28/01/2014 Page 1 of 48

Protocol for Joint Working between LBB

Assurance Group and Capita
In relation to CSG and RE Services






28/01/2014 Page 2 of 48
Version control
Version Date Author(s) Summary of Changes
V1 28/1/14 LBB Assurance
various
Capita - various








28/01/2014 Page 3 of 48
Contents
1. Introduction .................................................................................................................................. 5
2. Internal Audit ............................................................................................................................... 6
2.1. Respective roles of auditors ..................................................................................................... 6
2.2. LBB Risk-based Audit Programme ............................................................................................ 7
2.3. Areas where LBB Assurance are likely to place reliance on Capita Internal Audit................... 9
2.3.1. Transferred Services ............................................................................................................ 9
2.3.2. Wider Assurance Governance Standards ......................................................................... 9
2.3.3. Follow-up of previous recommendations ........................................................................... 9
3. Anti-Fraud ...................................................................................................................................10
4. Risk Management .....................................................................................................................14
5. Liaison Meetings.......................................................................................................................15
6. Appendix A Contact Details ...............................................................................................18
7. Appendix B Transferred Services .....................................................................................19
8. Appendix C Risk Escalation ...............................................................................................20
9. Appendix D: Contract Clauses, Definitions & Policy List ..............................................21
9.1. Contract Clauses .....................................................................................................................21
9.2. Definitions - Governance Standard ........................................................................................21
9.3. Governance Standards Compliance checklist ........................................................................22
9.3.1 CSG Governance Standards extract* .............................................................................. 23
9.3.2. Re Governance Standards extract*. DRAFT subject to finalisation ............................. 34
9.4. Definitions Assurance and priority ratings ..........................................................................41
9.4.1. LBB Assurance: .................................................................................................................. 41
9.4.2. Capita: ................................................................................................................................ 41
9.5. Policy List ................................................................................................................................42
10. Appendix E Annual Timetable of Activity .......................................................................43
10.1. Planning ..................................................................................................................................43
10.1.1. LBB Assurance.................................................................................................................... 43
10.1.2. Capita ................................................................................................................................. 43
10.2. Reporting and Meeting Dates ................................................................................................43
10.2.1. LBB ..................................................................................................................................... 43

28/01/2014 Page 4 of 48
10.2.2. Capita ................................................................................................................................. 44
11. Appendix F Documents Checklist ....................................................................................44
12. Appendix G: Internal Audit Decision Tree .........................................................................46
13. Appendix H: CAFT Decision Tree ........................................................................................47


























28/01/2014 Page 5 of 48
1. Introduction
The London Borough of Barnets (LBB) Operational Assurance (referred to herein as LBB
Assurance) function sits within the Assurance Group. It consists of Internal Audit, Anti-Fraud
and Risk Assurance and is responsible for ensuring coverage of the core aspects of the
Councils governance and control environment in order to support achievement of the Councils
overall objectives. The functions are summarised as follows:

Internal Audit will provide independent and objective assurance to the Council, its
Members, the Strategic Commissioning Board (including the Chief Operating Officer) to
support them in discharging their responsibilities under S151 of the Local Government
Act 1972, relating to the proper administration of the Councils financial affairs.
The Anti-Fraud strategy and team demonstrates the Councils commitment to a zero
tolerance approach to fraud, corruption or bribery and works to prevent, detect and
deter fraud within the Council whilst actively pursuing fraudsters and seeking redress.
Risk Assurance is responsible for delivering a robust risk assurance function through
the risk management framework that ensures the Council meets the highest standards
of risk management.

This protocol seeks to set out the proposed working relationship between LBB Assurance and
Capita for internal audit, anti-fraud and risk management. The objective of this protocol is to
provide a framework which will optimise the benefits of the relationship between LBB
Assurance and Capita, whilst enabling chief officers within the Council to discharge their
respective responsibilities. It sets out how both parties will work together to provide information
and to deliver the essence of the contractual agreement in practical terms.

The protocol aims to:
clarify the respective roles of LBB Assurance and Capita
1

highlight areas where LBB Assurance are likely to require assurance from Capita; and
establish a framework for co-operation in the planning, conduct and reporting of Internal
Audit, Anti-Fraud and Risk Management.

Overall the protocol should promote an effective working relationship, within the bounds of the
respective roles of both parties, maximising benefit and minimising effort and duplication across
both organisations.

This protocol covers all aspects of contract clauses in relation to internal audit, anti-fraud and
risk management arrangements and will be reviewed annually in April, in order to include LBBs
provisional Audit Committee dates for the coming year.


1
The respective roles of LBB and Capita are viewed within the context of the contract that has been
signed between LBB as a whole (as opposed to the LBB Assurance Group). Regarding the transferred
services (see Appendix B) roles can be defined as follows:
RACI Assessment* (R) Responsible (A) Accountable (C) Consult (I) Inform

Capita LBB Client LBB Assurance
R A C, I



28/01/2014 Page 6 of 48
The following sections provide more detail on the assurance expectation within each function
and the forum in which activities will be coordinated and information shared.

2. Internal Audit
Included within the contract are clauses to ensure the provision of information relating to
internal audits carried out on services provided on the behalf of LBB. This includes information
about the intended annual plan of audit activity, any limited or no assurances included within
quarterly summary reports and the annual audit opinions.

Additionally, the Public Sector Internal Audit Standards (PSIAS) require that the chief internal
auditor must include in the risk-based plan the approach to using other sources of assurance
and any work required to place reliance upon those other sources.
2.1. Respective roles of auditors
The following table outlines the respective roles of LBB Assurance and Capita. The roles and
objectives are different but complementary. There are therefore benefits to be gained from
working together.
LBB Assurance Capita
Internal Audit is defined in the Public Sector
Internal Audit Standards (PSIAS) as an
independent, objective assurance and
consulting activity designed to add value and
improve an organisations operations. It helps
an organisation accomplish its objectives by
bringing a systematic, disciplined approach
to evaluate and improve the effectiveness of
risk management, control and governance
processes. Internal Audit must have a
Charter that accords with the requirements of
the PSIAS.
The key output from Internal Audit is the
annual opinion on the Council's control
environment which should be reported to the
Audit Committee
Capita Group Internal Audit (GIA) is an
independent function within Capita. Its role
per the GIA Charter is to review the
adequacy and effectiveness of the
organisations governance, processes,
controls and risk management in
implementing agreed strategies across the
whole of the groups activities. It provides
the Board, the Group Audit Committee and
all levels of management with an objective
opinion on the results of its reviews. The
Chartered Institute of Internal Auditors
publishes a Definition of Internal Auditing,
a Code of Ethics and Standards which
are recognised as mandatory for the GIA
function.
GIAs overall objective is to provide
independent assurance to the Capita plc
Board and management on the
effectiveness of risk management and
controls over all of the groups activities.
Internal Audits strategy and plan is risk-
based, is agreed between Internal Audit and
management and is approved by the Audit
Committee. To remain independent and
objective the work of Internal Audit cannot be
directed by other parties
The Director, GIA is responsible for the
development of a risk based plan to
determine the priorities of the internal audit
activity, consistent with the groups goals,
risk management framework and risk
appetite. This is approved by the Group
Audit Committee. GIA is independent of
the activities which it reviews to enable the
unbiased judgements essential to its

28/01/2014 Page 7 of 48
proper conduct and facilitate impartial
advice to management.
Internal Audit reports to the Audit Committee
on a quarterly basis
GIA reports to the Group Audit Committee
on a quarterly basis.
Internal Audit provides assurance as follows:
substantial, satisfactory, limited, no
Please see Appendix D for the basis of these
ratings
GIA provides assurance as follows:
Satisfactory, Improvement Required,
Significant Improvement Required,
Unsatisfactory
Please see Appendix D for the basis of
these ratings
LBB financial year ends on 31
st
March Capita Group financial year ends on 31
st

