S S . e−−a . o E0ca

0 ( a)C C 0 . − ( a)

−) − C0

73a)E0.0

C

Ca ) a)a)

n . − . .>0 CA

> 6)7 j r , CA z a ) •>

C C0c 0 00<

−5c a).5'o0rM > L. 0C a ) 0−C 4 > a ) c C C a)a).−.a ) a )

sz5 C − 0 − − C 0 − _ .E

C a ) L _ >C_5C0 'a C3 a)

− E ° . S C a) −0 −.> C 0 − E a ) C

' (N0 − — _ 0

S..

—

—

U

E

.—:1

V=

CV

0

o ( N ( N (N..

( N (NI−V V V

E E E

EnV V V

—

− V o r = − V−

'I)V 0 t E v .E

..EI — c o 0 ..

_ 0 > V >V0 C V c0.

V—. −oc E _ − o—r−u0 −LV L) 0 • 0

. ccI—LL > < — V 0 c u 00 =

V _V

V .V0.−as

b i V e − uuas>EV> 0 −

— u0

Vs−.0 0 . E V 0 . 0— _15 c . 0 0 11V Q 0 (

C.J—

V0

U > − 0_b.−−−4 5coI − 0 b ._0COC0 >V

o

cc , − 0 . — 0 V 0 V

cv V H I . bVc's>V

0VOV VVE ow c

cl)0...0

0

0 V V 0

Q V( ) Q )C

go 0

CAV

V

E 0 ..— >

— ( 0 U 0 0.

Q V V C ) − − CIVVca w(N00 − o E o ca −0 CIS

0 V 0 . E — V0 C Q >E c i ca 0 — 0 ' − (VQI.. V 0 C Q

( N O

. 9 E E V o−o V E °w

caV V.0VC1()V Q V VO0

( 0 >−.(ID V V o0. 0 co• o o 0O2 − v E

V E .." c r o V0 c q s _ 0

V 0 _ b V

o c V EooVE2EV o > − VOOQC 0 2 OVE

V V .− VVV.2 o 0 c .0 VbE3

c −V73— •0_0(._ _ 0_ _ VLJ.E 0 . V Q − C V

V − 0 E >s• 0. 00.

. V E c o E 2 V

00

—

E

:1

i

0

. D

—

CD

0 t o 9 f l u.

.−

4j00 . •°E.{, −d;:E'E−0cu−'°−'o> __0

I−0

− o

"as 0 ca

0CL

.0EoH as c . − 0 0 '.− H U

−C 0>.2 r2 Cda.

C()0

=•−L

0

. = 0rd= −v. .00EE u −0 C,

c n 0o

0 0Q• 0 0 . . Q In. 0(Vcc cd

0cu 0

as

0

2E c— 0V

=.−=

V>0.0VV

00

E

0cI

0

0.—cJ

0iC) C'

p021

U−C C) − C)

C.) o C) C)C)

E M = − −6 u _ ca C '—' C)

,c r.CL

cAL.C) C) CC) C ) 0 C) C ) 0 C)C)._I−C)O

C)

. E

C)C)C)C)

. bC)

− _C) > I—−0 14 C cu

cd

ru−

En

Ca

CC)E CC)0

EC−o

C)

ci— 0 to

c E UH

C)C)C)>

.0ilPuQ _ C ) Co 0 t

—• >

C3 O0

cc as C)Ln−c.2 − C L E

−E— — O 0 C) 03Ob

l 0> − − C)

C)cd

Cc ( C C

C

0 0 0 C) L n −C)0*m12•C)0

Q C ) >C)EC) C)

.C) C)

C)c 0 C ) I − > O 0 0 C ) EA

2 < C)•CQC)

− − − − . .— C) C)E_. ) Q Q C)C)

— —QC)

Cj).E°E−ci C)−0Crn.!

r− C13 ..EC ) C ) • _ ( •_−c•

> 4) > 0 .C)I z

• C)0..

C ) 4 ) t c E − • − ; 3 4)CI 4)0..0 4−1 C)0Qc

04) C)C) to

CJ C) i < > ' c u cn− 0E 2 CI 0 > C) .− C) d 0 0−

I−'0

Appendix 1 − Audit Grading

Audit reports are graded with an overall assurance opinion, and any issues and associated recommendationsare classified individually to denote their relative importance, in accordance with the definitions in the tablesbelow.

Definition o f audit assurance and recommendation categories

Assurance Confidence based on sufficient evidence that internal controls are in place, operatingeffectively and objectives are being achieved.

Assurance opinion

There are minimal or minor control weaknesses that present low risk to the

Green Substantial control environment. The control environment has substantially operated asAssurance intended although some minor errors have been detected. Very few or no

improvements are needed.

There are some control weaknesses that present low to medium risk to the

Green − Amber Reasonable control environment. The control environment has mainly operated asAssurance intended although errors have been detected. Some improvements should

be made.

There are significant control weaknesses that present medium to high risk to

Amber − Red Limited the control environment. The control environment has not operated asAssurance intended. Significant errors have been detected. Substantial improvementsshould be made.

There are fundamental control weaknesses that present an unacceptable level

Red No of risk to the control environment. The control environment hase Assurance fundamentally broken down and is open to significant error or abuse.

Immediate and major changes need to be made.


Major The weaknesses identified during the review have left the Council open to significant risk. Ifaj the risk materialises it would have a major impact upon the organisation as a whole.

Moderate T h e weaknesses identified during the review have left the Council open to medium risk. If therisk materialises it would have a moderate impact upon the organisation as a whole.

The weaknesses identified during the review have left the Council open to low risk. If the riskMinor materialises it would have a minor impact upon the organisation as a whole.




Green Less significant issues and/or areas for improvement which do not require immediatemanagement action.

I \Data\INI ERNAL AUDI IWRE 2019−20\IN1 AUD\EducaIon Youth and Conunund,cs\Schooh AttanrnenI Challenge Fundng\A. Report and Suequcnt Corspondence\hnal reportissued 0 3 0 9 . 9 doux

AGENDA ITEM No.

KSHIREOUNCIL


INCOME AND CASH COLLECTION

HOUSING SOLUTIONS/FINANCIAL SOLUTIONS

Contents1. Executive Summary 2. Findings and Recommendations 3. Action PlanAppendix 1: Audit gradingIssued to: Executive Director of Enterprise & Communities, Head of Housing Solutions and Head ofFinancial Solutions Copied to: Business Finance Manager, Customer Manager and Chief Executive.

HeadlinesThis was a brief substantive based review designed to provide assurance on the effectiveness of key controlsrelating to the operation of the Council's cash collection offices/First Stop Shops. Managementresponsibility for the operation of the cash offices/First Stop Shops lies with Housing Solutions, withresponsibility for banking reconciliations and administration of the Cash Receipting system lying withFinancial Solutions.In line with an approach previously agreed with management, we visited four separate cash offices andundertook a range of checks on different aspects of cash collection activity with the aim of providingassurance to management on compliance across the cash offices with expected procedures. We alsoundertook testing to assess the adequacy of arrangements within the Controls & Reconciliations Team('Income HQ') within Financial Solutions, who are responsible for reviewing/monitoring cash collectionactivity and the reconciliation of monies collected/banked.As well as this summary report which presents the key issues arising from the testing undertaken at bothIncome HQ and cash office level, individual reports for each of the four cash offices visited (Airdrie,Coatbridge, Cumbernauld and Motherwell) have been issued under separate cover for managementconsideration highlighting issues arising, including any areas of non−compliance with procedures identified.We were pleased to note that, based on the results of our work, the control environment appears sound withour testing indicating a high level of compliance with expected procedures. We have, therefore, assessed theaudit as offering 'substantial assurance', meaning that the control environment is adequate and has operatedsubstantially as intended with any control issues or weaknesses identified presenting only a low risk to thecontrol environment. We have however identified some areas where scope for further improvement existsand accordingly we have made a small number of recommendations for management attention.

Internal Audit Opinion (see definition at Appendix 1) Substantial assurance (Green)

Organisational impact (see definition at Appendix 1) Minor

Report status FINAL Audit ref 0610/2020/001 Date issued 08/08/2019

Audit Team Jacquie llowden (01698 302185), Jackie Struthers, Hugh Shevlin and Liz Sweeney

daxa\in!mal a a d n 2 0 I 9.20\entcrpr,c and communitic (0600)thous,ng so] aIions (06 I 0)\canh collcnnon 201 9−20\conang\u ,nmary rcport\tinal rcpor* as issued 8 8 2 0 1 9 doc

1. Executive Summary I

ObjectivesThis was a brief substantive based review designed to provide assurance on the effectiveness of key controlsrelating to the operation of the Council's cash collection offices/First Stop Shops. In particular, the reviewconsidered whether:

• All cash/income received by the Council is properly recorded in the Council's financial systems andregularly reconciled to amounts recorded within the cash receipting system and other accounting systemsas required by Service guidance;

• All cash/income is held securely and banked timeously; and

• Appropriate security arrangements are in place within the cash collection facilities to prevent/discouragethefts and to address the safety and security of staff.

Detailed testing was carried out at four cash offices (Airdrie, Coatbridge, Cumbernauld and Motherwell)using a standard audit programme based on the current cash collection operating practices. We also reviewedthe adequacy of the management/monitoring of cash collection activity undertaken by Cash Officemanagement, including management checks on key records, reversals and discrepancies and security relatedissues. In addition, we assessed the adequacy of the additional monitoring of reversals and discrepancies andthe reconciliation of income collected undertaken by the Controls & Reconciliations team ('Income HQ').As well as this summary report which presents the key issues arising from the testing undertaken at bothIncome HQ and cash office level, individual reports for each of the four cash offices visited have been issuedunder separate cover for management consideration highlighting issues arising, including any areas ofnon−compliance

with procedures identified.This engagement has been conducted in accordance with the 'Public Sector Internal Audit Standards'. TheInternal Audit section reports formally on conformance with these standards to the Audit and Scrutiny Panel.


