Planned Audit Reviews

Review Name

Outline Objective

Accounts Payable (Procure to Pay)

To review the processes and key controls relating to the accounts payable system, including those in place for ordering, the creation and maintenance of vendor details, the payment of invoices, goods receipting and promptness of payments.

Accounts Receivable

To review the processes and key controls relating to the accounts receivable system, including those in place for ensuring the accuracy of customer details, completeness, accuracy and timeliness of invoicing, recording and matching payments to invoices, and debt recovery.

Payroll

To review controls in relation to the staff payment system, including those relating to starters, leavers, temporary and permanent payments, variations of pay, and pre-employment checks.

East Sussex Pension Fund

The following audits and activities will be completed in relation to the East Sussex Pension Fund in accordance with the Internal Audit Pension Fund Strategy and Plan:

· Governance

· Investments and Accounting

· Cash Management

· The Administration of Benefit Payments

· I-Connect – Application Controls

· Pension Fund Cyber Security

· Pension Board/Committee Attendance and Advice

· Pension Fund Strategy and Plan Preparation

Financial and Benefits Assessments (Adult Social Care)

To review the key controls in place for the financial and benefits assessment process (where new processes have recently been introduced) to ensure the correct calculation of contributions from care clients and that accurate payments are made.

Public Health Grant

To review the processes and structure set-up for financial management, including monitoring, of the ring-fenced public health grant.

Corporate Governance

To review the arrangements in place in relation to corporate governance within the Council.

MBOS Programme Support and Other Delivery

As part of our support to the MBOS programme, we will provide the Programme Board with ad-hoc support and advice through attendance at the Programme Board meetings. To enhance our support, specific deliverable work has been agreed with the Programme Board and will provide assurance over the following areas: Business processes (both on and off system); System Security; User access, authentication and authorisations; Testing Arrangement; Data Cleansing, Governance & Migration; Interfaces and reconciliation; Disaster Recovery & Business Continuity; Training. Additional areas may be added as identified and agreed with the Programme Board.

Use of Consultants

To review the arrangements in place over the use of consultants within the Council in order to provide assurance that consultancy is subject to appropriate controls, is transparent and justifiable, and effective in achieving value for money. To review the initial assessment of need and decision to procure consultancy services, the procurement of consultants, ongoing management arrangements of consultancy contracts and the termination and review of these.

Contract Management

To assess the adequacy and effectiveness of contract management arrangements within the Council, specifically focussing on compliance with the Council’s contract management framework. A sample of high-risk, high-profile contracts will be selected for review in order to provide assurance over the management of these.

Climate Change

In 2019, the Council declared a climate emergency and set a target of achieving carbon neutrality from its activities by 2050 at the latest, in line with the target agreed by Parliament in 2019.  We will review the project management arrangements in place within the Council to deliver this ambition.

Beacon/Grove Park Project – Project Management

The majority of SEND school capacity in East Sussex is under academy control. Grove Park School is an all-through (age 4-19) maintained SEND school; however, part of its capacity is located on the campus of the nearby Beacon Academy. The Beacon/Grove Park Project is a development of parts of the Beacon campus to increase SEND capacity for Grove Park. This review will provide assurance that the project is properly managed to increase the likelihood that it is delivered to time, cost and quality.

Property Asset Management System Replacement

To provide pro-active support, advice and assistance to the property asset management system replacement programme.

Health and Safety

Following on from audit work in 2021/22 to review the health and safety framework and governance arrangements in place within the Council, this review will seek to ensure that health and safety policy and guidance is being complied with.  A sample of Council establishments will be selected for this purpose.

Adult Social Care Reform

In September 2021, the government set out its new plan for adult social care reform in England. This included changes to how people will pay for their social care. To provide audit advice and support over the new processes that will be developed and implemented in order to meet the statutory requirements of the reform.

Adults’ Safeguarding

To review the adult safeguarding process within the Council to ensure all safeguarding cases are appropriately investigated and any potential issues are addressed with corrective action being taken in a timely manner.  In addition, the audit will specifically review the safeguarding framework in place in preparation for the 2021 Health and Care Bill’s inspection programme by the Care Quality Commission.

Schools

We will continue our audit coverage in schools which will involve a range of assurance work, including key controls testing in individual schools and follow-ups of previous audit work where appropriate.  We will also work with our Orbis partners to provide information bulletins and guidance for schools on risk, governance and internal control matters.

