Audit and Assurance Committee – Date: 7 June 2018 – Item: Internal Audit


Agenda item 1
Audit and Assurance Committee
Date: 7 June 2018
Item: Internal Audit Quarter 4 Report 2017/18
This paper will be considered in public

1 Summary
1.1 The purpose of this report is to inform the Committee of the Internal Audit work completed in Quarter 4 of 2017/18, the work in progress at the end of Quarter 4, the work planned for Quarter 1 of 2018/19 and the status of agreed audit actions.

2 Recommendation
2.1 The Committee is asked to note the report.

3 Background
3.1 The Head of Internal Audit is required to provide an annual report in support of her opinion on the internal control framework. Quarterly reports are presented to the Committee in anticipation of the annual report.

4 Work Done
4.1 The chart below shows the number of Internal Audit Reports and other outputs, including advisory/consultancy reports and memorandums, issued during Quarter 4, the 2017/18 year-end together with comparative figures for 2016/17.

[Chart: Internal Audit reports and other outputs issued. Legend: PC Poorly controlled; RI Requires improvement; AC Adequately controlled; WC Well Controlled]

4.2 Internal Audit issued 17 reports and other outputs during Quarter 4; the full list is in Appendix 1. Where applicable, the affected business area has agreed management actions to address the issues, and Internal Audit is monitoring completion. The appendix shows the date by which the last management action is due to be completed, or confirms that the audit has been closed, as at the date of this report.

Third Line Assurance Activity - Internal Audit
4.3 One of the internal audit reports published in Quarter 4 was concluded as ‘Poorly Controlled’ and is summarised as follows:

Preparation for the General Data Protection Regulation (GDPR) (Internal Audit Report issued P11 2018)
4.4 Our audit reviewed the effectiveness of TfL’s preparations for meeting the GDPR requirements. This included specific focus on the structures in place for providing advice and support to high-risk business areas, as well as the mechanisms used to monitor progress toward GDPR compliance. We identified six priority 1 issues, and four priority 2 issues.
4.5 The priority 1 issues highlighted areas for improvement including the need for a central coordination and oversight resource, completion of business unit compliance plans, modification of data processor agreements, completion of the personal data mapping exercise, and implementation of process and/or technical solutions to enable fulfilment of data subjects’ rights.
4.6 The Head of Information Governance submitted a GDPR progress report to the Committee meeting of 6 March 2018. The report outlined the progress made since the audit was completed, and highlighted the steps taken to facilitate implementation of the agreed management actions, some of which were already complete. The final action is due for implementation by 31 July 2018, but the closure date is being kept under review.
4.7 Other notable reports issued during Quarter 4 are as follows:

Commercial Management within City Planning
4.8 Our audit focused on the effectiveness of the control environment in relation to City Planning’s procurement process. We identified three priority 1 issues, and one priority 2 issue, highlighting areas for improvement with regard to the contract ‘Call-Off’ process (Tendering, Evaluation and Selection), and record retention processes. The last action is currently on track for completion by 14 December 2018.

Topographical Testing
4.9 Our audit focused on the control environment in relation to Taxi and Private Hire’s Topographical Testing arrangements. We identified one priority 1 issue, and two priority 2 issues, highlighting areas for improvement, including processes for the storage and security of assessment papers (questions and answers), clarity around the longer-term strategy for assessment centres, and communication of information to assessment centres. Work was already in progress to address some of the issues identified, and the last action is on track for completion by 31 July 2018.
4.10 Work in progress at the end of Quarter 4 is shown in Appendix 2 and work due to start in Quarter 1 of 2018/19 is shown in Appendix 3.

Follow-up of audit actions
4.11 Internal Audit monitors the completion of all audit actions and confirms whether they have been adequately addressed by management. The table at Appendix 5 shows the numbers of open audit actions by business area and the extent to which these are overdue.
4.12 Where actions are 60 days or more overdue the Director with responsibility for the actions may be invited to attend the Committee meeting, to discuss them. There are a number of actions more than 60 days overdue, as discussed in the following paragraphs.

