APPENDIX A

Bentley Jennison

RISK MANAGEMENT LTD

WESTMINSTER CITY COUNCIL

DRAFT INTERNAL AUDIT PLAN 2006/07

CONTENTS Section 1) Introduction 2) Audit Needs Assessment Methodology 3) Emerging Issues 4) Strategy for Internal Audit 5) Planned Coverage Page 2 3 4 5 6

Appendices Departmental Plans A) Corporate B) Finance Department C) Customer Services Department D) Transportation Department E) Policy and Communications F) Planning and City Development G) Environment and Leisure H) Corporate Property I) Legal and Administrative Services J) Children Services K) Children and Families, Lifelong Learning L) Housing M)Adult Social Care Community Protection 10 13 16 18 20 22 23 24 25 26 27 29 32 34

L)

1.

INTRODUCTION

Purpose This document sets out the proposed Westminster City Council annual Internal Audit plan for 2006/07. The plan has been derived from the 5-year plan agreed by the Director of Finance and reported to the Audit and Performance Overview and Scrutiny Sub-Committee. The plan has been reviewed and updated in view of findings arising from 2005/06 audit work and with reference to departmental business plans and risk registers. A consultation process has been undertaken during March with Departmental management to ensure the audit coverage for each department reflects key risks. The policy context of the Internal Audit Service is to ensure: Effective control over Council activities by: Monitoring, appraising and reporting upon the Councils internal control procedures. Investigating and reporting upon any suspected areas of fraud or irregularity.

The purpose of Internal Audit is to provide the Council, through the Audit and Performance Sub-Committee and the Director of Finance with an independent and objective opinion on risk management, control and governance and their effectiveness in achieving the Council's objectives. This opinion forms part of the framework of assurances that the Council receives and is to be used to help inform the annual Statement on Internal Control (SIC). Internal Audit also has an independent and objective consultancy role to help line managers improve risk management, governance and control. Our Responsibilities Our professional responsibilities as Internal Auditors are set out in the CIPFA Code of Practice for Internal Auditing in Local Government (2004). In line with these requirements, we perform our Internal Audit work with a view to reviewing and evaluating the risk management, control and governance arrangements that the Council has in place to: Establish and monitor the achievement of the Councils objectives Identify, assess and manage the risks to achieving the Councils objectives

Formulate and evaluate policy, or provide policy advice, within the responsibilities of the Section 151 Officer Ensure the economical, effective and efficient use of resources Ensure compliance with established policies, procedures, laws and regulations, including the Councils own governance arrangements Safeguard the organisations assets and interests from losses of all kinds, including those arising from fraud, irregularity or corruption Ensure the integrity and reliability of information, accounts and data

As well as the planned audits detailed in the Annual Audit Plan, Internal Audit will also undertake the following work during the forthcoming year: 1 Follow-up Recommendations arising from audits will be followed up to confirm that agreed actions have been implemented. Audits which receive No Assurance will be followed up on an ongoing basis until all priority 1 recommendations have been implemented. Audits which receive Limited Assurance will be followed up 3 months after the final report is issued. Audits which receive Substantial Assurance will be followed up six months after issue of the final report. Follow ups include testing of key recommendations to ensure that they have been implemented. A report will be issued in respect of all follow ups with a revised action plan for the implementation of outstanding recommendations. A revised assurance level will also be stated which reflects audits opinion of the system of control after the recommendations of the original report have been implemented. Ad-hoc Advice and Support Will be provided throughout the year on a range of issues including; risk management, money laundering, freedom of information, control improvement, governance, application of Financial Regulations and Standards etc. 2. AUDIT NEEDS ASSESSMENT METHODOLOGY Our audit approach is risk based. In order to identify the areas that require Internal Audit coverage, we need to understand the risks facing the Council. Therefore as a starting point the Councils risk register is used to inform the audit needs assessment. Departmental risk registers are not however consistently in place across all departments which unfortunately means that we are unable to place reliance on them. Where risk registers have been provided, Internal Audit have reviewed and evaluated them.

