Annexe A

 

Internal Audit and Counter Fraud

Quarter 3 Progress Report 2021/22

CONTENTS

1.      Summary of Completed Audits

2.      Counter Fraud and Investigation Activities

3.      Action Tracking

4.      Amendments to the Audit Plan

5.      Internal Audit Performance

1.      Summary of Completed Audits

East Sussex Pension Fund (ESPF)

 

1.1       East Sussex County Council (ESCC) administers and manages the East Sussex Pension Fund (the Fund) on behalf of 130 employers. The Fund is responsible for managing assets for the long-term benefits of scheme members in accordance with statutory regulations. The Pension Committee is responsible for making arrangements for the administration and investments of the Fund, receiving advice as appropriate from the Pension Board, which is a statutory requirement to assist the Scheme Manager in securing compliance with all relevant pensions' law, regulations and directions. The administration of the Pension Fund is now undertaken by ESCC, having previously been carried out by Orbis Business Operations.

1.2       The ESPF pools funds with another 10 funds as part of the ACCESS Pool, a collaboration of central, eastern and southern shires.  The ACCESS pool has assets of £32.9bn with the ESPF representing £2.3bn of these. 

 

1.3       The following paragraphs summarise our work relating to the Fund in quarter 3 which has been delivered in accordance with the pension fund internal audit strategy and plan. 

Pension Fund Governance

1.4       We reviewed the adequacy and effectiveness of governance arrangements over the Fund, to provide assurance that strategic oversight, risk management, reporting and communication processes are in place to maximise the likelihood that the Fund’s objectives are met. We looked to ensure that:

·           Governance arrangements are resilient and provide sufficient and effective oversight;

·           Risk management arrangements are robust;

·           Communication is efficient and effective;

·           Reporting arrangements ensure that poor performance is identified and corrected; and

·           Checks and guarantees on funding levels of new and existing employers are robust.

1.5       In completing this work, we were able to provide an opinion of reasonable assurance. We found that there is effective oversight by the Pension Board and Pension Committee to ensure that regulation is adhered to, and good practice principles are applied. A risk register is in place that is subject to regular scrutiny from the Board and Committee, and which is updated regularly.

1.6       Some opportunities for improvement were, however, identified, including in relation to:

·           Finalising and implementing the governance manual for the ACCESS Pool and establishing a performance management process for fund managers.  At the time of our review, we found that, although the Fund had made efforts to gain agreement within the ACCESS Pool to finalise and implement this, it still required approval from the pool’s Joint Committee prior to its implementation; and

·           Completing annual satisfaction surveys of employers to help ensure opportunities to improve the performance of the Fund are taken.

1.7       Actions to address these areas were agreed with management within a formal management action plan.

 

1.8       As part of the 2020/21 Pensions Administration audit, the scope included a review of the arrangements in place to ensure checks and guarantees on funding levels of newly admitted employers are robust. Whilst improvements had been made, at the time of this review, the action had only been partially implemented as documented procedures were in draft and templates were in development for the electronic admissions portal, which will provide greater control over the process for admitting new employers. This issue was not raised again as part of this audit but will be reviewed with management through the Internal Audit action tracking process.

 

Pension Fund – Compliance with Regulatory Requirements

1.9       The Council has statutory responsibility to administer and manage the fund in accordance with the rules of the Local Government Pension Scheme (LGPS), which are set out in the following regulations:

·           The Local Government Pension Scheme Regulations 2013;

·           The Local Government Pension Scheme Transitional Provisions, Savings and Amendment Regulations 2014; and

·           The Local Government Pension Scheme (Management and Investment of Funds) Regulations 2016.

1.10     The purpose of this audit was to provide assurance that controls are in place to ensure scheme governance, investment management and pension administration arrangements meet regulatory requirements.

1.11     As a result of our work, we were able to provide an opinion of substantial assurance in this area and there were no findings in our report.  There were three findings in our previous report, and we were pleased to note that these had all been implemented.