December
Re Financial year ends on 31
st
March
2.2. LBB Risk-based Audit Programme
Capita has its own Internal Audit function and therefore LBB does not anticipate undertaking a
risk-based audit programme involving Capita staff unless:
Capita do not undertake internal audit reviews that provide assurance over Transferred
Services (see Appendix B), specifically the Barnet business-arm and therefore LBB
transactions;
An audit is planned that has a scope involving both LBB and Capita employees;
LBB has concerns in respect of the Transferred services; or
LBB is unable to rely on the audits and work completed by Capitas internal auditors.
Refer to Appendix G for the audit contract clauses decision tree.
Any audits undertaken by LBB will be discussed with the LBB Commercial team also to ensure
transparency over any potential impact to the contract.
Contract clauses 28.5.2 (CSG) / 36.5.2 (Re) and 28.6.1 (CSG) / 36.6.2 (Re) state the
timeframes within which Capita must provide certain information to LBB Assurance. This
information and the deadlines are summarised in the table below:
Required information
Deadlines
Consult with the Authority prior to finalising its Annual Internal Audit
Plan
Date not stated -
suggest September
Submit its own Annual IA Plan By the end of April
in each contract
year suggest
earlier i.e. once
formally approved
Submit IA reports reports that provide assurance over Transferred Submit within 15

28/01/2014 Page 8 of 48
Services, including any Governance reviews completed Business Days of
the agreed
quarterly date

Limited or no assurance submitted

Submit within 5
working days
(CSG)
Submit
immediately (Re)
Undertake audits of all IPR used in the performance of the Services Submit yearly
Provide the Authority (and / or its agents or representatives) with all
reasonable co-operation and assistance in relation to each audit being
undertaken by LBB
Within two (2)
Business Days
(unless agreed
otherwise by the
parties acting
reasonably) (CSG)
On demand (Re)

LBB Assurance will undertake a programme of work to assess whether it can rely on the audits
undertaken by Capitas internal auditors. A provisional list of the evidence that will be gathered
to inform this view has been included at Appendix F.
This will be an annual review to be completed by the end of LBBs quarter 2 to ensure that if
there are issues it will be possible to undertake the risk-based audits required within quarters 3
and 4.
Where clause 28.5.4 (CSG) / 36.5.4 (Re) is invoked, whereby Capita must bear the cost of any
audit work undertaken by LBB Assurance, the charges will be as follows:
Core (non-specialist) audits: 359 per day
Specialist (IT, Projects and Programmes etc) audits: 513 per day
These charges will be subject to review on an annual basis.
Schools audits
LBB will continue to carry out its rolling programme of schools internal audits. Liaison
arrangements with the Schools Finance Service Manager (now part of CSG) will remain as they
were before the service was transferred to Capita. LBB will continue to provide the Schools
Finance Service Manager with copies of all final internal audit reports issued regarding schools
in the borough.

28/01/2014 Page 9 of 48
2.3. Areas where LBB Assurance are likely to place reliance on Capita Internal
Audit
2.3.1. Transferred Services
LBB Assurance will seek to take assurance from any Capita Internal Audit work over LBB
transactions specifically for the services being conducted on the Councils behalf. These are
listed within Appendix B for the respective contracts with Capita.
The council assurance function will retain responsibility for the exercise of powers under the
joint employment arrangements within Re, the associated Scheme of delegation, and also for
audits relating to managed contracts, for example highways network management contracts.
The Parties agree that during the annual planning cycle, they will review any proposed audits
which may address part of the processes relating to these retained council activities, and in so
far as appropriate and agreed one of the audit functions will review the end to end process. For
example, if Capita Internal Audit propose an audit of Re managing agent activity, the Council
may determine that it would be appropriate as part of that audit for Capita to also review
Council retained activities, such as policy setting and authorisations, in which event Capita and
the Council assurance team will review the scope of the proposed audit to assess whether it
would be appropriate to incorporate a review of these retained activities.
Any actions identified relating to a retained function will be sent in draft to the LBB Commercial
team and Assurance team prior to finalising the report, and implementation of those actions will
be monitored by the LBB Assurance team.


2.3.2. Wider Assurance Governance Standards
LBB Assurance will also be looking for assurance over general controls impacting on the
service provided. This will involve review of any Governance audits undertaken by Capita and a
review of the agreed Governance Standards compliance see Appendix D section 9.3
Governance Standards.
2.3.3. Follow-up of previous recommendations
The following tables outlines the respective responsibilities as it relates to the follow-up of LBB
audit recommendations
LBB Assurance Capita
To provide Capita with copies of the most
recent Internal Audit reports relating to the
transferred services (see Appendix B).
To follow-up any Priority 1 recommendations
that were made by LBB Assurance.
To follow up on any transferred Priority 2
and Priority 3 recommendations made by
LBB Assurance when the area is next
under review.


28/01/2014 Page 10 of 48
3. Anti-Fraud
Under Section 151 of the Local Government Act 1972 the Council has a statutory obligation to
ensure the protection of public funds and to have an effective system of prevention and
detection of fraud and corruption.
Within the Council structure the Corporate Anti-Fraud Team (CAFT) sits within the Assurance
Group, and is a dedicated independent, objective activity designed to add value and improve
the Councils operations. It helps the Council achieve its objectives by bringing a systematic,
disciplined approach to investigation, evaluating and improving the effectiveness of fraud
prevention and detection and the subsequent prosecution of individuals and organisations
where appropriate.
Capita has a dedicated anti-fraud function which sits at group level and has responsibility for
the investigation of staff fraud within each of the Capita business services.
Capita has a dedicated anti-fraud function which sits at group level and has responsibilities
which include the investigation of staff fraud within each of the Capita business services.
The Capita Group Fraud Policy is the minimum standard for all contracts involving Capita staff,
this may be supplemented by but not reduced by the LBB Fraud Policy.
Capita employees are required to undertake mandated Fraud Awareness training.
Capita Group employs a Head of Special & Fraud Investigations; this is a fully qualified and
accredited counter fraud specialist role.
All potential or actual incidents will be reported to the group function who will liaise with the
local business management to ensure each report is correctly investigated.
The Capita Group Fraud Investigation function provides advice, support and investigation
services to the business management as required by each incident. Each incident is assessed
and the appropriate plan instituted to achieve a positive result for any investigation.
In accordance with the agreed liaison as set out in Table 2; Notifications Capita Group will liaise
with LBB CAFT and agree on necessary disciplinary action, possibility of reporting the incident
to the police and or any regulatory authorities or legal action as appropriate to each case
involving Capita staff in relation to either a LBB provided service or fraud matter involving LBB
public funds.
Monthly reports for significant investigations are made to the Director Group Risk and
Compliance who reports to the Capita Group Executive and Capita Audit Committee.
The Capita business will maintain an incident log and in conjunction with Capita group fraud will
provide regular updates on progress of investigations as agreed within this protocol
LBB will provide Capita local management and the Capita Head of Special & Fraud
Investigations with a regular update on all investigations with potential Capita, Capita staff or
Capita processing involvement or implications.
Both LBB and Capita have a zero tolerance approach to fraud and other irregularity committed
against those services contracted out on behalf of the LBB and that both organisations will work

