Assurance Group and Capita In relation to CSG and RE Services
28/01/2014 Page 2 of 48

Version control

| Version | Date | Author(s) | Summary of Changes |
|---|---|---|---|
| V1 | 28/1/14 | LBB Assurance - various; Capita - various | |
Contents

1. Introduction
2. Internal Audit
2.1. Respective roles of auditors
2.2. LBB Risk-based Audit Programme
2.3. Areas where LBB Assurance are likely to place reliance on Capita Internal Audit
2.3.1. Transferred Services
2.3.2. Wider Assurance Governance Standards
2.3.3. Follow-up of previous recommendations
3. Anti-Fraud
4. Risk Management
5. Liaison Meetings
6. Appendix A - Contact Details
7. Appendix B - Transferred Services
8. Appendix C - Risk Escalation
9. Appendix D: Contract Clauses, Definitions & Policy List
9.1. Contract Clauses
9.2. Definitions - Governance Standard
9.3. Governance Standards Compliance checklist
9.3.1. CSG Governance Standards extract*
9.3.2. Re Governance Standards extract*. DRAFT subject to finalisation
9.4. Definitions - Assurance and priority ratings
9.4.1. LBB Assurance
9.4.2. Capita
9.5. Policy List
10. Appendix E - Annual Timetable of Activity
10.1. Planning
10.1.1. LBB Assurance
10.1.2. Capita
10.2. Reporting and Meeting Dates
10.2.1. LBB
10.2.2. Capita
11. Appendix F - Documents Checklist
12. Appendix G: Internal Audit Decision Tree
13. Appendix H: CAFT Decision Tree
1. Introduction

The London Borough of Barnet's (LBB) Operational Assurance (referred to herein as LBB Assurance) function sits within the Assurance Group. It consists of Internal Audit, Anti-Fraud and Risk Assurance and is responsible for ensuring coverage of the core aspects of the Council's governance and control environment in order to support achievement of the Council's overall objectives. The functions are summarised as follows:
- Internal Audit will provide independent and objective assurance to the Council, its Members, the Strategic Commissioning Board (including the Chief Operating Officer) to support them in discharging their responsibilities under S151 of the Local Government Act 1972, relating to the proper administration of the Council's financial affairs.
- The Anti-Fraud strategy and team demonstrate the Council's commitment to a zero tolerance approach to fraud, corruption or bribery and work to prevent, detect and deter fraud within the Council whilst actively pursuing fraudsters and seeking redress.
- Risk Assurance is responsible for delivering a robust risk assurance function through the risk management framework that ensures the Council meets the highest standards of risk management.
This protocol seeks to set out the proposed working relationship between LBB Assurance and Capita for internal audit, anti-fraud and risk management. The objective of this protocol is to provide a framework which will optimise the benefits of the relationship between LBB Assurance and Capita, whilst enabling chief officers within the Council to discharge their respective responsibilities. It sets out how both parties will work together to provide information and to deliver the essence of the contractual agreement in practical terms.
The protocol aims to:
- clarify the respective roles of LBB Assurance and Capita [1];
- highlight areas where LBB Assurance are likely to require assurance from Capita; and
- establish a framework for co-operation in the planning, conduct and reporting of Internal Audit, Anti-Fraud and Risk Management.
Overall the protocol should promote an effective working relationship, within the bounds of the respective roles of both parties, maximising benefit and minimising effort and duplication across both organisations.
This protocol covers all aspects of contract clauses in relation to internal audit, anti-fraud and risk management arrangements and will be reviewed annually in April, in order to include LBB's provisional Audit Committee dates for the coming year.
[1] The respective roles of LBB and Capita are viewed within the context of the contract that has been signed between LBB as a whole (as opposed to the LBB Assurance Group). Regarding the transferred services (see Appendix B) roles can be defined as follows:

RACI Assessment*: (R) Responsible, (A) Accountable, (C) Consult, (I) Inform

| Capita | LBB Client | LBB Assurance |
|---|---|---|
| R | A | C, I |
The following sections provide more detail on the assurance expectation within each function and the forum in which activities will be coordinated and information shared.
2. Internal Audit

Included within the contract are clauses to ensure the provision of information relating to internal audits carried out on services provided on behalf of LBB. This includes information about the intended annual plan of audit activity, any limited or no assurances included within quarterly summary reports and the annual audit opinions.
Additionally, the Public Sector Internal Audit Standards (PSIAS) require that the chief internal auditor must include in the risk-based plan the approach to using other sources of assurance and any work required to place reliance upon those other sources.

2.1. Respective roles of auditors

The following table outlines the respective roles of LBB Assurance and Capita. The roles and objectives are different but complementary. There are therefore benefits to be gained from working together.

| LBB Assurance | Capita |
|---|---|
| Internal Audit is defined in the Public Sector Internal Audit Standards (PSIAS) as an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Internal Audit must have a Charter that accords with the requirements of the PSIAS. The key output from Internal Audit is the annual opinion on the Council's control environment which should be reported to the Audit Committee. | Capita Group Internal Audit (GIA) is an independent function within Capita. Its role per the GIA Charter is to review the adequacy and effectiveness of the organisation's governance, processes, controls and risk management in implementing agreed strategies across the whole of the group's activities. It provides the Board, the Group Audit Committee and all levels of management with an objective opinion on the results of its reviews. The Chartered Institute of Internal Auditors publishes a Definition of Internal Auditing, a Code of Ethics and Standards which are recognised as mandatory for the GIA function. GIA's overall objective is to provide independent assurance to the Capita plc Board and management on the effectiveness of risk management and controls over all of the group's activities. |
| Internal Audit's strategy and plan is risk-based, is agreed between Internal Audit and management and is approved by the Audit Committee. To remain independent and objective the work of Internal Audit cannot be directed by other parties. | The Director, GIA is responsible for the development of a risk based plan to determine the priorities of the internal audit activity, consistent with the group's goals, risk management framework and risk appetite. This is approved by the Group Audit Committee. GIA is independent of the activities which it reviews to enable the unbiased judgements essential to its proper conduct and facilitate impartial advice to management. |
| Internal Audit reports to the Audit Committee on a quarterly basis. | GIA reports to the Group Audit Committee on a quarterly basis. |
| Internal Audit provides assurance as follows: substantial, satisfactory, limited, no. Please see Appendix D for the basis of these ratings. | GIA provides assurance as follows: Satisfactory, Improvement Required, Significant Improvement Required, Unsatisfactory. Please see Appendix D for the basis of these ratings. |
| LBB financial year ends on 31st March. | Capita Group financial year ends on 31st December. Re financial year ends on 31st March. |

2.2. LBB Risk-based Audit Programme

Capita has its own Internal Audit function and therefore LBB does not anticipate undertaking a risk-based audit programme involving Capita staff unless:
- Capita do not undertake internal audit reviews that provide assurance over Transferred Services (see Appendix B), specifically the Barnet business-arm and therefore LBB transactions;
- An audit is planned that has a scope involving both LBB and Capita employees;
- LBB has concerns in respect of the Transferred Services; or
- LBB is unable to rely on the audits and work completed by Capita's internal auditors.

Refer to Appendix G for the audit contract clauses decision tree.

Any audits undertaken by LBB will also be discussed with the LBB Commercial team to ensure transparency over any potential impact to the contract.