Finance
4.13 The overdue action relates to our audit of Fares Refunds within the Financial Services Centre (FSC), specifically the availability of reports to enable monitoring of Web Account credits (WACs).
4.14 The Head of the FSC attended the December 2017 Committee meeting and provided an overview of the challenges experienced in the closure of the action. At the March 2018 Committee meeting, we reported that an updated Refunds policy had been drafted, and would be published on 1 April 2018. Publication was dependent on necessary changes to the underlying system so that monitoring reports could be produced.
4.15 We understand that the FSC continues to experience challenges getting the necessary reports created; the knock-on effect renders the revised policy unenforceable. We have decided not to invite the Head of FSC to attend the meeting on this occasion; however, acknowledging the length of time the action has remained open, we have asked him to consider whether alternative mitigating solutions could address the risk, or to determine if the risk is within acceptable tolerances.

Surface Transport
4.16 The two overdue actions relate to our audit of Payment Card Industry Data Security Standard (PCI DSS) compliance in the Compliance, Policing and On-street Operations Directorate (CPOS); formerly Enforcement and On-street Operations (EOS).

4.17 The outstanding PCI DSS actions (two priority 2 actions) relate to process documentation and data retention controls. These actions are interrelated, and dependent on the implementation of a new payment system. CPOS is continuing to focus on completion of these actions, but a decision in respect of the technical solution is outstanding. The preferred option is to adopt the same system used by the Metropolitan Police Service (AWARE). However, at the date of this report, CPOS has not been able to confirm the decision and implementation timeline.
4.18 The Director of CPOS attended the March 2017 Committee meeting and provided an overview on the challenges experienced in the closure of the action. CPOS has submitted evidence to the external Qualified Security Assessor who is preparing a proposal for implementation in July. The (TfL) Internal Security Assessor has had sight of this evidence and draft working instructions to implement the proposal when agreed.
4.19 We have not asked the Director to attend the meeting again to discuss these actions; however, if the actions are still open by the time of the September Committee meeting he will be invited to attend at that time.

Second Line Assurance Activity – Integrated Assurance
4.20 The Integrated Assurance team within Risk and Assurance issued 13 HSE and Technical audit reports during Quarter 4, none of which was concluded as ‘Poorly Controlled’. One audit report was concluded as ‘Requires Improvement’ and is summarised below. The majority of the audits were technical in nature against Strategic Risk 14 and were given an ‘Adequately Controlled’ conclusion due to documented systems being in place with supporting evidence of their implementation. Recommendations were made to address improvements or areas of minor non-conformance.

09TS and S-Stock (New Rolling Stock) Handover Arrangements
4.21 The objective of the audit was to provide assurance that the required information, process and materials had been adequately handed over from the supplier to enable maintenance of the fleets by TfL teams.
4.22 The report identified two priority 1, nine priority 2, and one priority 3 issues. The priority 1 issues concerned ineffective use of document control systems, unavailability of current and approved documents and the use of the asset management database to record modification levels of serialised spares and components. Both of the Priority 1 actions have been closed.

Second Line Assurance Activity – Project Assurance
4.23 The Project Assurance team completed 20 Assurance Reviews (ARs) during Q4, which included reviews of five sub-programmes. IIPAG provided oversight and guidance on 13 out of the 20 ARs completed.
4.24 The five sub-programme reviews were as follows, none of which identified any critical issues:
(a) LU Rolling Stock Renewals;
(b) LU Track Renewals;
(c) LU Major Stations;

(d) Technology and Data; and
(e) Public Transport.
4.25 Three of the other ARs identified critical issues as follows:
(a) LU Maintenance Modernisation – there were two critical issues, relating to the cost and risk provision. These have now been addressed in the 2018/19 budget;
(b) Cycle Superhighway 11 – there was one critical issue relating to the bus journey time impacts through the Swiss Cottage junction. Further mitigations are planned as part of the bus priority programme; and
(c) Harrow on the Hill Bus Station Accessibility – there were four critical issues, relating to the work required before entering into the joint venture with the developer. The requirements were still in development and the temporary bus stopping arrangements while the station is closed for up to two years had not been devised. Further development is underway in advance of signing the development agreement.

