Annexe B
Audits Completed in Q4 (December to March)
Pension Fund Governance 2020/21
1.1 East Sussex County Council (ESCC) administers and manages the East Sussex Pension Fund (the Fund) on behalf of 127 employers. The Fund is responsible for managing assets for the long-term benefit of scheme members in accordance with statutory regulations. The Pension Committee is responsible for making arrangements for the administration and investment of the Fund, receiving advice as appropriate from the Pension Board, which is a statutory requirement to assist the Scheme Manager (ESCC) in securing compliance with all relevant pensions' law, regulations and directions.
1.2 The purpose of this audit was to provide assurance that controls are in place to meet the following objectives:
· Governance arrangements are resilient and provide sufficient and effective oversight;
· Risk management arrangements are robust;
· Communication is efficient and effective; and
· Reporting arrangements ensure that poor performance is identified and corrected.
1.3 In completing this work, we were able to provide an audit opinion of reasonable assurance. We found that the Pension Board and Pension Committee meet regularly and have good oversight of the Fund. Adequate arrangements are in place for risk management with appropriate scrutiny of risks and mitigation measures. Both Board and Committee members undergo knowledge assessments and training to ensure that they possess sufficient knowledge to exercise adequate governance.
1.4 However, two minor opportunities for improvement were identified, i.e. to ensure that:
· The fund continues to work with the other members of the ACCESS Pool to strengthen its governance arrangements by finalising and implementing the Governance Manual and establishing a performance management process for fund managers; and
· Contact details for Pension Board representatives are published, so that members can contact their representative where required.
1.5 A formal action plan to address these areas was agreed with management.
Pension Fund - Altair Data Governance
1.6 Until recently, the administration of the Pension Fund has been managed through a collaboration with Surrey County Council as part of Orbis Business Operations. However, there is currently a project in place to disaggregate the Administration Team and bring East Sussex pension administration back in-house.
1.7 The current contract for the pension administration system, Altair, was due to expire in early 2021, and a new contract between the Pension Fund and Aquila Heywood was negotiated for the provision of Altair at a total cost of approximately £1.7m over five years, beginning April 2021.
1.8 Given the timescales involved in the project to transfer to the new system, with the original planned go-live on 1 April 2021, there was only limited time to provide audit advice and support into this. We therefore agreed to focus specifically on reviewing the arrangements for data migration and testing, where there were clear information governance risks and risks to the quality, completeness and accuracy of data.
1.9 In completing our work, we identified various issues/risks for consideration by project management in ensuring the data migration and management process was adequately controlled. These included the need to ensure:
· Member data temporarily held in Surrey County Council’s (SCC) version of Altair, for business continuity reasons, is adequately protected;
· Reconciliation controls are in place before and after data transition to ensure the accuracy of data;
· System administration access is properly controlled;
· Risks identified as part of the risk management process are assigned to individual owners to manage; and
· Issues arising from user acceptance testing are adequately resolved prior to go-live.
1.10 In discussing the above with project management, we were comfortable that adequate arrangements were in place to address the areas raised. The decision to go-live was made by the project on 26 March 2021.
Commissioning and Delivery of Property Projects
1.12 The capital programme, which runs to 2022/23, includes planned gross expenditure of £282 million, which will be financed through a range of funding streams, including £158.9 million from non-specific grants and £80 million from borrowing.
1.13 Our review in this area focused on the commissioning, planning and delivery of a sample of projects, to provide assurance that adequate arrangements exist to ensure:
· Only projects that meet the strategic needs of the Council are commissioned;
· Project initiation documents for property works are aligned to Council priorities and are supported by clear and robust plans covering specification, timescales, costs and cash flow;
· Outline and detailed project design take into account all relevant factors to enable accurate costs to be calculated;
· Project governance arrangements deliver projects on time, to the agreed specification and within budget;
· Procurement at all stages in the project delivers value for money; and
· Project slippage and potential cost variations are reported in sufficient time to allow effective decision making.
1.14 We reviewed a sample of property projects that were at different stages of the project lifecycle and were being delivered across Council departments.