28/01/2014 Page 11 of 48
together in order to support this approach and ultimately protect the public purse through the
following contractual and agreed working arrangements.
Included within the Capita contract are clauses to ensure the provision of information relating to
the prevention of Fraud and Bribery in relation to the services contracted out on behalf of LBB.
This protocol aims to clarify those clauses into agreed working arrangements.
It is acknowledged within this protocol that the sole responsibility for third party / external fraud
investigations relating to LBB Housing Benefit, National Non Domestic Rates and Council Tax
Benefit, Council Tax Support and Disabled Blue Badge lies with the Councils CAFT. It is
agreed that all referrals relating to any of these services should be directed in the first instance
to the Councils CAFT and not to Capita Group Fraud.
LBB Fraud Policies
The contract states (CSG - 45.1.1, Re 53.1.1) that the service provider (Capita) is required to
certify in writing to the Council that it will take all reasonable steps to act in accordance with the
Councils Counter Fraud Framework and Financial Regulations (part 4) to prevent Fraud by
service users, staff and the service provider in connection with the receipt of monies from the
authority.
As stipulated within the contract (CSG - 45.1.5 (b), Re 53.1.6 (b)) LBB will look to seek this
assurance from each of the services contracted out on behalf of the LBB on annual basis by
certification from Capita in writing on an annual basis.
The schedule of policies attached to each contract (Schedule 22 for CSG and Schedule 33 for
Re) of which Capita must comply includes the counter fraud framework. The contract also
states under section 45.1.6 that it will comply with the Councils anti-bribery policy. This policy
is included with the Councils counter fraud framework.
Counter Fraud Framework - 2013
- Counter Fraud Framework Introduction
- Fraud Policy Statement and Procedure
- Bribery Policy Statement and Procedure
- Prosecution Policy statement
- Anti-Money Laundering Policy Statement and Procedure
- Whistleblowing Policy Statement and Procedure
- Regulation of Investigatory Powers (RIPA) Act 2000 Policy Statement and Procedure
(directed surveillance)
Whistleblowing
It is agreed within this protocol that Capita staff should utilise the Councils Whistleblowing
Policy (under 2.3 or 4.1 of the policy) in relation to reporting a matter in accordance with the
policy relating to a CSG or Re service. However it is also acknowledged that Capita staff may
also choose to report such matters under their equivalent Capita Speak up Policy. Any
referrals received under the relevant LBB or Capita policy will be notified to the relevant parties
in accordance with the agreed notification timescales detailed within table 2. It is agreed that it
is Capitas responsibility to actively promote and raise awareness of this within Capita in
accordance with principles of openness and transparency and joint commitment to protect
public funds.

28/01/2014 Page 12 of 48
Contract Clauses
Refer to Appendix H for the fraud contract clauses decision tree.
Contract clause 45.1.8 states that the service provider must respond promptly to the
Authoritys enquires. It is agreed within this protocol that LBB and Capita will deem any
enquiries to fall within two categories of urgent and standard and for the purpose of this
protocol would define then as follows:
Category Definition Agreed response
timescale
Urgent The information is critical to an investigation where
any delay could compromise the ability to take legal
action or create an unacceptable risk of loss / harm
to the Council.
Within 24 hours
Standard The information that is required to identify the level
of criminal activity where the continued risk of loss /
harm to the Council is deemed to be medium to low.
Within 5 days

Table 1 definitions
Prevention & Detection
The primary responsibility for the awareness, prevention, detection and deterrence of fraud,
corruption, bribery or money laundering activity lies with the individual services contracted out
on behalf of LBB and not with Capita Group fraud service nor the Council or the Councils
CAFT. The relevant Directors / Head of service responsibility within Capita includes ensuring
that Capita staff (and partners and subcontractors) are aware of both the implications of fraud,
bribery and money laundering and the risks of fraud, bribery and money laundering across their
service area. LBB will seek assurances from Capita around this responsibility from each of the
services (CSG and Re) within the annual compliance statement.

Internal Fraud relating to a LBB provided service Reporting, Notification, Investigation
and sanction process
The primary responsibility for the investigation of any suspected fraud, corruption, bribery or
money laundering activity found in a service area lies with both Capita group fraud and the
Councils CAFT.
Capita group fraud currently operates a staged assessment process of referrals that are
passed to them, and in line with this process both LBB CAFT and Capita have agreed to adopt
the following approach in relation to referrals that are received either Capita group fraud and
related to either the CSG or Re services.
Referral Definition Agreed reporting process and
timescale
Stage 1 Fact finding stage Capita Monthly report to CAFT

28/01/2014 Page 13 of 48
Stage 2 Requires further investigation Urgent - within
24 hours
Standard -
within 5 days
Stage 3 Requires sanction action (e.g.
disciplinary action/police
intervention/legal action)
A joint assessment of action and
responsibility between Capita and
LBB CAFT on an individual case by
case basis.
Whistleblowing Referral recd under Councils
Whistleblowing Policy or Capita
Speak up policy relating to CSG
or Re services.
Urgent - within 24
hours
Standard -
within 5 days
Table 2 Notifications
Retained Council Information Systems / Council data / Access to provided LBB Services
data
The Councils financial regulations (part 4) state that all CAFT Investigation Officers shall have
authority to:
have unrestricted access to, search, and remove any and all records, documents and
correspondence, including electronically held correspondence, documents and records.
In order to support this requirement Capita will ensure that the CAFT officers have direct
access (high level) to all requested IS systems holding LBB data, including the relevant Capita
systems (and future replacements), and will continue to provide training and support on those
systems to CAFT officers.
All access to systems for CAFT officers will be approved by either the Assistant Director of
Assurance or CAFT Counter Fraud Managers.
Current systems include (but not exclusively limited to):
Incase
Civica
SAP (plus new replacement)
Saffron
Sword fish
Diraq
Wisdom
CM (contact Manger)
Web based systems like:
LOCTA
Equifax

28/01/2014 Page 14 of 48
Call Credit
In relation to LBB retained organisation investigation Capita will provide nominated staff to
provide high level support to CAFT relating to investigations that CAFT may be conducting.
This support normally relates to (but not exclusively) access to LBB staff email / outlook,
including deleted items and recovery of deleted items, files, documents, as well as internet
usage data.
Any such requests will be deemed for CAFT officers will be approved by either the Assistant
Director of Assurance or CAFT Counter Fraud Managers, in writing and be categorised in
accordance with the agreed definitions and reporting timescales within this protocol of urgent
or standard.

4. Risk Management
The Councils primary responsibilities when commissioning services and working in
partnerships is to ensure that the partnership has effective risk management procedures and to
provide assurance that the risks are being identified, prioritised and appropriately managed.
The purpose of risk management in this context is as follows:
To ensure proper identification and understanding of risks associated with a
commissioned service including delivery risks, joint risks and retained risks
To support clear allocation of responsibilities for managing and monitoring risk
To agree the risk appetite for management of risks amongst all partners
To align the response to identified risks with corporate priorities
To provide a framework for information sharing regarding risks and performance
management

The contract (clause 28.5.2 CSG, 36.5.2 Re) states the contractor shall operate a sound
system of internal control including appropriate risk management processes. As per schedule
22 of the contract the service provider should comply with section 4.2 of the Councils Risk
Management Policy with the providers overall risk management arrangements in an equivalent
policy to be approved by the Council. In order for the Council to maintain its responsibilities for
overseeing the management of risks a collaborative approach for managing, monitoring and
reporting on risk (key or joint) must be agreed. Outlined below are relevant policy and
procedure excerpts from section 4.2 of the Councils Risk Management Policy.
Currently, Capita has a commitment to use the JCAD system and scoring for all Corporate
Programmes projects; operational risks will be managed according to Capitas risk
management policy
2
which has been reviewed by the Council.
Risk allocation and responsibility
In general it is expected that most risk will clearly be allocated to either the Council or Capita,
however a small number of risks may be joint risks, i.e. a shared risk where both parties have a
role in managing the risk.. Joint risks will be recorded in the Councils risk management system

2
Capital Non-Financial Service Division Risk Management Policy and Process V2 (July 11)

28/01/2014 Page 15 of 48
(JCAD) with the responsibilities and actions of each party clearly defined. The principles on
how a joint risk will be managed are as follows:
LBB Contract manager will be assigned the risk and facilitate the management and
monitoring of the risk.
The actions tab, in JCAD, will be used to assign and manage activity to individuals
3
rd
party access to JCAD should be limited and will be considered on a case by case
basis
3
.
Monitoring Risks
Risks should be managed and monitored regularly as part of business as usual and escalated
whenever required including new emerging risks that would score 12 or more and/or any
serious risk incidents that occur (see Appendix C). Over the course of the service contract it is
likely that the risk profile will evolve therefore provision is made through this protocol to build a
relationship with an open dialog and develop an effective approach, based on common
understanding of risks management (processes and terminology) and of the objectives of the
partnership.
Quarterly contract performance reporting will include risks wholly owned by LBB, joint risks and
significant operational risks (with a rating of 12 or more using LBBs scoring methodology). The
full LBB risk register (including any risks rated below 12) will be appended to the performance
summary.
Section 4.2 of the Councils Risk Management Policy describes the requirement for an outline
plan for risk management strategy in the forthcoming year. This requirement will be satisfied as
part of liaisons meetings (section 5) where changes to and the effectiveness of risk
management arrangements will be discussed.