A comprehensive risk based Internal Audit approach has been adopted which ensures that risk is integrated into strategic and operational reviews, processes and practices. A summary of our approach is as follows: Identification of risk areas; Performance of a risk assessment to gauge the degree of risk or materiality associated with a particular area; Risk is categorised and rated in accordance with; corporate importance, corporate sensitivity, inherent risk and control risk; Calculation of the audit risk index; The audit areas are ranked by reference to the risk index and classified as high, medium or low priority; Internal Audit resources are focused on the areas of highest risk. We used cumulative knowledge of the organisation from previous Internal Audit work to identify areas that would benefit from Internal Audit coverage From the Councils own risk register and analyses, we identified the priorities afforded to the risks by the Council The Audit Needs Assessment also identified areas of coverage that do not appear as high priority risks, but where Internal Audit can provide tangible input to assurance, for example: Requirements of management Minimum Internal Audit coverage requirements e.g. key controls audit and documentation of key information flows Areas of concern flagged by management or the Audit Committee Emerging issues; and Need for ongoing assurance in relation to key aspects of internal control 3. EMERGING ISSUES 2006/7 Key emerging issues in 2005/6 which have shaped the 2006/7 Internal Audit Planning process are: Focus on key financial systems All core financial systems will be audited in 2006/07. This has been requested by the Director of Finance following on from several audits of key financial processes which have resulted in significant recommendations. It also reflects the revised External Audit methodology resulting from changes in International Accounting Standards which requires an authority to continually update its key control information in core areas. The audit work will also complement the substantial revision of financial regulations and procedures which is currently

being undertaken in the Finance Department. In addition the majority of the audits undertaken in departments will include testing to ascertain whether financial regulations and the Procurement Code are being complied with. One issue of particular concern is the extent to which Purchase Orders are used in accordance with financial regulations. As a result of the enhanced focus on compliance issues a sample of 5 invoices will be extracted from the main accounting system each month. The extent to which control systems within departments are robust enough to ensure the invoice was authorised in accordance with Financial Regulations will then be verified. An allocation of 90 days has been made within the plan for completing this compliance review work. This will be reviewed during the year in light of the findings of completed reviews.

Schools Financial Management Standard The Department for Education and Skills requires all Secondary schools to be accredited as compliant with its new financial standards by March 2007. In subsequent years all schools will need to achieve this standard. The Director of Finance will be required to certify the number of schools reaching the standard at the end of each financial year. The Schools audit programme is therefore being developed and reprogrammed to enable Internal Audit to certify compliance with the standard at all secondary schools by March 2007. Line Management Self Assurance The Chief Executives Steering Group and Corporate Management Board have agreed to the Head of Risk and Audits proposals to incorporate a new system of line management self assurance of the control environment which they are responsible for . Internal Audit are currently developing a framework to trial in the Finance Department. The system will then be developed across the Council. It is essentially a self-assessment exercise which provides an overall assurance level for the service area, highlights service specific risks, and identifies any significant control weaknesses and actions proposed. Internal Audit will verify the information provided on a sample basis. Key benefits of the system are as follows: Support managers in the delivery of services and achievement of objectives Provide a consistent framework for management monitoring and accountability across the Council Address external audit concerns about weaknesses in control systems and support improvement of the CPA score in this area

 Support the external auditors plans for increased emphasis on review of financial systems Underpin the implementation of revised financial regulations and procurement code Demonstrate compliance with corporate policies and procedures Support the preparation of the Statement of Internal Control A contingency allocation has been included in the 2006/7 plan of 30 days to enable a programme of self assurance work to be carried out RAG Status All audits from 1 April 2006 will be given a Red, Amber or Green Audit Opinion depending on the risk status of the area to be audited and the assurance level resulting from the Audit. The purpose is to increase the clarity of audit reporting and focus management attention on the most significant issues. The RAG status will be used as part of the performance reporting of internal audit to the Head of Risk and Audit and the Audit and Performance Committee. Audits will be accorded a RAG status as set out in Matrix below: OPINION MATRIX Risk/impact High Medium Green Low Full Substantial Limited None ASSURANCE Green Amber Amber Amber Green Amber Amber Red Red Red Red

Escalation Strategy In order to ensure that all audit recommendations are implemented on a timely basis an escalation strategy is being produced in conjunction with the Head of Risk and Audit. A monthly report will be produced for all audits which it has not been possible to finalise within one month of issue and all significant recommendations which have not been implemented by the time of the follow up. These audits will be reported to the Head of Finance and the Chief Officer of the relevant Department and to the Director of Finance and the Chief Executive.

