Appendix A

Lancashire Combined Fire Authority

Internal Audit Service

Annual report of the Head of Internal Audit for the year ended 31 March 2024

 


1                Introduction

Purpose of this report

1.1            This report summarises the work that the Internal Audit Service undertook during 2023/24 and the key themes arising in relation to risk management, governance and internal control.

The role of internal audit

1.2            The Internal Audit Service is an assurance function designed to evaluate and improve the effectiveness of risk management, control and governance processes. Public Sector Internal Audit Standards (PSIAS) require the head of internal audit to provide an opinion on the frameworks of governance, risk management and control of Lancashire Combined Fire Authority and a written report to those charged with governance, timed to support the annual governance statement.

1.3            This report is based upon the work the Internal Audit Service performed during 2023/24 in relation to the 2023/24 audit plan, approved by the Audit Committee in March 2023.

1.4            The scope of our work, management and audit’s responsibilities, the basis of my assessment, and access to this report are set out in Annex 1 to this report. The levels of assurance the Internal Audit Service provides are set out in Annex 2.

1.5            An Internal Audit Service Charter is in place that establishes the framework within which Lancashire County Council's Internal Audit Service operates to best serve the Combined Fire Authority and to meet its professional obligations under applicable professional standards.

Acknowledgements

1.6            I am grateful for the assistance that has been provided to the Internal Audit Service by the staff of Lancashire Fire and Rescue Service in the course of our work during the year.

 

 

Andrew Dalecki

Head of Internal Audit, Lancashire County Council

June 2024


2                Overall opinion on governance, risk management and internal control

Overall opinion

2.1             Overall, I can provide substantial assurance regarding the adequacy of design and effectiveness in operation of the organisation's frameworks of governance, risk management and control.

2.2             Systems and processes are generally working effectively and ensures staff are aware of correct processes. We have discussed the issues we raised during the year with senior managers and agreed action plans. The table in 3.1 details the audit assignments completed with the relevant assurance levels.

2.3             In forming my opinion, I have considered the work undertaken by the Internal Audit Service throughout the year as well as information available from less formal sources than planned audit engagements.

Wider sources of assurance available to the Combined Fire Authority

2.4             Assurance is also provided by Grant Thornton as the Authority's external auditor. At the March 2024 Audit Committee Grant Thornton reported that the 2022/23 audit of the financial statements was substantially completed, and they expected to issue an unqualified opinion. They also confirmed that there were no significant weaknesses in the arrangements for financial sustainability, governance and economy, efficiency and effectiveness in the use of resources.

2.5             His Majesty's Inspectorate of Constabulary and Fire & Rescue Services inspection on the service’s effectiveness, efficiency and how well it looks after its people has been delayed from 2024 until 2025.

2.6             Assurance over the operation of the Pension Fund has been obtained from work conducted directly by Lancashire County Council's Internal Audit Service and by KPMG for the Local Pension Partnership (Investments) Ltd (LPPI). Further assurance was also received from LPPI's Audit and Assurance Faculty (AAF) 01/20 Type II Service Auditor's Assurance Report. The Local Pensions Partnership (Administration) Ltd, (LPPA) Internal Audit Service has supported LPPA in its achievement of the AAF 01/20.

3                Internal audit work undertaken

3.1            The table below reports the status of each audit completed during the year and the assurance opinion. This shows that all the budgeted days (80) have been used to deliver the internal audit plan. All 2023/24 work has been completed.

 

3.2            During the year, there have been no matters arising which have impacted on the independence of the Internal Audit service and there have been no inappropriate scope or resource limitations on internal audit work.