Number and category o f recommendations raised Red Amber Green(see definition of priority at Appendix 1)

0 1 7

Key areas requiring management action (Red)No issues requiring urgent management action have been identified.


• Regular management checks on the completion of key documentation are undertaken by the TeamLeaders at each cash office and by cash office management on a rolling basis throughout the year;

• Reports detailing reversals/correction of processing errors are reviewed and investigated as appropriateby the individual Team Leaders and by Financial Solutions;

• All income received is reconciled to transactions processed through the cash receipting system;

• Reconciliations between the financial ledger and bank statements, which are appropriately documentedand balanced, are carried out promptly after the end of each financial period by staff independent of thecash collection process and reviewed by a senior member of staff;

• Cash receipting and security procedures have been circulated to all cash office staff and trainingprovided on a regular basis to ensure all staff are aware of their responsibilities.

Other areas for improvement (Amber)One area for improvement was identified as follows:

• Some areas of non−compliance with expected security procedures and/or issues regarding the securityarrangements within cash offices were observed during our audit.

ldaia1ntctnaI aodt12019−20\cnu'rprise and commu,,ites (0600)lhoosng solutions (0610)\c,h coIIcIion 20I9−20r.portug\srnm,rv r.port1fnal cpon as issued 882019 doc

—

—

c−)

E

—

—

.—V

c.—N

0

0 U FE E 0 > 0 0 0> 4)>0 4)(2 C4)

o 9r M , , H 0

2 E0 4)CIJ

o •Ec l −

•C_)−

C −−bo

caE_ 4)

00 0 4)0 ••0

4)E

4)4)—

4)− . C,)

> C j Cl) 4)(#)4)C.−0C

−C l ) 4 )0ci

L) ca4) C13 0<L)c

C C l ) —

.0.2 E

6) > 1 t o C/) 0) — 0 0 > 0 ) 0 Q >,6 ) 0 4) —0)

o− 0o l)E4)

8 cu 0 ) 4 ) > Ci−;0−

−00 Q ( 0 4)

• ) C l ) 9)C 4)6)

E −4)

I

ccc0c)2 −

E 0 u uu ca

lID 4) —0 .− 4)0

C)0 E t or

4)

E— C . 4 ) C

CIS uo−000Q

N4)'—C

E − v E 0 vcocrC13

•o

C•—

CKS >0Q

2 CL u 0 7E− 0 tr

0 b 0 C l ) 4 ) 4 ) 4 ) 4)−− 0 C C t EC l ) 0 0 0 −(I,

6) 1o − • C > c0

C 1 3 _ 0 − 4)0 0 _>

.0C.)

E ' 400 cc u zr−C) CISo I − −0 — −

— — C. 0 0 4 ) 4)4)00.0

4um−

C . 4)

O H o°EU . − Cl) C;) > −

(_) .0 0 C−.0 04) • 0 o −

− − − . 0 − •− Cl) LU > − 0) 6)Q 0 0 Q . . o E − . . 4 ) E .0E.0E

2 E'°0 o _ o — − E o

to−E ° = 0

° o>o4−00)

−oH.−o'

(zaOC−.

O >0Q0 vCl) 0—ojO 2 . 2 o H

0 x —C13 L0

( 0 0 . 0 0 C l ) 0 C C C l ) 0 •

C−4)

—

E

0

C'

—

r'

0−C0

a t0

>C)

0ca

Eo00

cd

C,)

. 2 C ) o ° 0 CIS'n CIS— 'd >

=UCc:0

= °−o2 • 0 o.

C) 0 C ) o E C> C) C)

lu 48 21

i

= =V

2 2 coC)

o• i Eo

0 E= − > − c

EE &).EU0 <o.9cu

co En Lnto t: coi

o C 0. .

Li 0

— > V 0 C) —c0VE − L) −

0

0 0

co00C) C)

E

C) >>−.

0 C).−0>

C U .

. . C V − C C ) Vr−cuU t −o .2 U .

QM C°90 0 C) _ . . 0 C 0

C)C

—C)

!cc, , i2 E

E—eC oOVoC)OC)> 0 0

•C)

VE − o −o

0 ( C c C 0 — Co0.nce

C)co)C

C) C) 0

− .− o C −

E gC 0 0 0 I C 3 Q

w T"

C

——C

EC

I

= C ' C'− C ' −. = C − C

cn

0 0 .

mN C NN

− −E − E0 4)

−

0 4 ) Q "−o

−− —

0 −0

4)(

o 4 ) 4 4 .Q J 4 ) 4)0' I ) −C_.−4 ) c 4 ) 04)C

4 ) c o o —totn>1c u

c u . Ipi. >.4)0

E E4?o C I o <2

0.− 4)l4Cd Q − C • Q ;−to

2 E 4 ) 0 ) O C 4 ) ej− _−CCJ

4? — O < o I Uoci4c._

ci

CU cu 0

p

4?

.2

. −−v

−.2 −oC04.>

= ( 4 )4)−4?

E • − o oE© 3 0 o

cd C4)2

−. 0 . −−C U . _ L l ) c 000cc.0.cu

CU 0

0 CU49ci

cu cu

Cd

cz

−C

0

c

H..E.

I, 0rM 0 4)4)6)0

4? −=•.E C,3• .

)0.

Eo.co 0

cuI−.

.— 4).−,4)0

E > E= 0

4 ) 4 )LL

I 5 4)4)64 − cr)

− 0 − 4)0=

− a0

CA 0

CIS

L16

0 • 0 ..... −0−C4

L T . 4 ? ' − 0 . . E..

o 0

(#D 0 . 3 L I . . c 0 0 CU4) = −

.E E

W m0 6 4 4 ) 6 ) 6 4 4)4)U4

c 0 ( / ) . c 0 0 ( 4 c − ° 0E S

r − 5 : c C Q oEi − . 4 ) − o 4 . 0 0 . c − 0 rIVE,4)cU0 E 2 H o o H O c,.L) 0....−

0−..

64(4 4)

(4 0 . .E S • S • S

I,.'

—

E0.0

I

− 0

4)

− −. 2 2

PI . V0to

.04).9 r•9

0 0.)000° >−00 . >

>

_bt

> c 4)−

4)− −'−4)

− 0 . 0 0 A 0 ( l b))E − − 0 > − . 4 ) O4) = −Q) .0

0 1 − L J 0 O − Oi−1−r.

w − 0 4 ) − 0 2 1 − "g _ − # )

4)0cH H Q 2 . −...

00

o

. 4) 4)

o 4)•

−0 0 o . 0

0

−V.01−0

V.2; 4) _0

0• − ) − E toto

.0

C4)EE c i o CIS 0c−0

OUbo toto 12

01−4)•9.0O4)

Q1I

> 1 − > 0 4 O 4 ) 0 44o .0.00

00Oc

E o0 . .

0

. •−−20 c 4)

o04)

C13 m

M ca

01 0 .0

t−.0

.0

0

V . 0 4 ) 0 V 4I00 . 4)00.0

E ° C,

− . 0 E 1−

C 4 ) 4 j

. . c.0Co.−. 0 000

4; o b 0 0 0E00.0 − 0 0 . 0 (l 0 9 otoL. C,

z2•0.0

Ca4)0

0 03 C13 0 EE—ejI,

0 0− 2 4)

0 00cvj4)

V 0 1 • _ 0 ° 0 0 ° . 0 004)2

4)EoJ0>___

WT F

c−)

E

C)

0C)

—

. − 0 0'

cdCU

—0 0

− rl

−C) 0 0

C)C)C) 00

=0

−o−oC) ( C C I D1−0. C) 0 . C)

−j _ 0 C)C)

>− E −o= —0.− — o 2E

0C) 0 ued

C))

= C) C) co>E − o 2 >C)CE14

VD CU

0

_JL)

−C C)0 C)I−C

− −:1−−.0.0C ) E > C ) _

− nC

()C)In

1 −>'C) .0

− ° nC i − . o b 0 . D ,c i .− c z z C )

caCC− − C ) c E

o > o > − C)= .0 (

C) —C ) n n • C.)i

c0

− E°0−−O 0 C ) 0 . C l C C ) . _ C C L CIS I nuc

C ) > . 0 o0.0 tnC.

C) —C ) 0 0 . 0 C . co m.

CIS 0C).E g ' — .> 0 o.− 2 E −C13

− C)• 0 . C ) 1 − − >CCC C#CC) C ) C )

− C'0 cbI) C)

°cqE

•— CISL)

C) C ) 1 − − 0 CC)0

Cn CIS C)

i−.cc

I t i n 0ZC)C)© 0 C ) > CC)cc

Cd C ) 0 .i − 0 . — . 0 C )

•C)C1.0

CAC)L_..0

C ) t >U

.0

u CL 00 E>c o ' 2 J ) 5 < .0

C ) . E • — C)C)C)

Z:I r o _ r . O =•cc>0C)0

0 − C ) 041 ' I U o O C) −.0o . E o o−−

0 nC−01−

1−C) 0C) .0z •C.—C)0−n= . 2 0 0CC)

C) −C)

−( j C ) 0 C.CL

C) C).0UC I S C ) C ) O cn3 C)nCl_•

C) 0−O

0 . > — . 0 C) C') C ) C ) >C) C) C ) . 0 C ' ) ' C C z O 0 C S

. C)c')C)−01C)−−−_ i − 0 j C ) − >C) 0'−1.

C—C−−

el

"C

C

Q—CL)

U

EC

1−1

.,

—

C

.−o_—

E − −0

P

> 1coo

= ))..J.c: 0

−. w−2

L−−. .−JL) H

Gj

Ojo > 1 In

• ç

− ) )−o o

I−.

CU

cts.2

—−−E

>0E ci ).—cl

E to

0 −Q

E0

—c.−o o −

72

cu 0

U )

.2

• E.