1.12     We found that:

·           all the required governance structures were in place and operating effectively;

·           investments are well controlled through an investment strategy, and appropriate advice is taken where required to ensure regulatory compliance; and

·           appropriate policies and procedures promote compliance with regulatory requirements.

Pension Fund - Implementation of Altair

 

1.13     Until April 2021, the administration of the Fund was managed through a collaboration with Surrey County Council as part of Orbis Business Operations.  In April, responsibility transferred to East Sussex County Council and a new, locally hosted, version of the administration software (Altair) was established.  Altair is the same system that was used by Surrey County Council to manage the East Sussex Pension Fund.

1.14     The objective of our work was to provide assurance that the implementation of the new version of Altair was properly controlled.  We looked to ensure that:

·           Data transfer, including scanned documentation, was complete and accurate;

·           Access rights to Altair were set-up appropriately, in accordance with users’ needs; and

·           Governance arrangements, including procedures and guidance, were effective in minimising the risk of fraud or error.

 

1.15     Based on the work completed, we found that robust controls were in place over the transfer of data.  Whilst a small number of issues relating to user access and governance arrangements were identified, these had already been picked up and reported on through our work in other pension fund audits and, as a result, it wasn’t necessary to raise these again.  Similarly, we didn’t provide an audit opinion on this occasion as the findings had already influenced the audit opinions of other audits. For completeness, the findings related to ensuring:

 

·           All users and their associated access, copied over from the previous system, were appropriate; and

·           There is a structured set of documented procedures and guidance for Altair users.

Revenue Budget Management

1.16     Budget management is fundamental in ensuring that the Council manages its funds effectively, allocates and delivers services to its residents, monitors performance and meets the defined priority outcomes. Robust budget management provides a process to identify potential and actual areas of overspend/underspend at an early point, so that the appropriate action can be taken to address these.

1.17     The purpose of the audit was to provide assurance that controls are in place in relation to the setting, forecasting, monitoring and reporting of budgets, training for budget managers, and action taken to address budget variances.

1.18     We were able to provide reasonable assurance over the controls in place for the management of revenue budgets.  We found robust processes across the organisation to facilitate the setting of detailed budgets and financial forecasts, including the use of department specific data, the Office of National Statistics (ONS) inflation data and pay award intelligence from trade unions.  Medium term financial planning (MTFP) is in place and subject to regular review, and performance against the MTFP is monitored as part of the Reconciling Policy, Performance and Resources (RPPR) process.  Budget holders are supported by Finance Officers on a regular basis through budget monitoring meetings, with the frequency of meetings determined by the level of risk assessed for each budget area.

1.19     A few areas were, however, identified, where improvements could be made. These included:

·           Scope to provide additional training for budget holders in some circumstances; and

·           Ensuring budgets are always assigned to appropriate officers in SAP (the Council’s main financial system) to ensure that oversight and monitoring are exercised.

1.20     Appropriate actions were agreed with management to address these areas.

Contract Management

1.21     The purpose of this audit was to ensure that a corporate framework is in place which supports effective contract monitoring and reporting in accordance with statutory and stakeholder expectations. The framework should provide the following:

 

·           Requirements for the use of contracts to ensure that third party expenditure has the appropriate contractual agreements;

·           Adequate guidance and training support for contract managers;

·           Adequate financial control to ensure delivery in accordance with the agreed budget and contract amount;

·           Corporate risk management arrangements that support effective contract delivery and data protection;

·           Adequate guidance to ensure that contractors are financially viable, properly insured and have effective business continuity planning; and

·           Adequate processes for managing any variations to the contracts and which comply with regulatory requirements.

 

1.22     In addition, following the completion of the framework review above, a limited review was performed to assess the level of compliance with the framework; including a survey of contract managers across departments in the Council.