Agreement of Annual Plan / Circulation of Internal Audit Work The 2006/07 Plan will be discussed and agreed with each Departmental Management Team. The circulation of all audit briefs and audit reports will also be agreed at the DMT meetings as will a protocol in respect of which officers can sign off briefs and audit reports. Generally all briefs and draft reports will be signed off by the relevant Departmental management team member with a copy of the final report being sent to the relevant Chief Officer. Some chief officers have asked to see draft reports prior to sign off. Following DMT approval the 2006/07 Plan will also be circulated to the Chief Executives Steering Group for discussion and agreement. Audit Circulars Audit circulars will be issued quarterly to all Chief Officers and Heads of Finance In 2006/07 we will also issue directives to all Chief Officers and Heads of Finance as and when instances of non compliance which have corporate importance are found . All Chief Officers will be required to respond confirming implementation of recommendations made in Audit Circulars. Typically the areas of non compliance which will be reported will cover: Procurement Code Financial Regulations Standing Orders/Constitution Value for Money Issues Identified Contract Monitoring Response to and implementation of audit recommendations 4. STRATEGY FOR INTERNAL AUDIT WORK

The timing of audits, that is, how soon they will be undertaken in the cycle will depend upon: The priority for each area of coverage for Internal Audit, in terms of levels of risk to the Council When the last audit of the area was undertaken and what was the outcome When the risk to be considered is likely to impact upon the organisation Whether there are management concerns about the area Whether or not there have been significant systems, staff or organisational changes since the last audit.

In the course of the period covered by the Internal Audit Strategy, the priority and frequency of audit work will be subject to amendment in order to recognise alterations in audit needs assessment/risk analysis, caused by changes within the Council. A formal update will be performed each year to inform each years periodic plan, but changes may be necessary in-year and these will be agreed with the Head of Risk and Audit who is responsible for managing the Councils Internal Audit Contract. There is a monthly review process in place whereby the contractor will discuss and agree changes to the plan with the Head of Risk and Audit. Our professional judgement has been applied in assessing the level of resource required for the audits identified in the strategic cycle. The level of resource applied is a product of: The complexity of the system in place Factors such as number of locations, number of transactions or frequency of transactions The assurance which can be brought forward from previous years audits The type of audit undertaken.

The audit needs assessment is prepared with regard to constraints such as time and resources. Its purpose is to: Determine priorities and establish the most cost effective means of achieving audit objectives Assist in the direction and control of all audit work Ensure that adequate attention is devoted to critical aspects of audit work Included within the days allocated to each audit is::

A follow-up allocation. All audits are followed up according to a timetable dependent on the level of assurance received. The purpose of the follow up is to assess the degree of implementation achieved in relation to recommendations agreed by management during the audit. The level of implementation is reported to the Audit and Performance Sub-Committee. 5 PLANNED COVERAGE The recommended level and scope of audit coverage is set out in the 5- year strategic plan. The 2006/07 plan allows for 1700 days of audit work. The audits identified in this report total approximately 1800 days with the addition of the line management self assurance and compliance review work identified. Generally the reassignment of programmed dates as the result of timing changes during the year means that approximately 100 days of audit work is deleted or carried over into the following audit year. The audit programme will be delivered using the following staffing structure.

INTERNAL AUDIT STATUTORY AUDIT TEAM

Name Chris Harris Statutory Audit Debbie Chisman Marie Males Kodjo Abolou Karen Hughes Frank McVeigh Carl Walters Stuart Bartlett IT Audit Tim Moynihan Terry Day Tom Rybinski Job Title Contract Manager Audit Manager Principal Auditor Principal Auditor Senior Auditor Senior Auditor Senior Auditor Trainee Auditor Principal IT auditor IT Audit Director IT Auditor Contact Number 2820 2820 2463 2463 2463 2463 2820 2820 5211 5211 5211

The plan is divided into the following areas: Corporate Areas Finance Department Customer Services Department (includes Licensing) Transportation Planning & City Development Environment & Leisure Legal & Administrative Services Children & Community Services (includes Children & Families Social Services, Older People, Disability & Health and Specialist Social Care Services & Development) Education (includes Schools, Lifelong Learning) Housing ( including City West Homes) Community Protection Policy & Communications (includes IT audit)

Details of the individual audits planned for each Department are set out below:

10

APPENDIX A CORPORATE AUDITS

The following projects are proposed in 2006/07: Contract Compliance Related Audits: 1 Corporate Contract Monitoring High Risk-25 Days Departmental arrangements will be reviewed for monitoring and reporting key contracts in compliance with the Procurement Code. In particular risk identified as part of the corporate risk management process will be reviewed. This will include the risks of dishonest contractors, insufficient client monitoring, poor providers of services, payment of unnecessary costs, failure of service, inflexible operating controls and failure to achieve best practice. This audit has been discussed with the Head of Procurement . It has been agreed that this audit will focus on the role of Departmental Contracts Boards in monitoring the operational and financial performance of contracts . 2 Tendering Processes Major Contracts High Risk-20 Days A review of the adequacy of controls operated for tendering major contracts. In particular the audit will consider the extent of compliance with Financial Regulations and the Procurement Code. After discussion with the Head of Procurement it has been agreed that this audit will focus on the letting of the catering contract (and possibly printing and reprograpics). Reviews will be carried out of the letting of the catering contract at three stages; specification, responses to Invitation to Tender and at Award stage. 3 Corporate Procurement Code Compliance High Risk-20 Days The Procurement Code provides the corporate framework for letting and managing contracts for the City Council. This audit review will perform an assessment of compliance with the Procurement Code. The review scheduled for 2005/06 was postponed until 2006/07 because the Code was in the process of being re-drafted. At managements request this audit will be in two stages. A review of the new code prior to implementation and a subsequent review 3 months after implementation to assess the impact of the code.