Contract clauses 28.5.2 (CSG) / 36.5.2 (Re) and 28.6.1 (CSG) / 36.6.2 (Re) state the timeframes within which Capita must provide certain information to LBB Assurance. This information and the deadlines are summarised in the table below:

| Required information | Deadlines |
|---|---|
| Consult with the Authority prior to finalising its Annual Internal Audit Plan | Date not stated - suggest September |
| Submit its own Annual IA Plan | By the end of April in each contract year - suggest earlier, i.e. once formally approved |
| Submit IA reports - reports that provide assurance over Transferred Services, including any Governance reviews completed | Submit within 15 Business Days of the agreed quarterly date |
| Limited or no assurance submitted | Submit within 5 working days (CSG); Submit immediately (Re) |
| Undertake audits of all IPR used in the performance of the Services | Submit yearly |
| Provide the Authority (and / or its agents or representatives) with all reasonable co-operation and assistance in relation to each audit being undertaken by LBB | Within two (2) Business Days (unless agreed otherwise by the parties acting reasonably) (CSG); On demand (Re) |
LBB Assurance will undertake a programme of work to assess whether it can rely on the audits undertaken by Capita's internal auditors. A provisional list of the evidence that will be gathered to inform this view has been included at Appendix F. This will be an annual review to be completed by the end of LBB's quarter 2 to ensure that, if there are issues, it will be possible to undertake the risk-based audits required within quarters 3 and 4.

Where clause 28.5.4 (CSG) / 36.5.4 (Re) is invoked, whereby Capita must bear the cost of any audit work undertaken by LBB Assurance, the charges will be as follows:
- Core (non-specialist) audits: £359 per day
- Specialist (IT, Projects and Programmes etc) audits: £513 per day

These charges will be subject to review on an annual basis.

Schools audits

LBB will continue to carry out its rolling programme of schools internal audits. Liaison arrangements with the Schools Finance Service Manager (now part of CSG) will remain as they were before the service was transferred to Capita. LBB will continue to provide the Schools Finance Service Manager with copies of all final internal audit reports issued regarding schools in the borough.
2.3. Areas where LBB Assurance are likely to place reliance on Capita Internal Audit

2.3.1. Transferred Services

LBB Assurance will seek to take assurance from any Capita Internal Audit work over LBB transactions specifically for the services being conducted on the Council's behalf. These are listed within Appendix B for the respective contracts with Capita.

The council assurance function will retain responsibility for the exercise of powers under the joint employment arrangements within Re, the associated Scheme of delegation, and also for audits relating to managed contracts, for example highways network management contracts. The Parties agree that during the annual planning cycle, they will review any proposed audits which may address part of the processes relating to these retained council activities, and in so far as appropriate and agreed, one of the audit functions will review the end to end process. For example, if Capita Internal Audit propose an audit of Re managing agent activity, the Council may determine that it would be appropriate as part of that audit for Capita to also review Council retained activities, such as policy setting and authorisations, in which event Capita and the Council assurance team will review the scope of the proposed audit to assess whether it would be appropriate to incorporate a review of these retained activities. Any actions identified relating to a retained function will be sent in draft to the LBB Commercial team and Assurance team prior to finalising the report, and implementation of those actions will be monitored by the LBB Assurance team.
2.3.2. Wider Assurance Governance Standards

LBB Assurance will also be looking for assurance over general controls impacting on the service provided. This will involve review of any Governance audits undertaken by Capita and a review of the agreed Governance Standards compliance - see Appendix D section 9.3 Governance Standards.

2.3.3. Follow-up of previous recommendations

The following table outlines the respective responsibilities as they relate to the follow-up of LBB audit recommendations:

LBB Assurance Capita To provide Capita with copies of the most recent Internal Audit reports relating to the transferred services (see Appendix B). To follow-up any Priority 1 recommendations that were made by LBB Assurance. To follow up on any transferred Priority 2 and Priority 3 recommendations made by LBB Assurance when the area is next under review.
3. Anti-Fraud

Under Section 151 of the Local Government Act 1972 the Council has a statutory obligation to ensure the protection of public funds and to have an effective system of prevention and detection of fraud and corruption.

Within the Council structure the Corporate Anti-Fraud Team (CAFT) sits within the Assurance Group, and is a dedicated independent, objective activity designed to add value and improve the Council's operations. It helps the Council achieve its objectives by bringing a systematic, disciplined approach to investigation, evaluating and improving the effectiveness of fraud prevention and detection and the subsequent prosecution of individuals and organisations where appropriate.

Capita has a dedicated anti-fraud function which sits at group level and has responsibility for the investigation of staff fraud within each of the Capita business services. Capita has a dedicated anti-fraud function which sits at group level and has responsibilities which include the investigation of staff fraud within each of the Capita business services.

The Capita Group Fraud Policy is the minimum standard for all contracts involving Capita staff; this may be supplemented, but not reduced, by the LBB Fraud Policy. Capita employees are required to undertake mandated Fraud Awareness training.

Capita Group employs a Head of Special & Fraud Investigations; this is a fully qualified and accredited counter fraud specialist role. All potential or actual incidents will be reported to the group function who will liaise with the local business management to ensure each report is correctly investigated. The Capita Group Fraud Investigation function provides advice, support and investigation services to the business management as required by each incident. Each incident is assessed and the appropriate plan instituted to achieve a positive result for any investigation.
In accordance with the agreed liaison as set out in Table 2 (Notifications), Capita Group will liaise with LBB CAFT and agree on necessary disciplinary action, possibility of reporting the incident to the police and/or any regulatory authorities or legal action as appropriate to each case involving Capita staff in relation to either a LBB provided service or fraud matter involving LBB public funds. Monthly reports for significant investigations are made to the Director Group Risk and Compliance who reports to the Capita Group Executive and Capita Audit Committee. The Capita business will maintain an incident log and in conjunction with Capita group fraud will provide regular updates on progress of investigations as agreed within this protocol. LBB will provide Capita local management and the Capita Head of Special & Fraud Investigations with a regular update on all investigations with potential Capita, Capita staff or Capita processing involvement or implications.

Both LBB and Capita have a zero tolerance approach to fraud and other irregularity committed against those services contracted out on behalf of the LBB, and both organisations will work together in order to support this approach and ultimately protect the public purse through the following contractual and agreed working arrangements.

Included within the Capita contract are clauses to ensure the provision of information relating to the prevention of Fraud and Bribery in relation to the services contracted out on behalf of LBB. This protocol aims to clarify those clauses into agreed working arrangements.

It is acknowledged within this protocol that the sole responsibility for third party / external fraud investigations relating to LBB Housing Benefit, National Non Domestic Rates and Council Tax Benefit, Council Tax Support and Disabled Blue Badge lies with the Council's CAFT. It is agreed that all referrals relating to any of these services should be directed in the first instance to the Council's CAFT and not to Capita Group Fraud.

LBB Fraud Policies

The contract states (CSG - 45.1.1, Re - 53.1.1) that the service provider (Capita) is required to certify in writing to the Council that it will take all reasonable steps to act in accordance with the Council's Counter Fraud Framework and Financial Regulations (part 4) to prevent Fraud by service users, staff and the service provider in connection with the receipt of monies from the authority.

As stipulated within the contract (CSG - 45.1.5 (b), Re - 53.1.6 (b)) LBB will seek this assurance from each of the services contracted out on behalf of the LBB by certification from Capita in writing on an annual basis.

