Appendix A

Internal Audit and Counter Fraud

Quarter 2 Progress Report 2021/22

CONTENTS

1.      Summary of Completed Audits

2.      Counter Fraud and Investigation Activities

3.      Action Tracking

4.      Amendments to the Audit Plan

5.      Internal Audit Performance

1.      Summary of Completed Audits

Pension Administration - People, Processes and Systems

1.1       The Council is the designated statutory administering authority of the East Sussex Pension Fund.  The Council has statutory responsibility to administer and manage the Fund in accordance with regulations of the Local Government Pension Scheme (LGPS).  The governance of the Fund is the responsibility of the East Sussex Pension Committee, and the Pension Board, supported by the Chief Finance Officer for East Sussex County Council.  The day-to-day administration of the Fund is provided by the Pensions Administration Team (PAT).

1.2       As at 31 March 2020, the Fund comprised 127 scheme employers with 25,002 active, and 31,234 deferred, scheme members.  The most recent actuarial valuation of the Fund was carried out under Regulation 62 of the Local Government Pension Scheme Regulations 2013, as at 31 March 2019. The valuation found that the funding level has improved from 92% in 2016 to 107% in 2019. 

1.3       The purpose of the audit was to provide assurance that controls are in place to meet the following objectives:

·           Payments made to pensioners are correct and on time;

·           Income due to the Fund is received in full and in a timely manner;

·           Clear and effective governance processes exist over pension administration to ensure efficient and effective delivery of the administration service;

·           The funding levels of new and existing employers are appropriate to meet their liabilities;

·           Transactions, data, and outputs from the system are complete and accurate.

1.4       Based on the work performed, we were able to provide an opinion of reasonable assurance over the control environment for Pension Administration.  Following the previous audit in 2019/20, in which an opinion of minimal assurance was provided, management has taken positive action to address the issues identified and this has resulted in the strengthening of controls in several areas.  This has happened during the Covid-19 pandemic and also at a time of significant change within the Administration service, including the dissolution of the Orbis Pensions Partnership between East Sussex County Council (ESCC) and Surrey County Council (SCC), and the project to introduce the new East Sussex pension database.  The Hymans data improvement plan has particularly enhanced the quality of data in Altair and improved the process of issuing Annual Benefit Statements to members.

1.5       One of the key issues flagged in the previous audit was the use of manual spreadsheets for the calculation of lump sum and transfer out payments, without checking back to the source information held in Altair. We found that the spreadsheets have now been discontinued and replaced with the Immediate Payment module. The launch of the second module (Admin to Pay) anticipated for September 2021 should fully address the issue of manual calculations outside of Altair. 

1.6       Some opportunities to strengthen controls further were identified, including the need to ensure:

·           agreements for admitted bodies to the Fund are clearly worded and updated appropriately where requirements change and are agreed, to avoid confusion and uncertainty over the need to obtain bonds;

·           there are formal documented procedures which define the end-to-end processes performed by the Pensions Administration Team;

·           key service standards in the Pension Fund’s Strategy document are tracked on the monthly scorecards, to ensure that service and delivery levels are monitored and reported on; and

·           pension calculations are evidenced by checks performed by another member of the team, to confirm the accuracy of the calculation undertaken.

1.7       Actions to address these areas were agreed with management within a formal management action plan.

Treasury Management

1.8       Treasury management is the management of the Authority’s investments and cash flows, its banking, money market and capital market transactions; the effective control of the risks associated with those activities; and the pursuit of optimum performance consistent with those risks.

1.9       The Council’s treasury management activities are regulated by a variety of professional codes, statutes and guidance.  The County Council has adopted the CIPFA Code of Practice for Treasury Management in the Public Sector and operates the service in compliance with this code.