1.23     Overall, we were able to provide an opinion of reasonable assurance. We found that a robust framework is in place which was developed by the Council’s Contracts and Commercial Advisory (CCA) Team. The framework is subject to regular updates to enhance its content and usefulness to contract managers. It is supported by guidance, templates and checklists available to contract managers to help them perform their responsibilities effectively. 

1.24     Management is also developing additional training that is specific and suitable to the needs of contract managers, and a new contract handover pack is being produced that will be provided to contract managers as soon as a new contract goes live, to further clarify their roles and responsibilities.

1.25     However, in conducting our testing, we identified the following improvement opportunities to enhance the framework, and to help ensure that departments comply with its requirements:

·           The results of the survey of a sample of contract managers indicated that not all were aware of the Council’s contract management framework or the guidance on the intranet.  Some also felt that they had not received sufficient training or did not understand their responsibilities for managing contracts;

·           Enhancing the framework through the inclusion of further information on the roles and responsibilities of contract managers, and signposting of guidance and templates;

·           Undertaking analysis and reporting to identify potential service areas that might not be complying with the Council’s Procurement and Contract Standing Orders relating to the use of standard contracts for spend in excess of £24,999;

·           Ensuring that all contracts held in the contracts management system (In-Tend) clearly identify the relevant contract managers; and

·           Ensuring that Key Performance Indicators (KPIs) are in place on contracts where appropriate.

1.26     Actions to address the above areas were agreed with management within a comprehensive management action plan. A more in-depth review of compliance with the corporate framework will be completed in 2022/23.

Vehicle Use

1.27     In recent years, we have received referrals raising concerns relating to the potential misuse of fleet vehicles. This includes allegations of personal use of vehicles and failure to keep up-to-date vehicle logbooks.  We therefore completed a review over vehicle usage to provide assurance that:

·           There is a policy in place that provides clear guidance on the use of the Council’s fleet vehicles;

·           There is a policy in place providing guidance on employee responsibilities when driving on Council business;

·           Fleet vehicles are used for business purposes only;

·           Individual teams maintain vehicle logs in line with Council policies; and

·           Individual teams are maintaining up-to-date records of staff driving licences and insurance details in line with Council policies.

1.28     In completing this work, we were only able to provide an opinion of partial assurance.  Although there are several policies in place over the use of vehicles, the policies are not always adhered to.  In particular, we found that mileage logs are not always completed in a clear and transparent manner and, as a result, we were unable to confirm that vehicles are not being used for private journeys.  In some instances, we found that fuel fill-ups were not being recorded and that reconciliation of mileage logs to fuel purchases by line managers is not taking place.  There were also instances identified where line managers were not annually checking staff driving licences and insurance documentation.

1.29     A number of actions were agreed with management to address these issues, including:

·           Reissuing of key guidance, including ‘The Safe Use of Motor Vehicles’ and ‘The Minibuses and People Carrier Operation Guidance’;

·           Sharing an example of a properly completed vehicle mileage log, demonstrating the key information that is required;

·           Reminders to line managers to retain and review mileage logs and fuel receipts, and to undertake timely reconciliation of these; and

·           Reminders to line managers to obtain and review staff driving licences (against the National Vehicle and Driver File for penalties and endorsements) and insurance certificates, on an annual basis.

1.30     We will undertake a formal follow-up review in this area as part of the 2022/23 internal audit plan.

Adoption South-East

1.31     Adoption South-East (ASE), a regional adoption agency, is a partnership of services from East and West Sussex County Councils, Brighton and Hove City Council, and Surrey County Council, with the aim of bringing the four adoption services together to offer best practice and experience from each. The formal partnership was established under a Section 75 pooled budget arrangement, with ESCC as the host authority.  The partnership became live on 1 April 2021 after a two-year period of development. For 2020/21, the annual budget for ASE was £5.5m, split as a percentage between the participating authorities (ESCC 26%, West Sussex 32%, Brighton and Hove 19% and Surrey 23%).