0 . — . U−Z o U

to−

cIU

t oI − DU

— O U O j−

•)UCS

o'.— c' v−i

. −o− EvUOHUE

—U.2z Ucc U_Fm

− •E 0 −ca

> ' v 8= .E c −,.d E

U

o −

U 00

00





Assurance opinion


Green Substantial control environment. The control environment has substantially operatedAssurance as intended although some minor errors have been detected. Very few or

no improvements are needed.



be made.

There are significant control weaknesses that present medium to high risk

Amber − Red Limited to the control environment. The control environment has not operated asAssurance intended. Significant errors have been detected. Substantial improvementsshould be made.

There are fundamental control weaknesses that present an unacceptable

Red No level of risk to the control environment. The control environment hase Assurance fundamentally broken down and is open to significant error or abuse.



Major The weaknesses identified during the review have left the Council open to significant risk.ajo If the risk materialises it would have a major impact upon the organisation as a whole.

Moderate T h e weaknesses identified during the review have left the Council open to medium risk. Ifthe risk materialises it would have a moderate impact upon the organisation as a whole.

The weaknesses identified during the review have left the Council open to low risk. If theMinor risk materialises it would have a minor impact upon the organisation as a whole.





:\da1a\rnCeral audn2019−20\cnterprsc and co,nmonncs (0600)\hnasrng oIutions (0610)lcanh collecoon 2019−20\rnrnng\sunmar rport\6nal ropon as imued 882019 dcc

AGENDA ITEM No.−3_ −−−−−−

RECIL


[ M U S I N G BENEFIT REGULARITY − NEW AND AMENDED CLAIMS

Contents1. Executive Summary 2. Findings and Recommendations 3. Action PlanAppendix 1:Audit gradingIssued to: Head of Financial Solutions, Incomes Manager Copied to: Support and NDR Manager, BenefitsManager (Operational) and Chief Executive (when finalised)

Headlines

This was a brief, substantive based review designed to provide assurance that the Council has adequate,robust and effective governance arrangements in place for ensuring that it continues to comply with relevantlegislation and DWP requirements in respect of new Housing Benefit applications/claims and changes incircumstances.As part of our work, we undertook detailed testing and re−calculation of a sample of successful new claimsand a sample of amended (Change of Circumstances) claims selected at random from the period January toMarch 2019. In addition, we reviewed documentation held to evidence that the expected level and type ofmanagement checks were being undertaken and that appropriate actions were being taken as a result.The results of our work indicate that generally, the Service has in place arrangements to ensure that onlyproperly supported and eligible applications for HB are being approved. We were also pleased to note thatmanagement checks are being regularly undertaken to review the quality of decision−making and ensure thatonly properly supported and eligible applications for Housing Benefit are being approved. We do, however,continue to have some concerns at the higher than expected incidence of non−compliance and error in theprocessing of new and amended claims identified by the Service's own management checks and by this andprevious similar Internal Audit exercises, with the identified error rate being significantly higher than theService's performance targets.Overall, as a result of our findings, we have categorised this audit as offering 'reasonable assurance',meaning that while the control environment is generally operating as intended, there are some aspects wherewe consider that scope for improvement exists and we have raised a small number of recommendations formanagement attention.

Internal Audit Opinion (see definition at Appendix 1) 1 R e a s o n a b l e assurance (Green−Amber)

Organisational impact (see definition at Appendix 1) Minor

Report status FINAL Audit ref 0220/2020/001 Date issued 04/09/2019

Audit Team Jacquie Howden (01698 302185), Paula Hendry and Hugh Shevlin

i:\data\intcrrral audrt\20I9−20\f,nancial solutions (0200)\revenue solutions (0220)'housing benefit regularity − new and amended ctannrs\rcportrng\linai report as issued 0409 2019 dcc


ObjectivesThis was a brief, substantive based review designed to provide assurance that the Council has adequate,robust and effective governance arrangements in place for ensuring that it continues to comply with relevantlegislation and DWP requirements in respect of Housing Benefit applications/claims and changes incircumstances. In particular, we considered whether there were appropriate arrangements in place to ensurethat only properly supported and eligible applications are approved and the amount of benefit due to eligibleapplicants is accurately calculated. In carrying out our work we considered the following key controls:

• Claims assessment is compliance with DWP requirements, including supporting documentation inrespect of liability, residency, identity, household and non−dependents and rent payable;

• Calculations, start dates (including backdating of claims where appropriate) and end dates, whererelevant, are properly calculated in line with current Housing Benefit rules;

• The Service is undertaking the expected level of management checks on claims processed and the resultsof such checks appear satisfactory; and

• Payments are properly recorded in the Housing Benefits system and financial ledger.Work undertaken as part of the review included detailed testing and re−calculation of successful new claimsand amended (Change of Circumstances) claims (including both notified and unreported claims) selected atrandom for the period from January to March 2019. In addition, we reviewed documentation held toevidence that the expected level and type of management checks were being undertaken and that appropriateactions were being taken as a result. This engagement has been conducted in accordance with the 'PublicSector Internal Audi! Standards'. The Internal Audit section reports formally on conformance with thesestandards to the Audit and Scrutiny Panel.


Number and category o f recommendations raised Red Amber Green(see definition of priority at Appendix I)

0 1 4

Key areas requiring management action (Red)No areas requiring urgent management action have been identified.


• Relevant legislation and DWP guidelines are embedded within the Service's operating procedures andwritten guidance and these were generally being complied with;

• Awards, start dates, effective date of change and end dates, where relevant, were found generally to beproperly calculated in line with current Housing Benefit rules;

• The results of management checks are monitored and reported to key stakeholders and fed back to staffto ensure relevant actions are taken as appropriate; and

• Reconciliations between the Housing Benefit system and the financial ledger are undertaken for eachfinancial period.

Other areas for improvement (Amber)One other area for improvement was identified:

• There continues to be a high level of non−compliance and error in the initial processing of new andamended claims, indicating that further training requires to be provided to housing benefit staff.

i:\daLa\intcrrui1auditQ019−2G\financia1 solutions (0200)lresenue solutions (0220)thousing benefit regularity − new and amended clainss\r.portrng\1,nal report as issued 0409 2019 doe

—

PCCa

E

z

ICa

e −

P rnCbO'−V4)Q4)

4 ) 4 ) _ i z

> f l 0 )c°

_• W −

. . 4) '− 0 • 0 − 2C13o −6) C I ) > • 0.

•IC4)0 CA> ° 9 .−4) cl)

o g − 4) > − I − CE

6) . .−u•sc)

4) 4)=bDS4)0

Q

4)

L..2 E06.

"a > 1 bo u V to u 0 0 4 ) d − 4 ) d − . 4 ) c − . 4) dId b 4 ) 0 > dId 4)

o −5 as , 0 0 d I d did

o dlC0 im. aj0 . .

C) c o 0.C . . − '

− •_F'0 . − . .V0.12 C

ca u= − ' 2 ° 4)

0 CZ− . 9 4 ) . 9 dIdC.) 4) 0 Idd1,04)

:flo E I−.dd−C)

4) 4) e − a a g

to E C )did

g a E > () c >0$ _ . _ 4) • . 4) c2 0 (

ci

4) 4) 4)62

0 as cu

as−

E 9a0.0.4)00

— — 0 . > 0.62 4) dId 62 0 . 6 2 6 2 6 ) ....

I m nco

>..Cc=tYssC14

=cmEa004)— 0 co — 62 4)4)

• (0 r1 CO.−E 4 ) 6 2

− − −0

− 0 0f l • tdOd/C

• 0) • d _3 o coCL

4)E o −o c.−d: 0•− E. ! − −4 ) • — '− E

ECL ci (2 0 •/d 4) •2

E . E — − 4 ) 0

0 6 ) 4 ) > '0 . .

−− c 2 as

_ 3 . − • Q _ −rid4= E 0 0 O C 2 Q ( O —

0 . 6 2 4 )ccL)−

L 0 E 00 2 U Q. 4)CL X LV c a 0 . 4 ) 0E=

150 . v 4 ) 0 _ 2 C.) 0 . 6)0o did 20 = CO − 0.= CO −rid cO0E 2 0 . o 4 ) 4 ) 4) ( 2 • 4)

ob 0 −2−6)

(0 4)cu( 6)−0 4 )

.−.(2.0•8as 2

CKSE EE

0 CO0 4)

4) 4)

= t −i > ' uca

9t0t> 0 0 4 ) 4 ) 0 80 0 4) CL5I— 4) 4<I − t 0 0 CO E 0 . 0 − — − 0 4) CO

62 0 . • S •0 dO CO . — . 0 0 0 . S • • S S

6) —

—

E

z

I0

=

0

C C

0EV

V V—

>. _ c − a s

MV — ,z

− 9V0 V0C

. − c9− − ..c c= 0

VE O .−o

U −−0.0

V−−

. c ©

z V t o V 0 V V V V V E V

.E . 9 E − − − −

0

o 0<

−− V._

V I −V

E −E V−o

−−r00

E.0Vx

c VI . − c . −

V=0 V >V 0

V0V Q V C U uV E −o − − − a − −oV

cts −E o V o−53

(_) ' −0tu;a0— >o−0_

V V 0 V V 0 V C d.E0−'.−.O :_0 V 0 I− 0 0 CA= c Q • −c−V

( f J o − − − o V0cu

0 . o

−o

FECVV=.

0 Vto−0V V− c,C'sI−co

V=V− 0

cV _

V V V V_ 0 o.V

C,3 mVV E − ' V Q V V 0I)VV > 00—I − . − . = 0V V V V 0 • _ _ < 0V V 016Eo .VV00. V O 0 0•−V V OVVOV

=V0E

− −

N

—

E

z

I..

0

0

.2 &.cccc w N.0

— Cl)

V

0 ......V

V −. 0 −

V 0

9UiV C−) VoE

V°

VVtV L L . c a ZZci

to

pV

.9

CIV

0−CAco o co 0

0 f ) I>#

V .E ' A toO

V ifl−V liflHIC

In

D

0 − −

LJ

V 0 C # Q 0 VV>t CE

r r00 0 V V V C .− . V

−0V E−Vto

a • b ••−)

V 0c' 0.;−:E E X − V N Vcc 0.