1.10     The purpose of this audit was to provide assurance that:

·           the Council has established an appropriate Treasury Management Policy & Investment Strategy;

·           all lending and borrowing decisions are based on robust cash flow forecasting over the short, medium and long term;

·           investments are made with approved counterparties within approved limits, are correctly paid, authorised and are repaid by counterparties with the correct amount of interest;

·           borrowings are made only from approved organisations, are correctly authorised and repaid to counterparties with the correct amount of interest;

·           there is regular and independent reconciliation between the treasury management record, the bank account and the general ledger; and

·           officers and elected Members receive regular and informative training and performance monitoring information.

1.11     In completing our work, we found that robust controls were in place and we were able to provide an opinion of substantial assurance.  A small number of findings were made, including a medium rated finding, relating to the need to formalise reconciliation processes.  Appropriate actions were agreed with management to address these findings.

Risk Management

1.12     As with all local authorities, there is an element of risk in all the activities undertaken by the County Council in its daily operations.  Risks are recorded and managed both within departments and at a strategic level, and are subject to review by either the Corporate, or Departmental, Management Teams, as appropriate.

1.13     Considering the current economic climate and the pressures that local authorities are facing, many risks are becoming increasingly hard to mitigate.  In addition to this, the Council's changing risk appetite may result in an increased acceptance of risks that would previously have been avoided, at both departmental and strategic levels.

1.14     The purpose of this audit was to provide assurance that controls are in place to meet the following objectives:

·           The Council has in place a robust Risk Management Framework which facilitates the effective identification, assessment, and response (where appropriate) to risks.

·           Management ensure that risks are subject to appropriate identification, assessment and response (where appropriate) in accordance with the organisation’s Risk Management Framework.

·           Effective mitigations are in place to minimise the impact and / or likelihood of occurrence of the risks identified.

·           Robust reporting arrangements are in place to allow for effective senior officer and Member oversight.

1.15     We were able to provide an opinion of reasonable assurance over the control environment because there is an updated Risk Management Framework in place which defines the process for the identification and management of risks at both strategic and departmental levels, and is in line with best practice guidance.  In addition, there are robust processes for identifying and recording new risks within departments that could impact upon the achievement of objectives.  Risks at both departmental and strategic level are reported to senior management and Members, appropriately, and in a timely manner.  

1.16     Some areas where improvements could be made to further strengthen the arrangements include:

·           the need for formal training and/or refresher training for officers responsible for risk management across the organisation.

·           regular contact between the coordinators of departmental risks and officers within their departments, to ensure that risk registers are updated with adequate risk ratings and mitigations.

·           a defined process for the identification of new and emerging risks, to enhance the ability to implement appropriate measures.

1.17     A formal action plan to address the findings of the review has been agreed with management.

COVID-19 - Procurement Risk

1.18     The Covid-19 pandemic has resulted in a number of changes to the environment and working practices in relation to procurement, which has led to increased risks in a number of areas.

1.19     In response to the outbreak of Covid-19, the Cabinet Office issued two Public Procurement Notices (PPNs), which set out guidance on public procurement regulations to expedite procurement of goods, services and works in extreme urgency.  Authorities are permitted to do this using regulation 32(2)(c) under the Public Contract Regulations 2015.  The PPNs outlined measures that are considered necessary to ensure continuity of service provision in the short term, protect essential supply chains in the longer-term and, in particular, to retain capacity post-Covid-19.  As a result, changes to processes were made that may have affected the control environment.

1.20     The total estimated cost of direct awards to ESCC suppliers for urgent goods and services was £13.3m (£8.9m of which was for personal protective equipment). In addition, there were 61 contract extensions or modifications (c.£3.1m) and 66 contracts (c.£18m) were listed on the Council’s waivers log.

1.21     The purpose of this audit was to provide assurance that controls are in place to meet the following objectives:

·           Supplier relief (including hardship payments for services not provided) complies with statutory regulations, Council requirements and delivers sustainable services and value for money.

·           Repurposing of suppliers’ services complies with statutory regulations, meets genuine need and delivers value for money.

·           Transition to business as usual is effective in mitigating the risks of providing poor quality services and suppliers going into voluntary liquidation. 