1.15 In completing this work, we were only able to provide an opinion of minimal assurance because:
· Roles and responsibilities for Council officers and consultants were not sufficiently well defined, weakening accountability and project governance arrangements;
· A robust project management framework that outlines the project lifecycle and processes is not always followed for all property projects undertaken. This has led to inconsistent and ineffective project management;
· Key project documentation, including the Project Initiation Document (PID) and project management plan, were not used to support the delivery of all the projects;
· Engagement, collaboration and communication between client departments and the Property team is not always timely and effective. Feasibility studies are not always completed to provide cost estimates for business cases and, where they are, their limitations are not always understood by client departments. Greater collaboration between Property and client departments is needed to reduce incidences of projects being approved, based on significantly underestimated costs; and
· Change control processes are not always clear. Some changes are approved where no costs or cost estimates had been produced. This is particularly significant where foreseeable costs have not been included as part of the planning process, and prior to the contract being let, which can lead to contract variations throughout the project, increasing the overall cost. In some cases, consultants are able to agree changes, certify that work has been completed, approve costs of the work and are paid on a percentage of the contract value, reducing their incentive to control costs.
1.16 Management was very responsive when we reported our findings and, in addition to agreeing a robust action plan, put arrangements in place to monitor its implementation. These monitoring arrangements include regular liaison with Internal Audit. A formal follow-up review will also be undertaken during 2021/22 to assess the implementation of the agreed actions.
1.17 In September 2020, a paper was presented to the Capital Strategic Asset Board to “update Capital Board on the reasons for increases in costs” of the project to extend the SEN facility at Robertsbridge Community College. The paper reported that the full programme of planned works was now forecast to cost £2.9m, compared with the original budget of £1.31m.
1.18 As a result of this increase in costs, we were requested to review the management of the project. Specifically, we were asked to review the project’s inception, procurement arrangements, change control, financial reporting and communication arrangements between all parties throughout.
1.19 It was recognised that the impact of the Covid 19 pandemic might have been a contributory factor in the increase in costs. The objective of the review was to ascertain the reasons for this increase and to identify any lessons that may be learnt from the project, focussing on the following areas:
• The original business case and costings were based on robust information;
• All changes to the scope of the project were necessary to the successful delivery of the project, were fully costed and subject to the appropriate approval;
• Project/contract management arrangements were effective in controlling costs; and
• Accurate and timely financial reporting ensured the early identification of potential over-spends and effective corrective action.
1.20 Our testing identified several areas where significant improvement was needed. Whilst the onset of Covid 19 had caused delay and additional costs, most of the difference in cost between the business case (£1.31m) and the then projected out-turn (£2.9m) was caused by poor planning and project management. Figures from the quantity surveyor indicate that £380K of the over-spend was due to Covid 19.
1.21 Our findings correlated strongly with the above audit on the Commissioning and Delivery of Property Projects that was already underway (see 1.11 onwards). Instead of providing an audit opinion, therefore, we focussed on lessons learned with a view to strengthening controls. Throughout our work, management was fully engaged with the process and responded positively to our findings. A robust management action plan was agreed to address our findings and the Property team continues to liaise with us during its implementation.
1.22 The main areas where controls needed strengthening included:
• The improvement of collaboration across the Council to ensure that business cases identify significant costs at the outset and that project planning is effective. This includes the need to carry out surveys recommended in feasibility studies before key decisions are made;
• The clarification of what costs are, or are not, included in feasibility studies because the approval of the project, and subsequent, significant, changes to its scope were made on the basis of significantly understated cost estimates;
• Improving project governance arrangements, to include clearly defined roles and responsibilities, and the use of project initiation documents and project management plans for all stages of the project;
• Ensuring that changes to projects are only made after consultation with the client department (CSD) and after having been costed appropriately and formally approved;
• Strengthening budget management by ensuring that projects are managed to the correct budget and that decisions are taken based on an accurate understanding of the budgetary position; and
• Placing less reliance on external contract administrators so that they do not undertake feasibly studies, approve contract variations, retain all change control documentation, and produce cost reports and project management plans (where present), which weakened the Council’s control over the project.
Accounts Receivable
1.23 The Accounts Receivable function is responsible for ensuring that all income due to the Council is collected effectively and efficiently, banked promptly and is correctly accounted for.
1.24 Between the 1 April 2019 and 31 March 2020, 73,494 invoices were raised totalling £99.6m, which were offset by 566 credit notes totalling £3.9m. This compares with 69,769 invoices with a value of £86.3m in the 2018/19 financial year. These were offset by 603 credit notes with a value of £4.8m.
