Annexe A
Internal Audit and Counter Fraud
Quarter 1
Progress Report 2021/22
CONTENTS
1. Summary of Completed Audits
2. Counter Fraud and Investigation Activities
3. Action Tracking
4. Amendments to the Audit Plan
5. Internal Audit Performance
1. Audits Completed in Q1 (April to June)
Procure to Pay
1.1 Procure to Pay is the end-to-end process from procurement of goods or services to the payment of the supplier. The central Accounts Payable team is responsible for the processing of payments to suppliers using SAP, the Council’s main financial system.
1.2 The purpose of the audit was to provide assurance that controls are in place to meet the following objectives:
• All payments (including non-order invoices, cheque requisitions and urgent payments where appropriate) are only made for valid goods, works or services that have been received;
• Payment runs are subject to appropriate review and authorisation;
• Only creditors that meet the needs of the Council and that do not already exist in the Accounts Payable system are set up. All creditors’ details are maintained accurately in the Accounts Payable system; and
• Transactions in the Accounts Payable system are completely and accurately transferred to (and reflected in) the General Ledger.
1.3 In providing an opinion of reasonable assurance, our sample testing indicated that the procure to pay system is operating effectively, with the majority of necessary key controls found to be in place. However, our work identified some opportunities to further strengthen the process, including in relation to:
• Ensuring mandate forms for Direct Payment recipients are fully completed with the required information, including vendor details, prior to upload into SAP, to help reduce any instances of incorrect payments;
• Completing a review of user permissions in SAP to ensure that members of staff do not have inappropriate and/or conflicting access rights; and
• Promoting compliance with Council procedures in relation to the raising of purchase orders through an education and awareness raising programme.
1.4 A robust action plan was agreed with management to address these issues.
Pension Fund Investments and External Control Assurance
1.5 East Sussex County Council (ESCC) administers and manages the East Sussex Pension Fund (the Fund) on behalf of 127 employers. The Fund is responsible for managing assets for the long-term benefit of scheme members in accordance with statutory regulations.
1.6 The Fund is a member of the ACCESS Pool, a collaboration of 11 LGPS Administering Authorities who are working together to reduce investment costs and gain economies of scale. The ACCESS Pool currently has a value of £53.9bn, with the ESPF representing £3.9bn of this.
1.7 As part of this audit, we reviewed the arrangements to manage investments, including pooling arrangements, and the internal controls of external fund managers. We considered the following objectives:
· Investment performance is in line with the expectations of the fund;
· Investment returns are received in full in a timely manner;
· Investment transactions are accurately reflected within the accounting system;
· The ACCESS operator, fund managers and the custodian maintain adequate systems of internal control; and
· Benefits of economy of scale deliver cost savings and value for money.
1.8 Based on the work carried out, we were able to provide substantial assurance in this area. Only a small number of opportunities for improvement were identified, including the need for:
· One of the investment managers to provide external control assurance reports in a timely manner in order to allow the Fund to assure itself that investments are appropriately safeguarded and to take the necessary action where this is not the case;
· Quarterly reconciliations between the Fund and custodian to be subject to secondary checks to ensure the accuracy of accounts; and
· Process documentation and best practice guidance to be easily accessible to reduce key person risk and help ensure consistency in Fund accounting.
1.9 Actions to address these areas were agreed with management as part of a formal management action plan.
Pension Administration Information Governance
1.10 The Council, as the administering authority and data controller for the Fund, hold significant volumes of personal data in order to accurately administer and manage the Fund and to satisfy the legal obligations outlined within the Local Government Pension Scheme Regulations (LGPS). This includes, but is not limited to, names, addresses, contact telephone numbers and email addresses, as well as information relating to dependents/nominated beneficiaries and special category data such as health status. Failure to adequately protect scheme member data can result in a personal data breach.
1.11 The Council has produced and published a Memorandum of Understanding regarding Compliance with Data Protection Law in relation to the LGPS which is available on the Council’s website. This document details the basis on which data will be shared between interested parties and the administering authority’s expectations of scheme employers.
