EXECUTIVE SUMMARIES - North Lanarkshire · 1 Executive Summary Objeètives The purpose of this audit was to provide assurance on the adequacy and effectiveness of the Council's arrangements

EXECUTIVE SUMMARIES

(1) City Deal (pages 3−8)

(2) Information Governance (pages 9−23)

(3) Payroll Regularity (pages 24−32)

(4) Creditors (pages 33−41)

(5) Waste Management (pages 42−51)

I :\ADMIN\EXECSUM4LD. DOCX

AGENDA ITEM No.

rkshireCouncil

INTERNAL AUDIT REPORT

CITY DEAL − PROGRAMME GOVERNANCE ARRANGEMENTS

Contents 1. Executive Summary 2. Findings and recommendations 3. Action PlanAppendix 1: Audit grading Appendix 2: City Deal Assurance Statement

Issued to: Head of Planning and Regeneration and Enterprise Projects ManagerCopied to: Chief Executive

Headlines t

The purpose of this audit was to provide assurance on the adequacy and effectiveness of the Council'sarrangements in respect of its participation in the Glasgow City Region (GCR) City Deal. Internal Audit isrequired to return an assurance statement to the Head of Audit and Inspection at Glasgow City Council as thelead auditor for the GCR City Deal and the work undertaken as part of this review underpins the completion ofthis statement.Our work for this audit has focused on considering the Council's governance arrangements in relation to CityDeal and the extent to which the Council is adhering to the OCR City Deal Assurance Framework with aparticular focus on reviewing procurement/tendering arrangements, project monitoring arrangements and theprocesses surrounding the preparation and submission of grant claims.Based on the results of our work, we have concluded that:

• We are satisfied that the Council is complying with the GCR Assurance Framework;

• The Council has substantively complied with the Council's General Contract Standing Orders in itsprocurement/tendering processes for City Deal projects;

• The Council has established a series of governance arrangements in relation to the planning, controlling,monitoring and oversight of projects which is consistent with the requirements set out in the GCR AssuranceFramework; and

• City Deal grant claims in 2018−19 were properly prepared and submitted in accordance with the terms andconditions under which the grant award is made, the funds have been used for the intended purposes inaccordance with the terms and conditions under which the grant is made and the sums claimed are properlydue.

We have categorised the audit as offering 'substantial assurance' as the control environment appears adequateand to have operated as intended with only a small number of minor discrepancies or areas for improvementidentified. Based on this review we intend to return an assurance statement for City Deal to Glasgow CityCouncil Internal Audit which states that there are no significant matters that require to be raised which wouldhave a material impact on the GCR Annual Assurance Statement for financial year 2018−2019 (see Appendix2).

Internal Audit Opinion (seedefiniiionat Appendix I) Substantial assurance (Green)

Organisational impact (See definitionat Appendix I−) Moderate

Report status FINAL Audit ref 0300/2019/001 Date issued 15/05/19

Audit Team Elaine MacDonald (01698 302184), Paula Hendry and Hugh Shevlin

L\DataONT_AUD\ENVSER\rtCoy DeaSAssorance work 2018−MA9\A Reports & subsequent corrsopondcncn\Forat report as issuod.docx

3

1 Executive Summary

ObjeètivesThe purpose of this audit was to provide assurance on the adequacy and effectiveness of the Council'sarrangements in respect of its participation in the Glasgow City Region (GCR) City Deal. Internal Audit isrequired to return an assurance statement to the Head of Audit at Glasgow City Council as the lead auditor forthe GCR City Deal and the work undertaken as part of this review underpins the completion of this statement.Our work for this audit has focused on considering the extent to which the Council is adhering to the GCR CityDeal Assurance framework with a focus on the following areas:• The 2018−19 quarter two grant claim submitted to Glasgow City Region Programme Management Office

(PMO);

• The procurement/tendering arrangements for two recently awarded contracts for the sub projects EastAirdrie Link Road and Ravenscraig South Transport Assessment; and

• The adequacy of Project monitoring arrangements in respect of the sub project Motherwell Town Centre −Muir Street.

We understand that changes have been proposed to the GCR Assurance Framework but that these changes havenot yet been approved although it is anticipated that the revised framework will be in place later in 2019. Ourwork has, therefore, been based on the current Assurance Framework approved in March 2015.This engagement has been conducted in accordance with the 'Public Sector Internal Audit Standards'. TheInternal Audit section reports formally on conformance with these standards to the Audit and Scrutiny Panel.

2 Findings and Recommendations

Number and category o f recommendations raised ' Red Amber Green(see definition o f priority at Appendix I)

0 0 2

Key nareas requiring management action (Red)We identified no areas requiring urgent management action.

Good practice identifiedWe noted the following areas of good practice during the audit:

• The Council has substantively complied with the Council's General Contract Standing Orders in itsprocurement/tendering processes for City Deal projects;

• The Council has established a series of governance arrangements in relation to the planning, controlling,monitoring and oversight of projects which is consistent with the requirements set out in the GCR assuranceframework; and

• Grant claims are properly prepared and submitted in accordance with the terms and conditions under whichthe grant award is made.

Other areas for improvement (Amber)No other areas for improvement have been identified.

I \Daia\iNT_AUD\ENV_SERV\Cty Dcai\Assurancc work 2018−19\A − Reports & subsequent eoncspondmccTinal report as issued dccx 2

4

−−

C\

—>co−

U

IN

vto

03to

3

e−'Q

CL

cn

tOQ

r8

−c

•−•>3>

gy

2(>•

QU

8

'−o—−

'−

n'1)

0Q

.:

'•

−−

C.)

co

−'

zE

)c

)M

o2gU

OE

ob

−'

oE−0

)Q

0—

C•••

_•

o—

E

−−

.—−−−cc

ta

to

2co

to

5U

Cd

ri

Ec

._..)

V

5

en

I

Aug..

0C)

—0

—

E—>

—0

E

...

IUcc

Ea

aC)

00U

'a

pw

coC

)E

C)>

−−

.0C

Z&

C130

.:

t2

Fh

•3.Dcc

−−

>•

C)

0'−−•

rto

toou

−0

gi u−E

t!.

..

C)

ig12

=C

)=

C)

C)

C)

−'−co

−0

.2

−c

o

cu•

.•

o

co

ca

−ed

5E

r−C

)C

OC

).

2C)

C)

o−

.—.c

—C)

−.9

.0

••

8C

)2

−9

2E2.C

)10

°.2c

oQ

)t

:_

0>

C)

=C)

toCO

C)

.U

.—

—−o

C)V

0.

•.

.

C0

C)IG

C)

0.

C)

0C

)−

0C

)tQ

Oeco

−C)

.0.

ato

Qco

——

0

E.—

0.C

)QC.0

C)U

_0..

. −C)

0C

)

_0

000

Ucc

a—

0_

C)

C)

0C

)C

C)>

Q)

0.0

Q((C

)E

>>BC

)0.

E−

wca

wr

COto

0(

4)

0C

)

41

—(C

)C)

−C

)

EC

I0.0.

•o

UE

o

CCC)

Lxi

>z0I−z

0

Appendix 1 — Audit Grading

Audit reports are graded with an overall assurance opinion, and any issues and associated recommendations areclassified individually to denote their relative importance, in accordance with the definitions in the tables below.

efinition o f tudit assurance and recommendation c a t g o n ë s.

Assurance Confidence based on sufficient evidence that internal controls are in place, operatingeffectively and objectives are being achieved.

Assurance opimonThere are minimal or minor control weaknesses that present low risk to the

Green Substantial control environment. The control environment has substantially operated asAssurance intended although some minor errors have been detected. Very few or no

improvements are needed.

There are some control weaknesses that present low to medium risk to the

Green − AmberReasonable control environment. The control environment has mainly operated asAssurance intended although errors have been detected. Some improvements should

be made.

There are significant control weaknesses that present medium to high risk to

Amber − RedLimited the control environment. The control environment has not operated as

Assurance intended. Significant errors have been detected. Substantial improvementsshould be made.

There are fundamental control weaknesses that present an unacceptable level

RedNo o f risk to the control environment. The control environment has

e Assurance fundamentally broken down and is open to significant error or abuse.Immediate and major changes need to be made.

Organisational impact` . . ,.

MThe weaknesses identified during the review have left the Council open to significant risk. If

M a j o r the risk materialises it would have a major impact upon the organisation as a whole.

ModerateT h e weaknesses identified during the review have left the Council open to medium risk. If

the risk materialises it would have a moderate impact upon the organisation as a whole.

The weaknesses identified during the review have left the Council open to low risk. I f theMinor risk materialises it would have a minor impact upon the organisation as a whole.

Recommendation priority −Red Significant weaknesses which management needs to address and resolve immediately.

Amber Weaknesses which require prompt but not immediate action by management.

Green Less significant issues and/or areas for improvement which do not require immediatemanagement action.

I \D ta\INT_AIJD\ENV_SERV\Csy DeaI\Asssranc work 2019−19\.A − Reporis & sobsequem corrmpondenceFiral roporl as ssued d000 5

7

pendLx 2 − City Deal assurance statement

GLASGOW CITY REGION − CITY DEAL

NORTH LANARKSHIRE COUNCIL

ASSURANCE STATEMENT FOR THE YEAR ENDING 31 MARCH 2019

1. Purpose o f Statement

The purpose of this statement is to provide assurance that adequate and effective internal control and governance arrangementsexist within North Lanarkshire Council, and that no material issues have been identified which may directly or indirectly havean effect on the delivery of the Council's City Deal programme. I understand that any issues which are identified may beused to inform the Glasgow City Region (GCR) Annual Assurance Statement for financial year 2018−2019.

2. Assurance by Audit and Risk Manager, North Lanarkshire Council

North Lanarkshire Council seeks at all times to adhere to all relevant laws and regulations and the local code of governanceunder which the organisation conducts its business. I confirm that any issues identified which may have a negative impacton the City Deal programme (such as cases of actual or potential non−compliance with relevant laws and regulations,significant failures in the relevant control environment and any known or suspected cases of fraud relating to City Deal) havebeen reported to the Chief Auditor of Glasgow City Council (previously, or as set out below).