5. Liaison Meetings
To ensure effective co-operation between LBB Assurance Group and Capita quarterly liaison
meetings will be held for planning, to review programmes of work and discuss other issues of
mutual interest. Exceptional meetings will be arranged as appropriate for specific issues or
events, e.g. Audit Committee.
The following are examples of areas the liaison meetings will cover by function:
Function Description Expectation
Audit Capita internal audit
plan
Capita will consult with the Authority prior to
finalising its Internal Audit annual plan to ensure
that an appropriate level of assurance is available
over the risk areas affecting LBBs operations.
(Contract clause 28.5.2 (b) CSG / 36.5.2 (b) Re)
Audit Quarterly reporting In order to meet LBB Assurance quarterly reporting

3
3
rd
party access is still being investigated so this statement is assuming access is possible and agreed by LBB.

28/01/2014 Page 16 of 48
and Audit Committee deadlines liaison meetings will need to occur at the
most appropriate times during the year.
Capita attendance at Audit Committees may be
required if issues are being reported that involve
Capita in its role as being responsible for delivery of
services on the Councils behalf.
Audit LBB Assurance and
reliance on Capita
Internal Audit work
During the External Assurance work programme if,
in LBB Assurance Groups judgement, it is unable
to rely on the work undertaken by Capitas internal
auditors, LBB Assurance shall carry out a risk-
based audit programme in relation to the services
that are being provided by Capita on behalf of the
Council.
Audit External audits review
of Capita Internal
Audits work
LBB Assurance should be informed of the outcome
of Capitas external auditors review of Capitas
internal audit service. Any issues or reports
regarding this review should be shared with LBB
Assurance as soon as they are finalised.
Audit Audit Scoping and
ToR
An opportunity to discuss any audits being
undertaken that are of relevance to either party.
If appropriate, LBB Assurance will involve Capita in
any scoping meetings, when agreeing the terms of
reference for the review, during the fieldwork, and
when agreeing the final report.
Audit Compliance,
performance against
audit contract clauses
For audit related clauses opportunity to discuss
any referrals that LBB Assurance have had to make
to the partnership manager regarding information
not being provided by Capita in line with
requirements.
For other clauses opportunity to discuss any
concerns raised by the partnership manager or as a
result of audits that have been undertaken.
Risk Risk Management Changes to and the effectiveness of risk
management arrangements. This will be in addition
to the general Corporate Performance Reporting
and contractual Service Performance Reporting
which is managed with the commercial team within
the LBB.
CAFT Anti-Fraud For Fraud related clause opportunity to discuss
any referrals that have been made in accordance
with the agreed notification process as well as any
relevant on-going anti-fraud or policy compliance
issues.
Table 3: Liaison Meetings

28/01/2014 Page 17 of 48

A timetable of activity is appended to this protocol outlining key dates and meetings for the first
year, with due regard for the dates that Capita Internal Audit quarterly reports will be available,
Audit Committee and Strategic Commissioning Board Assurance dates and how the protocol
will dovetail into these.
Additionally there is a list of documents in Appendix F which will be required initially, upon
finalising the protocol, and on-going.
Effective, timely information sharing is essential; the two parties shall communicate promptly to
the other any significant concerns / exceptions / breaches arising that it is felt should be dealt
with other than through the usual reporting and liaison arrangements set out in this protocol.
When sharing any information both the Freedom of Information Act and the Data Protection Act
requirements shall be observed by both parties. It is recognised that there should not be a need
within the relationship to share personal data unless appropriate to the requirements of both
parties and subject to the controls set out by the Councils Information Sharing Policy.


28/01/2014 Page 18 of 48
6. Appendix A Contact Details

London Borough of Barnet
Assurance Group
North London Business Park, 1
st
Floor Building 2
Oakleigh Road South, London N11 1NP
Director of Assurance
Maryellen Salter
maryellen.salter@barnet.gov.uk
02083593167
Assurance Assistant Director
Clair Green
clair.green@barnet.gov.uk
020 8359 7791
Head of Internal Audit (Chief
Internal Auditor)
Caroline Glitre
caroline.glitre@barnet.gov.uk
020 8359 3721
Risk Assurance Manager
Courtney Davis
courtney.davis@barnet.gov.uk
020 8359 4901
Counter-Fraud Manager
Declan Khan
declan.khan@barnet.gov.uk
020 8359 3721
External Auditor
Grant Thornton UK LLP

Paul Hughes
paul.hughes@uk.gt.com
020 7728 2256

Capita
[71 Victoria Street, London, SW1H 0XA]
Finance Director (Audit Liaison
Lead - CSG)
Tom Evans
tom.evans@capita.co.uk
07824 868650
Commercial Director (Audit
Liaison Lead Re)
Mike Eastwood
mike.eastwood@capita.co.uk
07557 287247
Director, Group Internal Audit
(HoIA opinion)
Clive Smith
clive.smith@capita.co.uk
07917 307988
Director, Group Internal Audit -
Non-FS Divisions
Moyra Armstrong
moyra.armstrong@capita.co.uk
07917 307991

28/01/2014 Page 19 of 48
Group Director of Risk & Fraud
Chris Terry
chris.terry@capita.co.uk
07736 599761
Head of Anti-Fraud & Special
Investigations
Debbie Morris
debbie.morris@capita.co.uk
07733 361432
Internal Audit Manager (who will
be undertaking reviews of LBB
transactions)
TBC
External Auditor
KPMG
Any liaison of discussions with Capita Auditors
should be directed via Tom Evans
7. Appendix B Transferred Services
CSG Re
Customer Services;
Estates;
Finance;
Human Resources, Payroll and
Pensions;
IT Infrastructure and Support;
Procurement;
Revenues and Benefits; and
Corporate Programmes

Planning and Development
Management;
Building Control;
Land Charges;
Environmental Health;
Trading Standards and Licensing;
Cemetery and Crematorium;
Highways;
Strategic Planning; and
Regeneration



28/01/2014 Page 20 of 48
8. Appendix C Risk Escalation












Strategic
Commissioning
Board (SCB)
Cabinet
Resource
Committee
Commercial
Contract
Manager
Risk Identified
Delivery Board
Risk
Assurance
Audit
Committee
Approves SCB Risk
Register to be
published
Key:
Oversight
Escalation
Decision
Operations
Board

28/01/2014 Page 21 of 48
9. Appendix D: Contract Clauses, Definitions & Policy List
9.1. Contract Clauses
The CSG contract clauses that underpin this protocol are as follows:
28 Service Providers Records and Audit [Authority Policy Clause]
45 Termination on Corrupt Gifts and Fraud [Authority Policy Clause]
See these clauses of the CSG contract via the link below:
http://www.barnet.gov.uk/downloads/download/1241/csg_main_contract
Please note that the corresponding clause numbers within the Re contract are 36and 53
respectively and can be seen via the link below:
http://www.barnet.gov.uk/downloads/download/1267/drs_main_contract
9.2. Definitions - Governance Standard
Capita will, in line with contract clause 28.5.1 (CSG) / 36.5.1 (Re), comply with this Governance
Standard definition, and will provide a compliance statement by January of each year. This is in
order to inform LBBs Annual Governance Statement and by providing this in January it will
allow for any additional audit work to be completed, if required, by LBB by the end of March.
It is expected that Capita will meet the governance standards required to support LBBs Chief
Finance Officers responsibilities as per the Councils constitution.
In broad terms, Capitas control framework will need to meet control objectives including:
Anti-Fraud
Asset Management
Audit & Assurance Framework
Business Continuity
Data Quality
Equalities
Financial Management
Governance
Health, Safety & Wellbeing
Information Management & Governance
Partnerships
People Management
Performance Management
Procurement & Contracts Management
Project Management