1.12 The purpose of the audit was to provide assurance that controls are in place to meet the following objectives:
· Employees within the pension service are aware of their roles and responsibilities under the relevant legislation, including the General Data Protection Regulations, Data Protection Act and Local Government Pension Scheme Regulations, in relation to the security and ownership of data;
· There are clear processes in place that are instigated should there be a suspected data protection breach;
· The Council have issued a Privacy Notice which is available to all scheme members and pensioners and outlines the information they hold and how it is safeguarded;
· The Pension Fund systems (including the employer portal) are maintained to the required standard and system administration exercises and updates are completed by appropriately qualified officers;
· The “Principle of Least Privilege” is adopted for all pensions fund systems and information sources meaning that users are given the minimum levels of access/permissions needed to perform their role/responsibilities;
· Data sharing agreements are in place with all relevant parties; and
· Data Protection system requirements are being incorporated into the procurement process for the new sovereign Pension Fund system.
1.13 Based on the work carried out, we were able to provide an opinion of reasonable assurance over the control environment. Whilst areas of good practice were identified, some opportunities for improvement were also found, including the need to ensure that data subjects are provided with access to a Summary Privacy Notice and that the Full Privacy Notice is complete, ensuring compliance with General Data Protection Regulations. In addition, we found opportunities to ensure consistency between the length of time data is retained and the information provided to data subjects regarding data retention.
1.14 Actions to address these issues were agreed with management within a formal management action plan.
Building Security
1.16 As a result of these two incidents, and the lack of clarity around the reporting of the first incident, weakening the Council’s response, we carried out a review of building security, including arrangements to manage the access card and CCTV systems. This included system administration and the issuing of access cards. The review also covered the way the thefts were handled and reported.
The scope of the audit covered the following objectives:
• Management arrangements are in place to ensure Council buildings are secure from inappropriate access; and
• Arrangements are in place to ensure the effects of any breaches of security are minimised, culprits are identified, losses are made good (where possible), and security is strengthened where any gaps are identified.
1.17 Our work identified that controls were weak in a number of areas and, as a result, we were only able to provide an opinion of partial assurance. In giving our opinion, we acknowledged that a number of these weaknesses had already been identified by management and that policies and procedures were being drafted to strengthen controls.
1.18 A robust action plan was agreed with management. This included measures to:
• strengthen governance arrangements by finalising and implementing documented policies and procedures, including the identification of clearly structured roles and responsibilities;
• improve the process for cancelling door access cards when people, including consultants, leave the Council, supported by routine house-keeping procedures to identify any individuals whose cards remain active after they have left the Authority;
• make use of the full functionality of the access card system by configuring cards to give access that is more appropriate to users’ needs and run exception reports to identify cards’ potentially inappropriate use;
• improve records that identify keys (as opposed to access cards) to Council buildings, and the names of officers to whom they have been allocated, to ensure that they are complete, to reduce the risk of inappropriate access.
1.19 As we have given an opinion of partial assurance, we shall carry out a follow-up review to ascertain progress made in implementing the agreed actions.
Property Asset Management System (PAMS) Business Processes
1.20 The Property Asset Management System (PAMS) project is focussed on transferring all functions that were carried out on the former Atrium system onto a new asset management system (Tech Forge). In addition, it will ensure that all property functions required to achieve a full holistic property database are integrated and interfaced with the eventual SAP replacement.
1.21 The objective of the audit was to provide assurance that business process risks and issues within, and alongside, the new system are known, managed and suitably controlled, covering the following objectives:
· Risks to the performance and function of the system are known and clearly documented;
· Business processes are well documented, understood by the service and provide an effective control environment;
· Service items and associated costs receive appropriate approval within the new system prior to them being undertaken;
· Testing arrangements are in place prior to full implementation to help ensure the successful embedding of processes in the new system;
· User accounts and associated permissions are aligned to their role within the organisation.
1.22 This audit focussed on those processes covered under phase 1 of the PAMS project, with further work planned as the project progresses. The modules included under this phase were:
· Plant;
· Property;
· Estates;
· Help-call & Instructions;
· Inspections;
· Contracts;
· Questionnaires;
· Asbestos;
· Contractor Portal; and
· Mobile Apps.