While I acknowledge that no system of control can ever give an absolute assurance that all transactions are properly processed,all errors have been prevented, and all policies and procedures have been fully implemented throughout the organisation.Based on the results of our audit work, I can confirm there are no known material issues which have not been taken intoaccount in the completion of this Assurance Statement.

3. Declaration

There are, in my opinion, no significant matters arising from our audit work that require to be raised in this statement whichwould have a material impact on the Glasgow City Region Annual Assurance Statement for financial year 2018−2019 and itis my opinion that the Council's procedures which have been designed to ensure proper governance and financial control inrelation to City Deal matters are consistent with the GCR assurance framework and operated effectively in the year ending 31March 2019.

KLKen Adamson CPFAAudit and Risk Manager, North Lanarkshire Council

8 May 2019

l:\Dwo\lNt_AUD\ENV_SERV\City DcaAssurmrco work 2 0 l − 19\A − Reports & subsequent correspondeoce\FrnI report as issued do"

8

AGENDA ITEM No. .,1?−−− −.

NORTHLANARKSHIREP, COUNCIL


INFORMATION GOVERNANCE

1. Executive SummaryAppendix 1 − Audit grading

2. Findings and Recommendations 3. Action Plan

Appendix 2 − Good practice against which the Council's arrangements were assessedIssued to: Chief Executive, Head Of Business Solutions, Head of Legal And Democratic Solutions

•.Sj . .. . . . − . ! . ..•−−tes

−

This audit was a high level review of the adequacy and effectiveness of key elements of the Council's approach toinformation governance issues. A key focus of the work was to assess relevant management arrangements,procedures and associated documentation against good practice principles included in self−assessment toolkitsprepared by the Information Commissioner's Office (ICO) and we considered a range of issues during the audit asdetailed in Appendix 2. We also considered whether the Council is complying with key requirements arising fromthe recent introduction of the General Data Protection Regulations (GDPR) as well as assessing the adequacy andeffectiveness of actions taken by management in response to the most recent Internal Audit report on this topicissued in October 2017.Based on the results o f work undertaken, we are generally satisfied that there has been, and continues to be,significant management effort across the Council to ensure appropriate and effective arrangements are in place tofulfil key information governance and data protection requirements including detailed consideration of therequirements of the recently introduced GDPR. Whilst we are satisfied that the Council's arrangements appear tobe generally adequate and effective, we have identified a number of issues which we consider management requireto address and these are as detailed at Section 3 of the report. The issues raised include:

• Management needs to consider how best to review and gain assurance on the extent of the Council's compliancewith key expectations and requirements arising from the Council's information governance policies;

• Management needs to consider how best to gain assurance on its compliance with published retention schedulesand also needs to finalise its current review of those schedules;

• Corporate procedures for dealing with Subject Access Requests (SARs) need to be formalised and thenconsistently implemented;

• Better arrangements are needed to monitor whether relevant staff have completed expected data protection andinformation governance training; and

• The Council's Information Asset Register needs to be more fully developed and populated with up to dateinformation which better reflects good practice requirements.

Internal Audit Opinion (see definition at Appendix 1) Reasonable Assurance (Green−Amber)

Organisational impact (see definition at Appendix I) Moderate

LRe10 status FINAL Audit ref 0900/2019/008 Date issued 10/06/19

Audit Teath..., Susan Whyte (01698 302183), Paula Hendry and Elizabeth Sweeney

1:\Data\INT_AUD\Corporate\Inforrnation Governance 2018−1 9\Findings and Report\tinal report as at 10.06.1 9.docx

9

1 Executive Summary

ObjettivesThis audit was a high level review designed to provide assurance on the adequacy and effectiveness of key elementsof the Council's approach to information governance issues. In carrying out the audit work we considered thefollowing areas:• data protection governance and the structures, policies and procedures established by the Council to ensure

compliance with data protection legislation;

• the Council's processes for managing both electronic and manual records containing personal data;

• the Council's processes for responding to any request for personal data, including requests by individuals forcopies of their data as well as those made by third parties, and sharing agreements;

• the technical and organisational measures in place to ensure that there is adequate security over personal dataheld in manual or electronic form; and

• the provision and monitoring of staff data protection training and awareness of data protection requirements.This audit review included assessing relevant management arrangements, procedures and associated documentationagainst good practice principles included in self−assessment toolkits prepared by the Information Commissioner'sOffice (ICO). We considered a range of issues during the audit as detailed in Appendix 2.A separate audit exercise which will review selected IT network controls in more detail is currently underway andaccordingly issues identified during this audit in relation to data security (see section 4 of Appendix 2) will beincorporated into this later audit output.This engagement has been conducted in accordance with the Public Sector Internal Audit Standards. The InternalAudit section reports formally on conformance with these standards to the Audit and Scrutiny Panel.

2 Findings and Recommendations

Number and category o f recommendations raised(see definition o f priority at Appendix 1)

R e d • l . A m b e r een

0 I 5 I 4

C 71

Key areas requiring management action (Red)No areas requiring urgent management action have been identified.


• The Council has a well−established Information Governance Policy Framework which includes a range of relatedpolicies and guidelines;

• The Council's Records Management Plan has been approved by the Registers of Scotland;

• The Council's statutory responsibilities in respect of Data Protection are captured in relevant policies andguidance and further details are publically available on the Council website including reference to legal rightsand subject access requests;

• The Council has a number of formal data sharing arrangements which provide a clear legal basis and frameworkfor exchanging data with third parties;

• The Council has established a series of Information Asset Registers (IAR) to ensure that all information assetsare identified and ownership/responsibility is allocated to a specified member of staff; and

• The Council has set out the training it expects different staff to undertake dependent on their roles and hasdeveloped e−learning modules on data protection, information security awareness and other informationgovernance topics. A tailored training programme was also developed for elected members to raise awarenessof the requirements of the GDPR.

I:\Data\ENT_AUD\Corporate\Information Governance 2018−19\Findings and Report\final report as at O 06.19.docx

10

2 Findings and Recomniendations (continued)−

Other arias f o r impr'overnent (Amber)The following areas for improvement were noted during the audit:

• Management needs to consider how best to review and gain assurance on the extent of the Council's compliancewith key expectations and requirements arising from the Council's information governance policies;

• Management needs to consider how best to gain assurance on its compliance with published retention schedulesand also needs to finalise its current review of those schedules;

• Corporate procedures for dealing with Subject Access Requests (SARs) need to be formalised and thenconsistently implemented;

• Better arrangements are needed to monitor whether relevant staff have completed expected data protection andinformation governance training; and

• The Council's Information Asset Register needs to be more fully developed and populated with up to dateinformation which better reflects good practice requirements.

1:\Data\[NT_AUD\Corporatc\Information Governance 2018−19\Findings and Report\final report as at 10.06.19 docx

11

00

.040−

.0

cis

ccQ

CD

CD

NN

N

—Q

—

E

Q0

−0.—

G)

−

_i−

5—

ccr−−

−

Er

,−

−>

0>

.−

—−

.−

−—

.)

—w

0cu

9E2

cc:•E2

−.

.

•.

E0

−c

um

—.2

..

.o

u1

−•?P

•−.•

—−

00

Ec

•

ae−Q

C)

0)0

−•

..

0)2

—

r− E•

−−

−h

−

E0

Cc

0E

2E

−0)

0)0

0y

•

4.!II H

itUiiU

HIi

oo0r.

I−o−2

.2−−¼2

cocu

0)000

'E—'−.

C)

−

0)cl

Eo

o0)v0

Qo

—E

.E

0—E

in.c0)••.

0)QO

o0

)C

c0

•N

0−

—

•—

2E

E•

0

•cc

cz

0)E2E

0)4).2

oES

.2−c

cCd

−0−E−0)Esi

QE

n0

)−

:•

B

°2−E0

_.

00

)a

•−o−•0

çj

'0)c0)_0

0

12

−t

.—I

C'I—

−C

−c

−−o

C)

C

−Cd

C)

CIS

cdC

h

to &U

hC)

C)L)

U•

C)

..C)

U.I

lidil

0.

C)

C2

o_00C

)

41

•jQ

C)

0−

C)−

cu0

C)c

(.—.

(IC

..

'−°g

CL

c0

−−

0−

(ICC

)C)°

o

torco

cd

−'−S

v

−S

C)

C)(j

03E

>C

)−

−0

Eg

−..&

.E•

..dC0

clsC)

3CbO

c,,O

)C

)C

)C

)

−C

)C

).00Q

(IC

bO

C)

00

'o

0C)

•−0−−

.=C)

•0

91—

CI

0C

t0

.C

)

−c

cE

•−−.

:−uC

)C

)−

cc

Ln>

—'—

(•)()

−−

C)

.:

−0

—•

—C

)0

0CC

.)•

ci

Llu

fa

r−

0_

—=

lo−−13

©0

L_

C\

−

—= E.—r−i

c)=

'E

•—

..cs..

(l

C)

C)C

)C)0

.2C)

Li21

−b

• .'−•

−E

—>

c>c0

.0.

2•

−c

,C

OC

)b

LC

..−.CL

−_

••

C)

•.

C)

C)

4,

c•—−

mu

CC)

.0Cd

−0_

IEU

i:Uh

FH

0C

)C)

RU

C!C

)

..•

.'.0

C)C

)CO

c'ca

.2−

−• −

C)>

.0

−C)

5

−0.

CC)

C)C)

>.

cC

)

Cp

•c•

•−

5•

2C

0.

.−

..

.IC

•−

H0

..to

eC

)—

C

—E

0.

0C

LE

CC

)C

QC

>

—;

H•

•−•

CL

00

.C)>

<C

.C

0C

00

CC

CC

0C

)0

..

..

.CIC

>00CC

.−

CCC

•C)

CL•

−.

in.C

)/

)0

−0

−c

C0

O

•0.

0ICUE

CO

L−C13C

2>1−

o−

e1)

CCcC

Cr

CCC

r.

CL

CC

CL—

C−

>.

00

00

C)

EE

0ca.C)

.00ci,C

C

.−

RU

CI

−C

C0

C)

.−.0.._o.CC

ca

.−

rC50_

C.

0.

CC

—u

cu.

C)C

CC

cC

C)

C)i..

0.

—r−.

—C

)C

)−

0.

(ICC

)O.C

)rC

rC

C)

zC

CC

C)

00

CL

0C

)C

LO

0•2

Ica

:5C

CL

r..o

conr

c.