The schedule of policies attached to each contract (Schedule 22 for CSG and Schedule 33 for Re) with which Capita must comply includes the counter fraud framework. The contract also states under section 45.1.6 that the service provider will comply with the Council's anti-bribery policy. This policy is included with the Council's counter fraud framework.
Counter Fraud Framework - 2013
- Counter Fraud Framework Introduction
- Fraud Policy Statement and Procedure
- Bribery Policy Statement and Procedure
- Prosecution Policy statement
- Anti-Money Laundering Policy Statement and Procedure
- Whistleblowing Policy Statement and Procedure
- Regulation of Investigatory Powers (RIPA) Act 2000 Policy Statement and Procedure (directed surveillance)

Whistleblowing

It is agreed within this protocol that Capita staff should utilise the Council's Whistleblowing Policy (under 2.3 or 4.1 of the policy) in relation to reporting a matter in accordance with the policy relating to a CSG or Re service. However it is also acknowledged that Capita staff may also choose to report such matters under their equivalent Capita Speak up Policy. Any referrals received under the relevant LBB or Capita policy will be notified to the relevant parties in accordance with the agreed notification timescales detailed within Table 2. It is agreed that it is Capita's responsibility to actively promote and raise awareness of this within Capita in accordance with principles of openness and transparency and joint commitment to protect public funds.
Contract Clauses

Refer to Appendix H for the fraud contract clauses decision tree.

Contract clause 45.1.8 states that the service provider must respond promptly to the Authority's enquiries. It is agreed within this protocol that LBB and Capita will deem any enquiries to fall within two categories of urgent and standard and for the purpose of this protocol would define them as follows:

| Category | Definition | Agreed response timescale |
|---|---|---|
| Urgent | The information is critical to an investigation where any delay could compromise the ability to take legal action or create an unacceptable risk of loss / harm to the Council. | Within 24 hours |
| Standard | The information that is required to identify the level of criminal activity where the continued risk of loss / harm to the Council is deemed to be medium to low. | Within 5 days |

Table 1 - definitions

Prevention & Detection

The primary responsibility for the awareness, prevention, detection and deterrence of fraud, corruption, bribery or money laundering activity lies with the individual services contracted out on behalf of LBB and not with Capita Group fraud service nor the Council or the Council's CAFT. The relevant Director / Head of Service responsibility within Capita includes ensuring that Capita staff (and partners and subcontractors) are aware of both the implications of fraud, bribery and money laundering and the risks of fraud, bribery and money laundering across their service area. LBB will seek assurances from Capita around this responsibility from each of the services (CSG and Re) within the annual compliance statement.
Internal Fraud relating to a LBB provided service - Reporting, Notification, Investigation and sanction process

The primary responsibility for the investigation of any suspected fraud, corruption, bribery or money laundering activity found in a service area lies with both Capita group fraud and the Council's CAFT. Capita group fraud currently operates a staged assessment process of referrals that are passed to them, and in line with this process both LBB CAFT and Capita have agreed to adopt the following approach in relation to referrals that are received either Capita group fraud and related to either the CSG or Re services.

| Referral | Definition | Agreed reporting process and timescale |
|---|---|---|
| Stage 1 | Fact finding stage | Capita Monthly report to CAFT |
| Stage 2 | Requires further investigation | Urgent - within 24 hours; Standard - within 5 days |
| Stage 3 | Requires sanction action (e.g. disciplinary action/police intervention/legal action) | A joint assessment of action and responsibility between Capita and LBB CAFT on an individual case by case basis. |
| Whistleblowing | Referral received under the Council's Whistleblowing Policy or Capita Speak up policy relating to CSG or Re services. | Urgent - within 24 hours; Standard - within 5 days |

Table 2 - Notifications

Retained Council Information Systems / Council data / Access to provided LBB Services data

The Council's financial regulations (part 4) state that all CAFT Investigation Officers shall have authority to: have unrestricted access to, search, and remove any and all records, documents and correspondence, including electronically held correspondence, documents and records.

In order to support this requirement Capita will ensure that the CAFT officers have direct access (high level) to all requested IS systems holding LBB data, including the relevant Capita systems (and future replacements), and will continue to provide training and support on those systems to CAFT officers. All access to systems for CAFT officers will be approved by either the Assistant Director of Assurance or CAFT Counter Fraud Managers.

Current systems include (but not exclusively limited to):
- Incase
- Civica
- SAP (plus new replacement)
- Saffron
- Sword fish
- Diraq
- Wisdom
- CM (Contact Manager)

Web based systems like:
- LOCTA
- Equifax
- Call Credit

In relation to LBB retained organisation investigation Capita will provide nominated staff to provide high level support to CAFT relating to investigations that CAFT may be conducting. This support normally relates to (but not exclusively) access to LBB staff email / outlook, including deleted items and recovery of deleted items, files, documents, as well as internet usage data. Any such requests for CAFT officers will be approved by either the Assistant Director of Assurance or CAFT Counter Fraud Managers, in writing, and be categorised in accordance with the agreed definitions and reporting timescales within this protocol as urgent or standard.
4. Risk Management

The Council's primary responsibilities when commissioning services and working in partnerships are to ensure that the partnership has effective risk management procedures and to provide assurance that the risks are being identified, prioritised and appropriately managed. The purpose of risk management in this context is as follows:
- To ensure proper identification and understanding of risks associated with a commissioned service including delivery risks, joint risks and retained risks
- To support clear allocation of responsibilities for managing and monitoring risk
- To agree the risk appetite for management of risks amongst all partners
- To align the response to identified risks with corporate priorities
- To provide a framework for information sharing regarding risks and performance management
The contract (clause 28.5.2 CSG, 36.5.2 Re) states the contractor shall operate a sound system of internal control including appropriate risk management processes. As per schedule 22 of the contract the service provider should comply with section 4.2 of the Council's Risk Management Policy, with the provider's overall risk management arrangements in an equivalent policy to be approved by the Council.

In order for the Council to maintain its responsibilities for overseeing the management of risks, a collaborative approach for managing, monitoring and reporting on risk (key or joint) must be agreed. Outlined below are relevant policy and procedure excerpts from section 4.2 of the Council's Risk Management Policy.

Currently, Capita has a commitment to use the JCAD system and scoring for all Corporate Programmes projects; operational risks will be managed according to Capita's risk management policy [2] which has been reviewed by the Council.

Risk allocation and responsibility

In general it is expected that most risk will clearly be allocated to either the Council or Capita, however a small number of risks may be joint risks, i.e. a shared risk where both parties have a role in managing the risk. Joint risks will be recorded in the Council's risk management system (JCAD) with the responsibilities and actions of each party clearly defined. The principles on how a joint risk will be managed are as follows:
- LBB Contract manager will be assigned the risk and facilitate the management and monitoring of the risk.
- The actions tab, in JCAD, will be used to assign and manage activity to individuals.
- 3rd party access to JCAD should be limited and will be considered on a case by case basis [3].

Monitoring Risks

Risks should be managed and monitored regularly as part of business as usual and escalated whenever required, including new emerging risks that would score 12 or more and/or any serious risk incidents that occur (see Appendix C).

Over the course of the service contract it is likely that the risk profile will evolve, therefore provision is made through this protocol to build a relationship with an open dialogue and develop an effective approach, based on common understanding of risk management (processes and terminology) and of the objectives of the partnership.