5 Control Environment Trend Indicators
5.1 The Committee, at its meeting on 7 March 2018, approved a set of Control Environment Trend Indicators. Data for some of the indicators is not yet available, but is under development, and we hope to be able to start reporting against these in 2018/19. The Quarter 4 indicators are attached as Appendix 5.

6 Customer Feedback
6.1 At the end of every audit, we send out a customer feedback form to the principal auditee(s), requesting their views on the audit process and the report. A summary of the responses to the questionnaire, together with comparative figures for the previous Quarter, is included as Appendix 6.

List of appendices to this report:
Appendix 1 – Audit Reports Issued in Quarter 4 2017/18
Appendix 2 – Work in Progress at the end of Quarter 4 2017/18
Appendix 3 – Work Planned for Quarter 1 2018/19
Appendix 4 – Overdue Audit Actions
Appendix 5 – Control Environment Trend Indicators
Appendix 6 – Customer Feedback Form – Summary of Responses Quarter 4

List of Background Papers:
Audit reports.

Contact Officer: Dili Origbo, Head of Internal Audit
Number: 020 3054 7952
Email: diliorigbo@tfl.gov.uk

Appendix 1
Transport for London Audit and Assurance Committee
Internal Audit Reports and other outputs Issued Quarter 4 2017/18
Strategic Risk – Delivery of Key Investment Programmes
Directorate – Ref – Audit Title
Finance – 17631 – Benefits Realisation – To review whether TfL has an effective process for planning, managing and measuring the benefits achieved from investment and whether projects are utilising this process throughout the project lifecycle, including completion of benefits realisation reviews.
City Planning – 17627 – Commercial Management within Planning – To review commercial management processes within Planning to provide assurance over compliance with TfL policies and good practice.
Mobilisation of the pan TfL Cleaning Contract (Phase 2) – To provide assurance that there are robust plans and procedures in place for the effective mobilisation of the Pan-TfL Cleaning contract
17634 – Pan TfL – Mobilisation of the pan TfL Cleaning Contract (Phase 2) final
…ographical Testing arrangements
17500 – Semi-Annual Construction Report (SACR) reporting process – A review of the SACR process to ensure that the underlying data is sound. – NA – WC – Closed – 0 0 0
17506 – Disposal of Crossrail Assets – A review of the arrangements contractors have in place for the disposal of assets, in particular, items of plant and machinery – NA – AC – Closed – 0 0 0
A review of Ricardo Rail's ability to deliver against the NoBo / AsBo contract. – 08/01/2018 – AC – Closed – 0 0 1
A review of the compliance with Crossrail undertakings and … – …/2018 – AC – F/up – 0 0 1
17518 – 17521
17521 – Readiness for handover of LU – A review of the preparedness of London Underground to receive the CRL assets - in particular the compliance with the nine requirements of Handover.
17522 – Readiness for handover of MTR Crossrail – A review of the preparedness of MTR Crossrail to receive the CRL assets - in particular the compliance with the nine requirements of Handover.
17523 – Readiness for handover of Rail for London (RFL) – A review of the preparedness of RFL to receive the CRL assets - in particular the compliance with the nine requirements of Handover. – N/A – AC – Closed – 0 0 0
17530 – ATC management of sub-contractors – A review of the management of subcontractors by the Tier 1 contractor – N/A – Memo – Closed – 0 0 0
15609 – Fraud Risk in projects and contracts within the Station Works Improvement Programme (SWIP) – To review the adequacy and effectiveness of controls in place to manage Fraud risk in projects and contracts within SWIP and assess against a Fraud risk maturity …
…tion Programme – Workstream …
…ty Standards
Conclusion
Ricardo Rail: Capability to deliver the Assessment Contract Notified Body (NoBo)/Assessment Body (AsBo)
Undertakings …
To provide assurance that there are robust plans and procedures in place for the effective mobilisation of the Pan-TfL Cleaning contract
To provide assurance over the revised process and controls around …
…ry of the Elizabeth Line
Objective
Preparation for the General Data Protection Regulation (GDPR)
DLR KAD (Keolis Amey Docklands) Safety Assurance arrangements
To provide assurance on the effectiveness and application of the transition assurance process for ensuring workstreams are ready for their new organizational structures to go live.
To provide assurance that TfL's preparations for the GDPR are appropriate, timely, robust and effective
To provide assurance that TfL is seeking appropriate assurance from the relevant franchisees over safety risk controls and management systems
Grand Total
Status
Key: …tely controlled; WC – Well Controlled; Memo – Memorandum; Con – Consultancy; A – Advisory