28/01/2014 Page 22 of 48
Risk & Issue Management
The compliance checklist can be found below at 9.3.1 and 9.3.2.
* the spreadsheet that will be completed and returned to LBB Assurance includes further detail
to support the self-assessment of whether the controls in place are effective.
9.3. Governance Standards Compliance checklist









28/01/2014 Page 23 of 48
Responsible Person:

Question Assessment Notes
1.00 Internal Audit

1.01 Audit arrangements are in line with section 2 of the protocol

2.00 Anti-Fraud

2.01 Anti-Fraud arrangements are in line with section 3 of the protocol
3.00 Risk Management

3.01 Risk management arrangements are in line with section 4 of the protocol

4.00 Performance Management & Data Quality

4.01 There is a Performance Management Framework in place that has been approved by the Council and there is evidence of
this approval
As required
by the
contract
Schedule 22
4.02 Baselines set for performance indicators are supported by robust data sets

4.03 Performance against contractual PIs, KPIs and Super KPIs is regularly monitored and reviewed by senior personnel

4.04
The delivery unit complies with the Council's Data Quality policy and can evidence checks of this compliance
As required
by the
contract
Schedule 22
4.05
Systems and processes are fit for purpose and adequate and effective controls are in place during the input, reporting and
output of data

Controls are in place to ensure the performance data reported to the Council meets the Council's Data Quality requirements
of:


4.06 Accuracy data is without errors, and adheres precisely to any applicable definition.

9.3.1 CSG Governance Standards extract*


28/01/2014 Page 24 of 48
4.07 Reliability data reflects stable and consistent collection and capture processes across collection points and over time.
These processes should minimise manual intervention and maximise the automation of data collection and manipulation.


4.08 Timeliness data is captured as quickly as possible after the event or activity, and is used in a timely fashion.

4.09 Relevance data is applicable to the issue and provides the answers needed

4.10 Completeness data collected and captured comprises of all necessary elements

4.11 A clear audit trail a documented process for obtaining and using the data, which is understood by all involved in
producing the data, and is accessible to those who rely on the data or have an interest in it. Clear and complete audit trails
must be maintained to demonstrate accuracy for all data used for decision-making.


4.00 People Management
4.01 All relevant staff are aware of the responsibilities under the Council's HR regulations and have been adequately trained to
discharge those responsibilities
As required
by the
contract
Schedule 22
- HR
Regulations
are part of
the
Council's
constitution

Click here for HR regulations (revised May 2013):
http://barnet.moderngov.co.uk/documents/s8923/UHRRegulations.doc.pdf


4.02 HR policies and procedures are in place and are updated in line with legislative or other required changes
4.03 Changes to HR policies and procedures for LBB are approved by the Council
4.04 HR Business Partners are fully aware of HR policies and procedures, and communicate these to officers across the Council

28/01/2014 Page 25 of 48
4.05 HR Business Partners provide support to officers across the Council to facilitate the correct application of HR policies and
procedures

4.06 HR Business Partners provide officers across the Council with the data, access to systems or reports they need to manage
performance within their delivery unit

4.07 Safer Recruitment - corporate pre-employment checks and agreed recruitment protocols are being followed. On-going
Safeguarding checks are undertaken for current employees


4.08 Organisational structures which reflect the composition of the Council's workforce and current vacancies are up to date and
accurate.


4.09 Roles & Responsibilities across the Council are clearly defined and supported by up to date job descriptions

5.00 Financial Management

5.01 All relevant staff are aware of the responsibilities under part four of the Council's financial regulations and have been
adequately trained to discharge those responsibilities
As required
by the
contract
Schedule 22
- Financial
Regulations
are part of
the
Council's
constitution
Click here for Financial regulations (revised May 2013):
http://barnet.moderngov.co.uk/documents/s8919/RAmendedFinancialRegulations030513.doc.pdf


5.02 Financial Management policies and procedures are in place and are updated in line with legislative or other required
changes


5.03 Changes to Financial Management policies and procedures for LBB are approved by the Council

5.04 Finance Business Partners are fully aware of Financial Management policies and procedures, and communicate these to
officers across the Council



28/01/2014 Page 26 of 48
5.05 Finance Business Partners provide support to officers across the Council to facilitate the correct application of Finance
policies and procedures


5.06 Finance Business Partners provide officers across the Council with the data, access to systems or reports they need to
manage delivery unit budgets


5.07 The Key Financial System services below, which CSG provides on the Council's behalf, have been audited by Capita
Internal Audit within the past 12 months.


Where this is not the case, please confirm what assurance you have obtained over risk and key controls for those systems.
See links to separate tabs for:


5.08 Treasury Management

5.09 Pension Fund Management

5.10 Payroll

5.11 Cashbook

5.12 Fixed Assets

5.13 Income and Debt Management

5.14 Accounts Payable



5.15 Financial transactions within the finance service are processed through SAP (until replacement finance system introduced in
April 2014), or written approval has been obtained via the Customer Services and Information Management Board agreeing
to the use of other systems.


5.16 Reconciliations are undertaken between the systems that feed into the Annual accounts (e.g. Housing Benefit, Council Tax,
NNDR) and the main accounting system.


5.17 Any issues identified through the reconciliation process are addressed in a timely manner.

5.18 IT general and application controls over the general ledger are designed and operating effectively, as assessed by External
Audit


5.19 Staff ensure that adequate procedures are in place to maintain proper accounting records and entries in them are properly
authorised.



28/01/2014 Page 27 of 48
5.20
There is a timetable in existence to support the closure of the Council's annual accounts. This includes key milestones and
appropriate liaison with external audit.


6.00 Asset Management
6.01 All relevant staff are aware of the responsibilities under parts 4 (Financial Management including Capital) and 5.6 (Assets) of
the Council's financial regulations and have been adequately trained to discharge those responsibilities
As required
by the
contract
Schedule 22
- Financial
Regulations
are part of
the
Council's
constitution
Click here for Financial regulations (revised May 2013):
http://barnet.moderngov.co.uk/documents/s8919/RAmendedFinancialRegulations030513.doc.pdf


6.02
All relevant staff are aware of the responsibilities under the Council's Management of Asset, Property and Land Rules and
have been adequately trained to discharge those responsibilities


Click here for The Management of Asset, Property and Land Rules (revised May 2013):
http://barnet.moderngov.co.uk/documents/s8922/TAssetsPropertyandLandRulesv1020130320.doc.pdf
As required
by the
contract
Schedule 22
- The
Managemen
t of Asset,
Property
and Land
Rules are
part of the
Council's
constitution
Asset Management policies and procedures are in place and are updated in line with legislative or other required changes

Changes to Asset Management policies and procedures for LBB are approved by the Council


28/01/2014 Page 28 of 48
Estates staff are fully aware of Asset Management policies and procedures, and communicate these to officers across the
Council as required


Estates staff provide support as required to officers across the Council to facilitate the correct application of Asset
Management policies and procedures


Estates staff provide officers across the Council with any data, access to systems or reports they need to manage delivery
unit assets


The Fixed Asset Register is up to date and systems to support this aim are adequate

Rent reviews are processed in a timely fashion through SAP (until replacement finance system introduced in April 2014) to
ensure rent data is complete and accurate


There are clear links between the CSG Estates function and the CSG Finance function and respective roles and
responsibilities are clear


8.00 Governance

8.01 The service provider has corporate governance arrangements in place that are in line with the recommendations of the
Cadbury report



http://www.icaew.com/en/library/subject-gateways/corporate-governance/codes-and-reports/cadbury-
report