HcC

0.

−;:−−1<C

)0C'

q

ICC,

C

14

:

.©−−

r−IO

v:.

.0._

U−

a°3

.2

EE

—)9>

−En

b:

!−

E•

'−

−C

13000

410

,; IV

V

−−

QQ

—>

C0

r;

0V

0

.,

−−

...

−:

0r

9V

c2

.0

toN

'−

−C

−c

N•

—:.−

−V

−V

0.

9V

•−..

−−

S.

H=.−−−.

−•

−0)

−−'—

—0

cr—

u0

—−

−−c

VC

V0

j,

.

−iz

cc

o−

0Q

0•V

:−

.•−..

7:.c

>oC13

C,3•S

to

u

:−g'a

1.

toE

to

.n..−..

−−.−

•;—_−

—−

.5cts−

=.

.c

OV

C.−−

VE

0.

0V

i2

oeca

−0

00

.0

V.

C1

30)

S'−

0V

—−

ES

EE

.00Vlu

,−−.−

VQ

C>

VC

O—

J)Q(I)

O−•

E:;2

—.

••

C0;

.g

.55to

•..

o.2

CV

VtO

—.−

V−−−oca

−−

>−

—−.

oi−

0−

.::ci

.2−.−

>C−

—.

0E

0M

in

..

Vcts

E.

.50E

•.

−−−

toC3

CN

.−

.0

._

.C

V0

VV

#0

V.

0C

's

−−

V

−−

_M

−0oo

−'−

V'

A•

C(

c0

V−

0ca

CV

'−

−o

.2

−.EV

C.S

_Cbp

N•

..

−u

cu

EE

0

V..

•v

.9

QV

0t

.V

>C

CQ

•V

.5−

EO

VC−.)

−o*

g—

o0

V

−−0

CC

−c

04j

•−:

−−V..

..

xC)

−q0'q

15

CC

00—E

turi—©

.−−

−−

LV•

−S

CC

5O

.−

5>

Cc

.•:

•c.

EE

acE.9

ci)−

−•−>

•CL

—c

>i.

<a:C

oo• −

Q−

CLc

. −c

C,

ci

caco

•−..:−−−−

E_

c−

I•c'V

S.

−−

−

..

.:C

Z

.1

V•

i

.V

OC

L

−−

'−d−

•−

0.

ac

3m

V

a

CR

−

−c

VV

•

−:V

E••

CLV

V

S

V−

−.D

−−

co

−−

—c

.C

•V

0−

>'

−0

.00−0V

EC5

—V

.r,O

CO

VC

Cca

UCl

−0

r−

CU

CE

−V

V

0V

—c

•−

co

•V

0V

V−E

jI

QC

Co

0>

OV

_c

D0

V0

co

CV

SC

VC

D

•C

fl•

−−

V_

>5

CV

C−

Cc•_.

:0

C••

.0

V−−

• r0

C−

—cj

Cc'2V

Q

—−

−0

cI

)0

CLV

c<0

as−

o—

EC

••

li

T'S

C

16

"S

.C

..

V−

•

=

..

Q0

V.−C

IO

—!

cn−C)

,c

oC

).

EC'3

E.

.4

r.

0Q

C)

QE

C)−C

)•

E.

2(ID

•.−

.C.)

—(f

;'

cc

i,>

>S

I_C

)C

lC

)C

−.

C)

−C

)t

vIV

—.

C.

)'

jC)

fl.—

−•J

C)C)

I−a

•C)—

t.ECIO

0

.!V•

C)C

)•−

.'N.

C)

C)

V•C

)Q•_C

O−V

.

C)−.C

):

0—

.0.

cu—

0−0E−0−.

−0

I_

00

0C

._V.••C

)C

)

−0

&i.9

−V

C)−

••7

C)C

CU

cua

cc

.0

.0

cdE

.'−−−V

.•

−V

−V

−

CC

MI'—

.

tz

−=

−cc

vt

Z4E

,

Cd

Cj

=C

)−−'−V

.

—

_.

aca

S5

E−V0−

C)

rd

c_

c

−.C

)•−C)>

0c

Q•C

)C)

cl.—.

..5.—

._c

(1

_..

=.

E°

°−

•25=.0C

'3C

),.c5=C

)go

'V

VZ

C)

.c

−°E•

−>.

0_'−C

)=C

)C)

>"−0VS

Ve.

−>

0F

−H

cz

B:.

VV

•'

−C)

I.•©

C)

0.2

V—

.−

t,

,C)

C)

C)

C)

71

VC)

C)C.'O

0Cd)

•=

=C

)C

)tn

><

._

<>

5V

_C

)cz

•:

L

VV

(IDcc

.0

•C:0

.cq

•I

17

C)

0•00''a

00Cd

a.Cd

—Cd

Cl

—

E−

−vE

I−)C

D−

tO

==c

0.0

C(

I−

_)

C

•−

(_)_

.—

co0c#

Ecuji

•L

c.−

>)

71

••

,•

••

.−

•_

)

i−(I

.−

.••−−

>.•.c

>?;•

5−

−0

3

u

cJ

E.

5>•C

=c

—o

c

..

Q

.—'

•2•—

−ol

=

S

tu

E−

clu

—cc—

cI

)U

;jQI−.

.•

=•

−C•

—U

,O

OU

0ocj

U.2

cls

c13E

•c#

Q•U

,.•

0•E

•c=

•E−

o.−

o−−

(0Q

—C

.

•−

−−

−0__

44(0(2

U

00

18

óo

—

:.—

.−

.•

•i−i−0

OJ0

)−

0−.

00

>•

−E

v0

.−•−

E2

−−

—_

_0

cl

•−

•7

_0_

•−6g

•<

−•−.•

.?

•0

5E

CID

•;;

.•

7cz—

−−−.

'•−

−t,

−

..−

−•

Q•

'−

oE

22

b−

c−

0f

−'0

.@

j•,

•0

•.

•I−

.(

lQ

−−−−:

2:E

−o—

0..−.−

0..s.

cl,Ino

W'

U−

−.2••U

..••−

.O

—•

.•

.0

0.•−

e.l)c0cqcq

•Q−0

.E

o2

—o

0

•1

•.

−0

−0

−0

0•

>>

−o0

O•20.9..00Q

_0

00

__

_CC

1_

tl−>

0.

)<

g.oat

0>

to•2

−o

ou−−

c−

Qj

.2

..:tj

−o−−.280

CL

−.−

00

..o0

C0

−•

U.E

•.2

−.2

ej.2

°.80

−0

_0

00

co

6..9−E

o.oEoo

•−

0ø

j0

0−c

—>•

0.−'—

E0

..

•C

−−

0

cdclsco '

−.

•−−

−.0

0'

V00

−•−−'

•−.

UI

0.−

0o

0_

0_

−000.co0E02

cls00

C'3so

un

−•−

C'

•.:−19

Appendix 1 − Audit GradingAudit reports are graded with an overall assurance opinion, and any issues and associated recommendations areclassified individually to denote their relative importance, in accordance with the definitions in the tables below.

finition o f audit assurance and recommendation categories


Assurance opinion

There are minimal or minor control weaknesses that present low risk to the




Green − Amber Reasonable control environment. The control environment has mainly operated asAssurance intended although errors have been detected. Some improvements should

be made.


Amber − Red Limited the control environment. The control environment has not operated asAssurance intended. Significant errors have been detected. Substantial improvementsshould be made.


Red No of risk to the control environment. The control environment hase Assurance fundamentally broken down and is open to significant error or abuse.

Immediate and major changes need to be made.

Organisational impact

MThe weaknesses identified during the review have left the Council open to significant risk. If

Major the risk materialises it would have a major impact upon the organisation as a whole.

ModerateThe weaknesses identified during the review have left the Council open to medium risk. If

0 the risk materialises it would have a moderate impact upon the organisation as a whole.

The weaknesses identified during the review have left the Council open to low risk. If theMinor risk materialises it would have a minor impact upon the organisation as a whole.

Recommendation priority.

Red Significant weaknesses which management needs to address and resolve immediately.



I:\Data\rNT_AUD\Corporate\infomaiion Governance 2018−19\Findings and Report\final report as at 10.06 19.docx

20

[Appendix 2 1 Good practice issues against which the Cunci1's arrangements were assesse

The audit involved review of the Council's approach to managing information governance issues against goodpractice principles included in self−assessment toolkits prepared by the ICO. The questions against which theCouncil's arrangements were reviewed are as follows:

• • . , 4 • &

..... ........,.........,...•1 Governance, Accountability and Compliance with Data Protection Legislation

1.1 Has the Council documented the personal data it holds, where it comes from, who it is shared with andwhat it does with it?

1.2 Does the Council have a data protection lead or Data Protection Officer (DPO)?

1.3 Does the Council have an appropriate data protection policy?

1.4 Does the Council understand when they should conduct a Data Protection Impact Assessment (DPIA)and do they have processes in place to action this?

1.5 Does the Council monitor compliance with data protection policies and regularly review theeffectiveness of data handling and security controls?

1.6 Has the Council reviewed how it asks for and records consent and does it have systems for recordingand managing ongoing consent?

1.7 Has the Council provided privacy information to individuals?

1.8 Does the Council inform individuals about sharing of their personal data?

1.9 Has the Council identified the lawful bases for processing and documenting personal data?

1.10 Does the Council have a written contract/agreement with all processors and third party service providersthat they use to ensure that the personal data they access and process on the Council's behalf is protectedand secure?

1.11 Is the Council currently registered with the Information Commissioners Office?• . . ' [ .• ' •••• ..• .....2 −Records Management ..' −

2.1 Has the Council defined and allocated record management responsibilities?

2.2 Has the Council identified records management risks as part of a wider information risk managementprocess?

2.3 Has the Council approved and published an appropriate records management policy and is this subjectto a regular review process?

2.4 Does the Council carry out periodic checks on records security and is there monitoring of compliancewith records management procedures?

2.5 Has the Council set minimum standards for the creation of paper or electronic records?

2.6 Has the Council identified where manual and electronic record keeping systems are used and do theyactively maintain a centralised record of those systems?

2.7 Does the Council have a process in place to ensure that the personal data it holds remains accurate,adequate, relevant, not excessive and up to date and that it is securely disposed of?