1.23 Overall, we were able to provide reasonable assurance over the developing control environment, with new processes being executed as part of the Tech Forge implementation being well documented through detailed process maps. However, whilst these processes were used as the basis for user acceptance testing (UAT) and the configuration build for the new system, they have not always been subject to review and formal approval by management prior to the system configuration.
1.24 Financial authorisation controls have been implemented within the new system that are in line with the Council's Financial Regulations, with the system enforcing appropriate separation of duties. User access and permissions were also found to be appropriate.
1.25 Whilst a well-documented user acceptance testing (UAT) programme has been undertaken, with detailed test scripts and documentation to track issues in place, in some cases, further clarity was required as to how test failures were resolved, or appropriate action taken, before the new system was implemented.
Information Governance (Remote Working)
1.26 Information Governance (IG) sets out the way organisations process information. It covers personal information, i.e., that relating to service users and employees, and corporate information, such as financial records. The Information Commissioner's Office can issue fines of up to 4% of a company's annual turnover, or £20 million (whichever is greater) for the worst data offences.
1.27 Working arrangements at the Authority have changed dramatically due to the Covid-19 pandemic, with more staff working remotely and in more unfamiliar ways. As a result, there is an increased need for effective controls to ensure IG compliance.
1.28 The objective of this audit was to provide assurance that key controls are in place and are operating as expected to help ensure the storage, usage and sharing of information complies with IG laws, focussing on the following control objectives:
· Staff are aware of policy/procedure changes related to remote working;
· Service directors/managers are confident in their team’s knowledge in the reporting processes for data breaches and staff comply with IG policies and processes in place;
· Processes are in place to ensure data breaches are investigated and reported;
· New software/processes work smoothly with minimal IG issues;
· Authority equipment is used for official council business only;
· Digitised data is only accessible to authorised personnel and held securely.
1.29 Based on the work completed, we were able to provide substantial assurance over the controls operating in this area.
1.30 Relevant policies and guidance documents are available relating to remote working and information governance and these have been subject to recent review. IG has been heavily supported by the Data Protection Officer (DPO) and IG team who have proactively and reactively worked to ensure that IG has remained a key focus for the Authority, providing advice on changes to processes, driving and actively monitoring completion of the mandatory IG training.
1.31 We also confirmed that an effective data breach reporting system and log has continued to be updated throughout the pandemic by IG Officers, with actions taken following investigation of the breaches. IG has remained a priority during the pandemic for services that are processing high volumes of personal and sensitive data, with evidence of a good understanding of the importance of IG among the managers.
1.32 One medium risk finding was identified during our audit and an agreed action was implemented by management prior to the report being issued as final.
IT Asset Management During Covid
1.33 Since the outbreak of the COVID-19 pandemic and the UK being subject to lockdown measures, the need for officers to be able to work remotely has increased significantly for many organisations, including local councils, to be able to continue to provide services to the residents. This has put significant demands on authorities to provide IT assets to their staff to enable them to work remotely. In many cases, these officers were office based prior to the pandemic, so IT departments have had to respond by providing mobile devices (e.g. laptops and mobile phones) to a significant number of staff, as well as other peripheral items such as monitors and mice, to support Display Screen Equipment (DSE) requirements.
1.34 The objective of the audit was to provide assurance that controls are in place and are operating as expected to support effective ICT asset management during remote working arrangements, covering the following areas:
· Governance arrangements are in place for the procurement of hardware assets;
· There are recording and monitoring arrangements in place for all IT hardware assets, including those held away from an officer's main place of work;
· IT hardware assets are recovered in a timely manner when no longer required with records of any transfer maintained; and
· Appropriate security arrangements are in place for the storage of hardware assets.