Quarterly contract performance reporting will include risks wholly owned by LBB, joint risks and significant operational risks (with a rating of 12 or more using LBB's scoring methodology). The full LBB risk register (including any risks rated below 12) will be appended to the performance summary.

Section 4.2 of the Council's Risk Management Policy describes the requirement for an outline plan for risk management strategy in the forthcoming year. This requirement will be satisfied as part of liaison meetings (section 5) where changes to and the effectiveness of risk management arrangements will be discussed.

[2] Capital Non-Financial Service Division Risk Management Policy and Process V2 (July 11)
[3] 3rd party access is still being investigated so this statement is assuming access is possible and agreed by LBB.
5. Liaison Meetings
To ensure effective co-operation between LBB Assurance Group and Capita, quarterly liaison meetings will be held for planning, to review programmes of work and discuss other issues of mutual interest. Exceptional meetings will be arranged as appropriate for specific issues or events, e.g. Audit Committee. The following are examples of areas the liaison meetings will cover by function:

Function: Audit
Description: Capita internal audit plan
Expectation: Capita will consult with the Authority prior to finalising its Internal Audit annual plan to ensure that an appropriate level of assurance is available over the risk areas affecting LBB's operations. (Contract clause 28.5.2 (b) CSG / 36.5.2 (b) Re)

Function: Audit
Description: Quarterly reporting
Expectation: In order to meet LBB Assurance quarterly reporting and Audit Committee deadlines, liaison meetings will need to occur at the most appropriate times during the year. Capita attendance at Audit Committees may be required if issues are being reported that involve Capita in its role as being responsible for delivery of services on the Council's behalf.

Function: Audit
Description: LBB Assurance and reliance on Capita Internal Audit work
Expectation: During the External Assurance work programme if, in LBB Assurance Group's judgement, it is unable to rely on the work undertaken by Capita's internal auditors, LBB Assurance shall carry out a risk-based audit programme in relation to the services that are being provided by Capita on behalf of the Council.

Function: Audit
Description: External audit's review of Capita Internal Audit's work
Expectation: LBB Assurance should be informed of the outcome of Capita's external auditors' review of Capita's internal audit service. Any issues or reports regarding this review should be shared with LBB Assurance as soon as they are finalised.

Function: Audit
Description: Audit Scoping and ToR
Expectation: An opportunity to discuss any audits being undertaken that are of relevance to either party. If appropriate, LBB Assurance will involve Capita in any scoping meetings, when agreeing the terms of reference for the review, during the fieldwork, and when agreeing the final report.

Function: Audit
Description: Compliance, performance against audit contract clauses
Expectation: For audit related clauses - opportunity to discuss any referrals that LBB Assurance have had to make to the partnership manager regarding information not being provided by Capita in line with requirements. For other clauses - opportunity to discuss any concerns raised by the partnership manager or as a result of audits that have been undertaken.

Function: Risk
Description: Risk Management
Expectation: Changes to and the effectiveness of risk management arrangements. This will be in addition to the general Corporate Performance Reporting and contractual Service Performance Reporting which is managed with the commercial team within the LBB.

Function: CAFT
Description: Anti-Fraud
Expectation: For Fraud related clause - opportunity to discuss any referrals that have been made in accordance with the agreed notification process as well as any relevant on-going anti-fraud or policy compliance issues.

Table 3: Liaison Meetings
A timetable of activity is appended to this protocol outlining key dates and meetings for the first year, with due regard for the dates that Capita Internal Audit quarterly reports will be available, Audit Committee and Strategic Commissioning Board Assurance dates and how the protocol will dovetail into these. Additionally there is a list of documents in Appendix F which will be required initially, upon finalising the protocol, and on-going. Effective, timely information sharing is essential; the two parties shall communicate promptly to the other any significant concerns / exceptions / breaches arising that it is felt should be dealt with other than through the usual reporting and liaison arrangements set out in this protocol. When sharing any information both the Freedom of Information Act and the Data Protection Act requirements shall be observed by both parties. It is recognised that there should not be a need within the relationship to share personal data unless appropriate to the requirements of both parties and subject to the controls set out by the Council's Information Sharing Policy.
6. Appendix A Contact Details
London Borough of Barnet Assurance Group
North London Business Park, 1st Floor Building 2, Oakleigh Road South, London N11 1NP
Director of Assurance: Maryellen Salter, maryellen.salter@barnet.gov.uk, 02083593167
Assurance Assistant Director: Clair Green, clair.green@barnet.gov.uk, 020 8359 7791
Head of Internal Audit (Chief Internal Auditor): Caroline Glitre, caroline.glitre@barnet.gov.uk, 020 8359 3721
Risk Assurance Manager: Courtney Davis, courtney.davis@barnet.gov.uk, 020 8359 4901
Counter-Fraud Manager: Declan Khan, declan.khan@barnet.gov.uk, 020 8359 3721
External Auditor: Grant Thornton UK LLP, Paul Hughes, paul.hughes@uk.gt.com, 020 7728 2256

Capita [71 Victoria Street, London, SW1H 0XA]
Finance Director (Audit Liaison Lead - CSG): Tom Evans, tom.evans@capita.co.uk, 07824 868650
Commercial Director (Audit Liaison Lead - Re): Mike Eastwood, mike.eastwood@capita.co.uk, 07557 287247
Director, Group Internal Audit (HoIA opinion): Clive Smith, clive.smith@capita.co.uk, 07917 307988
Director, Group Internal Audit - Non-FS Divisions: Moyra Armstrong, moyra.armstrong@capita.co.uk, 07917 307991
Group Director of Risk & Fraud: Chris Terry, chris.terry@capita.co.uk, 07736 599761
Head of Anti-Fraud & Special Investigations: Debbie Morris, debbie.morris@capita.co.uk, 07733 361432
Internal Audit Manager (who will be undertaking reviews of LBB transactions): TBC
External Auditor: KPMG
Any liaison or discussions with Capita Auditors should be directed via Tom Evans.