. 0 C . è O QC' , UP

. C .− C ' s V

EVCA CaV

Q.E c − V0

−V v V ' V .9En

C C O o

w Ss? ° E − V 1 0

uV V CID.D

0. 0. − E • •0 − e 0 ca

I−V0E C 0 . V V VQ0 Q0 − I V . o E V 0 VV C o o Ev

V . − . C)VVVI−EV V c a V E V V

cu CdC E o . oco0V

V 0 0 00 − −a s 00:3fn

V

ell

—

E

z

I

I

—

C) N N

N—

EC)

—

Co

C)iIIC)

0− 0 oC)

C COC)C

•0

(•C)

Cl)C) al• C ) C ) C ) C)

−• C) C) − I) EC)

E o m m=o) Cl)C)C) OC)9

0 C)OD 0CCl)•Oca

0C) C) 3 =−

c

−C) C) C ) t C)C)C

C) C)C)C)au0

− J c # U . 7s z u −F−pC) C)

0 C)• çj

o•

− C) − C)− C)

tr 10−C

cu 0C) C)

C) C)Cl C) C)OEE O −

. C).

ü C) 0 − E C) C)

C)oCC 0 0 0 CCC)

C) 0 C) O >− − . . C) C= . 0 0 0

C)−

o C) oo.00 CC. _ • C ) • 4 )C l C f C I 0−CISad

• O C ) CC

− CCE— • 0_C)

> − C)— CC − • • − (C −

H CC 0 − 0 . CC CC −

−ECC °

ca 0•;L.Ad

0−C)•

o C C C ) 0

9 (C•C C C l (tCC

0C)C) E

E= − . > •

−C)

4 1 C C CCC)

: t oo − o o . 2

−C)

• 5 C .− 0 −−= CC

En

− 0. − o. EEC' CCC)

1.0 b L −

•0 _ C # D−

−C ) C C (C(

co 0 −CCcc 0

o • • 0 C ) 0C)C − 0

(r'

'I)C) Q . 9 C−−l−−0

C ) C−•−o0CC(C.E

50 C ) O o − . 00Cl)−

• − ( l ) C ) CC2

>C)bO−.CCCC

ca " C ) 0 .C)0OC)

6 r as cu

w T− −

−'0





Assurance opinion






be made.







Major The weaknesses identified during the review have left the Council open to significant risk.JO If the risk materialises it would have a major impact upon the organisation as a whole.

Moderate The weaknesses identified during the review have left the Council open to medium risk. If0 era e the risk materialises it would have a moderate impact upon the organisation as a whole.






\dat\intcrnat adit\2OI9−20\fi,,a,caI soutjon (0200)\rcvcnue solutions (0220)\boos,ng benefit mgularity − new and amended claamreporting\final report as issued 04.09 20 l9.doc

/(±NDA ITEM No.......

KSHIREOUNC1L


IT NETWORK CONTROLS

Contents1. Executive Summary 2. Findings and Recommendations 3. Action PlanAppendix 1 :Audit grading Appendix 2: Areas where arrangements require to be further developedIssued to: Chief Executive, Head of Business Solutions, Head of Financial Solutions (item I only) and Head of People andOrganisational Development (items 4 and 9 only). Copied to: Service Delivery Manager, Information Risk Manager andChief Technology Officer

Headlines

The purpose of this review was to provide independent assurance on selected IT network controls (networkadministration, patching and back−ups) in order to provide assurance that the Council has adequate, robust andeffective governance arrangements in place to support the operation of the Council's IT network. The reviewinvolved assessing the adequacy and effectiveness of the Council's arrangements and processes against goodpractice, as well as relevant testing to confirm that the controls were operating as intended.The Council recognises IT security as a key corporate risk and has secured Public Services Network (PSN)compliance and Cyber Essentials certification which demonstrates that the Council's IT security arrangements,policies and controls in place are sufficiently robust to allow interaction with other organisations connected tothe PSN and to protect the network against common cyber threats. As a result, we were able to place reliance onthese externally inspected accreditations for some areas (in particular, aspects of controls in relation to firewallsand anti−virus protection) covered by this audit.Based on the results of our work, we have categorised this audit as offering 'reasonable assurance' meaning thatwe are generally satisfied that the control environment in respect of network administration, patch−managementand back−ups appears generally adequate and is mainly operating as intended. However, we identified a numberof areas where we consider management action is required and/or scope for improvement exists. These include:

• the Council's current Cyber Essentials accreditation expired in June 2019 and although the Council is activelypursuing re−accreditation, this has not yet been achieved;

• although the Council has a range of information security and ICT policies, these need to be reviewed to ensurethat they remain up−to−date and reflect current corporate expectations, good practice and any relevantlegislative requirements;

• there is a need for more/better training and information to be available to staff in relation IT security issues,including cyber threats;

• formal testing of back−up recovery is currently limited to 'Gold' applications and does not extend to networkdrives and non−Gold applications; and

• there have delays in introducing Security Incident Event Management (SIEM) software to provide real−timeanalysis of security alerts.

Our review also highlighted an issue, which although outwith the scope of this audit, we consider sufficientlysignificant to include in this report and which needs to be resolved urgently. This issue, which we havecategorised as 'Red', relates to the Council not currently being compliant with the Payment Card Industry DataSecurity Standard (PCI DSS). This creates significant operational, financial and reputational risk and couldultimately result in the Council being refused access to accepting card payments.

Internal Audit Opinion (see definition at Appendix 1) Reasonable assurance (Green−Amber)

Organisational impact (see definition at Appendix I) Moderate

Report status FINAL Audit ref 0900/2019/017 1 Date issued 11/09/19

Audit Team Lesley Armstrong (01698 302181) and Paula Hendry

L1t)aXaIJNTERNAL AIJDIT2019−20\BUSINESS SOLUTIONS (0400)\ICT (0420)\IT Network Controls 0900201901 7\Firnlings and RepOrlWinal reportdoc


ObjectivesThe purpose of this high−level review was to provide independent assurance on selected IT network key controls(network administration, patching and back−ups) and whether the Council has adequate, robust and effectivegovernance arrangements in place to support the operation of the Council's IT network.In particular, the review considered the Council's arrangements in respect of the following:

• Has the Council established adequate and effective processes and procedures relating to the administrationof the Council's IT network?

• Does the Council have and operate adequate and effective arrangements in respect of patch management?

• Has the Council established appropriate and adequate processes in respect of system back−ups and is thereevidence that these processes are operating effectively and are consistent with the organisation's businessrequirements?

The review involved assessing the adequacy and effectiveness of the Council's arrangements and processesagainst good practice as well as relevant testing to confirm that the identified controls were operating asindented. We also considered the Council's arrangements in respect of progress towards complying with theScottish Government's Cyber Essentials Plus framework and reviewed recent relevant self−evaluations and theprogress of any outstanding improvement actions.This engagement has been conducted in accordance with the 'Public Sector Internal Audit Standards'. TheInternal Audit section reports formally on conformance with these standards to the Audit and Scrutiny Panel.


Number and category o f recommendations raised Red Amber Green(see definition o f priority at Appendix 1)

1 6 3

Key areas requiring management action (Red)One area requiring urgent management action has been identified:

• The Council is not currently compliant with the Payment Card Industry Data Security Standard (PCI DSS).This creates significant operational, financial and reputational risk and could ultimately result in the Councilbeing refused access to accepting card payments.


• All IT users are allocated a unique user ID which is linked to a designated profile to provide access to onlypermitted areas of the network. Access to the Council's network is through a valid user ID and password.

• Requests for changes to users IDs and profiles (new users, amendments and removals) are only actioned upona formal request from an authorised person.

• The creation of any new admin user profiles/access requires to be approved by the Security ManagementTeam. The IT Security team receive email notifications of these amendments, thereby enabling anyelevations which have not been approved to be identified, investigated and removed as appropriate. TheInformation Risk Manager also undertakes six monthly reviews on all user accounts with admin privileges.

• Wipro undertake monthly 'floor to book' and 'book to floor' checks on corporate hardware devices toconfirm the accuracy of the hardware inventory, updating the inventory as appropriate for any errorsidentified.

IData\1NTERNAI. AUOIT\201 9−20\BUSINESS SOLUTIONS (0400)\ICT (0420)111 N.twork Controis 09002019 01 7\Fndings and RcporOFnaI rcpotdoc

Good, practice identified

• There is a corporate process in place for the disposal of IT hardware devices and this appears to beoperating as expected.

• There are various firewalls within the Council's IT network to protect the network, systems and devices.There is also a contract in place with an external company that allows penetrative testing on firewalls,with any issues or anomalies arising from this testing to be investigated and appropriate action taken.

• Anti−virus software is installed on a central server which manages the server and desktop estate and allnew devices have anti−virus software installed as part of the build. The software checks for updatesnumerous times throughout the day and Wipro receive reports detailing any errors or issues on a dailybasis and these are investigated and resolved as appropriate.

• The Council has adequate and effective arrangements in place in respect of patch management. Patchesare applied automatically on scheduled dates and compliance levels are monitored by Wipro. Patches areprioritised in line with Cyber Essentials guidance with patches arising from known vulnerabilities beingdeployed immediately, high risk and critical security patches being deployed within 14 days, importantpatches being deployed within 30 days and other patches being deployed within 90 days.

• The Council has adequate and effective arrangements in place in respect of system back−ups. A fullback−upof every area is run automatically every night and data is backed−up to one of two data domains, after

which the full back−up is crossed over to the other data domain. Wipro are responsible for managingback−ups and undertake a number of daily checks which include reviewing auto reports on failed andsuccessful back−ups and taking remedial action as appropriate on any failed back−ups. IT staff receive adaily back−up failures report.


• The Council's current Cyber Essentials accreditation expired in June 2019 and although the Council isactively pursuing re−accreditation, this has not yet been achieved.

• Although the Council has a range of information security and ICT policies, these need to be reviewed toensure that they remain up−to−date and reflect current corporate expectations, good practice and anyrelevant legislative requirements.