1.25 This audit provided assurance over the key controls operating within the Accounts Receivable system, including those in place for ensuring the accuracy of customer details; the accuracy of invoicing; the recording and matching of payments to invoices; and completeness of debt recovery. In addition, evidence was sought that the agreed actions in the 2019/20 audit had been implemented.
1.26 In completing our work in this area, we were able to provide an audit opinion of substantial assurance for the following reasons:
· The Accounts Receivable system is well controlled, and our testing of a sample of invoices raised indicated that the service operates to a high level of accuracy;
· Refunds for incorrectly raised debts and/or overpayments had been completely and accurately paid and recorded in the Council’s accounts in line with established protocols;
· Evidence of write-offs is maintained and appropriate approval for these is given;
· Unallocated income held in the Council’s suspense accounts is regularly reviewed to ensure the appropriate allocation of monies received;
· Reconciliations are undertaken on a regular basis, and where appropriate, discrepancies are investigated; and
· An aged debt analysis at a customer level is completed and distributed monthly to nominated officers within departments, to help ensure that all debt is managed appropriately.
1.27 Some opportunities for improvement were, however, identified and these were agreed with management as part of a formal management action plan. These included the need to:
· Update the Income Collection Policy to reflect changes agreed by senior management;
· Continually encourage the prompt raising of accounts after the goods/services have been delivered or rendered; and
· Regularly review user permissions and approval levels within the SAP system help ensure that members of staff do not have inappropriate access rights and/or authorisation levels.
Education, Health and Care Plans
1.28 In 2019, almost 15% of young people nationally were recorded as having a special educational need or disability (SEND). A child or young person is recorded as SEND if they have a learning difficulty and/or a disability that means they need special health and education support. The SEND Code of Practice 2014 and the Children and Families Act 2014 gives guidance to health and social care, education and local authorities to make sure that children and young people falling within this group are properly supported.
1.29 Under the Children and Families Act 2014, the Council must ensure that every child or young person can be supported to facilitate their development and to help them achieve the “best possible educational and other outcomes”. If a child or young person needs, or may need, more support than their school or other setting can give them, then the Council must carry out an Education, Health and Care needs assessment. This assessment may lead to an Education, Health and Care plan (“EHC plan”) being produced for them. An EHC plan will set out the additional support the child or young person needs and the school or other institution they will go to. Once special educational provision has been specified in an EHC plan, there is a legal duty to provide it.
1.30 The purpose of this audit was to provide assurance that controls are in place to meet the following objectives:
· A co-ordinated process is in place to assess a child’s educational, health and care needs;
· The assessment process is undertaken in a timely manner, in accordance with the SEND Code of Practice;
· EHC plans are monitored and reviewed annually and providers are challenged where the support set out in the EHCP is not being delivered; and
· There is adequate budget management around the EHC plan element of the SEND service.
1.31 In completing this work, we were able to confirm that management has established a SEND strategy, a monthly EHCP monitoring process and a firm control of the SEN high needs block budget. We were also able to provide assurance that EHC plans are being monitored annually. As a result, we were able to provide an audit opinion of reasonable assurance.
1.32 Some opportunities for improvement were identified, however, including the need to:
· Reduce reliance on one individual to perform key tasks such as extracting information to generate SEND monthly monitoring reports and the calculation of additional monthly top-up and exceptional funding for schools; and
· Ensuring professional advice from other bodies (which are used to facilitate the assessment and decision process over the issue of EHCP’s) are received in a timely manner, in accordance with the SEND Code of Practice.
1.33 A formal action plan to address these findings was agreed with management.
Adult Social Care Transformation Programme
1.35 The programme aims to deliver a model for the future delivery of ASCH which aligns with Council priorities and which also takes full account of the impact of the Covid 19 pandemic and any resulting requirements, including a review of the ASCH core offer to ensure the financial consequences are fully taken into account.
1.36 Whilst there are numerous components within this programme, we agreed with the management to focus, initially, on the projects relating to Commissioning and Income, due to the associated high financial risks in these areas.
1.37 To date, we have been included in the Income Working Group meetings in order to provide advice on proposed process changes within ASC Financial Services, which feeds into the Income Project. As part of this, we have advised on the potential risks of the use of electronic signatures and the possible controls to be included in the process. In addition, we have reviewed proposed process changes for carers personal budget (CPB) payments and highlighted potential areas of consideration for management.