7. Appendix B Transferred Services
CSG: Customer Services; Estates; Finance; Human Resources, Payroll and Pensions; IT Infrastructure and Support; Procurement; Revenues and Benefits; and Corporate Programmes
Re: Planning and Development Management; Building Control; Land Charges; Environmental Health; Trading Standards and Licensing; Cemetery and Crematorium; Highways; Strategic Planning; and Regeneration
8. Appendix C Risk Escalation
9. Appendix D: Contract Clauses, Definitions & Policy List
9.1. Contract Clauses
The CSG contract clauses that underpin this protocol are as follows:
- 28 Service Providers Records and Audit [Authority Policy Clause]
- 45 Termination on Corrupt Gifts and Fraud [Authority Policy Clause]
See these clauses of the CSG contract via the link below:
http://www.barnet.gov.uk/downloads/download/1241/csg_main_contract
Please note that the corresponding clause numbers within the Re contract are 36 and 53 respectively and can be seen via the link below:
http://www.barnet.gov.uk/downloads/download/1267/drs_main_contract
9.2. Definitions - Governance Standard
Capita will, in line with contract clause 28.5.1 (CSG) / 36.5.1 (Re), comply with this Governance Standard definition, and will provide a compliance statement by January of each year. This is in order to inform LBB's Annual Governance Statement, and providing it in January will allow for any additional audit work to be completed, if required, by LBB by the end of March. It is expected that Capita will meet the governance standards required to support LBB's Chief Finance Officer's responsibilities as per the Council's constitution. In broad terms, Capita's control framework will need to meet control objectives including:
- Anti-Fraud
- Asset Management
- Audit & Assurance Framework
- Business Continuity
- Data Quality
- Equalities
- Financial Management
- Governance
- Health, Safety & Wellbeing
- Information Management & Governance
- Partnerships
- People Management
- Performance Management
- Procurement & Contracts Management
- Project Management
- Risk & Issue Management
The compliance checklist can be found below at 9.3.1 and 9.3.2.
* the spreadsheet that will be completed and returned to LBB Assurance includes further detail to support the self-assessment of whether the controls in place are effective.
9.3. Governance Standards Compliance checklist
9.3.1 CSG Governance Standards extract*
Responsible Person:
Table columns: Question, Assessment, Notes
1.00 Internal Audit
1.01 Audit arrangements are in line with section 2 of the protocol
2.00 Anti-Fraud
2.01 Anti-Fraud arrangements are in line with section 3 of the protocol
3.00 Risk Management
3.01 Risk management arrangements are in line with section 4 of the protocol
4.00 Performance Management & Data Quality
4.01 There is a Performance Management Framework in place that has been approved by the Council and there is evidence of this approval
Notes: As required by the contract Schedule 22
4.02 Baselines set for performance indicators are supported by robust data sets
4.03 Performance against contractual PIs, KPIs and Super KPIs is regularly monitored and reviewed by senior personnel
4.04 The delivery unit complies with the Council's Data Quality policy and can evidence checks of this compliance
Notes: As required by the contract Schedule 22
4.05 Systems and processes are fit for purpose and adequate and effective controls are in place during the input, reporting and output of data
Controls are in place to ensure the performance data reported to the Council meets the Council's Data Quality requirements of:
4.06 Accuracy - data is without errors, and adheres precisely to any applicable definition.
4.07 Reliability - data reflects stable and consistent collection and capture processes across collection points and over time. These processes should minimise manual intervention and maximise the automation of data collection and manipulation.
4.08 Timeliness - data is captured as quickly as possible after the event or activity, and is used in a timely fashion.
4.09 Relevance - data is applicable to the issue and provides the answers needed
4.10 Completeness - data collected and captured comprises of all necessary elements
4.11 A clear audit trail - a documented process for obtaining and using the data, which is understood by all involved in producing the data, and is accessible to those who rely on the data or have an interest in it. Clear and complete audit trails must be maintained to demonstrate accuracy for all data used for decision-making.
4.00 People Management
4.01 All relevant staff are aware of the responsibilities under the Council's HR regulations and have been adequately trained to discharge those responsibilities
Click here for HR regulations (revised May 2013): http://barnet.moderngov.co.uk/documents/s8923/UHRRegulations.doc.pdf
Notes: As required by the contract Schedule 22 - HR Regulations are part of the Council's constitution
4.02 HR policies and procedures are in place and are updated in line with legislative or other required changes
4.03 Changes to HR policies and procedures for LBB are approved by the Council
4.04 HR Business Partners are fully aware of HR policies and procedures, and communicate these to officers across the Council
4.05 HR Business Partners provide support to officers across the Council to facilitate the correct application of HR policies and procedures
4.06 HR Business Partners provide officers across the Council with the data, access to systems or reports they need to manage performance within their delivery unit
4.07 Safer Recruitment - corporate pre-employment checks and agreed recruitment protocols are being followed. On-going Safeguarding checks are undertaken for current employees
4.08 Organisational structures which reflect the composition of the Council's workforce and current vacancies are up to date and accurate.
4.09 Roles & Responsibilities across the Council are clearly defined and supported by up to date job descriptions
5.00 Financial Management
5.01 All relevant staff are aware of the responsibilities under part four of the Council's financial regulations and have been adequately trained to discharge those responsibilities
Click here for Financial regulations (revised May 2013): http://barnet.moderngov.co.uk/documents/s8919/RAmendedFinancialRegulations030513.doc.pdf
Notes: As required by the contract Schedule 22 - Financial Regulations are part of the Council's constitution
5.02 Financial Management policies and procedures are in place and are updated in line with legislative or other required changes
5.03 Changes to Financial Management policies and procedures for LBB are approved by the Council
5.04 Finance Business Partners are fully aware of Financial Management policies and procedures, and communicate these to officers across the Council
5.05 Finance Business Partners provide support to officers across the Council to facilitate the correct application of Finance policies and procedures
5.06 Finance Business Partners provide officers across the Council with the data, access to systems or reports they need to manage delivery unit budgets
5.07 The Key Financial System services below, which CSG provides on the Council's behalf, have been audited by Capita Internal Audit within the past 12 months.
Where this is not the case, please confirm what assurance you have obtained over risk and key controls for those systems. See links to separate tabs for:
5.08 Treasury Management
5.09 Pension Fund Management
5.10 Payroll
5.11 Cashbook
5.12 Fixed Assets
5.13 Income and Debt Management
5.14 Accounts Payable
5.15 Financial transactions within the finance service are processed through SAP (until replacement finance system introduced in April 2014), or written approval has been obtained via the Customer Services and Information Management Board agreeing to the use of other systems.
5.16 Reconciliations are undertaken between the systems that feed into the Annual accounts (e.g. Housing Benefit, Council Tax, NNDR) and the main accounting system.
5.17 Any issues identified through the reconciliation process are addressed in a timely manner.
5.18 IT general and application controls over the general ledger are designed and operating effectively, as assessed by External Audit
5.19 Staff ensure that adequate procedures are in place to maintain proper accounting records and entries in them are properly authorised.
5.20 There is a timetable in existence to support the closure of the Council's annual accounts. This includes key milestones and appropriate liaison with external audit.
6.00 Asset Management
6.01 All relevant staff are aware of the responsibilities under parts 4 (Financial Management including Capital) and 5.6 (Assets) of the Council's financial regulations and have been adequately trained to discharge those responsibilities
Click here for Financial regulations (revised May 2013): http://barnet.moderngov.co.uk/documents/s8919/RAmendedFinancialRegulations030513.doc.pdf
Notes: As required by the contract Schedule 22 - Financial Regulations are part of the Council's constitution