2.8 Does the Council have a retention and disposal schedule which details how long manual and electronicrecords should be kept?

2.9 Does the Council have confidential waste disposal processes to ensure that records are destroyed to anappropriate standard?

2.10 Does the Council have business continuity plans in place in the event of a disaster and does this includeidentifying records that are critical to the continued functioning or reconstitution of the Council?

I:\Data\INT_AUD\Corporate\Information Governance 201 8.19\Findings and Report\final report as at 10.06. 19.docx

21

Appendix 2 − Good practice issues against which the Council's arrangements were assessed

3 Subject Access, Data Portability and Data Sharing

3.1 Has the Council assigned responsibility to an appropriate member of staff for ensuring effective datasharing?

3.2 Does the Council have a documented process for dealing with requests for personal data? Have all staffbeen made aware of this process and has it been effectively implemented?

3.3 Has the Council communicated policies, procedures and guidance to all staff that clearly set out when itis appropriate for them to share or disclose data?

3.4 Does the Council monitor and review all requests for personal data and, where necessary, implementadditional measures to improve compliance?

3.5 Does the Council have a process to respond to a controllers request for information (following anindividual's request to access their personal data)?

3.6 Does the Council have a data sharing agreement (DSA) with any party that it routinely shares personaldata with or transfers large quantities of data to? Are these agreements reviewed regularly?

3.7 Does the Council maintain a log of all decisions to share personal data and is this reviewed regularly?

4 Data Security and Risk Management

4.1 Does the Council identify, assess and manage information risks in a structured way so that managementunderstands the business impact of personal data related risks and manages them effectively?

4.2 Does the Council have an approved and published information security policy supported by appropriatesecurity measures and is it regularly reviewed?

4.3 Has the Council defined and allocated information security responsibilities and has it established aframework to coordinate and review the implementation of information security?

4.4 Does the Council implement appropriate technical and organisational measures to integrate protectioninto their processing activities?

4.5 Has the Council identified, documented and classified its hardware and software assets and assignedownership of protection responsibilities?

4.6 Does the Council keep software up−to−date and apply the latest security patches in order to prevent theexploitation of technical vulnerabilities?

4.7 Does the Council assign user accounts to authorised individuals, removing them when they are no longerappropriate and do they manage user accounts effectively to provide the minimum access of information?

4.8 Has the Council appropriate password security procedures and 'rules' for information systems and dothey have a process in place to detect any unauthorised access or irregular use?

4.9 Does the Council log and monitor user and system activity to identify and help prevent data breaches?

4.10 Does the Council have boundary firewalls to protect computers from external attack and exploitationand help prevent data breaches?

4.11 Has the Council established effective anti−malware defences to protect computers from malwareinfection?

4.12 Does the Council routinely back−up electronic information to help restore information in the event of adisaster?

4.13 Does the Council have entry controls to restrict access to premises and equipment in order to preventunauthorised physical access, damage and interference to personal data?

l:\Data\INTAUD\Corporate\lnformation Governance 20 8−1 9\Findings and Report\final report as at I 0.06.1 9.docx

22

Appendix 2 − Good practice issues againt which the Counci1's arrangements were assessed

4 Data Security and Risk Managemeiit(contrnued)..4.14

Does the Council store paper and electronic records securely with appropriate environmental controlsand higher levels of security around special categories of personal data?

4.15 Does the Council restrict access to records storage areas in order to prevent unauthorised access, damage,theft or loss?

4.16 Does the Council ensure the security of mobile working and the use of mobile computing devices?

4.17 Has the Council established controls to manage the use of removable media in order to preventunauthorised disclosure, modification, removal or destruction of personal data stored on it?

4.18 Does the Council have secure storage arrangements to protect records and equipment in order to preventloss, damage, theft or compromise of personal data?

4.19 Does the Council have a process in place to securely dispose of records and equipment when no longerrequired?

4.20 Does the Council have appropriate measures in place to transfer electronic records off−site and protectpersonal data from loss or theft?

4.21 Does the Council have appropriate security measures in place to protect data that is in transit, receivedby the Council or transferred to another business?

4.22 Does the Council have effective processes in place to identify, report, manage and resolve any personaldata breaches?

4.23 Does the Council have procedures in place to report a breach to the ICO and to affected individuals,where necessary?

4.24 Does the Council have procedures in place to effectively investigate the cause(s) o f a breach andimplement measures to mitigate future risks?

5 Trimwg and Awareness

5.1 Does the Council provide data protection awareness training for all staff?

5.2 Does the Council have appropriate training in place to ensure that staff know how to recognise apersonal data breach and what to do if a breach is detected?

5.3 Has the Council incorporated records management within a formal training programme, whichcomprises mandatory induction training with regular refresher material and specialised training forthose with specific records management functions?

5.4 Does the Council have regular information security awareness training for all staff, includingtemporary, locum or contracted employees, to ensure they are all aware of and fulfil theirresponsibilities?

5.5 Has the Council provided adequate training on an ongoing basis for staff that regularly make decisionsabout whether to share personal data with third parties?

5.6 Does the Council have appropriately trained personnel who have responsibility for processing requestsfor personal data and have they been made aware of how to identify and channel requests to theappropriate team or person?

1:\Data\INT_AUD\Corporatc\lnformation Governance 2018−1 9\Findings and Report\final report as at 10.06.1 9.docx

23

AGENDA TEM No

RELi


PAYROLL (REGULARITY): TESTING OF SELECTED KEYCONTROLS

Contents1. Executive Summary 2. Findings and Recommendations 3. Action PlanAppendix 1:Audit grading Appendix 2: Summary of calculation errors identifiedIssued to: Head of People and Organisational Development and Head o f Financial Solutions(Recommendation I Point 3 only)Copied to:Employee Service Centre Manager (and once finalised Executive Directors and Chief Executive)

IS.•

The purpose of this audit was to provide independent assurance on the adequacy and effectiveness of selectedkey controls associated with the processing o f payroll transactions in respect of overtime and other 'special'payments, changes to standing data and the use of payroll output data (including management reports andexception reports).Significant changes have been made in recent years to the organisational environment and the processesundertaken around payroll, with the introduction of an integrated HR and payroll system (iTrent) and thecreation of an Employee Service Centre, which has responsibility for a range of transactional processes. Weissued a series of audit reports in relation to payroll in October 2017, which at that time were assessed asoffering 'limited assurance' meaning that significant control issues were identified and where we consideredsubstantial improvements required to be made by management. A follow−up exercise April 2018 noted thatprogress was being made towards addressing the issues raised.We were pleased to note that, generally, in respect of the objectives tested in this audit, management havetaken appropriate action to address the issues previously raised. In particular we noted that effective controlsare now in place to prevent and/or detect unauthorised and/or incorrect changes to payroll standing data and arange of management and exception reports have been introduced. Based on the results of our work, we havecategorised this audit as offering 'reasonable assurance' meaning the control environment has mainlyoperated as intended although some errors and/or weaknesses have been detected and some improvementsshould be made. The issues which we consider management require to address are detailed at section 3 of thereport and include:

• a number of weaknesses were identified surrounding the authorisation of information being processed onthe payroll system; and

• a number of errors in payments were made due to incorrect input being entered and processed.

Internal Audit Opinion (see definition at Appendix 1) Reasonable assurance (Green − Amber)

Organisational impact (see definition at Appendix I) Moderate


'Audit Team Lynn McCrum (01698 302182), Paula Hendry and Jackie Struthers

i\Dato\INT_AUD\People and Orgattsattortal DevclopmentPayrolI − Testing o f selected key controls 0220201 9_002\Repostinglfinal report as sorted doc

24

I ExecutiveSummary.. −

Obj ecUvts − −The main purpose of this audit was to provide independent assurance on the adequacy and effectiveness ofselected key controls associated with the processing of payroll transactions in respect of overtime and other'special' payments, changes to standing data and the use of payroll output data (including managementreports and exception reports). In particular, the audit sought to provide assurance that there are effectivecontrols in place to prevent and/or detect unauthorised and/or incorrect changes to payroll standing data; thatpayments made to staff are in accordance with contractual entitlement, properly calculated, appropriatelyauthorised and adequately supported; and that there are adequate and effective arrangements in place toensure that appropriate management and exception reports on all payroll outputs are produced andappropriately reviewed by service management thus allowing timely identification of potential or actualissues/errors.Substantive testing of the effective operation of key controls was undertaken on a sample of 56 overtime andother 'special' payments, since September 2018, selected across all Council Services. The exercise excludedstaff employed by arms−length organisations whose salaries are processed via the Council's payroll system.This engagement has been conducted in accordance with the 'Public Sector Internal Audit Standards'. TheInternal Audit section reports formally on conformance with these standards to the Audit and Scrutiny Panel.

2 Findings and R e c m m e n d t i o n s,

Number and category o f recommendations raised 1$ed ' Amber Gren

1 1 2

−− : r− −: − − −. − −.. − . . . − . ' , , , : . • . −: −Key areas lequiring management action (Red)The following key area requiring urgent management action has been identified:

a number of weaknesses were identified surrounding the authorisation of information being processedon the payroll system.

actice identifiedWe noted the following areas of good practice during the audit:

• the Council has an extensive suite of written documentation, including detailed staff terms andconditions and a range of FIR policies and procedures covering a variety of different aspects of staffemployment;

• personnel files and payroll records are held for all staff and these, generally, hold appropriate andadequate documentation to support the individual's employment status and eligibility of payments madeto them;

• arrangements are in place to monitor and review systems audit logs and transactional data on a samplebasis; and

• the Council operates a comprehensive system of delegated control through an authorised signatorydatabase which clearly outlines the categories and values of transactions which authorised signatoriesmay approve.

Other arëàs for improvement (Amber)The following area for improvement was identified:

• a number of errors in payments were made due to incorrect input being entered and processed.

I DatalIN 1_AUD\People and Organisational Devclopmcnt\Payroll Testing o f selected key controls 0220_2019 OO2lRepoiltng\final report as issued,doe 2

25

r−i

—cM

.—cM

—00 .——

E−—

,E

.

4)0)_cs4)

•0

4t

4)

−C

ISC

l)rJ)—

4)−

—>.