1.32     Our work in this area focussed on the governance and financial management of the agency, looking to ensure that:

·           Governance arrangements are effective in providing clear strategic direction for the partnership;

·           Harmonised policies produce a consistent and clear framework within which to work and ensure compliance with regulatory requirements;

·           The partnership complies with GDPR requirements; and

·           Adequate arrangements are in place to manage the pooled budget effectively.

1.33     Based on the work we completed, we were able to provide an audit opinion of substantial assurance in this area, for the following reasons:

·           There is a clear partnership agreement in place;

·           There is a well-defined governance structure, which is documented in the partnership agreement; 

·           An effective risk management process has been developed, helping to ensure that risks and issues are identified, evaluated and managed. This is regularly reviewed and updated;

·           The partnership is developing a Quality Assurance Framework with the aim of bringing an integrated approach to quality assurance across the service;

·           ASE has effective finance monitoring and reporting mechanisms in place; and 

·           There is a data sharing agreement in place for the partnering authorities of ASE which has been developed in consultation with data protection professionals. 

1.34     Two opportunities for improvement were identified.  One of these related to declarations of interest, where staff are currently required to declare potential conflicts of interest in the respective authorities’ Registers of Interests, but there is no process in place for sharing this information across the wider partnership.  The other was concerned with the fact that there is no means of confirming that all staff have undertaken the relevant GDPR and information governance training, which is currently the responsibility of individual sovereign authorities.  Actions to address these areas were agreed with management.

Robotic Process Automation (RPA) - Archive Electronic HR Files

 

1.35     Robotic Process Automation (RPA) is an emerging form of technology that uses software to perform tasks that programmers have specifically designed it to undertake, by reproducing actions that a human user will have previously performed. It is important to differentiate this from more traditional automation technology, which involves processes being undertaken, using technology, with minimal human intervention.

 

1.36     The Council wish to automate the process for archiving HR files for when an employee leaves. The process will consider the amount of time their electronic file needs to be retained for, which varies according to their employment history.

 

1.37     The aim of this audit was to provide assurance that controls were in place to meet the following objectives:

 

·           Clear documentation of processes is available in relation to the process of archiving of electronic HR files, which contain sufficient oversight controls;

·           Roles and responsibilities for the HR RPA are clearly documented and known by the relevant officers involved;

·           Sufficient legacy/succession system documentation is in place to ensure that the RPA can continue to be evolved and updated even when key people leave;

·           The RPA functions undertaken can be monitored and traced to ensure that accountability can be maintained, with sufficient testing taking place prior to go-live; and

·           The RPA operates in line with relevant data protection legislation.

 

1.38     In completing this review, we were able to provide substantial assurance over the controls in place with easily accessible process and guidance documents available to officers to help support the continued working of the ‘robot’ following implementation. We also found robust monitoring arrangements in place to ensure that the ‘robot’ is working as expected and to prevent errors from occurring.

 

1.39     While there were many areas of good practice, an opportunity to further strengthen controls was identified in relation to documenting and consulting with all key stakeholders linked to this process, including the Data Owner, who is the strategic decision-maker and ultimately accountable for the data.

 

1.40     In discussing this issue with management, appropriate actions were agreed to address it.

 

Public Sector Bodies (Website and Mobile Applications) Accessibility Regulations

 

1.41     The Public Sector Bodies (Website and Mobile Applications) Accessibility Regulations 2018 came into force in September 2018. All public sector bodies are required to comply with these regulations and failure to do so would constitute a breach of the Equality Act 2010. The regulations mean that the Council has a legal duty to make sure all its websites and applications meet accessibility requirements. They state public sector bodies must make their websites and mobile applications more accessible by making them ‘perceivable, operable, understandable and robust’. The people who need to use them are often the people who find them hardest to use.