1.38 We have also issued a position statement on the Shielding Group Project, where we reviewed the processes introduced by the Council in order to meet its statutory duty to those classified as clinically extremely vulnerable (CEV). Based on the work we completed, we were able to provide assurance that the Council had met its statutory duty regarding their responsibilities to the CEV cohort and that governance arrangements over the project had been properly established. Areas for consideration were shared with management in order to strengthen controls going forward and these were incorporated into a ‘lessons learned’ exercise undertaken in May.
1.39 Advice work with the Income Project and the two Commissioning Projects is ongoing into 2021/22, until the completion of the ASCH Transformation Programme.
Modernising Back Office Systems (MBOS) Programme Governance and Risk Management Arrangements (Phase 2)
1.40 The Modernising Back Office Systems Programme (MBOS) was approved by the Corporate Management Team (CMT) in September 2019 to enable the Council to go to market for a replacement to the current version of SAP. The MBOS Programme will look to implement a new system(s) that better meets the current and future needs of the Council and which provides optimal return on its investment.
1.41 The current SAP system was implemented in 2004 and will no longer be supported beyond 2025. The MBOS programme is expected to run until August 2024 with the new system(s) to be implemented in August 2023. The overall cost of the system is expected to be circa £25m. An initial audit, undertaken in June 2020, provided reasonable assurance that effective governance and risk management controls were in place for the programme. We were not able to provide assurance over all key areas as the programme was in its infancy and these areas had not been fully developed.
1.42 With the receipt of bids as part of the procurement exercise, the programme is entering a new phase. The governance structure has also changed since the previous audit with the creation of an Executive Board and the Programme Board becoming the Delivery Board. For these reasons, the Programme Board asked us to revisit the audit and update the assurance provided.
1.43 To save time and reduce the impact on the programme and the board, we have sought to identify areas of change, and did not re-audit areas that have not changed significantly since the last review.
1.44 In completing this work, we provided partial assurance over the governance and risk management arrangements operating within the programme because:
· Whilst a short-term timetable for the current procurement activities is in place, there was no overarching/indicative MBOS programme plan, including any supporting plan that covers the deployment approach for the entire period of the programme;
· Roles and responsibilities for the programme team had not been formally documented, signed-off and communicated, and were therefore found to be unclear;
· Our testing found there had been insufficient independent review of highlight reports prior to presentation to the Board, including a lack of appropriate input from the Subject Matter Experts (SMEs);
· The lessons learned review presented to the Programme Board in February 2021 was undertaken and produced by the former Programme Manager and as such, may not have provided sufficient objectivity and independence;
· Although there is a risk, assumptions, issues, and dependencies (RAID) log maintained at programme level and this is presented to the Board, there is currently no supporting framework/criteria to help in identifying and assessing risks;
· Monthly highlight reports presented to the Board required strengthening, including better information on overall plan delivery; and
· There was no documented framework to manage and approve any potential changes in programme scope, cost, and quality.
1.45 Despite the areas of improvement above, we noted that management had identified the need to improve the governance and risk management and a Programme Management Office (PMO) had been introduced to address the gaps. Based on discussions with the new Programme Lead, we are aware that a rapid discovery review was performed by the PMO and some of the issues noted in our review are already being addressed.
1.46 Actions have been agreed with management to address four high risk and nine medium risk findings identified during the review and we will therefore continue to work with the Programme Board, Programme Sponsor and recently appointed Programme Manager to support further improvements.
Modernising Back Office Systems (MBOS) Programme Governance Support
1.47 As explained above, the MBOS Programme was approved by the Corporate Management Team (CMT) in September 2019 to enable the Council to go to market for a replacement to the current version of SAP.
1.48 We have agreed a package of assurance work with the Programme Board along with the provision of ad-hoc advice and guidance on probity, control and governance issues as the programme progresses.
Cyber Security during COVID
1.49 Cyber-attacks on the Council’s IT systems and devices are a threat to the security of the Council’s data and could have a significant adverse impact on service delivery. Cyber security refers to the measures in place to combat these threats, and is defined as the protection of information systems, the data on them, and the services they provide, from unauthorised access, harm or misuse.
1.50 During the Covid-19 pandemic, the majority of Council employees have been working remotely - a change which was, through necessity, introduced quickly. For this reason, the Council are even more reliant on their IT network infrastructure.
1.51 This audit sought to evaluate whether suitable controls in relation to cyber security have remained in place, taking into account this new way of working and to ensure new controls are introduced where there are new or emerging risks as a result. Arrangements for protecting Council information systems, data and services, and the approach to responding to identified incidents, were also considered, primarily via structured interviews with key staff within the Information Security team.