11

4 Approved List High Risk- 25 Days The 2005/06 audit was postponed until 2006/07 due to a change in the system. This audit is to focus on compliance with controls to ensure only appropriate contractors are included on the list and that departments use the list in accordance with the Procurement Code. At managements request this audit will be carried out October/November to allow a new software system to be purchased and installed. Assurance Framework Related Audits: 5 Risk Management High Risk 15 Days Audit to focus on the arrangements in place for the implementation and monitoring of the Councils risk management policy. Sufficient work will be carried out to inform the risk management aspect of our annual opinion. In particular internal audit will be reviewing the risk management arrangements to ensure Council members and senior management know that key risks are being managed effectively. This audit will be carried out in the second half of the year and co-ordinated with the work of other review agencies such as the Audit Commission. The changing requirements of the CPA process in respect of risk management will be taken into account. 6 Governance High Risk 20 Days The following areas will be covered will be covered: The KLOE on risk management and internal audit. Policies and Procedures a review of how the authority ensures that it makes policies and guidance available to all staff, that they have read the guidance, and where necessary accepted it. Statement on Internal Control review of the processes in place to allow the authority to make a meaningful Statement on Internal Control (SIC). . This audit will also cover compliance with key aspects of the Councils Code of Governance, Constitution and Financial Regulations. 7 Performance Management and Business Planning - High Risk-20 Days In 2006/7 this review will focus on the Councils Business Planning Process. In the early part of the year there will also be a review of the completeness of a sample of Best Value Performance Indicators prior to external audit review.

12

8 Compliance Reviews High Risk 90 Days As a result of the enhanced focus on compliance issues a sample of 5 invoices will be extracted from the main accounting system each month. This sample will cover 5 separate departments each month and will concentrate on high value invoices. The extent to which control systems within departments are robust enough to ensure the invoice was authorised in accordance with Financial Regulations will then be verified. 9 Line Management Self Assurance 30 Days A contingency sum has been allocated for audit involvement in the new programme of line management Self Assurance. (See 3 above). In 2006/07 responsible managers for all core financial systems will be asked to assess and report on the extent to which their systems are compliant with financial regulations. This audit will take place in the second quarter of the year after new financial regulations have been issued.

13

FINANCE DEPARTMENT For 2006/07 the focus of internal audit work will be on core financial systems. All core financial systems will be audited against a set of expected key controls which will be agreed with the external auditors prior to the audits being undertaken. The key financial controls will reflect the Council financial regulations and Cipfa and the Audit Commissions published key control schedules. The following projects are proposed in 2006/07: 1 Housing Benefit High Risk -25 Days (CORE FINANCIAL SYSTEM) This audit will concentrate on the operation of controls to ensure that the possibility of fraudulent receipt of benefits is minimised and that adequate controls exist over the payment and reconciliation of benefit. The audit will include auditing of key controls including compliance with financial regulations and documentation of information flows in accordance with ISA315 (International Accounting Standards). 2 Loans & Investments Medium Risk -15 days (CORE FINANCIAL SYSTEM) The focus of this audit will be the Treasury Management Function, particularly controls over the movement and reconciliation of funds and compliance with financial regulations. 3. Council Tax Medium Risk -20 days (CORE FINANCIAL SYSTEM) Controls over charging, billing, collection and enforcement. This review is to encompass an audit of key controls, and documentation of key information flows. 4 NNDR Medium Risk -12 days (CORE FINANCIAL SYSTEM) Focus upon key controls, reconciliation and the collection fund. 5 Debtors High Risk -15 days (CORE FINANCIAL SYSTEM) Review of the level of debt and the effectiveness of the debt recovery process. Attention will be focused on those areas of the Council identified in the performance monitoring reports to Corporate Management Board as under-performing. This review will include an assessment of the extent to 14