• There is a need for more/better training and information to be available to staff in relation IT securityissues, including cyber threats.

• Testing of back−up recovery is currently limited to 'Gold' applications and does not extend to networkdrives and non−Gold applications.

• There have delays in introducing Security Incident Event Management (SIEM) software to providereal−timeanalysis of security alerts generated by applications and network hardware.

• A number of ICT security related projects have been delayed and/or not progressed due to resourceconstraints and/or other priorities. Management should review whether the associated risk exposurearising from a lack of implementation of these projects is acceptable.

I:\DataUNTERNAL AU[)IT12019.20WUSINESS SOLUTIONS (0400)\ICI (0420)\IT Network Controls 0900 2019 017\Fndings and ReportFinal reportdoc

N

a'

a

aL)

a

z

a—..cJ

eli

= —rl4)

.0E − E

20.4)

−

CI 0) − )

U 2 . 0 2

C.

0 ) 4 ) 0)_c_). 0

• 0

4? 4)E−000

IM I m i . Z ° −O−.

−−

.oE4−4?

E j − C,D0 ) c I D ..

01 co c d C 3 0 C C 0 . −EC 04)20O

o c 0o

. _ : . Q O ) >I−Lc ' 3 0 . _ Q . o : : )<

−!

Cl) 0 − C/) — Cl) 0 c L. < c . 4) 4) C

. •003.

CUas r

− C

0

cts75e=

Cl)−0go4?

0

E o— 4)

4)4?

cutb

—to

0 C/)i E

I1Thn −C) −ca cz 22E

U 4)0 −0

CL. . . Q − −

0 . • E . > u>. 0 ) − 0 Q −

C)Cl

0

CL 0

Z.. . 0 Cl

. E. .

Cl C 0 − 0) U 4) 0 ) 4 ) Cç/)4)Cl, —

.l)4 ) 0 c lE6. cud

Cl) CL ci, 0

− Qcis0

4) ce..4) −

0 L ) 04?Cl4−4)

.4)OCdQcd

Cl0 C l

00.:

3

0 . Cl— o?Cl0ca

0

as 03 E −a . 0 ° Cl4? E X

co0 c ) .i[0T−−

NON—

0

0

0

z

0

C

.−Cl−a)

N

NE0C)

to 9<−00

a)Ccla ) 2 a)

Cl) −H E o

−a)

E 0 0 . 0a)

cu

U.a)

0 − •1010N a)Eooz

a)L u . 2 . o o.

a)T .0

a) 00 a)CO

o)

()a) u 0 clto I − . − > −

to •0CL

o O C)0.

CI)

E" c i Q

a ) CI).ZnLu

LU cea) rI

Cl)

−CL0 C> ) C)

0 • − ) I−ca

cu

a). 0 . − . − . C•..

C.) −− .

o 0 a) a)I−..

.. a.a)t0

−

QCL)a)0LJ−cl

9 a ) a ) a ) ECU 0 cu

−0 .. I)

c i 0:−

c i a ) j C l .cu

ci oL) −— 0.−−ao

chCI) C l 0 . C... 0 Cl) CI) CA

n 0 . > LI. oC . ( I ) C . O a)a)O)a− o E ° . a ) 0 ç5

. 0) −a ) E

ia)V >.Oa)

c i N_ a)( E 0 0 Ha)a) 00 '0 > 0 . − c i

• 0 LI.al

.

g).

−a) a)

o E E a ) a)E.0a ) 0 a ) . 0 a ) Ci c i 9 a ) W a ) C i 0 0 L J 0 0 . a ) Oa) C Z 0 C) c. − 2 . 0 a)

Q 0 9 oo >−. o_o?a)0 . 0 0 0 . 0 1 − a ) .0

0 . − .1 aiCl) 0

r .

C I ) 0 C i a ) . 0 O−−LL 0 0 . E

=ia)CVEa) −

.a ) 0 . − C) 0cE to i a)Im CI) C) 0 . ci'C)0Xa)Cl . 0 C ' > C) 0

cc u H o c i oLu . a . a)

N

a'

a

ac)

a

Vz

0−4

V

a

aI'

0'0 a . —

U U. 0 .0

E.

U>0 Uz (I)

— ' o Cv0 . D C 0 0 c 0 0

ca oC,AV U − 0 • o 9 0 U >OD vCM.0&)U

cn_ uU

0 > E UC) − >U

o c C . ' − U 0UE2U CU U0rqCID U 0 i

a− − o. . 0 ) U 0 − > CU0to 2EUUC) .0

EU− b E .0.−U0

C C ) U U U0 . 0 U 0−ca 0

•a −

o UUE U 16 2.2Vcu

a−0.0

N _ U C) E H — 0 . 0 _.•OQLl •:

as I n C < E − E 0 0 −c (.Li . .0 OH CU

a.•0

VV

00− .E. o 9 C)Inu> C. C)O C)j

− Ce—.

Q 0 C l C U o o E c °EEn UV C ) U . C) U U0−−oEo. C) UC

U 0o −V Q C ) Q C ) > UU0.(Qv CO o .

Erz−UU10 . E b

0H U C L 0 EC

− 0 U O > U U .OU.UOU O U 0 > C ) 0 ..0− I— 0

> I− −Q C 0 0O>0 U−U−— • − I..

0 > C) C) 0 00H o. C —C 0 U 0. 0C OUOL)0 0 0 Oc ( C >—

V V_−.0>'−0

a. OJç0.. as co

. 0 o>• o H 00 ( 0.−Uta.o0 3 0 U 0CUEUUC.−− −C)C UC0E V . C 2 CLo

_ nCV0 a . V U U −o

V O• U 0.V O OUE01

ci)

—

C

C

LuC

=

C

C

cliriclq 0 0−

V V VI − —0.

— —,

− gQV o

0 V 0 1E−d'O 0 V>VCl)

V • OJ4 t − 2 − z − ' —V '−2V ' − 0 . 2 V V

V ) • 0 V − 1.2'S.—e 0 O V ) C V 2

>.. − > . − 2 .2V C10 VV−ft

I−o220 V−2°

V −0 o 9 − crs1

> 0 > − .ci)u CIS CL CqC,3E V −V U E o c ' i − V 0

Cd

H . — − f . − −t −c N bO 2 t . t — 00 L)

V . 2 − E 0 v 0 0 0 . V0 − 0 0> V20

H " VtVcucoE 15t_

H . t c U c 0 o v H 0 V 0 ci) L.. 0 c o. o. Li.. 2 H Cd 0 .0

• E

−.0ca.VZO.0VV C,3 v m 2U 0 o CC)Co 3 . t V , ot C

> C− V 0 C C... 0 c.. 0c 0 t C . . 0 C V −−C, C L c . V >

Cl)

.Q b ) I n cd

0;

C V E o > 2 0.0.V V 0 V 2V c.i0E

E ..HVBft

V CC −CAV − 3 V . 2 C .2

00ci. •t._0 VE " . . . . o

C . . . t 0 co

V C − . − . . V . C . V 0 C V C 2C−— 0t(LLJc0.>C00V°2V— V t • V :o 2

' V V C− Cl) V >,

CCd)CC V u C , 0C−' ri)VVt . Cl) CC)

CLCL

C d ) t C l ) ' VO0 2 0 0VV.—cClV . 0 _ C l C− .0

• 0

V−C

E

.−−

V 0H 2 0 .H

— 0

cn2

000 ttVC•. E

• _

0 • Et > f 2 o ff3

• —.−5VE

V C) V otEoCl) >—0 U 0 V t H C) — ) C −Cl)Ct3−0 c a _ 3 • _ 2toEtt2C−

> ,V 0 . 2 C − V V V •

CU VQOf3C) VC... O V ° . O . t Q 2 t

Va... 0 . 2 0 0 6 t 0

C13 N V V U C) V V V VC−V VV,)cf3Qf3f30

ff3 − ff3

I−

N

=C

I.C

z

=.,

C

=

C

.−•%4?

—

CA

cq

a)

ba&Ca)s.0Cda)0a)

C) Cd

0. co EH.o'ti−−

4? cia)cicI− a)a).

− a)− a ) > E2

−−

− — a)

03

Do0 )0.

−Cd•Cd

a) 0 C) Cd.00

Cda)

I−a)

I . •

.9 E

a)−

−−a)− O − ° • 0.

I−a)

o a) Ci

CiC)

aooa) W;' r− lc 7iciE >

E0

x CMa)

CC CL 0

u

a)

C) a

C)

.2 − C) c, 16

Ea)ciE 0 >'

— Oa) cdI − I . . 0 . _ CM 0 − o CdI

CM"9M.

− : i a)0 Cd 0 . 0 0.

Cd C) 0

C M I a)a)a)−0.a)

ci(dc i − 2 0

vi(do 0 . ? 2a? Ci00._

ca C'sC)0.

C) 0.f_.

— 0 0 CMC ) . 9 E − − 0 o . . .a)'−a)

C ) o =3 cdCd' o

U0. ca Q−OC)a ) C M CM C) a) — Ci ( ) 0.

a ) C ) 0.a)Cd

a • ' − o o ° o − E . − '−0ciã.0a ) c d 0.E0o..0

− Cd Cd 0 a) 0 0= 3 E− 0

Ea ) E CME_a)− . −− E 0CM

_a)I − > CM72

cauCM to CMa) C) o o >0 . 9C)cCMECd

0.

a ) — − C )

Q . Cd −— cu Cd

cu U 0 . 0 . Cd 0. −

C.

kn

F−.

It

It

z

0

0

eli

C'

C.r '4 0

I−.

.8 .8E E2 C)C)

>C) C

Z—

0 9 C r C CbOE

•<tv Ctz

C cd a C−

C)C

.

C . 2C).−.C...

C)—•−

. − . C)

0 CC • − C — ç / ) C ) CC)C)

CI 'C C)O r − >−−

..—cl.−u r4C)

C)

clca

I−..