_c4

c,

4)

00

.−

—0

0C

4)

4)

"04)

,C

c4

).

22

C4)

04

)C

CC

Ica

4)0

E0

−o

°−

Eca'

ci)0

_—

'−o

•E

cue

:

4)

r−

4)i..4

)4

)00

cofl.

0a•<.ECIS

L>0C

)

4)4

)0

4)

0)

4)

0Q>.>−

CK

S•:

0

v•..

.2:•−

E22°

−•

i−r−

mCIS

cz=0

—04)

CIS

to4

)0

CIS

)CA

i−>−o4

).

04

)i

−−

C4

4)

4)E

4)0

4)

00

00

00

_Q00D

4).5lu

CI

S.

cc

04

)0

0c

•.

OC

QO

0>•s

&)4)

—−

—CIS

C.

4)•

_•

1−

I−cI•

ca—

.>

—.

5'

−−>−

CIS−

4).

—0

−c

ci0

4)

4)

4)

V0

"0

00

Q)4

.Zi

−c

i—

•−−0c

EU−

o0

−0

—.

4)4)

L..ci14J

4)

C−

09m.

>>

E2

−•

Ci

4)>

ciC

i4)

—C

ciJ

Cc

>4

)4)

04)4)L

.0

AE

2−@

LC

)(

)g

e−−r

04

)C

lD

−.

Ci

>4)C

i4)−

aCA

o

−Ci

)..

Oc

ic

n0

ci

C)

C4)−000

..

.

−.

—

26

c'.

4.cz0.—f,)

NN

I−C)C)

C)C

)−

EE

VC)

C)C

)

ONC.)

C)C)

C)

C3o

0

Cl)(P

2

L.:HC)

..−..._

C)v

−.C

).2

03C

)X

C−

E0

(1)

tao−−

1−−−C

3C

)C

)

2C)

Nj

::

toQC

)

C)C

J.

..

..

D_.Q

−D

>C

)_

o_

_C

).—−

O

14 −I−,

E

−.

.>,

−C

U

•−•(/C

mU

rE

.−;::−c1!−ca

•4

−.

•,

oE

C)C

)Ez

••C).

Q0

0C)

CU

>C

)C

C)N

−−

o−.

—c

>r

−1

50

(−

0C)

•C

)C

C)•Q

C)0.

C)C

)C

EC

C)

C)

C)C)

−0Q

C).

rc

0C)

C)C)

>C)

0—

C)C

CC

Ct

−C

)C

)C

)0to

C−)

C)(/)

20C

)Q

C)02

•−

.C

)__C)Q

.—

•−2

o

•..

—0

−C)

0

•

I

.E

CtE ;C

)−

h

−C)to

−

X

—'j

C—−

−••_C

)•4i−

oO

C)

C)−

0°

C)

C)

dC:

.0

Ct

—.

C)

>C

tC

tC

tCd)

Cd

C)C

).

•C

ID

Ct

C)

0C)

0C

C0

O

−0

−cu

.:

ii

lh

Hi

tH

IJ

iH

1iiilflHfl

5−

27

Cd

ellCd

Cd

clCd

Cd

0'.

Cd

0Cd

.−Cd,

I−—

?N

•'−−

C)

CO

O

)C)

−C

c=

C)

C)

00

0C

13

0L)−

o>

•'2C

)°

−C13

C4

C)

−Q

•r'c

0cu

co

to

ca

".2

(#C)C

)−

EE

<

o.E.9−d

'•

.—o

'g.•

.—

.C

_C)

C)0.)0

C's−05t2cd

.0.)

00

.)

C).C

)

*..0

In

EC

)Q

CC

)C

)D

O<

.C

IS

to

.(ca

−•

q−

−

C)

(

0.)

E−.E

—C

)C

O

•—

(l

00

cO

)C

)C

)'0.)O

C)'−0

E0

E—

>−

.C)

C)

=CU−r

to

m

−

00

In

.•

C)

°o

>0

oo>

.2

E−

F

•CO

E00)o

—°

−o

o.2

C)'C

O'

°oE0

C6

C)C

(IDo

.H

.H

..

28

ir0CCzC

51

fill

C.−−

C'

0(N

N− E

).)

−(.−

01−.

•−0)−

E;IIJ

.•

ERoo

−E

00)

−i=C

CC

E−

'0)

E−

L)ci

−C

C•

(i

C13t

:

V(#

0>00)0)

c2

SIT

0)

2.CU

O

0)

0)

ci._C.0

Nato11

UO

•F

.flhoz

−ci

I−

'•

;.

•−C

CC

O

E•E2Eo−−g

C000)

ci0

..

.c

.c

ic

O0)00)ci

Cci—'

41

o•.E

.>

−04

oci

−•

.i0)7141C

•0)

•coo

£.

−20

)0

cC

..−0

)a

mci−00

0=

>−

−CC

Szi

ci>

0)

0)0)to

;g

0)

0C

i

−o0)p•

Eo2rul C

0CC

29

Appendix 1 − Audit Grading−

Audit reports are graded with an overall assurance opinion, and any issues and associated recommendationsare classified individually to denote their relative importance, in accordance with the definitions in the tablesbelow.

Definition o f audit assurance and recommendation categories


Assurance opinion−

−

There are minimal or minor control weaknesses that present low risk to theGreen Substantial control environment. The control environment has substantially operated

Assurance as intended although some minor errors have been detected. Very few orno improvements are needed.



be made.

There are significant control weaknesses that present medium to high risk

Amber − Red Limited to the control environment. The control environment has not operated asAssurance intended. Significant errors have been detected. Substantial improvementsshould be made.

There are fundamental control weaknesses that present an unacceptable

Red No level of risk to the control environment. The control environment hase Assurance fundamentally broken down and is open to significant error or abuse.


Organisational impact

M •The weaknesses identified during the review have left the Council open to significant risk.

Major If the risk materialises it would have a major impact upon the organisation as a whole.

ModerateThe weaknesses identified during the review have left the Council open to medium risk. If

1 0 erate the risk materialises it would have a moderate impact upon the organisation as a whole.


Recommendation priority




I\Data\LNT_AIJD\People and Orgamsattonal Development\Paysoll − Tcsttng o f sloctcd key cootrols 02202019002\Reportthglf.oal rcport as sssnd doc 7

30

to

−C)

−C)

(1

ctjC

'sN

C)CO

C)(0

2)

00

−C

)

−0

0−

−•

F−

(00

0>

CO(IC

•<

−−

−−

−0

.−

44−

0−

.C

O(IC

toV

−

−−

,.C)

<•o

—−

C)

CO

0−

−

CISa

C−

−S00

(0C

)C

)cz

−−

0.

−00

—−−−

VI

••−−

−0

o−

..(

00

C)C

)−

O_

(O.

>0_'

0

0c

Cd

00

−c

u0

:2r4−

00

0()0

C)C

)>

C).0

−.

C)

to.o

0cd

−a−−

−−−0.

0—

0.

0.−

...

—0

0.

C)

−−

C)0

−−

(0E−

.>

—.0E

el

lQ

C)

−(

IC

C)

0>C

)Ncq

CI

C.0

C)

(I

C•

C)C

)Q

C)lID

2b−

•−−

−(IC

−L.0

0(IC

_0

0.

00

−r

Qm

03C

).

0C−.

•.

0(IC

.0

00

.E−

.0

C)

j−

.0

0C

)0

C)(0

−:

(0C)••

−−

0C)

E0−20

−−−

>.

—.−.

(N0

−CO

C)>

(0

00

•g

oo

oc

oo

−a

.1

.'

•i

10−

0)0)

C)

2−

−a

>—

−o

oE

—C)

CO−

−o

0•

>0

•—

NC

)—

C)—

•−C)

00E

CO—

tn

..

•—

..CO

.−>

0c

−−.$

C)CO

COF−°−

0−

•oj

0C)tb

CO0

C)

cl

,C

O

CO−

−CO

0.

C)71ZE

n

0

E−J3

•C

O.

−0−

C)0

((.0

C)

C)

0C

)(

)().0.

−2

23

0)

03−

CO−−.0

—C)

−0

—"U−0

00

—0.

•.−

0.—−.

(IC•.

0.−

F−EC

)

•C).

MC

O(0

0C

O.O

4)−,..C

O.0

QC

O.0>.C

O10

0F−

F−−

•C(

0−

>•

.0CO

(ICC

O.−0

C)C))

CO0

>0

00C

OCO

•C)C

).−.

,C)

−0

−CO

Xe−C

).

C)

2.0

C)

00

00

ci,0

ci,0

0?•

C)

•C)

C).−..

CO

c0?

COCO

C)O

rfLU

W.

LL.LI

31

00

rA©Q©E(ID

.—

•C)

C)

−d>

.2a

C)

U06

•.s

.v

EC

d−

−−

C)

.EC

E>.C

IS•

−.−

_O

C)−

9E

CI

I)

0C

O>

'3

;'

C)

44

a9

.C

)

−g

>−

−•

.−.−

_O0

.o

C)>

OC

)0

mU−

cu,mu

CO.2E

C)'C

−

•−

.−

_oN

.o−°

COoo=sE

C)−o

−

.−

>.

m0

0>

._

−C

)>0'

00

0.

°E

°>

0—

0

•o

(−'Ic

−.

._C

)0

.C

IC

•−

0E

−C

O−

−9

C)c

aC

)

2I..

0Ej

•C

)−•−

−ca0000

CU

CO

a

COEo

Er

O−O

CDC)

•C)C0−CIS

02cu

222

>c

i>

CO>−,

.°C)

>._

_•

COCOO

•_m

O9

em2

.−°

CLC

)

E2

22

>>−

C)••

>••C)

C)>•

=C)

C)cu

CO−

CO−

.CO

00

H0−L1.CO

0−.−LC)

cH

—.

0COcO

0C

O0.

0..•

ox•

EC

O

—EC

)C

)CO

._

CO.

_.._

CO.0

C)C

OC)

−C

O0

0C

O0

0>

ca0._C

O

48

o−

xx

xx

CI

OH

>

Ii

iI

II

I

•C)

C)C)

C)

In.

.2.

—.9

e−

•E−

.C

OIn

C).

9C

)C

)C)

O0

000L

LX

uLLJ

O

32

O\

C.