8.02 Staff conduct themselves in line with the Nolan principles of public life i.e. Selflessness, Integrity, Objectivity, Accountability,
Openness, Honesty, Leadership



http://www.public-standards.gov.uk/






28/01/2014 Page 29 of 48
8.03 All relevant staff are aware of the Council's decision making processes, as defined in the Constitution Part 1 and Article 12,
and adhere to these processes:
As required
by the
contract
Schedule 22
- Decision
making
processes
are part of
the
Council's
constitution
Click here for Part 1 of the Constitution (revised May 2013):
http://barnet.moderngov.co.uk/documents/s8895/Part%201%20-%20Decision%20Making.pdf


Click here for Article 12 of the Constitution (revised May 2013)
http://barnet.moderngov.co.uk/documents/s8907/HArticle12DecisionMaking.doc.pdf


8.04 Assurances are obtained that the Constitutional decision making processes are being followed.

8.05 There is a staff Code of Conduct / Code of Ethics in place and staff adherence to these requirements is monitored.

8.06 Anti-Bribery arrangements are in place and the Council's Bribery Policy Statement and Procedure are complied with. As required
by the
contract
Schedule 22
8.07 Legislation - The impact of new legislation on the delivery unit is considered in a formal and structured way and the
response clearly documented.


8.08 Equalities - The delivery unit complies with an Equalities Policy which the Council has approved As required
by the
contract
Schedule 22
8.09 Equalities - The Equalities duty is complied with i.e. the duty to consult

9.00 Procurement & contracts management


28/01/2014 Page 30 of 48
9.01 All procurement undertaken on behalf of the Council is done so in accordance with the requirements of the Council's
Contract Procedure Rules
As required
by the
contract
Schedule 22
- Contract
Procedure
Rules are
part of the
Council's
constitution
Click here for Contract Procedure Rules (CPRs) (revised May 2013):
http://barnet.moderngov.co.uk/documents/s8920/SContractProcedureRulesFinal130513.doc.pdf


9.02 The Code of Procurement Practice, including the '10 essentials that must be followed when carrying out Procurement', is
understood and adhered to by staff undertaking procurement activities on behalf of the Council
As required
by the
contract
Schedule 22
- the Code
of
Procuremen
t Practice is
part of the
Council's
constitution
Click here for the Code of Procurement Practice (revised May 2013):
http://barnet.moderngov.co.uk/documents/s8921/S2ProcurementCodeofPracticeRevisionv06100313.do
c.pdf


9.03 Procurement policies and procedures are in place and are updated in line with legislative or other required changes

9.04 Changes to Procurement policies and procedures for LBB are approved by the Council

9.05 Procurement Business Partners are fully aware of Procurement policies and procedures, and communicate these to officers
across the Council



28/01/2014 Page 31 of 48
9.06 Procurement Business Partners provide support to officers across the Council to facilitate the correct application of
Procurement policies and procedures and best practice regarding contract management


9.07 Procurement Business Partners provide officers across the Council with the data, access to systems or reports they need to
manage delivery unit contracts

9.08 Conflicts of interest are effectively managed when letting contracts. There is Monitoring and Control of the Conflict of Interest
Protocol and Register (Sch 31) and staff compliance with this.


9.09 Supply chain risks are considered and controls are in place to mitigate these risks

9.10 All contracts and consultancy arrangements clearly identify the key deliverables, SLAs and performance monitoring
processes that demonstrate that the Council receives best value


9.11 All contracts are recorded on a central Contracts Register by the Procurement function of CSG. This is kept fully up to date.

9.12 There is a clear contract renewal process and this is undertaken in a timely manner.

10.0
0
Information Management & Governance

10.0
1
Processes are in place to ensure staff are aware of their responsibilities in dealing with personal data and work in
accordance with the Data Protection Act.

10.0
2
Data loss breaches are reported for assessment and dealt with appropriately in line with the Council's Data Protection
Incident Reporting Procedure.
As required
by the
contract
Schedule 22
10.0
3
Procedures are in place to review all records in line with DPA and the Council's Information Management Policy. As required
by the
contract
Schedule 22

28/01/2014 Page 32 of 48
10.0
4
Staff are aware of and adhere to the Information Governance Framework policies that should be complied with under the
contract schedule 'Authority's Policies'. Where the service provider should have an equivalent policy to be approved by the
Council, this approval can be evidenced
As required
by the
contract
Schedule 22
11.0
0
Project Management

11.0
1
All key projects in the delivery unit have been identified and Corporate Programmes are aware

11.0
2
There is a Project Management policy in place which is in line with the One Barnet Project Toolkit and best practice, for
example the Prince II methodology.


11.0
3
The Project Management policy is kept up to date in line with best practice

11.0
4
Key documents outlined in the Council's One Barnet's project methodology are in place, for example a business case.
These are reviewed, agreed and signed off by relevant project members and stakeholders.


11.0
5
Project Management outputs e.g. Business Cases are fit for purpose and can be relied upon by decision makers

11.0
6
Checks are made that the Project Management policy is being applied consistently in practice

12.0
0
Partnerships

12.0
1
Partnership working with other Delivery Units and other public sector bodies is effective; the cross-cutting strategic KPIs
within the contract are met


13.0
0
Business Continuity Plans

13.0
1
Delivery Unit has an up-to-date BC plan(s) including a list of all key contacts covering key / critical staff, partners and
suppliers.


13.0
2
All staff are aware of the plan and how to respond in the event the plan is activated.

13.0
3
These BC plans have recently been tested/exercised.


28/01/2014 Page 33 of 48







14.0
0
Health, Safety and Wellbeing

14.0
1
Risk Assessments of work activities and premises are carried out and the plan is risk-based.

14.0
2
Premises audits are completed and the schedule is risk-based.

14.0
3
Health & Safety policies and procedures are in place and are updated in line with legislative or other required changes


14.0
4
Where the service provider should have equivalent Health & Safety policies to be approved by the Council, this approval can
be evidenced
As required
by the
contract
Schedule 22
14.0
5
Changes to Health & Safety policies and procedures for LBB are approved by the Council
15.0
0
Other significant Internal Control Issues

15.0
1
Apart from the issues raised above, are there any significant control or other matters arising in your Delivery Unit which
could adversely affect the signing of the Council's Annual Governance Statement (AGS)? E.g. Fraudulent activity, major
overspends, European contract non-compliance; non-compliance with any other policies, laws or regulations. Please provide
details below and assess as per the above questions.



28/01/2014 Page 34 of 48






Responsible Person:

Question
Assessmen
t
Notes
1.00 Internal Audit

1.01 Audit arrangements are in line with section 2 of the protocol

2.00 Anti-Fraud

2.01 Anti-Fraud arrangements are in line with section 3 of the protocol
3.00 Risk Management

3.01 Risk management arrangements are in line with section 4 of the protocol

4.00 Performance Management & Data Quality

4.01 There is a Performance Management Framework in place that has been approved by the Council and there is evidence
of this approval
As required
by the
contract
Schedule 33
- Authority's
Policies
4.02 Baselines set for performance indicators are supported by robust data sets

4.03 Performance against contractual PIs, KPIs and Super KPIs is regularly monitored and reviewed by senior personnel

9.3.2. Re Governance Standards extract*. DRAFT subject to finalisation



28/01/2014 Page 35 of 48
4.04
The delivery unit complies with the Council's Data Quality policy and can evidence checks of this compliance
As required
by the
contract
Schedule 33
4.05
Systems and processes are fit for purpose and adequate and effective controls are in place during the input, reporting
and output of data

Controls are in place to ensure the performance data reported to the Council meets the Council's Data Quality
requirements of:


4.06 Accuracy data is without errors, and adheres precisely to any applicable definition.

4.07 Reliability data reflects stable and consistent collection and capture processes across collection points and over time.
These processes should minimise manual intervention and maximise the automation of data collection and manipulation.