•C EC

CC)

− − — 2

C)()• _ _ > ; E

− OC(C)

.. − C20− _eO — C C)

qj. −0 C ) − 0

−2

E −

tt − 0 . − .

. C.) V C &EEE )

−

C)C) C)0

C,,co toE

o oca ca 41 C) L i J C C i . C)01C)

C)C ) C C)

cd Ecn

cn

Cl

C)

−CC)

— C..

C) C

— u Etr.

cts461) −0 IcnIs

LI•−

oca EC., C)

U _E''#D a O3o

0. 0 0 o >

EE > d C _ C C v i o2C C= C) I ) 1 —41A mC.....

r. 2 − 0_C"C

Ma E C) C) 0 °−EC 3

_ 0 ( ) C ) 0CI)C)QC)

−c c . t . c , .€ ,,C) C) C C) C)

0 −r i d C •

−0 . > C ) o

p CJ>0CM

20 C) −. c CM— −. .0 E Z

N

r1

0

0cu?

0

z

−

•0

0

0.−eli

−0I—Cd

Q−oC)

I−.•

0 12

C)Qn−o−EtnEC < . . O •

−ocoj2

.9 .−_CdC ) 0 Q O C ) 2 v C)0CdCd

. 3 E.co

− _>a) .0E

C ) = •'0a) Cdt:

− c i 0Cd.−bU0 (lC.InmEQCda)Qa)

a) — :6−E ''ad C)

C)a)C)a)

Cd −0 c l , 0 V • aa)

L_Q

a)I − .0

E

Q C ) C I C I C C)4)C00.

. c n 0 0 . 0 − b − . C)C)Cd− __o.Q_ '0 2•− >0.zE.

0 0a)CIC

CIC C)E − 4 − . . _0C)>

E − .•b

ococi 0 3 i..a)

C)0> 0 −cl−S

3 − C_ . . to. 9

0 Cd

l z cu

o >• • — c d O C)

. − . t o 0 — .0 . E3C)C)o

. 9Cd

a)OOC#CQ

• a) 1 t 0t O > 5 C ) .0'00

E−−−c

C) •−.

CdU V _

• C d C ) 0 U°3

.. r 3 C d c a acl

CMC)

o ° − V C) 0 )(V 0 o 2 ° C))00.0− . I −. a)

t3 O C I C V . c C ) C 033 ) . − . 0 −Cd 0 C ) 0 o

EC m cz 7 E 140.za) C) o.cQC)C,

h C #TIC c lQ C d 2 a)QC.CC)10

cc cr

0 −

' − 3 I

c4 U−, 0 Cd0

cc/CI v

0 . C ) c,CdC)En

1Cd− C) > C ) E Evc cu LL)

cc E − • − C)C)

01C)01 0 . c . 0 0

a) C ) 5 • 0 cI)I 0...CdVa) • • •

N

N

ON

C'

C

CU19C

z

C

C

I.4) 4)2

0I−S S

0 r'1 0 0cc0 0 0

> O 0 > 2296) − − −c 4 ) :•

4)4 ) • 5 _ 4)a.

I − o > • − u − C)' − 0 0 4)0Q

c >

a . 4 1 '0 ( 2 0 :−

6)44 ( 4 4 ) 4 ) 4 ) 0 4)

ca−6

− ° 0 0 > ( ( 4 cci

o 2 g . 5 2 4 ) 0Cl) =4 ) . E

4 ) E 4)2

I−. . − ' − −

E6) 4)Cl

54)c4 0 c4

− − 4 ) •2H . − zr−6)6 ) 0 v 5 — ( 4

1 . E .2 0

.—O.Cl)Cl)0

(4 . > 5

− i −2 0 5

bO.4 ) 4 ) 4 )

. − E o 0 . ),

.D0 g 0−F

5 0 4 ) 0

) : E0 6)4) — t4)90.>

t 2 =cd

H 0 H < 0 (4 o. < .2 °. .

2• r.

p6)

−

− 02 E6 ) )C−−

C4•

−− >

cd

ca 0

.9Cd C − • 5 −

.(4o 0 C) )

− a . °) 0

5 H g 0 −a

−o .5 0 ca a

EasCl)

—Vt1

cts2 a 4)− − 4 4 94)C4(4

LT− 0344 −

E −..− − 0 ••− 4) 0 O 6 ) . . . . − C 1 3 CLI CL

cn

'−4 ) 4 4 C − 0

g4)> 0 0 (4 4)

H Cl)con o—2

−c

2 0I H

.5 .04)

—−ag

4 0 C.−. 0 −=s'cud (4

iF−Cd

44E4) 0 0 >

. − 4)•0−>0 c40

CL0 − . 0 − 0 . − . . c 4 0

4) > > 4) Cl) 0 0 — e.o •>−C). • C . − . 0

Cl) 0o

9 10 v 0 4 ) . −

—. E 4 ) 4 ) 05 9 0 4 ) 0 0 v 0 ..

(4 (4 4)V0_

0 '− N•

C)C.−. 4)CIS

E4 )' − −

− 6)−.

• ( 4 _ _ .4)

10—

6)E.−:

S (4 0000 . 0 ) (4 1.. .− 4) CI 0 . 0.−.:3

uccIn. S S •

N

©©©

rl)—

=0U

C

z

0

C

r l C

. 0 a)

2

—

aa)> a)40 a)'

0 .2

a)E 0 Ua 0 > − ° − E c4

a)

— . . U − − — 0−

5 I. C

E C 0) − • • 9 . − 0)a) IC,)

a) Q C C , 0a)U − — 0)a)

ca

c3 0 ) − C C

0 C 0 Cri −−

− − − .E

bLZ U co− cl

C0C çj

ci− C.. CC. 2 − a ) C,' C , '0)r−m 2 ° . E

.C H0)0 )

0) 0 − 20.

2 4) − __ 0 0. a) a 0).2 6 S Cl) 0 0 0 − 0 ' E Cl) 4) − fla)Cl) 4) 'E> ( Q 5 a) 0 E S a)0 >. CC.. 4)4) C.. E

0 a)= 0 S .

0 a ) >a).. C CIS a)c l E > > 0 V I..

H o C . . H 01211>bo − 0 − 0. . − 4) U. C C

coZs a ) a ) c oCME

.−. — a )− > 5 02 2 C/) −D 00 0 . 0 ) E oE O C CC_C,ç C 9 9 4 ) 0.oC 4 • CC'sUCCC.. 0 . U E a)

oj 0

0 z a ) 0 c l C 2 ' — . 0

0D r,' .50.oU o oUa)

. . 0 E o. . . . . .I.C..0 )0 0D t a ) o ( ° _00

0 E C E . 0 0 C• a ) C 2 4)C—a) − IC−. 9 C5 0a)

.S o − Ec'ci

ca C

0 0 0 0

—0 0

− . 0 0 ) C.4) − −0 0. 5

.— − 2a) ) E o2 • — ._0)

Co− , a ) .

0

'0

CISQ a )CC >

CKS

o C 3 c

•CC−.−CCC

C a—−o.. t 0 b a O C C. E

5Ua)uG)a ) C . . D . a ) C • • O C,CW− 0 cn.CEo.2

0 ) . C H 0 Ecr> .−. 0 C. 0 o 0 − C. =Cd C

za ) 0 caC C,'C > q . a ) 0'0'A0Q CL −0 u n . 0 0 . C > >cac) 0.CCC−−0) 4) .−Co

S S S

0

0

00

0

z

rw

—

C

eli

=—

a)

a)>

p z

CL

− a)

0a

−C.)a) aa2

= I −En

a)a) Q a)I−.

4)=

( o < < M−

th

p=

C a)

I − a )

a) >

0> − c −

cll

=e − 0•0

a)

• ..Ea) crasEJfl

a)

a)

0−

H > − 0 . '− a)C 0 c a) c ' 0

−•3= U)c c . _

{o0

.Cl

− a)oao

−CISb 0 C) Cl)j

a)0

0 1 1 − C. 0 0H c..5 > 0 C) U

C l a ) 0 a ) a ) a ) −.a)

Cl− 0 −a a ) c 1 a)

Um−

Cl) a)

−'C/Ca)

=.9a)gEGM= =O 5 O O

U)0 a ) _ o o ClI− a)L − Cl

a)a)_0=_ a ) a)

C/)= a• E a)−E

cc 0=

Cl 0>•3Q)ow

0−l−a)ç)=

a) 0•. = 0 a ) 0 0ct o co U a) 00 > coea.9

—

0

a.

a.

0

a.

a.

E

a.a.

a.

Il)

a.

. — t o − 4)#) 4)

4)

E4) 0.00

CU − c._ c.

4) r−LV

I) ca 4)H >'

U4)C.)

4.) O4) —

0V0− 0.

−− C ) 0.

0 0 0 0CI 0

I..

o04)

v._.C_. I. 0 00

o4)

— 4.)1) 4)

a 0 0 0ECD0i c U U• . S • • S

C >−—

4)> − l,1—C Hcd4)

04)4)

4 ) . _ 0 C 4) −—Q

c , >•

04−−

0 0.— _ C • − 0 '−4)4)4.)

QCICO)

00

rL4)4)c,,

U>

4)V

E > < − 4)

V 0 CIS( # 4 . C.)

1:3 ci 4)

4) C C > C 4)−14Ou0J4 ) U 4 )0 4 )

UC0J0 ' '4)>rm−

−00U

•_ 4) C•_

I− 4 ) C ) 0 .0.0

0Co)Mo.E

. . − o 4)−C) −0C,30.cc g ( A 00H4)

C0C4)

E2o > >UI−0r−CJ.00 F C4)0 . 'A 0 c a 0

i..4)

= M O 4)C E 4)

0co

0 . . ( ) 4 ) 4 )4)>00

000 . i

−. 4I2C • − 4) − C) 4)

o to

C134) 0

>F 4 ) U

04 — I..0 U — 0 4 ) C0

V CEVas to

( 1 4 _ U I . . ( 4 ) )ej

>.( 0 0 )CwV00 Cdq.