which financial regulations are complied with in the management of debts and include a review of key controls and documentation of key information flows as per ISA315 6 Creditors High Risk - 25 days (CORE FINANCIAL SYSTEM) Focus on compliance with financial controls in respect of use of the ordering system correctly prior to entering into commitments to purchase. This review is to encompass a key controls compliance review and documentation of key information flows as per ISA315. The sample of transactions tested will cover compliance with financial regulations for the authorising of payments across the Council. 7 Insurance Medium Risk -12 Days This audit will focus on controls in place to ensure the Council has adequate insurance arrangements in place and that these are operating effectively. 8 Duplicate Payments High Risk- 20 Days This audit will concentrate on the controls in place to prevent duplicate payments. Data mining analysis will be used to detect possible duplicate payments, which will be referred to management for recovery. 9 Cash & Banking Control High Risk -20 Days (CORE FINANCIAL SYSTEM) Focus on the progress made towards achievement of full monthly reconciliation of the bank account. This audit will include an audit of key financial controls and documentation of key information flows as per ISA315. Cash accounting controls within the Councils cash receipting system will also be examined. 10 Main Accounting System High Risk25 days (CORE FINANCIAL SYS) Review to focus on the monthly management accounts process and controls to ensure that all expenditure on WIMS is accrued for/correctly stated. A review of suspense accounts will also take place to ensure that suspense accounts are being managed effectively. Key account reconciliations between feeder systems and the General Ledger will also be reviewed. WIMS is recorded as an Amber risk in the Departmental Risk register with two key risks identified:

15

 Main financial system (WIMS) or support systems fail or not being developed to keep up with business needs. Inadequate staff IT training Risks; lack of financial controls, inaccurate recording, non-compliance with statutory requirements, unable to meet legal/operational needs, qualification of accounts and potential for fraud. 11 Budgetary Control High Risk 20 Days (CORE FINANCIAL SYSTEM) This audit will review the budgetary control framework including procedures for forecasting income and expenditure in a number of selected departments. The audit will concentrate on those areas where performance monitoring information has shown problems in controlling budgets. This audit links with a key risk identified by the Council which is a potentially difficult financial situation arising from reduced central government financial settlements. The level of compliance with financial regulations relating to budgetary control across the Council will be included in this audit. 12 Fixed Assets Medium Risk 10 Days The focus of this audit will be on maintenance of the fixed asset register, correct accounting for fixed assets and the reconciliation of control accounts. This review is to encompass a key controls element and documentation of key information flows

16

CUSTOMER SERVICES DEPARTMENTS

The following projects are proposed in 2006/07: 1 On Street Parking (3 audits) High Risk 40 Days The audit will take place in the second quarter of the year. It will examine contract monitoring arrangements in place to ensure they comply with financial regulations and the procurement code. The precise scope of the audit will be discussed with management prior to the audit commencing but may include audit work on contractors fixed costs and CCTV. In addition to the above an audit of the ICPS progressions process was requested by management in April 2006 and will be reported in the 2006/07 financial year. An audit of the key controls required in the system for the disposal of vehicles will also be carried out in the first quarter of the year as requested by management. 2 Off Street Parking (2 audits) Contract Monitoring-High Risk- 30 Days (2 audits) This area of audit work has been discussed with management . It has been agreed that the audit work will take place in the 3rd quarter of the year. Two pieces of audit work will be performed: The first will focus on the contract monitoring system in place including financial controls and compliance with financial regulations and the procurement code. The second audit will review the adequacy of the barrier controls, cash handling, reconciliation and security systems in operation at the car parks. The audit will also review cash collection arrangements from the car parks. 3 Review of Vertex Payments/Governance of CSi Related Projects High Risk - 20 Days Review the control framework for ensuring that work performed by Vertex and paid for by the Council has been delivered to specification. The audit will also review the Governance of CSi related projects and the management of project delivery. The audit will cover the extent to which financial regulations and the Procurement Code have been 17

followed in respect of payments will be reviewed. After discussion with management it was agreed that this audit would take place in November after the internal review had reported. 4 Library Services Low Risk 25 days (3 audits) In order to maximise the value of internal audits carried out on the library service it was agreed that audit work on the libraries would be carried out on specific issues across all libraries at the same time. For 2006/07 the audit will focus on two issues: income reconciliation and the receipt of external income from third parties. In addition a current audit review of stock procurement in the libraries service will be reported in 2006/07.