 

1.42     The objectives of the review were to ensure:

 

·           Governance arrangements in place in relation to accessibility are robust;

·           There are adequate procurement and contract management arrangements in place to ensure that third party suppliers comply with accessibility legislation when handling information on behalf of the Council;

·           Officers are provided with appropriate and relevant guidance and training to aid compliance;

·           Roles and responsibilities in relation to accessibility are clearly defined to ensure sufficient oversight;

·           There is appropriate separation of duties in place to ensure that documents and web pages meet accessibility requirements prior to being published; and

·           Regular checks of published pages and documents are carried out to ensure that accessibility requirements continue to be met, including those that are managed centrally and those that are managed locally.

 

1.43     In providing an opinion of reasonable assurance, we found there to be clear governance structures in place with a senior officer providing oversight to the implementation of the accessibility regulations across the Council and reporting lines back to the Corporate Management Team.

 

1.44     Furthermore, comprehensive guidance and training were found to be in place to support those officers with responsibilities for ensuring accessibility regulations were being complied with, along with working groups to allow officers to discuss known issues and share best practice.

 

 

1.45     Despite robust governance and training available to Council officers, the current officers supporting implementation have not been released from their ‘business as usual’ role to allow for dedicated resources to focus on achieving the Council deadline for complying with the regulations. Given the resources that had been made available and the existing workloads, it was felt that achieving this deadline was optimistic.

 

1.46     In addition, checks to ensure that new IT systems procured were compliant with accessibility regulations were not present, increasing the risk of non-compliance, financial loss and reputational damage.

 

1.47     Actions to address all the issues raised have been agreed with management as part of a comprehensive management action plan.

 

Email Communication (Personal and Sensitive Encryption)

 

1.48     Email encryption is used to secure confidential data shared by email and can prevent email hijacking, as well as stop authorised recipients taking unintended actions with sensitive information.  It is important for organisations to maintain email protection to support management of the risk of cyber threats like social attacks that target organisations via email.  Further, securely encrypted emails help to prevent data breaches. 

 

1.49     The audit sought to provide assurance over the effectiveness of the arrangements for email communication involving personal and sensitive information. The review also considered the methods used to encrypt emails, training/awareness of staff and a high-level review of compliance across the Council.

 

1.50     The objectives of the audit were to ensure:

 

·           Clear policy and training are available to Council officers in relation to the communication of personal and/or sensitive information;

·           A system is in place to allow for the sharing of personal and/or sensitive information via email;

·           Personal and/or sensitive information is only sent to appropriate and validated recipients; and

·           Support is provided to service users to enable them to access the secure email protocols made available.

 

1.51     In providing an opinion of reasonable assurance, we found that:

·           There is evidence of clear comprehensive policies and guidance available governing the use of email for personal and sensitive communication; 

·           There is a robust secure email sharing system in place that has been fully integrated with Office 365 native email that is fully supported by ESCC IT&D;

·           ESCC governance officers are robust with regard to email security and routinely remind staff about good practice when sending sensitive and secure emails.  However, there is no system available to check whether the user is sending an email that should be encrypted; and

·           ESCC have multiple security processes in place and have employed third parties to routinely check email configuration and report back and inform ESCC if any issues are identified. 

1.52     Despite the framework of controls being in place, including appropriate technical controls, an end user questionnaire completed during our review did highlight that there is evidence of non-compliance and/or lack of awareness of the training and expectations placed on end-users when sending personal or sensitive information via email.  Actions were agreed to improve the awareness and expectations on end-users when sending emails that contain personal or sensitive information.

Modernising Back Office Systems (MBOS) Programme Support

 

1.53     The MBOS programme was approved by the Corporate Management Team (CMT) in September 2019 to enable the Council to go to market for a replacement to the current version of SAP.  A replacement system has now been selected. 

 

1.54     We have agreed a package of assurance work with the Programme Board along with the provision of ad-hoc advice and guidance on probity, control and governance issues as the programme progresses.  We continue to support the programme through attendance at the Programme Board.  Further updates will be provided in future reports as our ongoing work progresses in this area.