Edge of Care Programme

The Children’s Services Edge of Care programme’s overall aim is to deliver a financially sustainable model which supports families to remain together and/or to retain lifelong links. The programme’s goals are:

· to reduce the number of 11-17 year olds becoming looked after and/or the length of time they are accommodated for, with a reduction in high cost, out-of-area placements;

· to reduce demand across services through effective interventions and positive professional relationships with families (whilst ensuring safe, ambitious plans / outcomes for young people); and

· to have a skilled, proactive, resilient workforce with strong relationships across partner agencies.

We will work with programme management to identify and agree how we can best support the programme, through the provision of independent audit advice, support and assurance.

Elective Home Education Processes

Elective home education is where parents decide to provide education for their children at home, or at home in some other way which they choose, instead of sending them to school full-time.  Where this happens, the Council has a moral and social obligation to ensure such children are safe and suitably educated, where there is a risk of harm and/or a lack of proper education. This audit will review the effectiveness of the Council’s monitoring arrangements in line with statutory guidance.

Home to School Transport

The Department for Education requires local authorities to provide home to school transport (HTST) for eligible children in order to facilitate attendance at school. This audit will assess the adequacy of controls within the HTST process, with specific areas of focus to be determined.

Highways Contract Reprocurement

To provide advice and support in relation to the arrangements for the re-procurement of a new highways maintenance contract, advising on risk, governance and internal control matters as they arise.

UK Community Renewal Fund

The purpose of the UK Community Renewal Fund (UK CRF) is to support people and communities most in need across the UK to pilot programmes and new approaches to prepare for the UK Shared Prosperity Fund.  In continuing our work in this area, we will review the monitoring arrangements devised within the Council to ensure that the projects selected to receive funding are complying with the terms and conditions of the agreements in place.

Waste Management

ESCC and Brighton and Hove City Council have held a Private Finance Initiative contract with Veolia South Downs Ltd since 2003 for the delivery and operation of waste facilities, along with recycling and disposal services for household waste across both authorities. We will work with management to identify key risks associated with the contract for audit review and assurance.

External Funding: Grants and Loans

The Council provides a number of different grants and loans to support businesses and other schemes within the county. This audit will assess the arrangements in place over the bidding and decision-making/approval processes, as well as the monitoring arrangements to ensure funds are being used in accordance with the grant/loan agreements.

Kofax IT Application Audit

Amongst other uses, the Kofax application is used across the Authority to redact personal and sensitive information prior to releasing information as part of Freedom of Information or Subject Access Requests.  This audit will review the effectiveness of the application controls for the Kofax application, including all major input, processing and output controls.  We will review the controls in place to interface with any other systems and ensure appropriate system ownership and responsibilities are known. 

Techforge IT Application Audit

The Techforge application has been implemented as the Council's property asset management system. The system has a number of modules; from a financial perspective, the highest risks relate to the repairs and payment modules. This audit will review the effectiveness of the application controls, including all major input, processing and output controls. We will review the controls in place to interface with other systems and ensure appropriate system ownership and responsibilities are known.

MetaCompliance IT Application Audit

The MetaCompliance application can be used to simulate phishing attacks, provide e-learning, and manage policy, awareness and privacy. This audit will review the effectiveness of the application controls for the MetaCompliance application, including all major input, processing and output controls. We will review the controls in place to interface with any other systems and ensure appropriate system ownership and responsibilities are known.

Proactis IT Application Audit

The Proactis system was implemented in April 2021 and is used to control and manage procurement and spend.  The system allows suppliers to upload and manage their own details including bank account information.  This audit will review the effectiveness of the application controls for the Proactis application, including all major input, processing and output controls.  We will review the controls in place to interface with any other systems and ensure appropriate system ownership and responsibilities are known. 

Information Governance (Subject Access Request and Freedom of Information Reporting Arrangements)

The Freedom of Information Act 2000 (FOIA), which came into effect on 1 January 2005, governs and increases rights of access to information held by public authorities (other than personal information, which continues to be governed by the Data Protection Act (DPA) 2018). Under the DPA 2018, an individual can submit a Subject Access Request (SAR) for the information which they are entitled to ask for under section 7 of the DPA 2018. This audit will look to provide assurance that controls are in place to allow the Authority to respond to all FOI and SAR requests in a timely manner and that there are sufficient reporting and governance processes in place to monitor and manage performance.

IT Asset Procurement (Value for Money)

The COVID-19 pandemic has put significant demands on authorities to provide IT assets to their officers to enable them to work remotely. In many cases, these officers were office based prior to the COVID-19 global pandemic, so IT departments have had to respond by providing mobile devices (e.g. laptops and mobile phones) to a significant number of officers, as well as other peripheral items such as monitors and mice, to support Display Screen Equipment (DSE) requirements. With the expansion of remote working, IT hardware is in greater demand than ever before.