18

TRANSPORTATION DEPARTMENT The following projects are proposed in 2006/07: 1 Highways High Risk 20 Days Detailed scope of this audit will be agreed with line management prior to commencement. Likely to focus on financial and IT controls surrounding payments to contractors. The audit will also review temporary carriageway reinstatements This audit will commence in the first quarter. 2. Contractor Payments 2005/06 High Risk 20 Days At the request of line management an audit will be carried out in the first quarter relating to budgetary control and invoicing systems exercised by a contractor . The precise scope of the audit is to be agreed with line management prior to the commencement of the audit. 3. School Crossing Patrol Service Risk Register (Amber) 15 Days An audit is likely to be carried out in the second quarter concerning the implementation of any recommendations arising from the Health and Safety Executive and/or the Coroners report. There are two other audit areas which may be audited in 2006/07. Discussions will be held with line management during the year in respect of these audits and the potential scope and timing of the work: They are: Completion of Paddington LTVA Risk Register (status not assigned) The following risks were identified: - Cancellation of railway possessions by London Underground or Network Rail - Uncertainty over the replacement traffic scheme for LTVA +2 taxi tunnel which was blighted by Crossrail - Uncertainty over traffic arrangements at the Harrow Road roundabout caused by alternative proposals by a developer - Project accident causes damage or closure of Paddington Station. .

19

Electricite de France Risk Register (Amber) Review of the progress made towards the achievement of an improved service. Documentation of management processes and control measures. Audit to be considered after joint discussions with Transport for London and the Corporation of London have been completed.

20

POLICY AND COMMUNICATIONS The following projects are proposed in 2006/07: 1 Payroll Contractor Progress & Key Controls High Risk-20 Days ( Core Financial System) This audit will review the control framework in place to control and reconcile payments made to staff. The audit will identify progress made against the concerns raised in the 2005/06 audit and will encompass a review of key controls. This audit will take place in the 3 rd quarter of the year. 2 Occupational Health Service Medium Risk-15 Days This is a new service. The audit will focus on the provision of the Occupational Health Service, meeting of service objectives and clients needs. 3 Performance Management Medium Risk 25 Days An audit will be carried out in the first quarter of the systems in respect of the processes within Department for supporting BVPI information. The audit will also cover mechanisms for collecting, analysing and reporting management information. year covering preparing and the corporate performance

4 Comprehensive Performance Assessment Medium Risk 20 Days An audit will be carried out in the 4th quarter of the year to assess the extent to which the Council has robust systems to ensure effective action is taken to meet the expectations of the Audit Commissions Key Lines of Enquiry. The audit will also seek to confirm that an adequate audit trail is being maintained. 5. Worksmart - High Risk 20 Days An audit will be carried out in the last quarter of the year on the Worksmart programme, the success of which is key to the achievement of the Councils financial and operational objectives. The audit will review the extent to which the programme is meeting its objectives. The audit will focus on known areas of weakness to be agreed with Line Management prior to the commencement of the audit

21

Corporate IT Audits Following discussions with the Head of IT , three corporate IT exercises are proposed in the 2006/07 audit programme. 6 IT FM Review High Risk 40 Days This audit will be a Value for Money review of the costs and services provided by the Councils IT Facilities Management Contractors. The audit will include a review of the costs and effectiveness of work undertaken in respect of change requests and new projects. Post Implementation Review Migration to Active Directory- High Risk 40 Days This will be a post implementation review of the effectiveness of the project to migrate to active directory on the Councils network. The review will establish the extent to which the projects objectives have been achieved. 7 Physical/Network Security High Risk 20 Days This audit will examine high risk issues around the security of the Council's network. It will include an evaluation of the improvements made to back up and recovery procedures and external penetration testing. Other Audits: CRB Checks: To be discussed with line management whether a corporate audit should be carried out in respect of CRB checks as this has cross departmental value and has been raised by other departments:

22

PLANNING & CITY DEVELOPMENT The following project is proposed in 2006/07: 1 Building Control Medium Risk-19 Days This audit wil review the effectiveness of invoicing and debt collection procedures within the Building Control section together with operational, financial and quality control procedures. At the request of the department the scope of the audit will include processing and banking of fees received for land charge searches and historic records.

23

ENVIRONMENT & LEISURE (L CODES) The following projects are proposed in 2006/07: 1 Commercial Waste High Risk- 19 Days The 2005/06 audit focused on the move from Whitespace and consisted of an IT applications audit. This audit will focus on financial control in respect of commercial waste. In particular the audit will focus on billing, collection, debt recovery and write off procedures as well as account reconciliations . 2 Refuse Collection High Risk-20 Days Areas to be covered include contract monitoring and financial controls. The audit will cover compliance with the procurement code and financial regulations.

24

CORPORATE PROPERTY DIVISION Corporate Property High Risk 20 Days The internal audit work in this area will focus on implementation of recommendations arising from the external reviews carried out in 2005/06. The audit will include an assessment of whether management has established effective procedures for ensuring compliance with corporate policies and procedures.