Transport for London Audit and Assurance Committee
Appendix 2
Internal Audit - Work In Progress at the end of Quarter 4 2017/18
Strategic Risk – Directorate – Ref. – Report Title – Objective
To provide assurance that management standards and arrangements effectively implement the requirements of noise at work legislation and effectively control the risk of noise exposure. Also that there are appropriate ongoing management 2nd line of defence activities
To provide assurance that revised rules and arrangements for site control have been implemented and are being monitored
To provide assurance on the adequacy and effectiveness of controls in place over the recruitment and management of NPL, including use of personal service companies
Provide assurance that the year-end outturns on the scorecard indicators are being reported accurately
To ensure that the procurement process used for single sourcing is managed effectively, including the frequency and legitimacy of single sourcing, and the robustness of the approval process.
Total
Pan TfL – 17 761 – Arrangements for managing occupational noise
London Underground – 17 751 – Possession Site Control and Monitoring
HR – 17 117 – Controls over Agency Temporary Workers
Finance – 18 100 – TfL Scorecards
London Underground – 17 612 – Single Sourcing Governance Assurance (LU)
Delivery of Commercial Revenue Targets – Customers, Communication and Technology (CCT) – 18 028 – Public Cellular Network – To provide assurance over the project and financial controls in place for the PCN Project – 1
Governance Suitability – London Underground – 17 112 – Data Privacy and Protection – Surveillance Cameras LU – To provide assurance that LU's use, management, and control of surveillance cameras are in accordance with the relevant TfL policies, laws and relevant codes of practice. – 1
Managing Railway or Strategic Road Network Asset Base – Pan TfL – 17 729 – Asset Information Management – To provide assurance that the design and operating effectiveness of operational asset management is effective – 1
17 507 – Disposal of Crossrail non-railway assets
Safety …ity
17 520 – Delivery of the Elizabeth Line
Crossrail – 17 524 – 17 511 – 18 504
LTM – London Transport Museum – 17 110
Crossrail Handover Strategy and Plan
Asset information and alignment between Crossrail and its partner organisations
A review of arrangements for disposal of non-permanent assets, for example, staff mobile devices and PC’s, including data security aspects of the disposal.
A review of Crossrail readiness for handover, focusing on the nine key requirements of the Handover Strategy and Plan.
A review of the quality of asset information and identification of assets, and alignment of asset information requirements / expectations with what will be delivered
A review of the Testing and Commissioning Strategies and Plans for delivering the Crossrail Project, focusing on a sample of delivery teams and contractors
Delivery of Over Site Development (OSD) – To review the arrangements for delivering OSD, including construction assurance where developments are being progressed through Crossrail / TfL.
LTM Management Information – To review the range of management information available to enable LTM management and the Trustee Board to monitor LTM’s financial and trading performance
Grand Total
Testing and Commissioning
1 1 1 1 1 1 1 1 1 1 1 14