 

Audit review

Audit days

 

Status

Assurance Opinion

Planned

Actual

Variation

Governance and business effectiveness

Overall governance, risk management and control arrangements

3

3

0

Completed

Service delivery and support

Equality impact assessments

10

10

0

Final

˜ Substantial

January 2024

Management of change within LFRS

10

9

1

Final

 

˜ Substantial

November 2023

District planning activity

10

13

-3

Final

 

˜ Limited

January 2024

Business processes

Accounts payable

9

8

1

Final

˜ Moderate

April 2024

Accounts receivable

6

6

0

Final

˜ Substantial

April 2024

General ledger

6

6

0

Final

˜ Substantial

April 2024

HR/ Payroll

10

11

-1

Final

˜ Substantial

December 2023

Treasury management

4

4

0

Final

˜ Substantial

April 2024

Follow up audit activity

Follow up activity

2

0

2

No actions to follow up

N/A

Other components of the audit plan

Management activity

9

9

0

Completed

National Fraud Initiative

1

1

0

Total

80

80

0

 

 

 

 

     

Follow up work

3.3            Under the Public Sector Internal Audit Standards, management has responsibility for ensuring that agreed actions in audit reports are implemented. Internal Audit should obtain assurances that actions have been implemented as agreed or that senior management has accepted the risk of not taking action. There has been no follow up work in 2023/24.

4                Extracts from Audit Reports

4.1         Extracts of assurance summaries are shown in Appendix 1 for the audits finalised since the March 2024 Audit Committee.

5                Fraud/ special investigations    

5.1         There have been no incidences of fraud or irregularity brought to our attention that are a result of a weakness in the control environment.

             National Fraud Initiative (NFI)

5.2         The NFI is a statutory data matching process for health, local government and other public sector providers managed by the Cabinet Office. It flags inconsistencies in data within payroll, pensions, creditors and procurement which may indicate fraud or highlight emerging fraud risks.        

5.3         Following the submission of data in October and November 2022, the resulting matches were released by the Cabinet Office in January and February 2023. The table below details the total number of matches and the progress that has been made.

Category of data

Number of matches identified

Number of matches processed

Number of matches cleared

Number of matches investigating

Frauds Identified

Errors Identified

Value of savings identified

Pensions

25

20

19

5

0

1

£0

Payroll

24

22

22

2

0

0

£0

Creditors

213

109

109

0

0

0

£0

Totals

262

151

150

7

0

1

£0

6                Implications for the Annual Governance Statement

6.1         In making its annual governance statement the Combined Fire Authority should consider this report in relation to internal control, risk management and corporate governance.

6.2         We do not consider there are any matters arising from the audit work conducted during 2023/24 that require specific identification in the annual governance statement.

7                        Internal audit quality assurance and improvement

              Client satisfaction

7.1         Internal Audit invites feedback on the quality of service provided by issuing a ‘satisfaction questionnaire’ at the end of each audit. This is an important process in terms of identifying how the audit was received and it is also an important means of identifying aspects of the audit process that can be improved.

7.2         Our auditees have told us in every case that, overall, they were satisfied with the way we conducted our work with them. We also seek more detailed feedback in relation to our audit planning, the audit process and reporting, our behaviour, and our management and service to our auditees. Our auditees have provided positive feedback across all these areas. There were no common themes in the responses received that highlighted any particular areas for improvement.

7.3         A sample of comments received in response to the questionnaire is included below:

              It is a pleasure to work with the Auditor during the audits. They were professional, helpful and easy to get along with. They explained everything very clearly and requests and considers any feedback from us in the scoping, the evidence gathering and final stages of the audit and seeks clarification where necessary.

              Communication of needs and information prior to the audit is well defined. During the audit the Auditor communicated with the Payroll & HR Team Manager to ensure that all documentations and questions were answered in a timely manner.

              Ongoing and periodic assessments

7.4         In accordance with the Public Sector Internal Audit Standards (PSIAS) the Council’s Internal Audit function is required to have an external quality assessment (EQA) undertaken at least once every 5 years as part of its Quality Assurance Framework.