25

LEGAL & ADMINISTRATIVE SERVICE (N CODES) The following projects are proposed in 2006/07: 1 Elections Accounting for Expenditure Medium Risk-20 Days This audit will review the adequacy of the control process for accounting for expenditure incurred on the May 2006 Local Elections. This audit will take place in the 4th quarter. 2 Registrars Medium Risk- 15 Days An audit review will be carried out of financial and operational controls. In particular the audit will charging and accounting for new income streams such as Civil Partnerships. This audit will be carried out in the 3rd quarter. 3 Licensing Applications 15 Days An audit will be carried out during the 3 rd quarter . The review will focus on the extent to which financial and IT systems now in place are fit for purpose i.e. can support the legal, financial and operational requirements of the service. 4 Departmental IT Arrangements High Risk 15 Days A computer audit review will be carried out on the extent to which Departmental systems operating on corporate platforms are secure and are robust in respect of business continuity and disaster recovery arrangements. (Scope and timing of review to be agreed with John Enticott prior to commencement).

26

CHILDREN SERVICES (P CODES)) The following projects are proposed in 2006/07: SCHOOLS 1. Schools Information Management Systems (Computer Audit) Medium Risk-14 Days This is an IT application audit covering the security, control and effectiveness of the system. Detailed scope to be agreed with Line Management prior to the audit. 2 School Audits A programme of school audits is carried out on a three year rolling programme. Schools are audited against the Ofsted / Audit Commission guidelines for financial controls in Schools. The Department for Education and Skills requires all Secondary schools to be accredited as compliant with its new financial standards by March 2007. The new standards are an enhancement to the previous guidelines. In subsequent years all schools will need to achieve this standard. The Director of Finance will be required to certify the number of schools reaching the standard at the end of each financial year. The Schools audit programme is therefore being developed and reprogrammed to enable Internal Audit to certify compliance with the standard at all secondary schools by March 2007. It intended that all secondary schools will therefore be audited in 2006/7. 5 days are allocated for each primary school audit and 6.5 days for each secondary school audit. The Audit programme will be adjusted to allow the new requirements to be carried out within existing budgets. The complete list of schools to be audited in 2006/7 is: Secondary Schools Pimlico School s (1st secondary to be audited) Quintin Kynaston School Grey Coat Hospital School St Georges School St. Marylebone School Westminster City School St. Augustines High School North Westminster /School Closure

27

Primary Schools 3. Edward Wilson Millbank Queens Park School St Georges Hanover Square CE School (summer term) St James & St Michaels St Lukes CE School (summer term) St Mary Magdalens School St Peters Eaton Square School St Saviours CE School St Stephens CE School St Vincent De Paul RC School Soho Parish CE Westminster Cathedral School Queen Elizabeth II School Dorothy Gardner Centre (summer term) College Park School

Grant Aided Programs e.g. Surestart High Risk- 20 Days Scope of 2006/07 audit to be agreed. Audit to be carried out in the second half of the year.

CHILDREN AND FAMILES SOCIAL SERVICES 4. Childrens Department High Risk-20 Days Systems audit aimed at reviewing tasks relating to the achievement of objectives of this new Department. First year review to be high-level assessment of the adequacy of arrangements for meeting statutory responsibilities, measuring and managing outputs and budgetary arrangements. 2005/06 audit postponed until 2006/07. LIFELONG LEARNING 5. Adult Education Service Medium Risk-20 Days Scope of this audit is to be agreed. It is likely to focus on the financial control and assurance framework at the Adult Education Service.

28

6.

Cross departmental Audit of Voluntary Sector Grants Medium Risk 15 Days Audit included at request of Department. Scope to be agreed prior to commencement.

7.

Westminster Play centre Service Medium Risk 10 days Audit included at request of Department. Scope to be agreed prior to commencement.

8.

Early Childhood Services Low Risk- 10 Days Scope of 2006/07 audit to be agreed.

9.

Free School Meals Medium Risk-20 Days Review to focus on the systems in place for the provision of free school means including the eligibility criteria, audit trails and accounting to central government. Audit to take place in 1st Quarter.