Transport for London Audit and Assurance Committee
Appendix 3
Internal Audit - Work Planned to start in Quarter 1 2018/19
Objective
To provide assurance that ST has a Supplier Quality Assurance System that ensures risks to TfL objectives are identified, controlled and assured throughout the contract life cycle
To provide assurance on the adequacy and effectiveness of controls in place for short and long term forecasting of cash
Planned Period – Total
2018/19 P1 – 1
2018/19 P3 – 1
17 000 – ST Supplier Assurance (non-rail)
18 106 – Cash Forecasting
18 129 – Revenue Apportionment to Train Operating Companies – To provide assurance over the apportionment of revenue to TOCs – 2018/19 P1 – 1
18 117 – Contract Payment Approval Form (CPAF) process – 2018/19 P2 – 1
18 600 – Single Sourcing Governance Assurance (ST) – 2018/19 P2 – 1
18 123 – Congestion Charging – Financial and Business Controls (Capita) – 2018/19 P2 – 1
18 000 – Management of Fraud Risk in London Underground
To ensure that the procurement process used for single sourcing is managed effectively, including the frequency and legitimacy of single sourcing, and the robustness of the approval process
To provide assurance on the adequacy and effectiveness of financial and business controls in place within Congestion Charging following the move to Capita
To provide assurance that fraud risks are being managed across all areas of LU and that there is an awareness of fraud risk amongst personnel – 2018/19 P1 – 1
17 204 – Exterion Capital Expenditure Programme – To review and provide assurance over the delivery of the Capital Expenditure programme – 2018/19 P1 – 1
18 603 – Sponsorship of the Elizabeth Line (formerly Partnership/Sponsorship Marketing) – To provide assurance that the procurement of the sponsor for Elizabeth Line is carried out in an efficient and effective manner. – 2018/19 P2 – 1
Surface Transport – London Underground
Report Title
Provide assurance that revised controls over the use of CPAFs are operating as intended.
Delivery … – …ivery of Key Investment Programmes
Pan TfL – 18 605 – Re-Tender of Professional Services Framework PSF (EPMF4) – To provide assurance that the Procurement of the Professional Services Framework is carried out in an efficient and effective manner – 2018/19 P3 – 1
Surface Transport – 18 008 – Bus Contracting Process – To provide assurance over the processes governing changes to key processes affecting revised bus contracts – 2018/19 P3 – 1
18 007 – Operational Reliability: The impact of attendance within London Underground – To provide assurance that attendance at work is appropriately managed to ensure that operational reliability is not adversely affected. – 2018/19 P3 – 1
18 403 – Cyber Security Strategy and Operating model – 2017/18 P2 – 1
18 400 – The strategic approach to Cloud Computing Governance – 2018/19 P3 – 1
18 404 – Pensions Data – Access Security – 2018/19 …
…ure or a Cyber Attack
London Underground – Customers, Communication and Technology (CCT) – Pension Fund
Evaluate TfL’s cyber security strategy and operating model to assess whether it is designed appropriately to meet strategic objectives and industry best practice.
To review the arrangements that manage the use of cloud computing, including policies and procedures, architectural design, and security controls. Provide assurance that the security controls are operating effectively.
To provide assurance on the adequacy and effectiveness of security controls over access to pension data

Transport for London Audit and Assurance Committee
Appendix 3
Internal Audit - Work Planned to start in Quarter 1 2018/19
Strategic Risk – TfL’s Impact on Environment – Delivery of the Elizabeth Line – LTM
Directorate – Pan TfL
Ref. – Objective
To provide assurance that the environmental checks that have been incorporated into the procurement process (prepared by HSE) are being used and environmental risks and opportunities are being identified and actioned
To review the arrangements for training of operations staff (e.g. signallers) and maintenance staff
To review Estates Management following demobilisation and the closing down of Crossrail sites, covering both health & safety, and commercial risks.
Planned Period – Total
2018/19 P3 – 1
2017/18 P2 – 1
2018/19 P3 – 1
18 024 – Identification of environment risk and opportunities during procurement
17 526 – Training of operators
18 500 – Estates Management following demobilisation
18 501 – Employers’ Completion Process – To review the closeout dashboard and the underlying evidence, covering quality, NCRs, risk and commercial aspects. – 2018/19 P1 – 1
18 502 – Crossrail Complaints Commissioner Accounts – A review of the Crossrail Complaints Commissioner Accounts to ensure accuracy – 2018/19 P3 – 1
18 503 – Management of Stakeholders, Sponsors and Interfaces – A review of the arrangements for managing Crossrail stakeholders as the activity transitions to TfL. – 2018/19 P1 – 1
18 505 – Demobilisation of Staff – A review of the demobilisation process, including readiness and effectiveness of the transfer of any staff from Crossrail to TfL. – 2018/19 P3 – 1
18 119 – LTM new web shop – To provide assurance over the new arrangements for the web shop including IM and stock controls – 2018/19 P3 – 1
Crossrail – London Transport Museum
Report Title
Grand Total – 23