7.5         The last external quality assessment was in February 2023 and the overall opinion was that the Internal Audit team “generally conforms” to the IIA Standards. This is the same overall rating that the service achieved at the last assessment completed in November 2017 and is the highest of the three global grading definitions used in an EQA.

7.6         The Internal Audit Service has designed procedures and an audit methodology that conform to PSIAS and are regularly reviewed. Every auditor in the team is required to comply with these or document the reasons why not, and to demonstrate this compliance on every audit assignment. The audit managers assess the quality of each audit concurrently as it progresses, and a post-audit file review process has been undertaken. These reviews indicate that there is good evidence of compliance with our audit methodology and input from the audit managers to support the work of the auditors.

7.7         In addition, the service's methodology includes a step which requires the head of internal audit to read each report as it is finalised. This does not entail an additional detailed review and the auditors' reports remain theirs, using their own style and wording, but is intended to ensure that each assignment can be adequately understood and is properly communicated.

7.8         In 2024/25 the Internal Audit Service will be introducing an Audit Software Package; this will further help drive the quality and performance of the service forward.

7.9         The Internal Audit Service has a hybrid approach to work, with staff predominantly being home-based but undertaking client site visits as the requirements of the audit has dictated. There are performance management and support arrangements in place to support this including the agreement of delivery timescales with clients and identifying the audits that will aim to be completed for each meeting of the Committee.

.   


                                                                                                                         Appendix 1

Accounts Payable

Overall assurance rating

Audit findings requiring action

˜

 

Extreme

High

Medium

Low

 

Moderate

0

0

3

0

 

 

Financial Regulations and relevant policies are in place and accessible for all staff to view, with the exception of the Contract Standing Order which has recently had a review, but not implemented, the remaining documents were last reviewed in 2018.

Whilst expenditure with suppliers is monitored by the Procurement Officer and overlooked by the Head of Service to ensure that tendering arrangements and contracts are in place for supplies or services exceeding the Contract Standing Order threshold, we did identify suppliers that did exceed the threshold and did not have a contract in place. We were informed that these were overlooked due to staffing changes and resources issues.  

Due to the implementation of Oracle Fusion, there has been no system access checks, as LFRS were unable to obtain hierarchy reports and considered it was a little early to conduct the checks. Although, we can confirm that no one member of staff within LFRS can raise a requisition and convert the requisition into an order, we were unable to confirm that each purchase order or manual payment was approved in accordance with the limits set in Oracle, nor were we able to confirm the hierarchy process of approving requisitions, orders and invoices, as there are no reports available to confirm either of these.

We were unable to download an Accounts Payable Transaction report due to the migration to Oracle Fusion, therefore, after discussing this with the client and Audit Management we decided to use the General Ledger Transaction report for our testing. Additionally, we have done no exercise in relation to data validation; we used the report that was downloaded and assumed everything had migrated from Oracle R12 to Oracle Fusion as it should have, as there were no mechanism or processes in place to do a data validation. LFRS have not done a data validation also for the same reason.

The Lancashire Fire and Rescue Service (LFRS) no longer populate KPI's which included a duplicate payment check as they feel it does not add any value.


Accounts Receivables

Overall assurance rating

Audit findings requiring action

˜

 

Extreme

High

Medium

Low

 

Substantial

0

0

0

0

 

 

There are no findings to report that would have a significant impact on the achievement of service objectives, and a strong control environment continues to be maintained by the Finance Team in relation to the Accounts Receivables area of the KFS review.

A Debt Management Policy is in place and readily available to staff, and appropriate separation of duties is maintained between the invoice requester and the individual who raises the invoices, banks the cheques and any cancels any invoices.

All invoices raised were supported by an invoice request form correctly and accurately raised according to the request form, and any debts outside of the standard reminder period are being monitored and chased on a regular basis.

The access to the accounts receivable system is appropriately limited to the relevant staff, and an aged debt analysis report is produced monthly which shows all outstanding debt and the age of the debt.