6.02 All relevant staff are aware of the responsibilities under the Council's Management of Asset, Property and Land Rules and have been adequately trained to discharge those responsibilities
Click here for The Management of Asset, Property and Land Rules (revised May 2013): http://barnet.moderngov.co.uk/documents/s8922/TAssetsPropertyandLandRulesv1020130320.doc.pdf
Notes: As required by the contract Schedule 22 - The Management of Asset, Property and Land Rules are part of the Council's constitution
Asset Management policies and procedures are in place and are updated in line with legislative or other required changes
Changes to Asset Management policies and procedures for LBB are approved by the Council
Estates staff are fully aware of Asset Management policies and procedures, and communicate these to officers across the Council as required
Estates staff provide support as required to officers across the Council to facilitate the correct application of Asset Management policies and procedures
Estates staff provide officers across the Council with any data, access to systems or reports they need to manage delivery unit assets
The Fixed Asset Register is up to date and systems to support this aim are adequate
Rent reviews are processed in a timely fashion through SAP (until replacement finance system introduced in April 2014) to ensure rent data is complete and accurate
There are clear links between the CSG Estates function and the CSG Finance function and respective roles and responsibilities are clear
8.00 Governance
8.01 The service provider has corporate governance arrangements in place that are in line with the recommendations of the Cadbury report
8.02 Staff conduct themselves in line with the Nolan principles of public life i.e. Selflessness, Integrity, Objectivity, Accountability, Openness, Honesty, Leadership
http://www.public-standards.gov.uk/
8.03 All relevant staff are aware of the Council's decision making processes, as defined in the Constitution Part 1 and Article 12, and adhere to these processes:
Notes: As required by the contract Schedule 22 - Decision making processes are part of the Council's constitution
Click here for Part 1 of the Constitution (revised May 2013): http://barnet.moderngov.co.uk/documents/s8895/Part%201%20-%20Decision%20Making.pdf
Click here for Article 12 of the Constitution (revised May 2013) http://barnet.moderngov.co.uk/documents/s8907/HArticle12DecisionMaking.doc.pdf
8.04 Assurances are obtained that the Constitutional decision making processes are being followed.
8.05 There is a staff Code of Conduct / Code of Ethics in place and staff adherence to these requirements is monitored.
8.06 Anti-Bribery arrangements are in place and the Council's Bribery Policy Statement and Procedure are complied with.
Notes: As required by the contract Schedule 22
8.07 Legislation - The impact of new legislation on the delivery unit is considered in a formal and structured way and the response clearly documented.
8.08 Equalities - The delivery unit complies with an Equalities Policy which the Council has approved
Notes: As required by the contract Schedule 22
8.09 Equalities - The Equalities duty is complied with i.e. the duty to consult
9.00 Procurement & contracts management
9.01 All procurement undertaken on behalf of the Council is done so in accordance with the requirements of the Council's Contract Procedure Rules
Click here for Contract Procedure Rules (CPRs) (revised May 2013): http://barnet.moderngov.co.uk/documents/s8920/SContractProcedureRulesFinal130513.doc.pdf
Notes: As required by the contract Schedule 22 - Contract Procedure Rules are part of the Council's constitution
9.02 The Code of Procurement Practice, including the '10 essentials that must be followed when carrying out Procurement', is understood and adhered to by staff undertaking procurement activities on behalf of the Council
Click here for the Code of Procurement Practice (revised May 2013): http://barnet.moderngov.co.uk/documents/s8921/S2ProcurementCodeofPracticeRevisionv06100313.doc.pdf
Notes: As required by the contract Schedule 22 - the Code of Procurement Practice is part of the Council's constitution
9.03 Procurement policies and procedures are in place and are updated in line with legislative or other required changes
9.04 Changes to Procurement policies and procedures for LBB are approved by the Council
9.05 Procurement Business Partners are fully aware of Procurement policies and procedures, and communicate these to officers across the Council
9.06 Procurement Business Partners provide support to officers across the Council to facilitate the correct application of Procurement policies and procedures and best practice regarding contract management
9.07 Procurement Business Partners provide officers across the Council with the data, access to systems or reports they need to manage delivery unit contracts
9.08 Conflicts of interest are effectively managed when letting contracts. There is Monitoring and Control of the Conflict of Interest Protocol and Register (Sch 31) and staff compliance with this.
9.09 Supply chain risks are considered and controls are in place to mitigate these risks
9.10 All contracts and consultancy arrangements clearly identify the key deliverables, SLAs and performance monitoring processes that demonstrate that the Council receives best value
9.11 All contracts are recorded on a central Contracts Register by the Procurement function of CSG. This is kept fully up to date.
9.12 There is a clear contract renewal process and this is undertaken in a timely manner.
10.00 Information Management & Governance
10.01 Processes are in place to ensure staff are aware of their responsibilities in dealing with personal data and work in accordance with the Data Protection Act.
10.02 Data loss breaches are reported for assessment and dealt with appropriately in line with the Council's Data Protection Incident Reporting Procedure.
Notes: As required by the contract Schedule 22
10.03 Procedures are in place to review all records in line with DPA and the Council's Information Management Policy.
Notes: As required by the contract Schedule 22
10.04 Staff are aware of and adhere to the Information Governance Framework policies that should be complied with under the contract schedule 'Authority's Policies'. Where the service provider should have an equivalent policy to be approved by the Council, this approval can be evidenced
Notes: As required by the contract Schedule 22
11.00 Project Management
11.01 All key projects in the delivery unit have been identified and Corporate Programmes are aware
11.02 There is a Project Management policy in place which is in line with the One Barnet Project Toolkit and best practice, for example the Prince II methodology.
11.03 The Project Management policy is kept up to date in line with best practice
11.04 Key documents outlined in the Council's One Barnet's project methodology are in place, for example a business case. These are reviewed, agreed and signed off by relevant project members and stakeholders.
11.05 Project Management outputs e.g. Business Cases are fit for purpose and can be relied upon by decision makers
11.06 Checks are made that the Project Management policy is being applied consistently in practice
12.00 Partnerships
12.01 Partnership working with other Delivery Units and other public sector bodies is effective; the cross-cutting strategic KPIs within the contract are met
13.00 Business Continuity Plans
13.01 Delivery Unit has an up-to-date BC plan(s) including a list of all key contacts covering key / critical staff, partners and suppliers.
13.02 All staff are aware of the plan and how to respond in the event the plan is activated.
13.03 These BC plans have recently been tested/exercised.
14.00 Health, Safety and Wellbeing
14.01 Risk Assessments of work activities and premises are carried out and the plan is risk-based.
14.02 Premises audits are completed and the schedule is risk-based.
14.03 Health & Safety policies and procedures are in place and are updated in line with legislative or other required changes
14.04 Where the service provider should have equivalent Health & Safety policies to be approved by the Council, this approval can be evidenced
Notes: As required by the contract Schedule 22
14.05 Changes to Health & Safety policies and procedures for LBB are approved by the Council
15.00 Other significant Internal Control Issues
15.01 Apart from the issues raised above, are there any significant control or other matters arising in your Delivery Unit which could adversely affect the signing of the Council's Annual Governance Statement (AGS)? E.g. Fraudulent activity, major overspends, European contract non-compliance; non-compliance with any other policies, laws or regulations. Please provide details below and assess as per the above questions.
9.3.2. Re Governance Standards extract*. DRAFT subject to finalisation
Responsible Person:
Table columns: Question, Assessment, Notes
1.00 Internal Audit
1.01 Audit arrangements are in line with section 2 of the protocol
2.00 Anti-Fraud
2.01 Anti-Fraud arrangements are in line with section 3 of the protocol
3.00 Risk Management