4.08 Timeliness data is captured as quickly as possible after the event or activity, and is used in a timely fashion.

4.09 Relevance data is applicable to the issue and provides the answers needed

4.10 Completeness data collected and captured comprises of all necessary elements

4.11 A clear audit trail a documented process for obtaining and using the data, which is understood by all involved in
producing the data, and is accessible to those who rely on the data or have an interest in it. Clear and complete audit
trails must be maintained to demonstrate accuracy for all data used for decision-making.











5.00 Asset Management

28/01/2014 Page 36 of 48














5.01 Asset Management policies and procedures are in place and are updated in line with legislative or other required
changes


5.02 The Fixed Asset Register is up to date and systems to support this aim are adequate

6.00 Governance
6.01 All relevant staff are aware of the Council's decision making processes, as defined in the Constitution Part 1 and Article
12, and adhere to these processes:
As required
by the
contract
Schedule 33
- Decision
making
processes
are part of
the Council's
constitution
Click here for Part 1 of the Constitution (revised May 2013):
http://barnet.moderngov.co.uk/documents/s8895/Part%201%20-%20Decision%20Making.pdf



28/01/2014 Page 37 of 48
Click here for Article 12 of the Constitution (revised May 2013)
http://barnet.moderngov.co.uk/documents/s8907/HArticle12DecisionMaking.doc.pdf




6.02 There is a staff Code of Conduct / Code of Ethics in place and staff adherence to these requirements is monitored.

6.03 Anti-Bribery arrangements are in place and the Council's Bribery Policy Statement and Procedure are complied with. As required
by the
contract
Schedule 33
6.04 There is an up to date Scheme of Delegation in place for the delivery unit and this is adhered to.



6.05 Planning - all relevant staff are aware of the requirements of the Council's Members' Planning Code of Practice.

Click here for Members' Planning Code of Practice (revised May 2013):
http://barnet.moderngov.co.uk/documents/s8925/WMembersPlanningCodeofPractice.doc.pdf


6.06 Licensing - all relevant staff are aware of the requirements of the Council's Members' Planning Code of Practice.

Click here for Members' Planning Code of Practice (revised May 2013):
http://barnet.moderngov.co.uk/documents/s8925/WMembersPlanningCodeofPractice.doc.pdf


6.07 Legislation - The impact of new legislation on the delivery unit is considered in a formal and structured way and the
response clearly documented.


6.08 Equalities - The delivery unit complies with an Equalities Policy which the Council has approved
As required
by the

28/01/2014 Page 38 of 48
contract
Schedule 33
6.09 Equalities - The Equalities duty is complied with i.e. the duty to consult

7.00 Procurement & contracts management

7.01 Internal Audit can provide assurance over the Procurement and Contract Management of the delivery unit

7.02 Procurement policies and procedures are in place and are updated in line with legislative or other required changes

7.03 Conflicts of interest are effectively managed when letting contracts. There is Monitoring and Control of the Conflict of
Interest Protocol and Register (Sch 28) and staff compliance with this.


7.04 Supply chain risks are considered and controls are in place to mitigate these risks

7.05 All contracts and consultancy arrangements clearly identify the key deliverables, SLAs and performance monitoring
processes that demonstrate that the JV receives best value


7.06 There is a clear contract renewal process and this is undertaken in a timely manner.

8.00 Information Management & Governance

8.01
Processes are in place to ensure staff are aware of their responsibilities in dealing with personal data and work in
accordance with the Data Protection Act.

8.02
Data loss breaches are reported for assessment and dealt with appropriately in line with the Council's Data Protection
Incident Reporting Procedure.
As required
by the
contract
Schedule 33
8.03
Procedures are in place to review all records in line with DPA and the Council's Information Management Policy. As required
by the
contract
Schedule 33
8.04
Staff are aware of and adhere to the Information Governance Framework policies that should be complied with under the
contract schedule 'Authority's Policies'. Where the service provider should have an equivalent policy to be approved by
the Council, this approval can be evidenced
As required
by the
contract
Schedule 33

28/01/2014 Page 39 of 48
9.00 Project Management

9.01 All key projects in the delivery unit have been identified and Corporate Programmes made aware

9.02
There is a Project Management policy in place which is in line with the One Barnet Project Toolkit or best practice, for
example Prince II.


9.03 The Project Management policy is kept up to date in line with best practice

9.04
Key documents outlined in the Council's One Barnet's project methodology are in place, for example a business case.
These are reviewed, agreed and signed off by relevant project members and stakeholders.


9.05 Project Management outputs e.g. Business Cases are fit for purpose and can be relied upon by decision makers

9.06 Checks are made that the Project Management policy is being applied consistently in practice

10.00 Partnerships

10.01
Partnership working with other Delivery Units and other public sector bodies is effective; the cross-cutting strategic KPIs
within the contract are met


11.00 Business Continuity Plans

11.01 Delivery Unit has an up-to-date BC plan(s) including a list of all key contacts covering key / critical staff, partners and
suppliers.


11.02 All staff are aware of the plan and how to respond in the event the plan is activated.

12.03 These BC plans have recently been tested/exercised.

13.00 Health, Safety and Wellbeing

13.01 Risk Assessments of work activities and premises are carried out and the plan is risk-based.

13.02 Premises audits are completed and the schedule is risk-based.
13.03
Health & Safety policies and procedures are in place and are updated in line with legislative or other required changes



28/01/2014 Page 40 of 48
13.04
Where the service provider should have equivalent Health & Safety policies to be approved by the Council, this approval
can be evidenced
As required
by the
contract
Schedule 33
13.05
Changes to Health & Safety policies and procedures for LBB are approved by the Council
14.00 Other significant Internal Control Issues

14.01 Apart from the issues raised above, are there any significant control or other matters arising in your Delivery Unit which
could adversely affect the signing of the Council's Annual Governance Statement (AGS)? E.g Fraudulent activity, major
overspends, European contract non-compliance; non-compliance with any other policies, laws or regulations. Please
provide details below and assess as per the above questions.



28/01/2014 Page 41 of 48

9.4. Definitions Assurance and priority ratings
9.4.1. LBB Assurance:
The following is a guide to the assurance levels given:

Substantial
Assurance
There is a sound system of internal control designed to
achieve the system objectives.
The control processes tested are being consistently applied.

Satisfactory
Assurance
While there is a basically sound system of internal control,
there are weaknesses, which put some of the clients
objectives at risk.
There is evidence that the level of non-compliance with some
of the control processes may put some of the system
objectives at risk.

Limited Assurance
Weaknesses in the system of internal controls are such as to
put the clients objectives at risk.
The level of non-compliance puts the system objectives at
risk.

No Assurance
Control processes are generally weak leaving the
processes/systems open to significant error or abuse.
Significant non-compliance with basic control processes leaves
the processes/systems open to error or abuse.

Priorities assigned to recommendations are based on the following criteria:
High Fundamental issue where action is considered imperative to ensure that the
Council is not exposed to high risks; also covers breaches of legislation and policies
and procedures. Action to be effected within 1 to 3 months.
Medium Significant issue where action is considered necessary to avoid exposure to
significant risk. Action to be effected within 3 to 6 months.
Low Issue that merits attention/where action is considered desirable. Action usually to
be effected within 6 months to 1 year.

9.4.2. Capita:
Audit Classification
The following are descriptions of audit classifications used:
Satisfactory: No high risk weaknesses were identified in the system and no significant areas of non-
compliance with policy or procedures were noted. Improvements may have been advised to improve or
strengthen existing controls.