Appendix 4
Outstanding Internal Audit Actions Statistics
Directorate – Not yet due – 1 – 30 Days – 31 – 60 Days – 61-90 Days – 91 Days
City Planning – 2 – 0 – 0 – 0 – 0
Commercial Development – 2 – 0 – 1 – 0 – 0
Crossrail – 7 – 0 – 0 – 0 – 0
Customers Communication … – …ondon Underground – 0000010000200000390103
General Counsel – Surface Transport – Major Projects – Total

Appendix 5
Control Environment – Trend Indicators
Audit indicators
%age of audit reports (rolling annual average) that are: Poorly Controlled; Requires Improvement or Poorly …
…4% 29.2% 3.6% 32.7% 3.9% 32.4% 2.0% 32.0% 2.4% 34.0% – 16/17 92.7% – Trend
97.7% 97.7% 97.9% 98.0% 98.0% – 16/17 – Trend 2.5%
Finance indicators
% invoices submitted by SMEs paid within 10 days
% invoices paid within terms (BVPI8)
Payments incorrectly made to staff who have left TfL – Data under development
Commercial indicators
%age of expenditure where PO issued retrospectively
%age of expenditure outside of approved agreements
%age of expenditure that is single sourced
Q4 17/18 – Q3 17/18 – Q2 17/18 – Q1 17/18
2.0% 2.3% Not available
Data under development
Data under development
Technology indicator
%age of time internal systems are available
Q4 17/18 – Q3 17/18 – Q2 17/18 – Q1 17/18 – 16/17 – Trend
99.5% 99.48% 98.68% 99.87% O/S
Information Governance indicator
FOI requests
Number received over past year
%age responded to on time
Q4 17/18 – Q3 17/18 – Q2 17/18
3053 3100 5…

Appendix 6
INTERNAL AUDIT CUSTOMER FEEDBACK FORM
SUMMARY OF RESPONSES FOR 2017/18 Quarter 4
We send a customer feedback form to our principal auditee at the conclusion of each audit. This table sets out the questions asked and the responses, including a selection of the freeform comments that we have received.
Customer Feedback Forms Sent: Q4 29 (Q3 20)
Customer Feedback Forms Returned: Q4 16 (Q3 20)
Score columns: Very poor 1 – Poor 2 – Satisfactory 3 – Good 4 – Very good 5 – Average – No score given
ASSIGNMENT ASSESSMENT CRITERIA
PLANNING AND TIMING
The assignment timing was agreed with me and there was appropriate consideration of my other commitments as the work progressed
The assignment was completed and the report issued within appropriate timescales
COMMUNICATION
Communication prior to the assignment was appropriate, including the dates and objectives
Throughout the assignment I was informed of the work's progress and emerging findings
CONDUCT
The Internal Audit team demonstrated a good understanding of the business area under review and associated risks, or took time to build knowledge and understanding as the work progressed
The Internal Audit team acted in a constructive, professional and positive manner
RELEVANT AND USEFUL ADVICE AND ASSURANCE
A fair summary of assignment findings was presented in the report
Assignment recommendations were constructive, practical and cost-effective
My concerns were adequately addressed and the review was beneficial to my area of responsibility and operations
Overall assessment – 4.2
Other comments including suggested improvements and areas of good performance:
"Due to the number of people involved in the audit, flexibility was required. This was agreed and acted upon very professionally."
"Audit report findings were relevant and fair."
"I was impressed with the auditor's holistic understanding of the complex problems of handover."
"We had plenty of forewarning to enable the audit to sit comfortably within the team's current workload."
"The audit team listened to comments made from me and my team in order to understand a balanced perspective."
"The audit gave an additional level of focus which was very much appreciated, as on a number of occasions it kept us on track when external issues were potentially distracting focus."
"We had a number of meetings pre and post audit to ensure there was clarity on what was required."
"Ideally, an earlier completion would have been beneficial. The wide scope, and the complex fieldwork, plus changes in the audit team, meant the audit was running a long time."
Average scores: 4.4 4.4 4.4 3.9 4.4 2.0 4.2 3.8 4.5 4.3 4.2 4.3 4.1