29

HOUSING (Q Codes)

HOUSING REVENUE ACCOUNT AUDITS (CITYWEST HOMES AUDITS)

1 IT Strategy Review Risk Register High Risk-12 Days The failure of IT to meet the organisations needs in terms of hardware, software and support was identified as a key risk in the risk register. In order to mitigate this risk a review of the current service is to be undertaken. This audit will be carried out after the full Business Strategy Review has been completed. 2 Academy OHMS Interface Medium Risk-16 Days This is an IT audit of the interfaces between the Council Housing Benefit system and the Housing Rents system run by City West Homes. 3 Tenant Management Organisations Medium Risk-18 Days TMOS are run by residents. This audit may be either a broad financial controls audit or may concentrate on problems identified in previous years. The under-performance or failure of TMOs has been identified as a key risk in the risk register. This risk is to be mitigated by close monitoring of performance, governance and finances. The Lead Officer will be consulted as to which organisations are reviewed and the frequency of review which should be no more than every two years for TMOs carrying out major works. 4 Housing Rents Collection/Arrears Including Former Tenant Arrears Medium Risk-18 Days (CORE FINANCIAL SYSTEM) This is a core financial audit . The audit will focus on the financial control framework in respect of collection, accounting for and reconciliation of rent, and the recovery of arrears. 5 Housing Estates Repairs & Maintenance Medium Risk-18 Days Scope to be agreed with Management. Area to be suggested by City West Homes. Likely to focus on the adequacy of the system for commissioning repairs and ensuring that the work is adequately 30

completed. This work will be carried out when the review of simplification of ordering of works is completed. 6 Estate Management Contract Monitoring & Payments to Providers Medium Risk-18 Days This audit will assess the monitoring arrangements in place and payment controls in respect of the new provider contract. Key information flows will be documented. This audit will be carried out once the new contracts have had a chance to bed in. 7 Health & Safety Contractors Compliance Medium Risk-18 Days Scope of 2006/07 audit to be agreed. 8 Rechargeable Works Medium Risk-12 Days Key control review of the monitoring arrangements in place and payment controls. Key information flows will be documented. The Performance and Audit Committee wish to receive assurance on whether we are recovering costs appropriately and whether works have been carried out on properties that should be recharged. 9 Residents Associations-Low Risk-10 Days Audit will focus on Corporate Governance and compliance with key financial controls 10 Void Properties 15 Days A review of the internal control mechanisms in respect of void properties was requested by management. The audit was requested in March 2006 and will be completed as part of the 2006/07 Internal Audit Programnme.

HOUSING GENERAL FUND PROPOSED AUDITS

31

Private Sector Grants Medium Risk-15 Days Systems review aimed at verifying the adequacy of the Councils arrangements for meeting the requirements of the legal/regulatory framework.

2 Housing Options Service - 15 Days Medium Risk This audit was included at Managements request. The audit will focus on a review of systems and controls relating to rent accounting in the HOS. Precise scope of the audit will be agreed with management prior to commencement. This audit is to be carried out in the 3rd quarter.

32

ADULT SOCIAL CARE (R CODES) The following projects are proposed in 2006/07: OLDER PEOPLE, DISABILITY & HEALTH 1 Section 31 Pooled Budgets Medium Risk-20 Days Section 31 is part of the National Health Act which requires disclosure in the financial statements. The focus of the audit will be on the allocation of funds between the health authority and the Council, how the pool is divided up, what monitoring is performed, rules and regulations governing the use of the pooled budget and the governance arrangements. At managements request this audit is to be carried out in the second half of the year. 2 Receiverships/Appointeeships Medium Risk-20 Days This is a 2005/6 review postponed until 2006/7. Review requested by Chris Undrell and Sarah Saward. This audit will cover compliance with financial procedures. This audit is to be carried out in the second half of the year at managements request. 3 Residents Savings & Securities Medium Risk-15 Days Review of the arrangements in place for the safeguarding and protection of residents savings and securities. This audit will encompass a review of key controls and document key information flows. 4. Adoption Allowances Medium Risk-15 Days Systems review aimed at verifying the adequacy of the Councils arrangements for meeting the requirements of the legal/regulatory framework. 5 Social Services Residential Charging Including Debt Recovery & Write-off Medium Risk-20 Days Systems review aimed at verifying the adequacy of the Councils arrangements for meeting the requirements of the legal/regulatory framework. The audit will determine the extent to which financial regulations are complied with. This audit is to be carried out in the first half of the year at Managements request.

33

Residential Placements Medium Risk-20 Days Systems review aimed at verifying the adequacy of the Councils arrangements for meeting the requirements of the legal/regulatory framework.

Meals Services Medium Risk 15 Days This audit will cover financial and operational systems in respect of the Home Meals Service. This audit will be carried out in the second half of the year at managements request.

34

COMMUNITY PROTECTION (S CODES) The following projects are proposed in 2006/07: 1 Residential & Trading Standards Including Renovation Grants Medium Risk 20 Days This audit will review the operational and financial management of the Trading Standards Service and will be carried out in the second quarter. 2 City Guardians Medium Risk 15 Days Scope of 2006/07 audit to be agreed. This audit is likely to assess the operational and financial systems in operation in respect of this service. The audit will be carried out in the second quarter.

35