28/01/2014 Page 42 of 48
Improvement Required: There are medium risk weaknesses in control that, although individually do not
pose a high risk, when taken together indicate a control environment that requires attention.
Significant Improvement Required: There are one or more high risk weaknesses in control, or several
medium risk weaknesses, that expose the Business Unit to a high level of overall risk requiring prompt
action.
Unsatisfactory: There are one or more critical weaknesses in control, or several high risk weaknesses,
exposing the Business Unit to a very high overall level of risk.
Risk Ratings
Each reported finding is assigned a risk rating of Critical, High, Medium or Low as follows:
Critical: Critical control weakness requiring immediate action as it exposes the Business to a very high
risk of imminent significant financial loss, reputational, or severe legal/regulatory sanctions.
High: Control weakness requiring prompt action as it exposes the Business to a high risk of significant
financial loss, reputational damage, or severe legal/regulatory sanctions.
Medium: Control weakness that should be addressed as it exposes the Business to some risk of
financial loss, reputational damage, or legal/regulatory sanction.
Low: Basic internal controls are adequate but improvements could be made to bring procedures in line
with current industry best practice.

9.5. Policy List
See Schedule 22 (CSG): Authorities Policies via the link below
http://www.barnet.gov.uk/downloads/download/1241/csg_main_contract
See Schedule 33 (Re): Authorities Policies via the link below
http://www.barnet.gov.uk/downloads/download/1272/schedules_5-33










28/01/2014 Page 43 of 48
10. Appendix E Annual Timetable of Activity
The annual timetable of activity amalgamates both LBBs and Capitas key planning, reporting
and meeting dates in an effort to coordinate activities, schedule liaison meetings and create a
forward plan of assurance deliverables (see Table 3 Liaison Meetings). The annual timetable of
activity will be produced in quarter one and be the basis of the first liaison meeting of each
year.
The following outlines key information required for developing the timetable.
10.1. Planning
10.1.1. LBB Assurance

Audit & CAFT planning cycle Risk based planning January 2014 to
March 2014
Internal Audit and Anti-Fraud Strategy &
Annual Plan and Risk Management
Approach
Goes to Audit Committee April 2014

Risk Management Framework Goes to Audit Committee April 2014
Annual Audit Opinion Goes to Audit Committee July 2014
CAFT Annual Report Goes to Audit Committee July 2014
Annual Governance Statement Goes to Audit Committee July 2014

10.1.2. Capita
Annual Audit Planning Risk based planning August to October
2013
GIA Annual Plan 2014 Presented to Group Audit Committee
November 2013
Risk Management Framework
Annual Audit Opinion Goes to Audit Committee May 2014

10.2. Reporting and Meeting Dates
10.2.1. LBB
The primary LBB Assurance meetings are Strategic Commissioning Board (SCB) Assurance
and Audit Committee. The calendar of Council meetings, including Audit Committee, is agreed
at Full Council in May. SCB Assurance meets bi-monthly.

28/01/2014 Page 44 of 48
Standard clearance and circulation is 10 working days for reports.
The following table outlines the key remaining dates in this financial year. For the purposes of
clearing LBB Assurance quarterly reports for Audit Committee, these are first taken to SCB
Assurance therefore the corresponding Quarter that will be reported to each meeting has been
included.
LBB Quarter to be
reported
SCB Assurance Audit Committee
Q2

Thursday 24 October
Q3 Tuesday 26th November

Tuesday 28 January
Tuesday 21st January


Q4 Tuesday 18th March

Tuesday 29 April

10.2.2. Capita

Group Audit and Risk Committee
February 25
th
2014
May 27
th
2014
July 22
nd
2014
November 25
th
2014

[Timetable to be produced, needs to consider audit annual planning cycle start and end
dates, LBB Assurance receiving Capita finalised plan, LBB Assurance receiving Capita HoIA
opinion etc]







11. Appendix F Documents Checklist
Documents required at time of agreeing protocol

1. Capita draft 2014 Internal Audit plan relating to services delivered to Barnet

28/01/2014 Page 45 of 48
2. Capita Risk Management Policy
3. Capita Fraud Policy
4. Capita Bribery Policy
5. Capita Anti-Money Laundering Policy
6. Capita Whistle Blowing Policy

Documents required to inform LBB Assurance assessment of reliance on Capita
internal audit
7. Capita Internal Audit Terms of Reference / Charter
8. Capita Internal Audit latest reporting of performance against audit plan
9. Capita Internal Audit accreditation and quality reports (e.g. ISO standards) if
applicable
10. Latest Capita Internal Audit review of compliance with Internal Audit Standards
11. Latest Capita Annual Report (LBB Assurance will be seeking assurance from the
Governance section for example), usually published in April
12. Other documents as agreed between the parties

On-going documents required
1. Internal Audit quarterly reports on LBB services (within 15 days of agreed quarterly
date i.e. 1
st
April, 1
st
July, 1
st
October, 1
st
January)
2. Internal Audit quarterly reporting of progress against audit plan (if separate to
quarterly report)
3. Annual Head of Internal Audit Opinion
4. Internal Audit annual plan
5. Other documents as agreed between the parties



28/01/2014 Page 46 of 48
12. Appendix G: Internal Audit Decision Tree



























Internal Control
Environment Assurance
Governance Standard
Compliance Statement
Received by March
each year
No
Accuracy test: Cross
reference against client
side. Internal control
environment sound?
Concern re: control
environment or services -
Invoke 28.6.1
Escalate to
contract
manager
Does provider
have their own
internal audit
function? (28.5.2a)
Audit Plan Consulted
Submitted 28.5.2 band c
Raise concerns
Via 28.6.1
Yes
No
Yes
Note: consider timing with
client side
Assurances received
regarding adequacy of
internal control
environment
No Yes
Informs HoIA
opinion
Yes No
Carry out risk based
audit programme
based on 28.5.4
Yes
No
Can audit plan be relied
on for wider assurance?
(Assessed via External
Assurance framework)
Escalate to
contract
manager
Does audit plan provide
sufficient coverage on
LBB transactions?
Informs HoIA
opinion
Yes
No
Relevant internal audit
reports submitted (25.5.2
d, e, f)
Yes
Concerns over sufficiency
or accuracy
No
Yes
Informs HoIA
opinion
Raise concerns
Concerns
rectified?
Yes
No
Risk based audit
via 28.5.4 (a)
Clauses Key (note the clause numbers here refer to the CSG
contract):
28.5.2:
A: Establishing its own internal audit function
B: Consultation with the Authority prior to finalising its
Annual Internal Audit Plan
C: Submit its own Annual IA Plan by the end of April in
each contract year
D: Submit IA reports within 15 Business Days of the
agreed quarterly date
E: Limited or no assurance submitted within 5 working
days
F: Undertake yearly audits of all IPR used in the
performance of the Services
28.5.4:Risk-based audit - Capita bears cost longer timeframe
A: The Service Provider doesnt have an internal audit
service
B: The Service Provider has an internal audit service but
the Authority's internal audit service is unable to rely on
the audits and work carried out by the Service Providers
internal audit service
28.6.1 Audit - Bear respective costs shorter timeframe
The Authority or its appointed Auditor may, upon no
less than two Business Days, notice where the Authority
has concerns in respect of the Services, and ten Business
Days notice in all other circumstances.
28
th
November 2013
Date: 28/11/13

28/01/2014 Page 47 of 48

13. Appendix H: CAFT Decision Tree
























Notify the
Authority
directly
The Authority has the
power to audit books,
records and any
relevant documents
under clause
45.1.8.The
End of process;
recommendatio
ns to be made
45.1.10 rules
of termination
Fraud is
suspected.
see 45.1.2
Fraud is known
to have been
committed. See
45.1.7
All loss is
recovered
under clause
45.1.3
The Service
Provider must
give any
reasonable
assistance to
any
investigation
undertaken by
the Authority
see 45.1.5.a
Loss is not
recovered
Final
termination
see 45.1.12
The Authority has the
power to terminate
the contract if there
has been a breach of
45.1.4. Power to
terminate agreement
is stated under
45.1.9
See 45.1.11
End process;
recommendations to
be made
Verify that the
Service
Provider, or a
related party,
agent or
shareholder,
has breached
clause 45.1.4
Escalate to
Contract
Manager

28/01/2014 Page 48 of 48



CAFT Decision Tree Clauses