08DI−z

0

AGENDA ITEM No.Ll−irIcshire

Council


CREDITORS

Contents 1. Executive Summary 2. Findings and recommendations 3. Action PlanAppendix 1: Audit grading

Issued to: Head of Financial Solutions, Head of Asset and Procurement Solutions

Copied to: Creditors Manager, Procurement Manager, Executive Directors and Chief Executive

This audit was a brief high level review designed to provide assurance on the adequacy and effectiveness ofselected key controls associated with the processing of creditor payments. The particular focus of this exercisewas on controls associated with changes to standing data held within the creditors system and controls in respectof the processing of invoices for payment.With regard to changes to standing data, we are satisfied that the arrangements in place for creating new creditoraccounts and making amendments to existing creditor account details appear generally satisfactory and to beoperating effectively. We also consider that controls in respect of the processing of invoices for payment aregenerally adequate and operating effectively.Based on the results of our work, we have categorised this audit as offering reasonable assurance meaning thecontrol environment has mainly operated as intended although some errors and/or weaknesses have beendetected and some improvements should be made. The issues which we consider management require toaddress are as detailed at Section 3 of the report and include:

• Invoices were not always authorised for payment by individuals who had delegated authority to authorisesuch payments;

• Substantive testing of a sample of invoices processed for payment identified some compliance issueswhich Services need to bring to the attention of relevant staff; and

• No independent management checks are conducted on new supplier accounts created or changes tosupplier bank details and/or other standing data.

Intrnal AuditOpinion (see definition at Appendix 1) J Reasonable assurance (Green−Amber)

Organisational impact (see definition at Appendix ) Minor

rt status FINAL Audit ref 0210/2019/002 J DatIissued 5 June 2019

Team Elaine MacDonald (01698 302184), Paula Hendry and Liz Sweeney

i \1)a,\1NT AUD\CI1 EXEC\Creththr 2(31e−19\A− R p o n s & . u b s q e i o e p o d c\Fu, report a ssud do

33

L. Executive Summary

ObjectivesThis audit was a brief high level review designed to provide assurance on the adequacy and effectiveness ofselected key controls associated with the processing of creditor payments. The particular focus of this exercisewill be on controls associated with changes to standing data and payment of invoices.The audit sought to address the following issues:(1) Does the Council have adequate and effective controls in place to ensure that only eligible and properly

authorised invoices are processed and paid?(2) Does the Council have adequate and effective controls in place to ensure that all changes to standing data

on the creditors system (including new additions) are valid and properly authorised?The work involved a substantive test based exercise using a sample of transactions during the period Octoberto December 2018 drawn from across all Council services and activities.This engagement has been conducted in accordance with the Public Sector Internal Audit Standards. TheInternal Audit section reports formally on conformance with these standards to the Audit and Scrutiny Panel.

2 Findings and Recommendations −.

Number and category o f récommendatiohs raised Red Amber Green(see definition o f pnonty at Appendix 1) r &

1 2 3

Key areas, requiring management action (Red)The following key area requiring urgent management action has been identified:

• Invoices were not always authorised for payment by individuals who had delegated authority to authorisesuch payments.

Good practice identified

We noted the following areas of good practice during the audit:

• Orders placed via the PECOS purchasing system are subject to robust system−imposed controls including:

• segregation of duties between the individual raising the order and the individual authorising theorder;

• only allowing officers with sufficient delegated authority to raise/approve orders/invoices;

• allowing invoices matched to PECOS orders to be approved for payment only where they agree toor are within pre−set tolerance limits of the purchase order.

• Where manual orders are raised, the price, quantity and description from the invoices are reconciled priorto being passed for payment; and

• Documentation is held on file to support new supplier records created and/or amendments to supplierstanding data.

Other areas for improvement (Amber)We noted some areas for improvement during the audit:

• Substantive testing o f a sample of invoices paid identified some compliance issues which Services need tobring to the attention of staff and address; and

• No independent management checks are conducted on new supplier accounts created or changes to supplierbank details and/or other standing data.

I \Daia'JNT_AiJD\CH_EXEC\Ccdtors 2018−MA . Reports & subsequent co spondcocc'FnaJ report os ncoed doco 2

34

C.

C)

EC.)

C)

CD

−C)

o5

−C.)

=C

)−

C)C)

C)

•z

−z

C)

OvE

zC)

&D

tbt

ocq

C)C

C)

C)

−−

.>

.•

.−.

C)

−−

C−

.−

−.

−C)

C

C−

zC

C)

CC

•C•−

C)C

−•

SC

C.−>E

•E.E

C):—

>L)

CC

−C)

—C

v

C_.5−c,_Jv•

"E

C)CC)

CCC−

CC)

−u

Di

4)

CC

)

−−

)•−•C

)

>s

coC−C

C)

C)

b−:;−

cc −−o?a

cm

C)C

CMC'

Ci

C)

CC

)

C)

.−

•EC

•8−

−C

)C

CC

)−

−C

•−C)

•C)

—>

C)C)

_C>

cqjC

co•

_2

C)

C)

CM

>C

)C

cou

cl.−e

Ez

c.

0C)

._•C

CP

CC

•E

C)C

C)

C)

CC

)C

)O

0C

)C

Q−

o—

•0

.C

2.−

_z

C)

C:2

CC

)−

−−

o_>

−.

)−

•−

−C.

C−C)

C)•_

−−

0C

oC

C)D

5_

CJD

•−

−E

_0

0•

CMC

ca

CCC_

CC

M.

C)C

CM

C)

)0

E0

−E

oCC

cn

oCCo

CM

0Z3−−−i

C)C

)2C)

)C

)C

−.

−O

0C

MC

)c

oE

.C

CO

C)

CM

C)

.C

).

EC

−O

C)

C)

C)

.C

.E

C)

C)

C−4)

r•

_.E

°j

!:

U;

..

:

C)..9

CMQC)

3C

)CM

CM

C−C−

C.−oC

MzoC

−zC−C

)C−C

)−0C)C

)EC−.z

C)

C)

CC

−C

−

09

F•

2

CC

)C

)C

)CC

)C

−;

−>

•−

c0

z0

C)

C

cu'

−C

a.

=C

)C)C

)C)Q

CC−C

.cu>:

)0

C)

Ez

o•

C)

CC

2C

CC

)CC

)CC

0

LC

C)

90

C)

0

75

—=

20

−C

C)

•P

99

−

C

)5

−cd

wC

C.

)O

CC

.C

).

C)

•_

CiC

)CM

•C

)−

zC

)C

−C

−C

CC

0C

•C

'C

44

)C

C)

C.

−C

)C/)C

)C

)2

C0

−C

)4

du

cao

fl>

C−C

EC)

−.E−

zo

<

en

35

..i

r1r−1

='E

—−

.=

.−

−−.=

C

C.

2E

El

1•10

z:>

•−

−cr

•1aC

()HC

...0

ca

−

'−•

−−

,.

−

−o

a−a

c.−0

C−

−.−

°E−E

ICIL

C−

>−

−−

−.

C

•;.0

co0

•−

−>

C−

−C

C)C

.2

−=

−•

:

2)

C)

)C

.−

CE

−−a.

−C

1)

Q.

C)

OC

.cC.

−−C

)0

Z3ca

E72

>

cZ3

CV

−>−C

)

•C

C)(

0LL.

c.

4).

4)−

.0

C)>1

C)0

−Eto

u•

>o

111E

0.0C

C.C

)C

co−

u•−

C.

C)

I'•LfflU

11

'ItC)

—0

.4

)4

)_

2>

SC

)•−−220

C)

•i−−

—cz

•ci)o

uci)e

−0

.rq

f9

36

ii.—

cc

cc−

Cs

−cc

cc

−0

'O

\

NN

>−.>

00

—I

—

C'

N>−.0

−−

.−

00

−7

0tO

−V

−V

()

0o

•_00

(1•—

•3.o

U—

uN

110

—E

cz

•_

>C

Cj

..*0.00

.EE

0O

VV

QC

−0

dl

0.

E0

>C−

0o

_•

−)0

00.0

.2

00

Z0

C0'c_

°6

0o

EE

EO

.0

QO

90

t—

−5

>9cco

••

UO

caE

V.

0.

−.

0

cur

C00

C

.−5•

H0EllF3

oZS

vV

−

V0

>b

C9

5−

o>

EV

V>C.0VVCl)C

−C

−

0V

−

co

−>

>V

−>−,

C−0

C)O

.0n

C.−.

C'

N0

0C

V0

L4.2

o0

0ca

C

9CV

)V

00

0.Q0C

C_

0C

)>

L#)0

C'

QC

,C

−U

V

.E8

R

VC

VV

V0

0.

0.

C)

V0

CV

V0

0cc

−0

0C

C

VC

)V

::

C•−

0c

—.

.0

0−

?g

ac.9

is

cz

−2

00

00

Co

.0

o?C

15−

E8

C:V

0C

S

C

0.0

0.V

79

VU

−

..

C)

−C0.

0.

SS

S

kn

37

—

©,J

0'0)0)0.0)

(0to

o

.−.r.fl

C•

−b

(00)4)

.

0)

.0E

0

0)−

o.−

2'

.0−

(0

.0)

0cd

00

).

.>

<0)

(013

(.

_0

)0)

−0..−

0°

2()

cl°2

2E

−(00)

.9−a0)00)

2P

C.

)>

(0−

−(0

0)

—

(0−

C(0

0e

0)20)

(0

cr

02

(0(0

(0(0

C0.

"00.04)=

O0()

CO−c

t.0==

..−

00

0)

b0C

C

0)

.u_c•__.

(0

4)

(0c'((

4•

−o2

EcJo..

—0

0

•2

"'o

>0

(0

(001)

o2'−20

)(0

0)

2

c−

..

−(0

z

0)C

0_0−00

S—

0c

co0

0)−

00

—,

..

rt7

−<

U0

r−

um

0.C.0C

4−'4−'I−0

•(0000C

C,,

•cEc

— )−

0)

0)

0)

0)

00)

(00)0

−0.b0−

ilhUIIH

c−'−

o0

.22

Z2

'.−

−LL

,(0

00..9

0.E.

cz,

•−EE

.50o−o©

M0c:E

co;

•'−.92

(0

CL_

−'−'o−000—,.(fl0000)

E

s−

c0

)•

.c

00

)(0000Q

.0)

00

>.0

cr

2h—

Q,−

0)

.0"(s

_()

tj0)

(00

)..

s2

0.E

(0.9

cla

CL

−

01

)._7

00s'fl

•S

S

38

S0)>00)0z(0

JII.

p

0−c00

'O

0_

!i

0V&

)0c&)

−C

)

.2UC.)