.. C_ • − 0E;j

C.) −) ° . − E

−0 C ) ( 0 F E 4) .as0.0

r− CIS cu. 2− − Eo

C C C r i V 0oI−−−−−•= 5 E —

°m

C• . . C F C >—4 ) a ° U . F :

HcOoco

GoV V

0

0

Lu

Lu

0

Lu.—Lu

LuLu

Lu

(I)

Lu

. − a ) Q C 0a)rJ)>. − 0Q

a ) > 0.Eco(l)

0Oa)

_ u −>E −Q

−

O a ) i. a) a)− •−ECd —E

. c# r

0 o.Eios

000 −I−: 3

.o.−. 0) a) 00.0 • − . 0.a)

0)to 7 0 °30

C130− − a)•−0) −

Q a)C13 0 )

.9a) — 0 −o 0)cno − ; cl)a) _ − 0)

'−0',−.Oa) 0.c.)rIU U.....

• S • • S S

F − C > O ' a )0'−C

a)C

a)C00 COl ) 0c

) a ) a) a ) > O j a).0)

2oc,, O . i . . oO>c20 w ' − −

0)a) a) ' L)a)Cd)C•

0)0 0 ) E o − > 0 3 0) 0 −> . C C cdo−t : : ' − a )

004. I− a)

002 C _ − C a) a)

• a ) C I S C a)aC− E o — :=c4

L)o c•—− 0 a ) >

4? C . _ −c • C c l O

− ' E − 0)'C _ c c —

04 a)C>a)

—C'

4 )0 i . 0 > C < .0

3"CU

U c , 3a >−.bIa)

to 0a)DEE°_ −− C 0 4 0) a)0j'Ca)E• − C C 0b O − Q t .

0)30)

E−o− E3 a ) 0

0 0 0 —0I−.to(I)

. 3 0−−C

(4 ( 4 0 . 0

In cc rAC 04 5: C _ a ) . ' • 5 a) C

E .E−o

− a)00a) a) c, − −

— —−

_ _ 2

.

_ t > . 0 • 0 Cr cuE >.

0 0−04

( I 0 I . . a)(4CLto0)

—4 ? a).__'c,,

0J C " — ( a 0 4 −7Ei... ca)

— — (Sc —(4

−C−Ca)IU C0

a ) C 0 )C O ) E s

> i..

a) 0 c 4 a ) C 3 0−

a)004 c 4 ( a E a ) Ca)O0a)CIS

0— c , E & c'c.−. c − c 4 c , a ) C 4 c , c 4 a )

C4

' E '−—E a)1Ca ) > c . − a ) > ' . − −C a)" c C 0 " c t 0)D C _ C < C _ i 0 : − S c 4 C H E < o −Co.

C

V

C—VV

I.V

V

C

V

VI'

VEV

1...

V

V

VI.

.−V

I ) U •− − −− ouciciciQ

< 0Oaj

U − (−

c i U0 . U

' – cI0.

L t 00 Q —

−0 <0ci'

0. •−0.

ciI − c i 0 2 −>_ 2o

..E < b —

as − ociI−_ o c 2 0 —as

cn CIS

UU

cI−0

0_En

U C E OciU o

uZ= 5 i L ) r . c i c i 0.0

• S • S S

c i tO>C a 0 O p

HUUI_

cicUo ° 2 0 . 0.00 c i U .−. 0.

2 .QU

O O −'

U E− O U 0<0 cdo ' −0•−0U

> . − (1 N Uas

—CZ− − 0 ca 0 − U

a.

U −000cl

U 0 . 0 2 . 0 car ••oES

c i ci

0 E . .− I.. '−CZci >< E 2 EU 2U,'−−= uo

caU' − U b c i ( J O 0O

U0−C U E −> c i U D Uo

2EU 0 c i 2− 0

− 0C o 200.0

C − oc i U C . o.ciUE..

u c .− . U c iOcioE 0

U − U U− U 0 00.

g .22 Q I − c..... o . U,• − ' − —U ca

U ciOciU C) −− − 0 . − > − 0 ci 0I− • 0ciC Uca− − 0

• − 0 ocu C13 CdciC)

−C yl

c. 2 −− • ° − • − − 00

U 0a•−CLU U E

cqcu r−7 s <2cu

10=U,

C—

C

2...—=

E

2..2..

2..

ci)

2..

.—oI−.−−CO 03

o E c 2C)

CO C) C)4è . 2 C) 0

o C.).C)

O C O ' 0 . COO00

C) O6 cuV3 luE o . —o E CO

C) QC)C ) Q − Qç>

V.

—.C)Mx

to CL

o CO 0EiCZ u C rr−0

cuC)I−00C,3C,1..>

QC)I−L)5

• . S S

cRC) C)CU C O C O E C O .r' − . 0 O . 4)

−− , 0 C)o 0.

O C ) V2 ' C ) , c O 0 0 000ta

i i U CO00

. E −C) CO. 000

− . , 2 H9ECh

o 5o0COvs. ! "

− > C) > 00 − 0C) C) C) I− CO C)

E C)•CO o 0 — )c0 t o C )

C) cnQ C4 o r 03

CL 0 > − 0 C3C) C)

. o 0 CO.ctl

V C 00 —− > −, '

..L Cl) >. Q C) C') CO C ) C)

Cl)C)5

. 0 . 0− C)

= 3 A •− C.) C.) CO − C)C)

V'−C)−0c07

− h

−

'°

CA

C ) C ) . 0 00' C O ) I ) ' − C ) I . C ) .

l)COj

−−

' − C ) C ) 0 _. . . C.)

0

%cl

" ' ° −

.

− 2 0 0 0 . o r − c i s o

C ) 0 C " — — −

— 0 0 , '( ) CO CO i. C ) . 0 . . 0 C)— . 0 0 C)

_0 2OCOca

CO−C)CO

o 2 E . 9 o o o.−3C)o C)0 _ > tC)C)Cl) 0 0 . 0 — 0 . _

4 r , O − .−.00 C LCO

0r—OCOCOO

M C13

ad m

E CO—Q.

CO ,C ) C " ' . C)

L−

CO C)r−0C)..CIS

− E 2 . .C ) Q C O C U cn>(l

o 0 0o ca

> 0 0.COCOO0 . 0 0 ) Q C ) C ) . . . . 0 C)

−0 ) < ' − IC' .. .00.0.,.

. H C O C O O HC)Cl)C)09— −

..

.—E

ci)44

2 • to 00 0 L) U1.0

0 IL

C)− −

G ) C )z

C° C

CcI 0 C) 0 − C)C ) − C 0 −0o C)C

2'− %− L)

I − C−

— o −C)o

20

v C − C) C)0

2 2C)

° − − 2o.−

o.c.−I..− ! − − C) 0 C

C ) : : ) C D 0o •—C.CC)0 C) 0 C).CC

tCOC— e j

0r− 0 ( ) D C ) . C

0 C ) C ) : •00

− 0 2 − −o E2( _ C) C 0 . C C ) C . E b H'− I Z 0 CC!cd − C O 0)0

) o − o E5> cCECU 0 . E CE0 0( ) g U E C)C)C)• S • • . S S

2CCC/) C

Cla o 9 Z0)Z

− ,. − 0 0 Cl0 0)E o EC0−.

0o • • C o . C gI− • •— CO

0 C)v>°

to• − 0 .

Ecr

cucl−

C ) − 0 2 0) > < C)

− − . 9 0 0)0)C)

ClE0.C°

!0)

0) o. 0 − C 0 CU0)JO C) C C C ) − C > C ) I • • C)00

C C ) C)C0C0 C v a s 7EL

I− C)Cl 15 E. 0 0 C,30)CIC 0 0)

U C)

0CCl.0..C) − o 0 . 0 02 o . 0 .0C)•_ EC)C

C V i 0 > _ 0Cl C) − − . ) o u C 0 . Cl

C ) • C ) • C ..CC.CC( I C ) m 00.00)

− E.c00o

oE V0.O C − E o . E C)t 0CE 0. 0 0

( 1 ) 0 . Z C I H o ( / ) 0 c 1 0 0 <0.ClCl0 . 0 C ) C O O —CC

− 2 . − C 2co , C) 9E

o0 JO− C l 0 C 00)

.O b D o C

JO

Cl − 0 − − − c I ClC)asC.

0 cuO C >6bC)C

−r−0

cu 0(1Q C ()− 0 . C) C)

C) o .0()C

C l 0 E C)0.Or− c n 0 C 0

C) C)cc 0 0 ClJOo 0) Cl

− CE−

un0) −C

(1)0 0 0 . 0 C l 0 CCcuuCa C C C)E ClC)C

− .Cl

Appendix 1 − Audit GradingAudit reports are graded with an overall assurance opinion, and any issues and associated recommendationsare classified individually to denote their relative importance, in accordance with the definitions in the tablesbelow.



Assurance opinion






be made.







Major The weaknesses identified during the review have left the Council open to significant risk.If the risk materialises it would have a major impact upon the organisation as a whole.

Moderate T h e weaknesses identified during the review have left the Council open to medium risk. Ifthe risk materialises it would have a moderate impact upon the organisation as a whole.