·           All emergency purchases using P-cards comply with the statutory regulations provided in the PPNs.

·           Payments to suppliers under revised payment terms are processed correctly and no duplicate payments are made.

·           Extensions and variations to contracts comply with statutory regulations and the Council’s requirements.

·           Transactions, data and outputs from financial and procurement systems are complete and accurate.

1.22     Based on the work carried out, we have been able to provide an opinion of reasonable assurance over the controls in this area, with a high level of compliance with the statutory procurement policy notices (PPNs) issued by the government.

1.23     A waiver log has been maintained which includes reasons for the waiver, spend value and approvals obtained, and our tests of waiver requests noted in all cases that these were approved by the appropriate heads of service, chief officer and Head of Procurement.  Emergency procurements, direct awards, contract extensions and relief granted to suppliers were also subject to an appropriate level of scrutiny by the Council’s Procurement, Finance and Legal teams. These were all formally documented, approved and monitored on the emergency log maintained by Procurement.

1.24     The following areas for improvement were identified:

·           The need to publish contracts within 90 days of the contract award as required by the Official Journal of the European Union (OJEU) or the relevant UK notification service called Find a Tender (FTS), to avoid breaches of statutory requirements.

·           Pre-validation checks are performed before PPE is ordered, to minimise the risk of delivery of counterfeit products and non-compliance with health and safety requirements.

·           Contract variation letters for supplier relief granted are always formally signed off between representatives of the Council and suppliers, to prevent avoidable losses to the Council.

1.25     A formal action plan to address the findings above has been agreed with management.

DWP/Searchlight System Security Compliance (2021/22)

1.26     In February 2021, the Department for Work and Pensions (DWP) wrote to all S151 Officers and Senior Responsible Officers for Security (as defined by the DWP) for support in addressing an upward national trend in the number of suspected data breaches involving inappropriate access by local authority staff to the DWP & HMRC personal customer data held within the DWP's Searchlight System.

1.27     The data held within Searchlight, accessible by staff within the Adult Social Care Financial Services and Blue Badge teams, includes service users’ confidential benefit information held by the DWP.  There are approximately 22 staff with access to the data, along with six members of staff with administrator rights to enable the adding/removing of staff from the system.

1.28     This review was an addition to the agreed Internal Audit Plan for 2021/22 in response to the above-mentioned letter from the DWP and sought to provide assurance over the level of compliance within the Council with the expectations contained within the letter.

1.29     Overall, we were able to provide an opinion of reasonable assurance on the basis that:

·           Training undertaken by staff to embed sound data security principles within departments and as part of organisational GDPR training, helps to ensure that staff are suitably aware of the seriousness and potential consequences of a data breach incident.

·           ‘Management checks’ for which the user is required to provide evidence of a genuine business reason to access the record are undertaken, which helps to embed the message that staff must only access the system for a legitimate purpose.

·           There is a comprehensive training guide in place to help ensure that staff are aware of their data security responsibilities, along with a training checklist which assures the administrator that all relevant checks and training have been completed.

1.30     Although the DWP have set a deadline of 20th April 2022 for all staff Baseline Personnel Security Standard checks to have been completed, at the time of our audit, arrangements and responsibilities for completing these checks had not been formally agreed.  Appropriate actions have been agreed with management to address this and to help share good practice across the organisation.

Libraries Asset Management Follow up

1.31     The Library and Information Service (LIS) has 17 libraries and a central warehouse at Ropemaker Park, holding stock of approximately 500,000 books (including reserve stock and specialist collections).  In recent years, budget reductions have resulted in the closure of a number of libraries and the Schools’ Library and Museum Service (SLAMS), with the service disposing of around 50,000 books a year.

1.32     An audit of Libraries Asset Management was completed in 2020/21, in which an audit opinion of partial assurance was given. The audit contained 12 actions agreed with management, including two rated as high priority.  As a result, we undertook a follow up audit to provide assurance that the agreed actions from the previous audit had been implemented.