1.35 Overall, we were able to provide reasonable assurance over the control environment. In summary:
· There has been no change in the procurement process of assets during Covid-19 working arrangements. New assets procured and received into the IT&D department are added to asset registers expeditiously;
· Documented procedures are in place to control the deployment and location of assets, with processes specifically designed for new starters during the Covid-19 period, allowing for assets to be delivered to new staff working from home in a secure manner;
· Whilst there has been no requirement to recover any assets surplus to requirements during the pandemic, there remains a need to develop documented processes covering this area;
· Although assets are stored securely within County Hall, with employees only able to access the storerooms via key card access, opportunities exist to review and refine the number of staff holding this access.
1.36 In all cases where controls require strengthening, appropriate actions have been agreed with management.
Modernising Back Office Systems Programme (MBOS)
1.37 The MBOS programme was approved by the Corporate Management Team (CMT) in September 2019 to enable the Council to go to market for a replacement to the current version of SAP. The MBOS Programme will look to implement a new system(s) that better meets the current and future needs of the Council and which provides optimal return on its investment.
1.38 The current SAP system was implemented in 2004 and will no longer be supported beyond 2025. The MBOS programme is expected to run until August 2024 with the new system(s) to be implemented in August 2023. The overall cost of the system is expected to be circa £25m.
1.39 We have agreed a package of assurance work with the Programme Board along with the provision of ad-hoc advice and guidance on probity, control and governance issues as the programme progresses. Whilst we have not undertaken any specific audit work this quarter, we continue to support the programme through attendance at the Programme Board. Further updates will be provided in future reports as our ongoing work progresses in this area.
ASC Transformation
1.40 The Adult Social Care and Health (ASCH) Transformation Programme aims to deliver a model for the future delivery of ASCH which aligns with Council priorities and that takes full account of the impact of the Covid-19 pandemic and any resulting requirements, including a review of the ASCH core offer to ensure the financial consequences are fully considered.
1.41 This programme is expected to be completed by August 2021, after which new processes and ways of working will be proposed for approval, and, if agreed, their implementation will commence.
1.42 Whilst there are numerous components within the programme, we agreed with management to focus, initially, on the projects relating to Commissioning and Income, due to the associated high financial risks in these areas. Further to previous updates on our work, we completed the following activities in quarter one:
· The Commissioning New Ways of Working project has been completed, and the lessons learned will be taken forward into business as usual. We have fed into the closure report for this project and have agreed with management to undertake a retrospective review of these processes to ensure they are robust;
· We have issued a progress report to the ASCH Departmental Management Team (DMT) to update it on the Internal Audit work completed. Following this, we met with all members of DMT individually to discuss potential legislative and process changes in their areas. These conversations will be ongoing throughout the year in order to continue to develop a collaborative and proactive approach between Internal Audit and ASCH, to ensure we are focused on reviewing the appropriate areas;
· In addition, we have met with the members of the ASCH Being Digital Strategy to discuss how Internal Audit can support this work going forward, from a risk and control perspective. This programme is reviewing mechanisms to enable those accessing ASCH services and those providing ASCH services, to become more digital, for example, the use of an Online Financial Assessment tool, which will support the implementation phase of the ASCH Transformation Programme.
1.43 Our advice work in this area will continue beyond the programme’s completion in August 2021.
UK Community Renewal Fund (UK CRF)
1.44 The UK Community Renewal Fund (UKCRF) provides £220 million additional funding to help local areas across the UK prepare for the UK Shared Prosperity Fund from April 2022 onwards. The fund invests in skills, community and place, local business, and supports people into employment. It is managed by the Ministry of Housing, Communities & Local Government (MHCLG), working in collaboration with local partners and communities across England, Wales, Scotland and Northern Ireland. The Fund is administered through a competitive process with no pre-set eligibility, and the government has identified 100 priority places based on an index of economic resilience in Great Britain.
1.45 ESCC have been assigned as a lead authority to issue invitations for bids, and to assess, and submit to the MHCLG, a shortlist of bids/projects. Technical rules and guidelines for spending under the fund are set out in the Government’s technical note to lead authorities, whilst the objectives of the fund and how delivery will be achieved are defined in the UKCRF prospectus 2021/22.