:•

C)

0.

−C

1&)

>−−

c.•

,C

)cQ

._C)_....C

)

C.C

)C

−C

.C

C)

−−

−C

)

−.9

−−

"C)

−;

•a

−

.C

ID

>C

_0

EC

c.•rI

..cd.

.

0bCC

cc;t

,C

C)c

d•C

'C

)=.0czCL

••

:C

•

C)

C−

−>05

—−

−C

.C

••

C)

C)

QE

:−

.9

t1

C9•0

a−

(•

_•

c_C)

Ea

.sa

_00

"°

0_

ce

CC

oC..−31.4

>C

0−

•z

C•−

>o

2•

c_

>•

_o

C2

−10)

j−

.!

••

_=

_c

_−

C)C

)C

−−

C_0−

•−.9c_c_oD−cc2

_D−

QC)

.as

>.

EC

LQ

ca−

a.

co

ov

C0

c_

oE

.E

EE

E.

CCc_

_>

2o

oE

−;

._

C5U

CC

C/D

..−,0•

.9—uC

0−C

6−0•

.rC

C.)

C.)

x"Jr07C

39

r1,;—

('1−−

.0

(1E—

0.

0−

C)

ej

ca:

.0

..0.

:caE

(_

)3

biota.020.

cd.

cc−S

d

S−00

'S

−•−

−C

)E

−−

,0

5'

•−

u1−−

0−−=

− 0−'−

6r'−

EoG

ej

0'•'1

•C)

C)C

00

=0

00

−0.0

EC

OO

0•

−

1'•—

:−•−

2SS.

.−0−0

•−'

C)−0

EC

>l

0',

C)

−C

)−

Oo

−•

._.0b

L0

>S

•c•)

C'

tj

0=C

)

.5•c:2

•−

_0

CL

bO0

.—

=

.−

..—

=

'.)

C)0

.0Eto

ou−−C

−'0

00

40

Appendix 1− Audit Grading

Audit reports are graded with an overall assurance opinion, and any issues and associated recommendations areclassified individually to denote their relative importance, in accordance with the definitions in the tables below.

− − .' .. . ' •€... :−−.−," .Definitionof audit assurance and recommendation categories −Assurance Confidence based on sufficient evidence that internal controls are in place, operating

effectively and objectives are being achieved.

Assurance opinion − −There are minimal or minor control weaknesses that present low risk to the





be made.


Amber − Red Limited the control environment. The control environment has not operated asAssurance intended. Significant errors have been detected. Substantial improvementsshould be made.


Red No of risk to the control environment. The control environment hase Assurance fundamentally broken down and is open to significant error or abuse.


Organisational impact−

M The weaknesses identified during the review have left the Council open to significant risk. IfMajor the risk materialises it would have a major impact upon the organisation as a whole.

Moderate T h e weaknesses identified during the review have left the Council open to medium risk. Ifthe risk materialises it would have a moderate impact upon the organisation as a whole.


A.

Recommendation prurily −




I T A I j O \ C I− I L X E C C , d l o , s ZIJI − 9\A − R p o f l s & s b q u I o p o o \ I − a I d dx 9

41

AGENDA ITEM No,

NORTH•LANARKSHI RE

_ 4 0 4 ' r o w p —

INTERNAL AUDIT REPORTCOUNCIL

WASTE MANAGEMENTContents 1. Executive Summary 2. Findings and Recommendations 3. Action Plan

Appendix 1: Audit gradingIssued to: Executive Director for Enterprise and Communities, Head of Regulatory Services and Waste SolutionsCopied to: Business Manager (Cleansing) and (when finalised) Chief Executive

Headhnes−"−Thisreview was designed to provide independent assurance to key stakeholders on the adequacy and effectiveness

of certain aspects of the Council's waste management service. In particular, the audit considered:

• whether the Service has appropriate systems and procedures in place for gathering and reporting performanceinformation in relation to waste management and whether reported performance is comprehensive,robust/accurate and, where appropriate, prepared in line with any relevant internal or external guidance; and

• whether the Council has a sound understanding of the current issues, risks and challenges facing the Service indelivering the Scottish Government's targets in relation to reducing waste/increasing recycling and whetherthe Service has a good understanding of the actions required to ensure the Council can meet its responsibilitiesand have these been translated into coherent and realistic plans which are subject to periodic monitoring andreview.

The Scottish Government's 'Zero Waste Plan (2010) 'has set a target of 60% of household waste to be recycled by2020 and 70% of all Scottish waste to be recycled by 2025, with a maximum of 5% sent to landfill. For2017−2018

the Council's recycling rate was 40% compared to a Scottish average of 46%, although the Service expectsthis to increase to 44% on publication of its 2018−2019 figures.A significant amount of work has been undertaken by the service in recent years to increase recycling rates,including a radical overhaul o f the Council's kerbside household waste collection service and an internal review ofkey operational issues affecting the service. The Council has also, in partnership with a number of authorities,entered into a contract (the Clyde Valley Residual Waste contract) which will begin to deliver furtherimprovements in recycling and residual waste treatment from 2019−20 onwards.Despite the considerable improvements made to the Service in recent years, based on the number of areas wherewe consider that substantial improvements still require to be made, we have categorised the audit as offering'limited assurance'. Although the Service acknowledges the need for improvement in a number of areas, itconsiders that the audit findings do not justify this overall grading.Details of the issues raised are included at section 3 of the report. The more significant issues highlighted by ourreport include:

• The Service currently lacks a single comprehensive strategic−level document setting out the Service'slonger−termobjectives and how it plans to meet them and we consider that this should be addressed to enable key

stakeholders to be able to understand more clearly what the Service is trying to achieve and how it plans to doso. The Service does not fully agree with this point but has agreed to present a report to the Environment andTransportation Committee in August which will provide more detail to elected members on the Council'scurrent recycling levels and expected future performance;

• In line with the wider corporate development of the Council's Strategic Performance Framework, there is aneed for improvement to the Service's performance management framework, including the key performanceinformation reported to senior management and elected members; and

• While the Service's risk register is consistent with corporate risk management expectations, it does notcurrently reflect all the key risks/challenges which could impact the achievement of the Service's keyobjectives.

internal Audit Opmion (see definition at Appendix I) Limited assurance (Amber−Red)

OrganisatiOnal impact (see definition at Appendix 1) Moderate


Audit Team, Jacqule Howden (01698 302185), Paula Hendry and Hugh Shevlin

i . \ D a t a \ i N T _ A U D \ i n f r a u c t c \ R e g u i a t o r y Scrvccs & Waste Sotations\Wasic maatagemest 201 8−201 9\Rcpothsg\Fieal report as ssued 12 06 19 doc

42

I ecitivE x e Summary.

•lie: _ − − ; , . ' s s . ' : . −,'−− • :.•._• t . 3 • •− : r••−

This review was designed to provide independent assurance to senior management and elected members onthe adequacy and effectiveness of certain aspects of the Council's waste management service. In particular,the audit considered the following:

• Does the Council have appropriate systems and procedures in place for gathering and reportingperformance information in relation to waste management and is reported performance comprehensive,robust/accurate and, where appropriate, prepared in line with any relevant internal and/or externalguidance; and

• Does the Council have a sound understanding of the current issues, risks and challenges facing theService in delivering the Scottish Government's targets in relation to reducing waste and increasingrecycling and does the Service have a good understanding of the actions required to ensure the Councilcan meet its responsibilities and have these been translated into coherent and realistic plans which aresubject to periodic monitoring and review.

Policy within the area of waste collection and recycling is driven by the Scottish Government's Zero WastePlan 2010, which has a requirement that 60% of all household waste shall be recycled by 2020 with a furthertarget to recycle 70% o f all waste arising in Scotland by 2025 with a maximum of 5% of waste sent tolandfill. In addition, the Waste (Scotland) Regulations 2012 provide a statutory framework to maximise thequantity and quality of materials available for recycling and requires all local authorities to collect recyclatein a manner which facilitates specific treatment. In December 2015, the Scottish Government also launchedthe national 'Household Waste Recycling Charter', which sets out a number of collection strategies aimed atimproving each Council's recycling performance by achieving a more consistent and better quality recyclatefrom local authorities.Work undertaken during the review included substantive testing to validate the accuracy of both externallyand internally reported performance data. We also reviewed the issues raised in the recent internal review ofthe waste management service and considered the adequacy and effectiveness of the Service's governanceand management arrangements, particularly in respect of decisions taken to address the issues and challengesfacing the Service and the actions deemed necessary to meet the Scottish Government's recycling targets.This engagement has been conducted in accordance with the 'Public Sector Internal Audit Standards'. TheInternal Audit section reports formally on conformance with these standards to the Audit and Scrutiny Panel.

2 F i n d i n g s and Recommendations ' INumber and category o f recomthendations r a i s e d − , * Red Amber Green(see definition o f priority at Appndix r 1 3 1

Key areas 1 requiring management action (Red)The following key area requiring urgent management action has been identified:

• The Service currently lacks a single comprehensive strategic−level document setting out the Service'slonger−term objectives and how it plans to meet them.

& Waste Soh,toss\Wasie masagcmn1 20I8−2019\cporing\F,na) report as ssued 1206 19 dcc

43


• The Clyde Valley Residual Waste project, due to commence in December 2019, will allow the Councilto deliver improved recycling and residual waste treatment through the disposal of its residual waste atan energy from waste facility at Dunbar;

• Significant revisions have been made to the kerbside waste collection service from October 2017, with aview to improving recycling rates and delivering efficiency savings for the Council;

• A benchmarking exercise has recently been commissioned by the Service from external consultants tocompare the overall efficiency of the waste service with that of other local authorities and privatecompanies;

• Senior management has implemented a number of activities to address some of the current operationaldifficulties within the service, including the implementation of a new routing system to reflect therevised kerbside collection service, undertaking a review of operations at recycling centres, tagging ofcontaminated bins and a review of the assisted pull−out service; and

• In addition, a number of further continuous improvement initiatives have been identified by managementincluding the proposed re−development of the former Auchinlea landfill site and the potentialrationalisation of depots.