1.33     Our follow up work identified that, of the 12 actions agreed, five had been implemented in full, whilst three had been partially implemented.  Both high-risk actions had been implemented.  As a result of the improvements we identified, we were able to issue an improved opinion of reasonable assurance over the controls in place.

1.34     The actions that had not been implemented related to the need to:

·           strengthen the valuation process before the Council’s assets are sold;

·           maximise income by widening the pool of vendors who purchase our assets;

·           improve transaction details in SAP to clarify the nature of the sale;

·           document procedures for offering surplus books internally within the Council (e.g. to the Keep) before a decision is taken to dispose of them; and

·           ensure all officers complete declarations in the register of interests.

1.35     Revised timescales were agreed with management for all of these actions along with those previously only partially implemented.

Adult Social Care Transformation Programme

1.36        The Adult Social Care and Health (ASCH) Transformation Programme aims to deliver a model for the future delivery of ASCH which aligns with Council priorities and takes full account of the impact of the Covid-19 pandemic and any resulting requirements, including a review of the ASCH core offer to ensure the financial consequences are fully considered.

1.37     Whilst there are numerous components within the programme, we agreed with management to focus, initially, on the projects relating to Commissioning and Income, due to the high financial risks associated with these activities.  Further to previous updates on our work, we completed the following activities in quarter two:

·           Building on the advice provided in quarter one for the Income Project, we attend the Direct Payment Project Group meetings, to provide advice from a risk and control perspective.  This group has developed from the Income Project, whose work has now concluded. 

·           We have issued a Position Statement for the Direct Payments Intake Project, in which we detailed areas of consideration for management to take forward, and which have been agreed.  We have also provided advice on the proposed process for the Direct Payments Invoice Payment Project.  

·           We have attended meetings of the Personalised Care Strategic Review Board, which has discussed the initial scoping of personalised care, its delivery and associated risks.

·           As part of our continuing work with ASCH, we have provided advice over the Infection Control Fund process, which involves the allocation of grant funding to support care providers in East Sussex, to assist with continuation of their service.  Proposed areas of consideration to strengthen controls were discussed and agreed with management. 

1.38     Our support for the programme will continue as it develops towards its implementation stage.

Troubled Families Grant Certification

1.39     The Troubled Families (TF2) programme has been running in East Sussex since January 2015 and is an extension of the original TF1 scheme that began in 2012/13.  The programme is intended to support families who experience problems in certain areas, with funding for the local authority received from the Ministry of Housing, Communities and Local Government (MHCLG), based on the level of engagement and evidence of appropriate progress and improvement.

1.40     Children’s Services submit periodic claims to the MHCLG to claim grant funding under its ‘payment by results’ scheme.  The MHCLG requires Internal Audit to verify 10% of claims prior to the local authority’s submission of its claim.  We therefore reviewed 20 of the 203 families included in the July/September 2021 grant.

1.41     In completing this work, we found that valid ‘payment by results’ (PBR) claims had been made and outcome plans had been achieved and evidenced.  All of the families in the sample of claims reviewed had firstly met the criteria to be eligible for the TF2 programme and had either achieved significant and sustained progress and/or had moved from out of work benefits into continuous employment.  We therefore concluded that the conditions attached to the TF2 grant determination programme had been complied with.

Bus Service Operators Grant (BSOG)

1.42     BSOG payments from the Department for Transport (DfT) are made to local authorities for running community transport and bus services.  BSOG aims to benefit passengers by:

·           helping to keep fares down; and

·           enabling operators to run services that might otherwise be unprofitable and could lead to their closure.

1.43     The grant is ring-fenced and can be used to fund the provision of supported bus services or other related transport provision.  Internal Audit is required to audit a sample of routes and payments made to operators, annually.  The audit aims to ensure that payments are calculated accurately, in accordance with the formulae provided by the DfT, and that the conditions attached to the grant are complied with.  We were able to confirm that payments were correct and that the Council had complied with the terms of the grant, and a signed declaration was returned to the DfT within the required timescales.