I1Daa1lNThRNAI. AUDIf l2OI 9−20\RUSrNESS SOLCTIONS (04l2)UCi (0420)IIT .ctwork Controls 09002019.0 7\hndings RcporF,naI rcportdoc 19

AGENDA ITEM No.−−5 −−−−−−HR fCOUNCIL


MUNICIPAL BANK

Contents1. Executive Summary 2. Findings and Recommendations 3. Action PlanAppendix 1: Audit gradingIssued to: Head of Housing Solutions, Head of Financial Solutions (point 3), Customer ManagerCopied to: Executive Director of Enterprise and Communities and Chief Executive

Headlines

This review was designed to provide independent assurance to senior management and elected members oncertain aspects of the Council's Municipal Bank operations. In particular, the audit considered the adequacyand effectiveness of internal controls associated with changes to customer details and the opening and closureof account and the adequacy and effectiveness of the Municipal Bank's operations in relation to moneylaundering. The review also assessed whether the Council has adequate and effective arrangements in placeto maintain and safeguard relevant records of accounts and transactions.Management responsibility for the operation of the cash offices/First Stop Shops (from where the MunicipalBank operates) lies with Housing Solutions, while responsibility for the preparation of reconciliations andadministration of the cash receipting/Municipal Bank systems lies with the Controls and ReconciliationsTeam located within Financial Solutions.The results of testing of the internal controls associated with account opening, changes to accounts andaccount closures were generally satisfactory with no significant issues arising. The Municipal Bank is awareof the risk of Money Laundering and has put in place arrangements designed to mitigate the identified risks.However we consider that there is a need to enhance current procedures with regard to the initial and ongoingassessment of risk of money laundering on new and amended accounts and more should be done to record therationale for decisions made by the Money Laundering Officer about how to respond to suspicioustransaction reports made by staff.Overall, we have assessed the audit as providing 'Reasonable assurance', as we consider the controlweaknesses identified present low to medium risk to the control environment. We have made a number ofrecommendations for management consideration/action.

Internal Audit Opinion (see definition at Appendix I) Reasonable assurance

Organisational impact (see definition at Appendix I) Minor

Report status FINAL I Audit ref 02 10/2019/003 Date issued 1 06/09/2019

Audit Team Elaine MacDonald (0 1698 302184), Paula Hendry, Hugh Shevlin and Liz Sweeney

I 0 − V N I E R N A L AUDI j \ 2 9.2(JSINAI4(;IAI. SO l I J I IONS (02 0 ( 0 , , I S i r n ( U 1 I 0 ) ' i c ç I R . ,k02102019 I−J3\A− S , n d c 0 ( n I ddo


ObjectivesThis review was designed to provide independent assurance to senior management and elected members oncertain aspects of the Council's Municipal Bank operations. In particular, the audit considered:

• the adequacy and effectiveness of key controls associated with changes to customer details and theopening and closure of accounts;

• the adequacy and effectiveness of the Municipal Bank's operations in relation to money laundering; and

• whether the Council has adequate and effective arrangements in place to maintain and safeguard relevantrecords of accounts and transactions.

Management responsibility for the operation of the cash offices/First Stop Shops (from where the MunicipalBank operates), lies with Housing Solutions, while responsibility for the preparation of reconciliations andadministration of the cash receipting/Municipal Bank systems lies with the Controls and ReconciliationsTeam located within Financial Solutions.Work undertaken during the audit included testing controls relating to the opening and closure of accountsand changing customer details. We also considered the adequacy and effectiveness of the Municipal Bank'soperations in relation to money laundering and the adequacy and effectiveness of the key controls associatedwith the maintenance of proper records.This engagement has been conducted in accordance with the 'Public Sector Internal Audi! Standards'. TheInternal Audit section reports formally on conformance with these standards to the Audit and Scrutiny Panel.


Number and category o f recommendations raised Red Amber Green(see definition of priority at Appendix I) o 2 2

Key areas requiring management action (Red)No key areas requiring urgent management action have been identified.


• New accounts are opened at a pre−arranged appointment and include completion of a Know YourCustomer (KYC) checklist. Follow−up checks on accounts are conducted one year after opening toensure that accounts are being operated as expected;

• Regular management checks on the completion of key documentation are undertaken by the TeamLeaders at each cash office and by cash office management on a rolling basis throughout the year;

• Access to Municipal bank branches is restricted to authorised personnel only and all relevantdocumentation is securely held;

• Back−ups of the live municipal bank system are being conducted daily; and

• Municipal Bank staff are up to date with relevant money laundering training.


• There is a need to enhance current procedures with regard to initial and ongoing assessment of risk ofmoney laundering on new and amended accounts; and

• More should be done to record the rationale for decisions made by the Money Laundering Officer abouthow to respond to suspicious transaction reports made by staff.

I I . , ' J .TFRNAI AIJ1)tI \2U19−2(4INANCIAI. S I ) i . I ; r I o N s (021 )(I−m I ( 0 2 I 0 ) M . , p , I I I k 0 2 I 0 20(9 M W R q , , b mI 1 . c ( J i n I ( ( .

—r.

cl

0

eli

—'

C)

u

CISE− −c2

_c c : •CCOC)CCCC)CCOC)

= −C). _ C ) ' • − • C ) _ C

a− C)— CO

_ C −−c −2toC

C41

C)C)C)CC)

06

op 0 as v

CO− 2 < c Q C ) C ) COCOC

− a−−

a° 8

−c'2c C)E C)

tO 0 0 0 0 C)C,,C& C)C)C

−C c C ) C ) C 0 0 0

C)

. : t − cl ._ 28 C C C C C O 0 0 c

C) CO8 − C)C)o°

T i C ) C ) C • E o C)00C)0 0 E C ) C ) CC).0C C ) C ) C X C C ) C . _ C C)C.CCJCO"−C).−C−C)C

bo

C = C CO − − •2.−E>EE.−E

8—

− − :E E

2EE

a− " C . E g V C C 9C)C)

•C E C − − 2 − C . CO C 0 0 C)

. ° .9EcdC ) C O 2 C ) C . C ) − Q t O C C > C O C) C)0 o C E i _ o 0 0 C ) .− C)

−

i l !!iCc

U c C o C C . E C C)O 9 C O C ) c.e.C)C_00..C.0

C ) 4 C ) t − 0 0CO

. E−COW'u.uo −c_C)

" C C ) 2 COCO C) t00−C2 — o C ) D C ) > C C •−CO

a− 0 0 00 C C) 0 0 ' 00 c C − −.−.

− a−

c'− >

−c C C c C)C 2..8 4−−'

C C '−COcaI b L m C)

−− C C ) C C − C

totO E C ) C ) C ) C ) C ) 0 0

CC

O C U C 0 0 0 0 C'−CC)2_CE&cJ

CO CO> ' S

−•

C O

. _C O −

=

CC

. . − . S 4 r

C U 2 . E tO

w CLa.. C C C O j C O C ) C , C Q C O C C O C , C ) • − i ' C) oi

, C O C) − COCO CO CO C C) <c−i E C− CO • •

1—

cn

—

.−0

.—eli

(N

C)

E CID

−cV00 co

−C 00

C−—co

C C)−

C00

cce a E

.z. H C 1 o u Hu

.2 E3 − C V C

. C C V V V cC&)$−

Cd−

C.2 D

cu[flcaE

CID c . E t o ccC.0 Z3 C : c aC)w t o•iTh

C C.

> . C.)

V C.) C.) >

E − − − cu roCC)

C . − ..

C c E C)C

E ca v EsC.0O.9V

E c EL ca cr 0—a.

3 − 3 − a C " cC)C

.E— — —.. −

. C C . )V • . C : C V

C C C a . . c Z. . . − • :

6 ..

− − c −E,.VcC1CIS nV C)C

−D .−ej

0 C ) C) C) .C C . cc−Cec

to

E Est o

crd:

O'

C c

: − :

C m i.. CID .E H m C/)U H Z .9

0

Cl—

0

eli

=• i . a' a'

E − − −2 20C C

V • j V C C C '−' V QCVC>

E0V C

= C C 9E

o C C O C9 — E .9 CC.Od

OC

C−

9E o C

c − '− ' − −

V C V C VVC

C C C C V C Cca F− CE

0 LlEa− C •−• > C>cc r − (1

−−C

PC 78

> 10 V CCV

E .Po .. C' C . 0 C OV_C

..h H = §I iI0 O n C O − L ) 0

C C t 0 C V C VC C V . C C CC

− C. ! −C

; 0 V V−−

CA 2

CKS

E C C V OOCV− QC.CO

O cts>

a E C . . V C ( 0 0 C . 0 (000

C OO' C C C

= E C C C C V C−− _ − V − — −' C . V o F − V 0 0 C C 0 V..

co0 C . V

.. 0 C V

E o COV

C V C=a 0 > − 0 . V ( 0 3

− C o − o o E V C . .. V C

a − V00Vr1 C . CC

! i 1 ico.E

.9−co

0 c0 V c 3 C C . . . V (CbL C ' E C ° C O _C

.E V V 5 C V 0 ( 1 C . 0 0 C .V C E °.9c

=s a . c _ − 9 C CE. . . _ C C (1 V . . . . _. − . − r ._ V0c 0 ' C E C C ' C C 0 0 C V ..V0

V C 9 V . 0 0 O C − . 0 C Q C V(".ci

0 0 3 C Dcc;CL. C . C _ c c V V — 0 ' >0_._..E92

− − . C C . V V0..0 C. C..C..0 C (0 S S

uI

ON

—

.—C

C

.—C.,−

E −2

PO . C • — ()

C

AzZS

aj

40;j

=C

C 2 −−OU

ca 0Gj

C

−2C

._ U U c ..

40

06

co

p

.2I−C

o C——

'I( CO)CC..0

E CCc

E.2c5as

CO 03 −se

ca

C

I−• E −0−5

ME

0

−•

00a

C −d0 C0

E− −c− 0 v

− o 0 0

S C

E °− 0−nCCC

. C − − − • −

= . −or−_ −− Q C C ç ) cql

m ca

E.

.©

0E

L • c d # ; − 0 o cc 4Q ca−

C−14

4.) 4.) 1..

U,

Appendix 1 — Audit Grading




Assurance opinion





Green − Amber Reasonable control environment. The control environment has mainly operated asAssurance intended although errors have been detected. Some Improvements should

be made.







M The weaknesses identified during the review have left the Council open to significant risk.Major If the risk materialises it would have a major impact upon the organisation as a whole.

Moderate The weaknesses identified during the review have left the Council open to medium risk. Ifthe risk materialises it would have a moderate impact upon the organisation as a whole.






I I . ' J N I L R N A I A I I I ) IT I2 I I9 .2U 'F INAN( IA l . S ) I . I I T I O S i U 2 Brnk O2I( 2 0 1 9 M I A− Ro od