3.01 Risk management arrangements are in line with section 4 of the protocol
4.00 Performance Management & Data Quality
4.01 There is a Performance Management Framework in place that has been approved by the Council and there is evidence of this approval
Notes: As required by the contract Schedule 33 - Authority's Policies
4.02 Baselines set for performance indicators are supported by robust data sets
4.03 Performance against contractual PIs, KPIs and Super KPIs is regularly monitored and reviewed by senior personnel
4.04 The delivery unit complies with the Council's Data Quality policy and can evidence checks of this compliance
Notes: As required by the contract Schedule 33
4.05 Systems and processes are fit for purpose and adequate and effective controls are in place during the input, reporting and output of data
Controls are in place to ensure the performance data reported to the Council meets the Council's Data Quality requirements of:
4.06 Accuracy - data is without errors, and adheres precisely to any applicable definition.
4.07 Reliability - data reflects stable and consistent collection and capture processes across collection points and over time. These processes should minimise manual intervention and maximise the automation of data collection and manipulation.
4.08 Timeliness - data is captured as quickly as possible after the event or activity, and is used in a timely fashion.
4.09 Relevance - data is applicable to the issue and provides the answers needed
4.10 Completeness - data collected and captured comprises of all necessary elements
4.11 A clear audit trail - a documented process for obtaining and using the data, which is understood by all involved in producing the data, and is accessible to those who rely on the data or have an interest in it. Clear and complete audit trails must be maintained to demonstrate accuracy for all data used for decision-making.
5.00 Asset Management
5.01 Asset Management policies and procedures are in place and are updated in line with legislative or other required changes
5.02 The Fixed Asset Register is up to date and systems to support this aim are adequate
6.00 Governance
6.01 All relevant staff are aware of the Council's decision making processes, as defined in the Constitution Part 1 and Article 12, and adhere to these processes:
Notes: As required by the contract Schedule 33 - Decision making processes are part of the Council's constitution
Click here for Part 1 of the Constitution (revised May 2013): http://barnet.moderngov.co.uk/documents/s8895/Part%201%20-%20Decision%20Making.pdf
Click here for Article 12 of the Constitution (revised May 2013) http://barnet.moderngov.co.uk/documents/s8907/HArticle12DecisionMaking.doc.pdf
6.02 There is a staff Code of Conduct / Code of Ethics in place and staff adherence to these requirements is monitored.
6.03 Anti-Bribery arrangements are in place and the Council's Bribery Policy Statement and Procedure are complied with.
Notes: As required by the contract Schedule 33
6.04 There is an up to date Scheme of Delegation in place for the delivery unit and this is adhered to.
6.05 Planning - all relevant staff are aware of the requirements of the Council's Members' Planning Code of Practice.
Click here for Members' Planning Code of Practice (revised May 2013): http://barnet.moderngov.co.uk/documents/s8925/WMembersPlanningCodeofPractice.doc.pdf
6.06 Licensing - all relevant staff are aware of the requirements of the Council's Members' Planning Code of Practice.
Click here for Members' Planning Code of Practice (revised May 2013): http://barnet.moderngov.co.uk/documents/s8925/WMembersPlanningCodeofPractice.doc.pdf
6.07 Legislation - The impact of new legislation on the delivery unit is considered in a formal and structured way and the response clearly documented.
6.08 Equalities - The delivery unit complies with an Equalities Policy which the Council has approved
Notes: As required by the contract Schedule 33
6.09 Equalities - The Equalities duty is complied with i.e. the duty to consult
7.00 Procurement & contracts management
7.01 Internal Audit can provide assurance over the Procurement and Contract Management of the delivery unit
7.02 Procurement policies and procedures are in place and are updated in line with legislative or other required changes
7.03 Conflicts of interest are effectively managed when letting contracts. There is Monitoring and Control of the Conflict of Interest Protocol and Register (Sch 28) and staff compliance with this.
7.04 Supply chain risks are considered and controls are in place to mitigate these risks
7.05 All contracts and consultancy arrangements clearly identify the key deliverables, SLAs and performance monitoring processes that demonstrate that the JV receives best value
7.06 There is a clear contract renewal process and this is undertaken in a timely manner.
8.00 Information Management & Governance
8.01 Processes are in place to ensure staff are aware of their responsibilities in dealing with personal data and work in accordance with the Data Protection Act.
8.02 Data loss breaches are reported for assessment and dealt with appropriately in line with the Council's Data Protection Incident Reporting Procedure.
Notes: As required by the contract Schedule 33
8.03 Procedures are in place to review all records in line with DPA and the Council's Information Management Policy.
Notes: As required by the contract Schedule 33
8.04 Staff are aware of and adhere to the Information Governance Framework policies that should be complied with under the contract schedule 'Authority's Policies'. Where the service provider should have an equivalent policy to be approved by the Council, this approval can be evidenced
Notes: As required by the contract Schedule 33
9.00 Project Management
9.01 All key projects in the delivery unit have been identified and Corporate Programmes made aware
9.02 There is a Project Management policy in place which is in line with the One Barnet Project Toolkit or best practice, for example Prince II.
9.03 The Project Management policy is kept up to date in line with best practice
9.04 Key documents outlined in the Council's One Barnet's project methodology are in place, for example a business case. These are reviewed, agreed and signed off by relevant project members and stakeholders.
9.05 Project Management outputs e.g. Business Cases are fit for purpose and can be relied upon by decision makers
9.06 Checks are made that the Project Management policy is being applied consistently in practice
10.00 Partnerships
10.01 Partnership working with other Delivery Units and other public sector bodies is effective; the cross-cutting strategic KPIs within the contract are met
11.00 Business Continuity Plans
11.01 Delivery Unit has an up-to-date BC plan(s) including a list of all key contacts covering key / critical staff, partners and suppliers.
11.02 All staff are aware of the plan and how to respond in the event the plan is activated.
12.03 These BC plans have recently been tested/exercised.
13.00 Health, Safety and Wellbeing
13.01 Risk Assessments of work activities and premises are carried out and the plan is risk-based.
13.02 Premises audits are completed and the schedule is risk-based.
13.03 Health & Safety policies and procedures are in place and are updated in line with legislative or other required changes
13.04 Where the service provider should have equivalent Health & Safety policies to be approved by the Council, this approval can be evidenced
Notes: As required by the contract Schedule 33
13.05 Changes to Health & Safety policies and procedures for LBB are approved by the Council
14.00 Other significant Internal Control Issues
14.01 Apart from the issues raised above, are there any significant control or other matters arising in your Delivery Unit which could adversely affect the signing of the Council's Annual Governance Statement (AGS)? E.g. Fraudulent activity, major overspends, European contract non-compliance; non-compliance with any other policies, laws or regulations. Please provide details below and assess as per the above questions.
9.4. Definitions: Assurance and priority ratings
9.4.1. LBB Assurance
The following is a guide to the assurance levels given:
Substantial Assurance: There is a sound system of internal control designed to achieve the system objectives. The control processes tested are being consistently applied.
Satisfactory Assurance: While there is a basically sound system of internal control, there are weaknesses which put some of the client's objectives at risk. There is evidence that the level of non-compliance with some of the control processes may put some of the system objectives at risk.
Limited Assurance: Weaknesses in the system of internal controls are such as to put the client's objectives at risk. The level of non-compliance puts the system objectives at risk.
No Assurance: Control processes are generally weak, leaving the processes/systems open to significant error or abuse. Significant non-compliance with basic control processes leaves the processes/systems open to error or abuse.
Priorities assigned to recommendations are based on the following criteria:
High: Fundamental issue where action is considered imperative to ensure that the Council is not exposed to high risks; also covers breaches of legislation and policies and procedures. Action to be effected within 1 to 3 months.
Medium: Significant issue where action is considered necessary to avoid exposure to significant risk. Action to be effected within 3 to 6 months.
Low: Issue that merits attention/where action is considered desirable. Action usually to be effected within 6 months to 1 year.
9.4.2. Capita
Audit Classification
The following are descriptions of audit classifications used:
Satisfactory: No high risk weaknesses were identified in the system and no significant areas of non-compliance with policy or procedures were noted. Improvements may have been advised to improve or strengthen existing controls.
Improvement Required: There are medium risk weaknesses in control that, although individually do not pose a high risk, when taken together indicate a control environment that requires attention.
Significant Improvement Required: There are one or more high risk weaknesses in control, or several medium risk weaknesses, that expose the Business Unit to a high level of overall risk requiring prompt action.
Unsatisfactory: There are one or more critical weaknesses in control, or several high risk weaknesses, exposing the Business Unit to a very high overall level of risk.
Risk Ratings
Each reported finding is assigned a risk rating of Critical, High, Medium or Low as follows:
Critical: Critical control weakness requiring immediate action as it exposes the Business to a very high risk of imminent significant financial loss, reputational damage, or severe legal/regulatory sanctions.
High: Control weakness requiring prompt action as it exposes the Business to a high risk of significant financial loss, reputational damage, or severe legal/regulatory sanctions.
Medium: Control weakness that should be addressed as it exposes the Business to some risk of financial loss, reputational damage, or legal/regulatory sanction.
Low: Basic internal controls are adequate but improvements could be made to bring procedures in line with current industry best practice.
9.5. Policy List
See Schedule 22 (CSG): Authorities Policies via the link below
http://www.barnet.gov.uk/downloads/download/1241/csg_main_contract
See Schedule 33 (Re): Authorities Policies via the link below
http://www.barnet.gov.uk/downloads/download/1272/schedules_5-33
10. Appendix E: Annual Timetable of Activity
The annual timetable of activity amalgamates both LBB's and Capita's key planning, reporting and meeting dates in an effort to coordinate activities, schedule liaison meetings and create a forward plan of assurance deliverables (see Table 3: Liaison Meetings). The annual timetable of activity will be produced in quarter one and be the basis of the first liaison meeting of each year. The following outlines key information required for developing the timetable.
10.1. Planning
10.1.1. LBB Assurance
Audit & CAFT planning cycle: Risk based planning, January 2014 to March 2014
Internal Audit and Anti-Fraud Strategy & Annual Plan and Risk Management Approach: Goes to Audit Committee April 2014
Risk Management Framework: Goes to Audit Committee April 2014
Annual Audit Opinion: Goes to Audit Committee July 2014
CAFT Annual Report: Goes to Audit Committee July 2014
Annual Governance Statement: Goes to Audit Committee July 2014
10.1.2. Capita
Annual Audit Planning: Risk based planning, August to October 2013
GIA Annual Plan 2014: Presented to Group Audit Committee November 2013
Risk Management Framework
Annual Audit Opinion: Goes to Audit Committee May 2014
10.2. Reporting and Meeting Dates
10.2.1. LBB
The primary LBB Assurance meetings are Strategic Commissioning Board (SCB) Assurance and Audit Committee. The calendar of Council meetings, including Audit Committee, is agreed at Full Council in May. SCB Assurance meets bi-monthly.
Standard clearance and circulation is 10 working days for reports. The following table outlines the key remaining dates in this financial year. For the purposes of clearing LBB Assurance quarterly reports for Audit Committee, these are first taken to SCB Assurance; therefore the corresponding Quarter that will be reported to each meeting has been included.
LBB Quarter to be reported SCB Assurance Audit Committee
Q2
Thursday 24 October Q3 Tuesday 26th November
Tuesday 28 January Tuesday 21st January
Q4 Tuesday 18th March
Tuesday 29 April
10.2.2. Capita
Group Audit and Risk Committee: February 25th 2014, May 27th 2014, July 22nd 2014, November 25th 2014
[Timetable to be produced, needs to consider audit annual planning cycle start and end dates, LBB Assurance receiving Capita finalised plan, LBB Assurance receiving Capita HoIA opinion etc]
11. Appendix F: Documents Checklist
Documents required at time of agreeing protocol
1. Capita draft 2014 Internal Audit plan relating to services delivered to Barnet
Documents required to inform LBB Assurance assessment of reliance on Capita internal audit
7. Capita Internal Audit Terms of Reference / Charter
8. Capita Internal Audit latest reporting of performance against audit plan
9. Capita Internal Audit accreditation and quality reports (e.g. ISO standards) if applicable
10. Latest Capita Internal Audit review of compliance with Internal Audit Standards
11. Latest Capita Annual Report (LBB Assurance will be seeking assurance from the Governance section for example), usually published in April
12. Other documents as agreed between the parties
On-going documents required
1. Internal Audit quarterly reports on LBB services (within 15 days of agreed quarterly date i.e. 1st April, 1st July, 1st October, 1st January)
2. Internal Audit quarterly reporting of progress against audit plan (if separate to quarterly report)
3. Annual Head of Internal Audit Opinion
4. Internal Audit annual plan
5. Other documents as agreed between the parties
12. Appendix G: Internal Audit Decision Tree
[Flowchart: box labels as extracted; the connecting arrows and Yes/No branch labels are not recoverable]
Internal Control Environment Assurance Governance Standard Compliance Statement Received by March each year
Accuracy test: Cross reference against client side.
Internal control environment sound?
Concern re: control environment or services - Invoke 28.6.1
Escalate to contract manager
Does provider have their own internal audit function? (28.5.2a)
Audit Plan Consulted Submitted 28.5.2 b and c
Raise concerns Via 28.6.1
Note: consider timing with client side
Assurances received regarding adequacy of internal control environment
Informs HoIA opinion
Carry out risk based audit programme based on 28.5.4
Can audit plan be relied on for wider assurance? (Assessed via External Assurance framework)
Escalate to contract manager
Does audit plan provide sufficient coverage on LBB transactions?
Informs HoIA opinion
Relevant internal audit reports submitted (25.5.2 d, e, f)
Concerns over sufficiency or accuracy
Informs HoIA opinion
Raise concerns
Concerns rectified?
Risk based audit via 28.5.4 (a)
Clauses Key (note the clause numbers here refer to the CSG contract):
28.5.2:
A: Establishing its own internal audit function
B: Consultation with the Authority prior to finalising its Annual Internal Audit Plan
C: Submit its own Annual IA Plan by the end of April in each contract year
D: Submit IA reports within 15 Business Days of the agreed quarterly date
E: Limited or no assurance submitted within 5 working days
F: Undertake yearly audits of all IPR used in the performance of the Services
28.5.4: Risk-based audit - Capita bears cost, longer timeframe
A: The Service Provider doesn't have an internal audit service
B: The Service Provider has an internal audit service but the Authority's internal audit service is unable to rely on the audits and work carried out by the Service Provider's internal audit service
28.6.1: Audit - Bear respective costs, shorter timeframe
The Authority or its appointed Auditor may, upon no less than two Business Days' notice where the Authority has concerns in respect of the Services, and ten Business Days' notice in all other circumstances.
28th November 2013 Date: 28/11/13
13. Appendix H: CAFT Decision Tree
[Flowchart: box labels as extracted; the connecting arrows are not recoverable]
Notify the Authority directly
The Authority has the power to audit books, records and any relevant documents under clause 45.1.8.
End of process; recommendations to be made
45.1.10 rules of termination
Fraud is suspected. See 45.1.2
Fraud is known to have been committed. See 45.1.7
All loss is recovered under clause 45.1.3
The Service Provider must give any reasonable assistance to any investigation undertaken by the Authority, see 45.1.5.a
Loss is not recovered
Final termination, see 45.1.12
The Authority has the power to terminate the contract if there has been a breach of 45.1.4. Power to terminate agreement is stated under 45.1.9
See 45.1.11
End process; recommendations to be made
Verify that the Service Provider, or a related party, agent or shareholder, has breached clause 45.1.4
Escalate to Contract Manager