1.46 We were asked to review the proposed arrangements in place within ESCC for the administration, invitation, assessment and submission of bids. A terms of reference for this review was developed and agreed with the Head of Economic Development, Skills and Infrastructure. Given the tight timelines involved in the bid submissions, we agreed to provide audit input, advice and progress reports at different stages of the project. Our work was focussed on the following objectives:
· Procedures are in accordance with the UK Government guidelines for bid application, assessment, and shortlist of projects submitted to MHCLG;
· Effective publicity is given to the launch of the fund, including media and press releases in the local communities;
· The application process is clear, accessible, and bids submitted are safeguarded from potential alterations; and
1.47 In completing our work in this area, we found robust arrangements in place to deliver the requirements of the UK CRF. There were, however, some opportunities to strengthen the proposed processes. These were discussed with the project as it progressed and appropriate action was taken in respect of these.
1.48 Future audit work in this area will include reviewing the arrangements in place to ensure that funds are used in accordance with government guidelines.
Broadband UK
1.49 The 'e-Sussex' project, led by ESCC in partnership with Brighton & Hove City Council, was launched to improve internet access for homes and businesses in East Sussex. The project is overseen by Broadband Delivery UK (BDUK), part of the Department for Digital, Culture, Media and Sport.
1.50 During the first two phases of the programme, the Council received £10.7m and £3m of grant funding, respectively. Under the third phase, the Council received no grant funding and incurred expenditure of £1.9m. The purpose of our work was to confirm that expenditure had been incurred in accordance with the terms of the programme and that the figures stated in the return were correct. We also checked progress against the milestones in the programme to confirm that progress was as stated in the return.
1.51 No formal audit opinion was given with this work, but we were able to sign the return as correct. There were no findings arising and therefore no actions for improvement were needed.
Troubled Families
1.52 The Troubled Families (TF2) programme has been running in East Sussex since January 2015 and is an extension of the original TF1 scheme that began in 2012/13. The programme is intended to support families who experience problems in certain areas, with funding for the local authority received from the Ministry of Housing, Communities and Local Government (MHCLG), based on the level of engagement and evidence of appropriate progress and improvement.
1.53 Children’s Services submit periodic claims to the MHCLG to claim grant funding under its ‘payment by results’ scheme. The MHCLG requires Internal Audit to verify 10% of claims prior to the Local Authority’s submission of its claim. We therefore reviewed 19 of the 192 families included in the April/June 2021 grant.
1.54 In completing this work, we found that valid ‘payment by results’ (PBR) claims had been made and outcome plans had been achieved and evidenced. All of the families in the sample of claims reviewed had firstly met the criteria to be eligible for the TF2 programme and had either achieved significant and sustained progress and/or had moved from out of work benefits into continuous employment. We therefore concluded that the conditions attached to the TF2 grant determination programme had been complied with.
Travel-Related Grants
1.55 In addition, we carried out work to certify two further grants. The COVID-19 Emergency Active Travel Fund Grant was provided to support bus companies during the pandemic, at a time when few people were using the services. The Additional Dedicated Home to School & College Transport Grant 2020-21 provides further support to councils to cover extra costs incurred during COVID-19. In both cases, we sought to provide assurance that grant funding had been used in accordance with the grants’ respective terms and conditions.
1.56 No formal audit opinion was given with this work, but we were able to sign the returns as correct. There were no findings and no actions for improvement were needed.
2. Counter Fraud and Investigation Activities
Proactive Counter Fraud Work
2.1 Internal Audit deliver both reactive and proactive counter fraud services across the Orbis partnership. Work in quarter 1 has focussed on the following areas:
National Fraud Initiative Exercise
2.2 The results from the latest National Fraud Initiative exercise were received on 31 January 2021. We have continued to liaise with services to ensure that matches are reviewed and processed. So far, 4424 matches have been processed and 51 matches are currently under investigation. No financial savings have been recorded to date.
Counter Fraud Policies
2.3 Each Orbis partner has in place a Counter Fraud Strategy that sets out their commitment to preventing, detecting and deterring fraud, the previous version of which was approved by Audit Committee on 10 July 2020. We have recently reviewed and updated this document in light of updated national guidance, and this is being presented at this meeting for audit committee endorsement.