Adult Social Care Transformation

1.55     The Adult Social Care and Health (ASCH) Transformation Programme was developed in order to deliver a model for the future delivery of ASCH which aligns with Council priorities and takes full account of the Covid-19 pandemic and any resulting requirements.  On 26th October 2021, the ASCH Programme closure report was presented to the ASCH Departmental Management Team (DMT), which was agreed.  We drafted and presented an Internal Audit Progress Report at this meeting outlining the work completed throughout the programme’s lifecycle, the work in progress and the continuing support and advice we will offer after the programme has concluded.

1.56     Further to the previous updates on our work, we completed the following activities in quarter three:

·           We built on the advice provided as part of our attendance at the Direct Payment Project Group in relation to the invoice reconciliation process for East Sussex managed direct payment accounts and the issuance of Direct Payment Agreements. 

·           In addition, as part of our ongoing and continued work with ASCH, we reviewed and provided advice over the process in place for the Contain Outbreak Management Fund (COMF).  This is grant funding allocated by the Council to care providers in order to reduce the spread of Covid-19 and to enable the continuation of service.  We discussed the proposed controls for the process with management, which were proportionate and robust for the level of risk posed, considering the value of the funding and resource availability to administer the grant.

1.57     We will continue to support the implementation phase of the programme as and when required by management, as well as offering continued support and advice across the service from a risk and control perspective.

Schools

1.58     We have a standard audit programme in place for all school audits, with the scope of our work designed to provide assurance over key controls operating within schools. The key objectives of our work are to ensure that:

 

•     Governance structures are in place and operate effectively to ensure there is independent oversight and challenge by the Governing Body;

•     Decision-making is transparent, well documented and free from bias;

•     The school is able to operate within its budget through effective financial planning;

•     Unauthorised or inappropriate people do not have access to pupils, systems or the site;

•     Staff are paid in accordance with the school’s pay policy;

•     Expenditure is controlled, and funds are used for educational purposes;

•     Value-for-money is achieved on contracts and for larger purchases;

•     All unofficial funds are held securely and used in accordance with their agreed purpose; and

•     Security arrangements keep data and assets secure and are in accordance with data protection legislation.

1.59          At the time of writing, school audits are being undertaken through remote working arrangements. 

1.60     Two school audits were delivered in quarter three.  The table below shows a summary of these, together with the final level of assurance reported to them.

| Name of School | Audit Opinion |
|---|---|
| Etchingham CE Primary School | Reasonable Assurance |
| Five Ashes C of E Primary School | Reasonable Assurance |

 

1.61     At the end of quarter three, a further two school audits were either booked or underway.

 

 

Troubled Families

1.62     The Troubled Families (TF2) programme has been running in East Sussex since January 2015 and is an extension of the original TF1 scheme that began in 2012/13.  The programme is intended to support families who experience problems in certain areas, with funding for the local authority received from the Ministry of Housing, Communities and Local Government (MHCLG), based on the level of engagement and evidence of appropriate progress and improvement.

1.63     Children’s Services submit periodic claims to the MHCLG to claim grant funding under its ‘payment by results’ scheme.  The MHCLG requires Internal Audit to verify 10% of claims prior to the Local Authority’s submission of its claim.  We therefore reviewed 20 of the 199 families included in the October/December 2021 grant cohort.

1.64     In completing this work, we found that valid ‘payment by results’ (PBR) claims had been made and outcome plans had been achieved and evidenced.  All the families in the sample of claims reviewed had firstly met the criteria to be eligible for the TF2 programme and had either achieved significant and sustained progress and/or had moved from out of work benefits into continuous employment.  We therefore concluded that the conditions attached to the TF2 grant determination programme had been complied with.

2          Counter Fraud and Investigation Activities

Counter Fraud Activities

2.1       During the quarter, the team have been working to develop a Fraud Manual that documents the processes for progressing investigations and joint working with other services.