1.52 We have not shared the specific details of our findings here, as this information could potentially be used in a successful cyber-attack. However, based upon the testing we have undertaken, we have been able to provide assurance that there have been no significant changes in cyber security arrangements due to remote working and other factors associated with the Council’s response to the Covid-19 pandemic. One previously identified control weakness in relation to cyber security remained in place, presenting a level of ongoing risk.
1.53 Overall we were able to provide an audit opinion of reasonable assurance over the control environment.
Property Asset Management System (PAMS) Data Governance and Migration
1.54 The current ESCC Property Asset Management System (PAMS) is a system known as ‘Atrium’, the provider of which has given notice that it will no longer be supported from 2021. The system is used to hold asset management data on all Council property and operates as a works order management system for repair and maintenance. It also interfaces with the Council’s current SAP ERP system.
1.55 The PAMS project sits under the Modernising Back Office Systems (MBOS) Programme and is governed by the MBOS Board. The project is focussed on transferring all functions carried out on Atrium onto a new asset management system.
1.56 The primary objective of this audit was to provide assurance that effective data governance and migration controls are in place for the PAMS project. Following our review, we were able to provide reasonable assurance over the control environment. In providing this opinion, we found that:
· A Project Definition Document and a specific work package for data migration have been developed, which defined both the scope and deliverables for data migration and archiving processes;
· Prior to the work package being developed, an extensive gap analysis and data quality review was undertaken;
· Data being migrated into the new system is being reviewed for its completeness and new data is being subject to a validation process against the relevant data categories to ensure that the transfer has been successful;
· Responsibilities for sign-off of data have been assigned and documented as part of the work package; and
· A data dictionary has been created and approved in consultation with the different stakeholders using the new system.
1.57 Some opportunities to further strengthen these arrangements were, however, identified, particularly in relation to documenting data migration and archiving processes, ensuing appropriate Data Impact Assessments are completed in all cases where these are required and clarifying data standards where necessary. Actions were agreed with management to improve controls in response to all of the findings identified during the audit.
Troubled Families
1.58 The Troubled Families (TF2) programme has been running in East Sussex since January 2015 and is an extension of the original TF1 scheme that began in 2012/13. The programme is intended to support families who experience problems in certain areas, with funding for the local authority received from the Ministry of Housing, Communities and Local Government (MHCLG), based on the level of engagement and evidence of appropriate progress and improvement.
1.59 Children’s Services submit periodic claims to the MHCLG to claim grant funding under its ‘payment by results’ scheme. The MHCLG requires Internal Audit to verify 10% of claims prior to the Local Authority’s submission of its claim. We therefore reviewed 17 of the 165 families included in the January-March 2021 grant cohort.
1.60 In completing this work, we found that valid ‘payment by results’ (PBR) claims had been made and outcome plans had been achieved and evidenced. All the families in the sample of claims reviewed had firstly met the criteria to be eligible for the TF2 programme and had either achieved significant and sustained progress and/or had moved from out of work benefits into continuous employment. We therefore concluded that the conditions attached to the TF2 grant determination programme had been complied with.
Department for Transport – Local Transport Authority Covid-19 Bus Service Support Grant Restart
1.61 The nationwide lockdown imposed in March 2020 as a result of the COVID-19 pandemic led to a significant drop in patronage on public bus services. To support operators through this time of drastically reduced income, the Department for Transport (DfT) released funding for Local Transport Authorities (LTA’s) to distribute to tendered services that had been affected by, or needed to be adjusted because of, the impact of COVID-19. The second tranche of this funding came in the form of a ‘restart’ grant, which aimed to support operators to increase capacity up to, and over where appropriate, 100% of pre-COVID levels.
1.62 The grant conditions required all bus operators in receipt of funding to provide up to 100% of usual service capacity or agree lower levels with the local authority. Operators receiving the commercial element of the COVID-19 Bus Service Support Grant could not submit a claim for this LTA funding, and were required to confirm that no services would be double funded, whilst local authorities were urged to maintain contractual payments at normal levels throughout the funding period.
1.63 Internal Audit were required to confirm that the funding had been used in line with the grant conditions, with our testing concluding that the grant conditions had been met. A confirmation letter was signed by the Chief Internal Auditor and Chief Executive, which was returned to the DfT on 7th April 2021.