Other areas fór, improvement (Amber)A number of other areas for improvement were identified:

• There is a need for improvement to the Service's performance management framework, including thekey performance information reported to senior management and elected members.

• While the Service's risk register is consistent with corporate risk management expectations, it does notcurrently reflect all the key risks/challenges which could impact the achievement of the Service's keyobjectives; and

• The Service continues to obtain services from a number of contractors on the basis of contracts whichhave expired and this position should be regularised as soon as possible.

I \Data\INT_AUDInft St we \RgWto ry Services & W s t c SoIut,ons\Wstcmasagment 2018.2019\Report,ng\Eutal report as tossed 120619 dos 3

44

•1...

'−−1

—f

C14

rz

(.

>−))

2

0

•1−

•.•−

a)ci

ci.

−=

;;

−•

c;sE

—O

UE

Eo

E−a

<c

oC

A

00

(U

−>

ncc−

..

E−

ncU

VO

_c

•_

−_

._

ci

ci

OP

i>

c'cao

−)

0i)rj,

•−

2.E

,t

.−

−oC

13ca

UC

's

—

UE

−−

—−

—−

—

•−

.−−−

_−

o—

oU

0ci

−−

>0

U−

•U

UU

>E

CU

.)

>n

jcin•

VU

JB

—9:1.

C13C13V.−

C/)n.

Uc.

M.

C)0

ci.

−—

—C)

U

cn U—

N

•L−&— c−

Ci>

Oc

i−

0c

iC

)Q

VC

'

•• —

−U

−0

ciU

E:

−C

13

•−

−•

•0c

i)ci

−−O

cic

ci)

O0

0c

iU

C)C

)0C

's

_o

go

00.

oc

iE

oo

ci

−E

cio

o.

Ec

ri:

.c

4,

VO

0−

−I

i0

U0

U)

.−

Un

I0U

V•

oCo

O

C's−c

ic

oU

U>

−2

c

oCut

−,5

ci

CM

OO

>0VO

=•

.:

(5E0'ci,C0

0c

i)U

U>

°U

>•−71

ci

••

(0•_c

i0

•O

0n

22

0•

0n

0oo

−−o

tr

°c

i(

)P

Uc

iaO

No

E0

−2cio

−ca•5U

C−.

C13a

•:U

g

−−−0

−−−

.0ci

C)ca

−−−

Uz

;>

Cici

nc

0E

•−

0.

−2

0.

Q5

ci

Uci

oC

iU—

E0o•

oc

ic#

nO

OO

Oc

Icc

i>C

'•

..

2.

E.

UCi

=−

U−

−0

0.

.0

0N

•_c

#C

o−

−'

••

••

__

•U

U0

1U

0U

0−

i20

E0−

ci

0−

0O

—c0

CL=

q0

9:

1.

C)

_c

i−

−U

OU

EC

)U

0>

ci−

−−

.0

'Q

bU

0

V−—−

45

0'−

−

:

−

−'

Lo−

ej,

.1

.C

L

..

cts1.−.

.EF

cTA•0−c

CL

0cu

'

..L

VV

a−

5Co

u•

:•

a.EF

<P

.EE

..0

.E

22−

>o

−.>22

C's−o0

.2.9

EO°EC

IS

•F.

1−.

.−

0Q

(I80

EQ

−>

−0

>−

c..−

VC

.−−#)

1.'

r

Cd

caU

.m

C13C

LC

,S9VaV

c0

>_

0.—.

V=

c.−.V

=−

−&

)

0−

20

−.9rfD

Uas

−>0_

mCZ

CEV

−

0Vcz

joc

−,

o

E0

V>

mo

V>

VV

00−

toC

−•

2E

CV

−c

c.

0V

bo

'−,Q

t−C(E

CJ

.—

>V

V'

V.

_o

.C

'−

Q.

0.E

EV

>o

U.

fi

nt

i•li

Io2E

0'−

c'S−−

.•

C.)−

C.

—)

cl

,I

−−

V−

'C

VV

CC

CC

CZ

U

..0.

,−

E.

E.E

..

.

(.1

'I−)

46

−7

−−0

−c0

0

co

...−−.027.)

Q)C

Cd

E'

−.

734)

ilc

g

'.\

Cj

E−

t−.−.−−:.:•

0f

e.

..

•27.)

E−

73

J,

00

_._

_'−

.•4.)

•cJ.−

V

−

7)cl

C.0.

• I

oD−

LnC:−

CD7

3.

7'

73

73

Av

4)

r−

gr

−i

2E

E−0

71)4)•

7.

)t

−−

−4.)

D−

c4)O7.E

•t

E4

)4

)7

.)

EC

Etvto

aEoa:o.

14th

Z

&)

0>

tD−.

−•

_:

_−

−7

37

3.

.7

3

7)77.)20

.I

7−47

—

V.a.

0

—

ON

—.

'—V

0

−0

tu

−sea

>=

−0Es

.•−

−V

rA

ed

:

m

toVa..

Vo−c_cd

cl

VC−)

CAto

alC

Wgel"

=(l)

C)

i−

.−

−>

>t

o0

ca

__

.Q

Vg)

V.−

−.

..

.C

)Q

"V

V..

I−.0

.2E

I−•

•−V

−

C)cl

CU

0.

Cl)—

Vc

0.

C)>

QV.

−V

C)C)

0VE

0r

$°

>V

NL

•E

C13>

−o

2E°

C).cn.(l)0V

1_E

r−−

0C

).0•'−

)_))CI)

−.−

'•4)

−•

>−

C−

.—.2

CJ

.0

VC

—E

VC

CQ

)−

C)

CCd

15

rl)

CC

lC−

−−

.−.−

−E

v

•—

EC

lC)

•o

−C

)Q

C)

C)

−Cl)

.V

−C

−.

−−

−−

00

C)

−>−.

L60

r−GO)C..

—•—V

−

CIn

Wc..

)>

>V

CO

•e

0E

−−

V•

00

00

0o

a0

0

0>

l)E−>.ç

I..0

0C

O..−

0

−C/D

COCl)

−>

• −.

C−...

−−

>>

−01)

−0

CO

0)

−C−)

C−.−00−C

−−._.C)

00

0Cs

C−)C

)C

O..O

0)E

g.Z

0)0V

CO

EV

'−

−o

C>

.cl)9)

•C

l)c

C.

VC

C.

,.

._

CO

00

,−H

g

•

uC

13

C)

>)

−V

C−

)•

cCO

'−C

)

C)

CO

.0

)0,E

V•as

cn

C−48

1−. .−—

C)

MC

IS

cs00

cn

—(ID

•−

9E

C3

OC

L)

caC

L

©>

vs

tu

−•

.——

I.

−.

.CU

=>s

cl0

>=

to

.—.•−:

E

0o

E−.

>

−.

u−−j

−−−

−C,3o

C)

H'

C)

C)

C)

−0

>'

00

C)0

0E°C)>

C)

•.—

__

0C

C)

>u

cuC

)ç

•—0

80(0n−.−0_

−

>−•−>

*>.

Eto

sr−:9

H9

49

00

ON

CC

NN

—0e

ri

0Q

t.−...

eq15

0)2V

cc0

)0

)C

)

ed

cucis

c.

•G

QC

−−.

−C

IS

"c

0)r

.—

a−a

−−0?41

Ee

.on

—a!i

1−

ca

UCOQ

ca

o

−Es

,E−

D

'−

•−:—

cgE

oQE

s

Th−

.2

E−

2−cu

C'sV

0o

–cl

t°

−caU

co

Uo

E0

)0

−•

Ccw

•−<

215

J,

I•

−−

'O

0)

E0

)O

.D)

0)0)0)

CIC

)Q

−

−:

−−

0)C

•.

c0

)t

<0

)c,o

0)

0)

•−

UU

00

V0

)0

<0)C

Ex

000)L.

0)

'−

0)

C.

OO

/)

•(sl0)_

4)

—0

)E

−CJ

• −.

−−

−f—

0)C

•E

c'

•0C

)QC)

C)9

EC

$CCJ

)−C

C<

C)N

EC

)0)

0)0

)—

C/)6)

−−

0)>

U−

2.

−−

•.

•0?

ol

50

[Appendix I;;− Audit ngGradi ,l

Audit reports are graded with an overall assurance opinion, and any issues and associated recommendationsare classified individually to denote their relative importance, in accordance with the definitions in the tablesbelow.

Definition o f autht assurance and recomrnendatióiicat ego ries


Assurance opinion .There are minimal or minor control weaknesses that present low risk to

Green Substantial the control environment. The control environment has substantiallyAssurance operated as intended although some minor errors have been detected.

Very few or no improvements are needed.

There are some control weaknesses that present low to medium risk to

Green − Amber Reasonable the control environment. The control environment has mainly operatedAssurance as intended although errors have been detected. Some improvements

should be made.

There are significant control weaknesses that present medium to high risk

Amber − Red Limited to the control environment. The control environment has not operated asAssurance intended. Significant errors have been detected. Substantialimprovements should be made.

There are fundamental control weaknesses that present an unacceptable

Red No level of risk to the control environment. The control environment hase Assurance fundamentally broken down and is open to significant error or abuse.


• .−.•−.,•...•−• •.−•−•; •. ' • • . − − • •,•−• ...•••,••−..Organisational impact − − −.

NI • orThe weaknesses identified during the review have left the Council open to significant risk.Major If the risk materialises it would have a major impact upon the organisation as a whole.

ModerateThe weaknesses identified during the review have left the Council open to medium risk. Ifthe risk materialises it would have a moderate impact upon the organisation as a whole.


Recommendation priority




I \Data\INT_AUD\Infrastnrctrc\Regulatoty Scrv,ces & Waste SoIutons\WasIe maoagemetrt 2018−20I9\Rertutg\Fot3I report as issued 1206 19 doe to

51

Documents

EXECUTIVE SUMMARIES - North Lanarkshire · 1 Executive Summary Objeètives The purpose of this audit was to provide assurance on the adequacy and effectiveness of the Council's arrangements