Schools

1.44     During the quarter, two school audits were completed, one of which (Heathfield Community College) was a follow up audit after an opinion of partial assurance had been given in November 2019.  School audits review the adequacy of arrangements in place in the following areas:

·           Governance and decision-making;

·           Budget management;

·           School security;

·           Payments to staff;

·           Expenditure;

·           Income; and

·           The security of assets.

| Name of School | Audit Opinion | Areas Requiring Improvement |
| --- | --- | --- |
| Etchingham County Primary School | Reasonable Assurance | The school needs to ensure that: they formalise the governance arrangements to clarify responsibilities across the federation; the full range of pre-engagement checks are carried out on contractors, including safeguarding and public liability insurance; all new staff complete declarations in the register of interests. |
| Heathfield Community College (Follow up) | Reasonable Assurance | The college needs to ensure that: it complies with Procurement and Contract Standing Orders to ensure that value for money is achieved; purchase orders are raised in a timely manner in accordance with Financial Regulations; and Budget Share funds (public money) are kept strictly separate from the School Fund (private funds) in accordance with the Scheme for Financing Schools. |

2.         Counter Fraud and Investigation Activities

Counter Fraud Activities

2.1       During the quarter, three Fraud Awareness sessions have been delivered to Business Operations staff focusing on the risks to the Council of bank mandate fraud and cyber fraud.

2.2       In addition, the Council’s Counter Fraud Strategy has been reviewed and updated, and was presented to the Audit Committee on 17 September 2021 and subsequently approved by the Governance Committee.  The Fraud Risk Assessment has also been reviewed to ensure that the current fraud threat for the Council has been considered and appropriate mitigating actions identified.

2.3       Internal Audit are continuing to liaise with services to ensure that matches from the National Fraud Initiative are being reviewed and processed, and the team continue to monitor intelligence alerts and share information with relevant services as and when appropriate.

Summary of Completed Investigations

Mandate Fraud

2.4       A referral was made to Internal Audit following a member of staff receiving an email alerting them that their bank account had changed within the payroll system.  The change had not been instigated by the member of staff. Following an investigation, we were able to confirm that controls were in place to prevent such attempts but on this occasion the correct process had not been followed within the service responsible. The staff concerned have now attended Fraud Awareness Training and the incident has been reported to Sussex Police.

Deprivation of Capital

2.5       Internal Audit has provided advice and support to Adult Social Care in respect of two cases where clients, who had made an application for a Direct Payment, had potentially transferred assets away from their ownership before their financial assessments took place (known as deprivation of assets).  This is a fraudulent means of reducing a client’s net worth, which would increase the amount of financial support they would receive and is a criminal offence.  One case was referred to the police.  In the second case, we provided advice to the service relating to potentially false documentation, leaving the service to determine whether the client had deliberately deprived themselves of capital.

3.         Action Tracking

3.1       All high priority actions agreed with management as part of individual audit reviews are subject to action tracking.  As at the end of quarter two, 100% of high priority actions due had been implemented.

4.         Amendments to the Audit Plan

4.1       In accordance with proper professional practice, the internal audit plan for the year remains under regular review to ensure that the service continues to focus its resources in the highest priority areas based on an assessment of risk.  Through discussions with management, the following reviews have been added to the audit plan so far this year:

| Planned Audit | Rationale for Addition |
| --- | --- |
| Robotic Process Automation (to archive electronic HR files) | ESCC wish to automate the process for archiving HR files for when an employee leaves ESCC, using RPA technology. |
| Heathfield Community College Follow Up | Postponed due to Covid-19.  Reported on above (1.44). |
| Adoption South East | Adoption South East (ACE) comprises Services from East and West Sussex, Brighton & Hove and Surrey.  A formal partnership has been established under a Section 75 pooled budget arrangement, with East Sussex County Council as the host authority. This is to review the governance and financial management arrangements of the partnership.  Reinstated following removal from the 2020/21 audit plan. |
| UK Community Renewal Fund | The UK Community Renewal Fund (UKCRF) provides £220 million additional funding to help local areas across the UK prepare for the UK Shared Prosperity Fund from April 2022 onwards. The fund invests in skills, community and place, local business, and supports people into employment.  ESCC have been assigned as a lead authority to issue invitations for bids, and to assess, and submit to the MHCLG, a shortlist of bids/projects. We were asked to review the proposed arrangements in place within ESCC for the administration, invitation, assessment and submission of bids. As reported in our Q1 report. |
| Department for Work and Pensions Searchlight System Security Compliance | In February 2021, the DWP wrote to all Section 151 Officers and Senior Responsible Officers for Security for support in addressing an upward trend in the number of suspected data breaches involving inappropriate access by local authority staff to the DWP & HMRC personal customer data held within the DWP's Searchlight System.  This assignment sought to give assurance to the S151 Officer of the level of compliance with the expectations contained within the letter.  Reported on above (1.26). |
| Vehicle Usage | Following allegations over the potential misuse of Council fleet vehicles, we have added an audit to review their use, to provide assurance that vehicles are only used as per Council policy. |
| Building Security | As a result of thefts of ICT equipment from Council property, we carried out a review of building security, including arrangements to manage the access card and CCTV systems.  As reported in our Q1 report. |
| Broadband UK Grant - 2021/22 | To provide assurance that expenditure complied with the terms of the grant before signing off a return to the Department for Digital, Culture, Media and Sport. As reported in our Q1 report. |

4.2       All of the above work has been resourced from contingency/emerging risk days and, to-date, only one audit (Building Condition Asset Management) has been removed from the original audit plan for the year. This is because the actions from that audit are dependent upon the new Property Asset Management System (PAMS) and separate work is underway to support its introduction.  

5.         Internal Audit Performance

5.1       In addition to the annual assessment of internal audit effectiveness against Public Sector Internal Audit Standards (PSIAS), the performance of the service is monitored on an ongoing basis against a set of agreed key performance indicators as set out in the following table:

| Aspect of Service | Orbis IA Performance Indicator | Target | RAG Score | Actual Performance |
| --- | --- | --- | --- | --- |
| Quality | Annual Audit Plan agreed by Audit Committee | By end April | | The Annual Plan was approved by the Audit Committee on 26 March 2021. |
| | Annual Audit Report and Opinion | By end July | | The Annual Report and Audit Opinion was approved by the Audit Committee on 6 July 2021. |
| | Customer Satisfaction Levels | 90% satisfied | | 100% |
| Productivity and Process Efficiency | Audit Plan – completion to draft report stage | 90% | | 48.5% achieved to the end of Q2. On course to meet the year-end target of 90%. |
| Compliance with Professional Standards | Public Sector Internal Audit Standards | Conforms | | January 2018 – External assessment by the South West Audit Partnership gave an opinion of ‘Generally Conforms’ – the highest of three possible rankings. July 2021 - Internal Self-assessment completed, no major areas of non-compliance with PSIAS identified. June 2021 - Internal Quality Review completed, no major areas of non-compliance with our own processes identified. |
| | Relevant legislation such as the Police and Criminal Evidence Act, Criminal Procedures and Investigations Act | Conforms | | No evidence of non-compliance identified |
| Outcome and degree of influence | Implementation of management actions agreed in response to audit findings | 95% for high priority agreed actions | | 100% |
| Our staff | Professionally Qualified/Accredited | 80% | | 91% |


Appendix B

Audit Opinions and Definitions

| Opinion | Definition |
| --- | --- |
| Substantial Assurance | Controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
| Reasonable Assurance | Most controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
| Partial Assurance | There are weaknesses in the system of control and/or the level of non-compliance is such as to put the achievement of the system or service objectives at risk. |
| Minimal Assurance | Controls are generally weak or non-existent, leaving the system open to the risk of significant error or fraud.  There is a high risk to the ability of the system/service to meet its objectives. |