Fraud Risk Assessments
2.4 Fraud risk assessments are regularly reviewed to ensure that the current fraud threat for the Council has been considered and appropriate mitigating actions identified. We have updated the risk assessment to include new and emerging threats as a result of the COVID-19 pandemic. This includes potential threats to payroll, staff frauds relating to home working and cyber frauds.
Fraud Response Plans
2.5 The Fraud Response Plans take into consideration the results of the fraud risk assessments and emerging trends across the public sector in order to provide a proactive counter fraud programme.
Fraud Awareness
2.6 The team are continuing to monitor intelligence alerts and the latest fraud bulletin is currently on the Council’s intranet.
2.7 The team are currently developing fraud awareness training that will be delivered to Business Operations in response to the increased threat around bank mandate fraud.
Reactive Counter Fraud Work - Summary of Completed Investigations
Employed Elsewhere While on Sick Leave
2.8 Internal Audit provided advice to HR following a report that a member of staff who was on sick leave was working as a manager at a care home. The member of staff had already resigned prior to the information coming to the attention of the service. Any overpayment of salary will be recovered from the individual concerned.
School Issue
2.9 Advice and support was provided following the receipt of a referral alleging that £2,000 from the school PTA was being held insecurely. There was no evidence that the money was missing, and the school were in receipt of the £2,000. No further action was taken.
3. Action Tracking
3.1 All high priority actions agreed with management as part of individual audit reviews are subject to action tracking. As at the end of quarter 1, all high priority actions due had been implemented.
4. Amendments to the Audit Plan
4.1 In accordance with proper professional practice, the Internal Audit plan for the year is kept under regular review to ensure that the service continues to focus its resources in the highest priority areas based on an assessment of risk. Through discussions with management, the following reviews were added to the original audit plan during the year:
4.2 All of the above work has been funded through contingency/emerging risk days and, to date, no audits have been removed from the original audit plan for the year.
5. Internal Audit Performance
5.1 In addition to the annual assessment of internal audit effectiveness against Public Sector Internal Audit Standards (PSIAS), the performance of the service is monitored on an ongoing basis against a set of agreed key performance indicators as set out in the following table:
| Aspect of Service | Orbis IA Performance Indicator | Target | RAG Score | Actual Performance |
|---|---|---|---|---|
| Quality | Annual Audit Plan agreed by Audit Committee | By end April | G | Approved by Audit & Standards Committee on 26 March 2021. |
| | Annual Audit Report and Opinion | By end July | G | 2020/21 Annual Report and Opinion approved by Audit Committee on 6 July 2021 |
| | Customer Satisfaction Levels | 90% satisfied | G | 100% |
| Productivity and Process Efficiency | Audit Plan – completion to draft report stage | 90% | G | 23% |
| Compliance with Professional Standards | Public Sector Internal Audit Standards | Conforms | G | January 2018 – External assessment by the South West Audit Partnership gave an opinion of ‘Generally Conforms’ – the highest of three possible rankings. July 2021 - Internal Self-Assessment completed, no major areas of non-compliance with PSIAS identified. |
| | Relevant legislation such as the Police and Criminal Evidence Act, Criminal Procedures and Investigations Act | Conforms | G | No evidence of non-compliance identified |
| Outcome and degree of influence | Implementation of management actions agreed in response to audit findings | 95% for high priority agreed actions | G | 100% at end of quarter 1. |
| Our staff | Professionally Qualified/Accredited (Includes part-qualified staff and those undertaking professional training) | 80% | G | 91% |
Audit Opinions and Definitions
| Opinion | Definition |
|---|---|
| Substantial Assurance | Controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
| Reasonable Assurance | Most controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
| Partial Assurance | There are weaknesses in the system of control and/or the level of non-compliance is such as to put the achievement of the system or service objectives at risk. |
| Minimal Assurance | Controls are generally weak or non-existent, leaving the system open to the risk of significant error or fraud. There is a high risk to the ability of the system/service to meet its objectives. |