The objective of the audit is to provide assurance that controls are in place and are operating as expected to ensure value for money is achieved from the procurement of ICT hardware assets.

Mobile Device Management

Mobile devices, such as smartphones and tablet computers, have the capability to store large amounts of data and can present a high risk of data leakage and loss. Devices are often valuable and are therefore attractive targets for theft and misuse. Mobile device management (MDM) involves monitoring, managing and securing mobile devices to ensure that the Council’s information assets are not exposed. MDM is usually implemented through the use of third-party software. The Council’s MDM solution is provided by Intune. This audit will consider the Council’s approach to managing the risks associated with the security of smartphones and tablets and the security and control of the data they contain.

Procurement of IT Systems

The procurement of IT systems often forms part of major transformation projects. The emergence of cloud-based systems also means it is easier than ever for services and departments to procure systems which can store and process significant amounts of Council data without corporate oversight. This audit, which complements our IT application audits, will seek to ensure that controls are in place so that all systems procured are subject to appropriate IT oversight and that all Information Security and Information Governance risks are known, understood and appropriately managed.

Cyber Security

Review of the key controls operating for managing the significant risks in relation to Cyber Security.

Building Security Follow-Up

A follow-up of the previous audit completed which received an audit opinion of partial assurance.

Building Condition Asset Management Follow-Up

A follow-up of the previous audit completed which received an audit opinion of partial assurance.

Contract Management Group Cultural Compliance Follow-Up

A follow-up of the previous audit completed which received an audit opinion of partial assurance.

Vehicle Use Follow-Up

A follow-up of the previous audit completed which received an audit opinion of partial assurance.

Transport Capital Grant Certification

To check and certify the grant in accordance with the requirements of the Department for Transport.

Traffic Signals Maintenance Grant Award

To check and certify the grant in accordance with the requirements of the Department for Transport.

Supporting Families (Family Focus) Grant Certification

Certification of periodic grant claims returns in-year on behalf of Children’s Services to enable the release of funds from the Department for Levelling Up, Housing and Communities.

Bus Subsidy Grant Certification

To check and certify the grants (including Covid 19 related grants) in accordance with the requirements of the Department for Transport.

Covid Test and Trace Grant Certification

To check and certify the grant in accordance with the requirements of Public Health England.

European Social Fund Transform Project

To check and certify the grant in accordance with the requirements of the European Social Fund.

Covid Outbreak Management Fund

To check and certify that the funding is used in accordance with the requirements of the Department of Health and Social Care.

Adult Weight Management Grant

To check and certify the grant in accordance with the requirements of the Department of Health and Social Care.

Service Management and Delivery

Review Name

Outline Objective

Action Tracking

Ongoing action tracking and reporting of agreed, high risk actions.

Annual Internal Audit Report and Opinion

Creation of Annual Report and Opinion.

Audit and Fraud Management

Overall management of all audit and counter fraud activity, including work allocation, work scheduling and Orbis Audit Manager meetings.

Audit and Fraud Reporting

Production of periodic reports to management and Audit Committee covering results of all audit and anti-fraud activity.

Audit Committee and other Member Support

Ongoing liaison with Members on internal audit matters and attending Audit Committee meetings and associated pre-meetings.

Client Service Liaison

Liaison with clients and departmental management teams throughout the year.

Client Support and Advice

Ad hoc advice, guidance and support on risk, internal control and governance matters provided to clients and services throughout the year.

Orbis IA Developments

Audit and corporate fraud service developments, including quality improvement and ensuring compliance with Public Sector Internal Audit Standards.

Organisational Management Support

Attendance and ongoing support to organisational management meetings, e.g. Financial Management Team (FMT), Statutory Officers Group (SOG).

Strategy and Annual Audit Planning

Development and production of the Internal Audit Strategy and Annual Audit Plan, including consultation with management and Members.

System Development and Administration

Development and administration of Audit and Fraud Management systems.

Contingencies

Anti-Fraud and Corruption

To cover the investigation of potential fraud and irregularity allegations as well as proactive counter fraud activities, including the National Fraud Initiative (NFI) data matching exercise.

Emerging Risks

A contingency budget to allow work to be undertaken on new risks and issues identified by Orbis IA and/or referred by management during the year.

Contingency

A contingency budget to allow for effective management of the annual programme of work as the year progresses.