General Ledger

Overall assurance rating

Audit findings requiring action

˜

 

Extreme

High

Medium

Low

 

Substantial

0

0

0

0

 

 

There is an SLA in place, which sets out the respective roles and responsibilities of LCC and LFRS. The SLA was signed by LCC (Director of Finance) on 12 March 2024 and signed by LFRS (Director of Corporate Services) on the 19 Jan 2024. Although the SLA should be signed before the commencement of the agreement, we have not raised this as an issue as LCC and LFRS have a long-standing established relationship and understanding. Additionally, there has not been issues or concerns in the past, and LFRS are confident that should there be any issues, they will be able to address them immediately.

We can confirm that all the staff who have GL responsibilities are current LFRS staff. Additionally, the virements and feeder files we sampled were all appropriate with the necessary approval documentations, and the control accounts reconciliations were up to date, and the error corrections had all been cleared.

We can confirm that the 2023/24 budget was approved by the Lancashire Combined Fire Authority Committee and budget monitoring takes place corporately and departmental wise.

A Financial Monitoring Report which sets out the current budget position is produced for the Executive Board and the Resources Committee. Additionally, a Quarterly Measuring Progress Performance Report is also populated for the Senior Management Team and the Performance Committee.

 

 


Treasury Management

Overall assurance rating

Audit findings requiring action

˜

 

Extreme

High

Medium

Low

 

Substantial

0

0

0

0

 

 

Overall, we can provide substantial assurance on the controls operating over treasury management. The system of control is adequately designed and effectively operated. There are no actions proposed in this report. The Treasury Management Strategy provides a framework for treasury management activity, and the strategy has been followed by officers during the period covered by our review. There are appropriate reporting arrangements to enable the client to monitor treasury management activities.

 

 


Annex 1: Scope, responsibilities and assurance

Approach

1          The Internal Audit Service operates in accordance with Public Sector Internal Audit Standards, 2017. The scope of internal audit encompasses all of the governance, risk management and control processes of the Combined Fire Authority including where they are provided by other organisations on their behalf.

Responsibilities of management and internal auditors

2          It is management’s responsibility to maintain systems of risk management, internal control and governance. Internal audit is an element of the internal control framework assisting management in the effective discharge of its responsibilities and functions by examining and evaluating controls.

3          Lancashire Combined Fire Authority has taken the decision to outsource their internal audit provision, and Lancashire County Council's Internal Audit Service was the appointed service provider for 2023/24.

4          It is the role of the Internal Audit Service to provide independent assurance that these risk management, control and governance processes are adequately designed and effectively operated. The PSIAS makes clear that the provision of this assurance is internal audit's primary role and that this requires the head of internal audit to provide an annual opinion based on an objective assessment of the framework of governance, risk management and control.

5          This assessment will be supported by the identification, analysis, evaluation and documentation of sufficient information on each individual audit assignment, and the completion of sufficient assignments to support an overall opinion for the organisation as a whole.

6          Internal auditors cannot be held responsible for internal control failures. However, we have planned our work so that we have a reasonable expectation of detecting significant control weaknesses. We have reported all such weaknesses to you as they have become known to us, without undue delay, and have worked with you to develop proposals for remedial action.

7          The requirement to be independent and objective means that the Internal Audit Service cannot assume management responsibility for risk management, control or governance processes. However, the Internal Audit Service may support management by providing consultancy services. These are advisory in nature and are generally performed at the specific request of the organisation, with the aim of improving governance, risk management and control and will also contribute to the overall assurance opinion.

8          Accountability for responses to the Internal Audit Service’s advice and recommendations for action lies with the Senior Management Team, which either accepts and implements the advice or accepts the risks associated with not taking action. Audit advice, including where the Internal Audit Service has been consulted about significant changes to internal control systems, is given without prejudice to the right of the Internal Audit Service to review and recommend further action on the relevant policies, procedures, controls and operations at a later date.