2.2       In addition, advice was provided to Children’s Services following two allegations relating to the service’s use of social media, as well as advice and support following a referral relating to the reconciliation of the Adoption Support Fund. The service successfully completed a reconciliation exercise, and no further investigation was therefore required.

2.3       Throughout the year, we are continuing to liaise with the services to ensure that matches from the National Fraud Initiative are being reviewed and processed, and we continue to monitor intelligence alerts and share information with relevant services when appropriate.

Summary of Completed Investigations

Re-procurement of Framework Agreement

2.4       An allegation was received relating to improper procurement practices in relation to the re-procurement of a large framework agreement within the Council.  The framework will be in place for 15 years and it is expected that contracts worth around £1.9m per annum will be let from it.  In response to the allegation, it was agreed that we would review the procurement arrangements.  The objective of the review was to ascertain whether the procurement was conducted fairly and in compliance with Public Contract Regulations.  A further objective was to identify any areas where controls could be strengthened.

2.5       As a result of our work, we concluded that the procurement was carried out fairly and complied with Public Contract Regulations.  However, we identified a need to clarify the governance arrangements around decision-making and ensure that tender documentation was clear to bidders. 

2.6       In particular, the need to strengthen controls was identified in the following areas:

·           Roles and responsibilities should be defined explicitly to promote transparency and accountability;

·           Decisions and their rationale, including those relating to the pricing methodology, should be documented clearly to ensure that they are fully understood and implemented consistently;  

·           There was a need to define the treatment of capital expenditure more clearly in tender documentation to ensure that all bids could be submitted on a consistent basis and in accordance with the Council’s requirements; and

·           Communication, including the sharing of information, should be strengthened to ensure all evaluators fully understand the scoring methodology.

2.7       A robust action plan was agreed with management to address these issues.

Infection Control Grant

2.8       Intelligence was received from two neighbouring local authority Internal Audit teams that they were independently investigating a specific provider of adult residential care associated with the alleged falsification of documents to support Department of Health and Social Care (DHSC) Infection Control Grant expenditure, and the alteration of Council correspondence for financial gain. Following receipt of this intelligence, a targeted investigation took place at ESCC into the Infection Control Grant expenditure by this same provider. Internal Audit reviewed information and invoices provided and undertook independent validation enquiries with suppliers. No irregularity was identified, and the provider was found to have complied with DHSC grant expenditure conditions. An investigation report was issued to the service and the matter was closed.

Pecuniary Interests

2.9       A review of the matches produced as part of the National Fraud Initiative identified a business interest that had not been included on an individual’s Declaration of Interest. A review confirmed that no conflict had arisen, and no personal gain was made. The individual concerned was reminded of their responsibilities in this regard and the Declaration of Interest has now been brought up to date.

False Documents provided to the Pension Service

2.10     Internal Audit provided support and advice to the Pension Service after a potentially false Will was submitted as evidence for a claim in respect of a death in service benefit. It was concluded that the Will was in all likelihood a false document, but as this did not change who the recipient of the death in service benefit would be, no further action was taken.

3.         Action Tracking

3.1       All high priority actions agreed with management as part of individual audit reviews are subject to action tracking.  As at the end of quarter three, 100% of high priority actions due had been implemented.

4.         Amendments to the Audit Plan

4.1       In accordance with proper professional practice, the internal audit plan for the year remains under regular review to ensure that the service continues to focus its resources in the highest priority areas based on an assessment of risk.  Through discussions with management, the following reviews have been added to the audit plan so far this year:

| Planned Audit | Rationale for Addition |
| --- | --- |
| UK Community Renewal Fund | Reported in Q1 progress report. |
| Building Security | Reported in Q1 progress report. |
| Broadband UK Grant - 2021/22 | Reported in Q1 progress report. |
| Heathfield Community College Follow Up | Reported in Q2 progress report. |
| Department for Work and Pensions Searchlight System Security Compliance | Reported in Q2 progress report. |
| Robotic Process Automation (to archive electronic HR files) | See 1.35 above. |
| Adoption South-East | See 1.31 above. |
| Vehicle Usage | See 1.27 above. |
| Procurement Data Analytics | In progress.  Using data analytics techniques to review creditor data, to ensure that the Council’s Procurement and Contract Standing Orders are complied with. |

4.2       All of the above work has been resourced from contingency/emerging risk days. To date, one audit, Building Condition Asset Management Follow-Up, was removed because the actions were dependent upon the new Property Asset Management System (PAMS) and separate work is underway to support the new system’s introduction.