9          The head of internal audit will provide an annual report incorporating an overall opinion, a summary of the work that supports that opinion, and a statement of conformity with the PSIAS and the results of the quality assurance and improvement programme.

10       The Internal Audit Service is not responsible for the prevention or detection of fraud and corruption. Managing the risk of fraud and corruption is the responsibility of management. Internal auditors will, however, be alert in all their work to risks and exposures that could allow fraud or corruption and to any indications that fraud and corruption may have occurred. Internal audit procedures alone, even when performed with due professional care, cannot guarantee that fraud or corruption will be detected.

Basis of our assessment

11       Our opinion on the adequacy of control arrangements is based upon the result of internal audit reviews undertaken and completed during the period in accordance with the plan approved by the Audit Committee. We have obtained sufficient, reliable and relevant evidence to support the improvements that we proposed and that have been accepted by management.

Limitations to the scope of our work

12       There have been no limitations to the scope of our audit work.

Limitations on the assurance that internal audit can provide

13       There are inherent limitations as to what can be achieved by internal control and consequently limitations to the conclusions that can be drawn from our work as internal auditors. These limitations include the possibility of faulty judgement in decision making, of breakdowns because of human error, of control activities being circumvented by the collusion of two or more people and of management overriding controls. Also, there is no certainty that internal controls will continue to operate effectively in future periods or that the controls will be adequate to mitigate all significant risks which may arise in future.

14       Decisions made in designing internal controls inevitably involve the acceptance of some degree of risk. As the outcome of the operation of internal controls cannot be predicted with absolute assurance any assessment of internal control is judgmental.

Access to this report and responsibility to third parties

15       This report has been prepared solely for the Combined Fire Authority. This report forms part of a continuing dialogue between the Internal Audit Service, senior officers within Lancashire Fire and Rescue Service and the Audit Committee. It is not therefore intended to include every matter that came to our attention during each internal audit review.

16       We acknowledge that this report may be made available to other parties, such as the external auditors. We accept no responsibility to any third party who may receive this report for any reliance that they may place on it and, in particular, we expect the external auditors to determine for themselves the extent to which they choose to utilise our work.


Annex 2: Audit assurance levels and classification of agreed actions

Note that our assurance may address the adequacy of the control framework's design, the effectiveness of the controls in operation, or both. The wording below addresses all of these options, and we will refer in our reports to the assurance applicable to the scope of the work we have undertaken.

˜        Substantial assurance: the framework of control is adequately designed and/ or effectively operated overall.

˜        Moderate assurance: the framework of control is adequately designed and/ or effectively operated overall, but some action is required to enhance aspects of it and/ or ensure that it is effectively operated throughout.

˜        Limited assurance: there are some significant weaknesses in the design and/ or operation of the framework of control that put the achievement of its objectives at risk.

˜        No assurance: there are some fundamental weaknesses in the design and/ or operation of the framework of control that could result in failure to achieve its objectives.

Classification of residual risks requiring management action

All actions agreed with management are stated in terms of the residual risk they are designed to mitigate.

 

Extreme residual risk: critical and urgent in that failure to address the risk could lead to one or more of the following: catastrophic loss of the LRFS services, loss of life, significant environmental damage or significant financial loss, with related national press coverage and substantial damage to the LRFS reputation. Remedial action must be taken immediately.

 

High residual risk: critical in that failure to address the issue or progress the work would lead to one or more of the following: failure to achieve organisational objectives, significant disruption to the LRFS business or to users of its services, significant financial loss, inefficient use of resources, failure to comply with law or regulations, or damage to the LRFS reputation.  Remedial action must be taken urgently.

 

Medium residual risk: failure to address the issue or progress the work could impact on operational objectives and should be of concern to senior management. Prompt specific action should be taken

 

Low residual risk matters that individually have no major impact on achieving the service's objectives, but when combined with others could give cause for concern. Specific remedial action is desirable.