 

4.3       The following audit work for the year remains in progress:

 

·           Payroll

·           Accounts Receivable

·           Accounts Payable

·           Pension Fund Administration – People, Processes and Systems

·           Pension Fund – Investments and External Control Assurance

·           Pension Fund – Altair Application Audit

·           Capital Project Management

·           Health and Safety

·           School Audits

·           LAS/Controcc

·           LCS/Controcc

·           Electronic Signatures

·           Property Asset Management System Replacement

·           Children’s Safeguarding Data Handling

·           Post Brexit Information Governance Arrangements

·           IT&D Strategic and Operational Risk Management Arrangements

·           Digital Postal Hub Application Audit

·           Network Access Management

·           Direct Payments Follow-Up

·           MBOS Programme Governance and Risk Management Follow-Up

·           Buzz Active Follow-Up

·           Social Value in Procurement Follow-Up

·           Apex (Home Care) Contract Management Follow-Up

·           Commissioning and Delivery of Property Projects Follow-Up

·           Robertsbridge Follow-Up

·           Procurement Data Analytics

5.         Internal Audit Performance

5.1       In addition to the annual assessment of internal audit effectiveness against Public Sector Internal Audit Standards (PSIAS), the performance of the service is monitored on an ongoing basis against a set of agreed key performance indicators as set out in the following table:

| Aspect of Service | Orbis IA Performance Indicator | Target | RAG Score (RAG) | Actual Performance |
| --- | --- | --- | --- | --- |
| Quality | Annual Audit Plan agreed by Audit Committee | By end April | G | The Annual Plan was approved by the Audit Committee on 26 March 2021. |
| Quality | Annual Audit Report and Opinion | By end July | G | The Annual Report and Audit Opinion was approved by the Audit Committee on 6 July 2021. |
| Quality | Customer Satisfaction Levels | 90% satisfied | G | 100% |
| Productivity and Process Efficiency | Audit Plan – completion to draft report stage | 90% | A | 64.6% achieved to the end of Q3, against a Q3 target of 67.5%. |
| Compliance with Professional Standards | Public Sector Internal Audit Standards | Conforms | G | January 2018 – External assessment by the South-West Audit Partnership gave an opinion of ‘Generally Conforms’ – the highest of three possible rankings. July 2021 – Internal Self-assessment completed, no major areas of non-compliance with PSIAS identified. January 2022 – Internal Quality Review completed, no major areas of non-compliance with our own processes identified. |
| Compliance with Professional Standards | Relevant legislation such as the Police and Criminal Evidence Act, Criminal Procedures and Investigations Act | Conforms | G | No evidence of non-compliance identified |
| Outcome and degree of influence | Implementation of management actions agreed in response to audit findings | 97% for high priority agreed actions | G | 100% |
| Our staff | Professionally Qualified/Accredited | 80% | G | 91% |


Appendix B

Audit Opinions and Definitions

| Opinion | Definition |
| --- | --- |
| Substantial Assurance | Controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
| Reasonable Assurance | Most controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
| Partial Assurance | There are weaknesses in the system of control and/or the level of non-compliance is such as to put the achievement of the system or service objectives at risk. |
| Minimal Assurance | Controls are generally weak or non-existent, leaving the system open to the risk of significant error or fraud.  There is a high risk to the ability of the system/service to meet its objectives. |