Annex B
1. Audits Completed in Q4 (December to March)
HR/Payroll
1.1 Employees’ salary payments account for a large proportion of the Council’s expenditure. The average gross and net monthly salary payments for 2020/21 were £19.6 million and £14.7 million, respectively. The Council’s payroll department is responsible for paying employees accurate amounts, on time, in accordance with organisational and regulatory policies.
1.2 As of 31 July 2021, there were 9,313 people (7,190 non-teaching and 2,123 teaching) employed by East Sussex County Council. The purpose of this audit was to provide assurance that controls are in place to meet the following objectives:
· Starters are properly approved, and pay is calculated and paid from the correct dates;
· Leavers are removed from the Payroll in a timely manner and paid correctly and accurately to the correct dates;
· Permanent variations to pay are properly approved, calculated and paid from the correct dates;
· Pay runs and BACS transmissions are correct and authorised;
· Payroll data is regularly reconciled to the General Ledger;
· Temporary payments (including additional hours, expense claims and payment to casual staff) are correctly authorised prior to processing; and
· Changes to data are reviewed, accurately input and authorised.
1.3 As a result of our work, we were able to provide an opinion of reasonable assurance, with the majority of controls operating as expected. However, we did identify some areas where controls could be strengthened further, and the following actions were agreed:
· Arrangements for approving the pay-run will be reviewed to ensure that appropriate segregation of duties is in place to reduce the risk of error;
· The recording of eligibility to work documentation will be improved to ensure that checks on new employees’ right to work can be evidenced;
· Controls to ensure that new starters’ letters are retained on their employment files will be strengthened, to ensure that all relevant contractual details are readily available if challenge arises; and
· Managers will be required to ensure that overtime paid to higher grade employees is paid at standard rates and that any exceptions are approved in accordance with agreed authorisation levels and evidenced as such.
1.4 A small number of low-risk actions were also agreed with management.
Pension Fund Investments
1.5 East Sussex County Council (ESCC) administers and manages the East Sussex Pension Fund (the Fund) on behalf of 127 employers. The Fund is responsible for managing assets for the long-term benefit of scheme members in accordance with statutory regulations.
1.6 The Fund is a member of the ACCESS Pool, a collaboration of 11 LGPS Administering Authorities who are working together to reduce investment costs and gain economies of scale. The Pool became live on 1 April 2018, in line with the deadline set by Central Government. As of 30 June 2021, members of the ACCESS Pool had assets worth £59.0bn, of which £32.6bn were managed by the Pool itself (with the remainder still being managed by the individual funds). The figures for the East Sussex Pension Fund were £4.5bn and £2.3bn, respectively.
1.7 The purpose of the audit was to provide assurance that controls are in place to meet the following objectives:
· Investment performance is in line with the expectations of the Fund;
· Investment returns are received in full in a timely manner;
· Investment transactions are accurately reflected within the accounting system;
· The ACCESS Operator, Fund Managers and the Custodian maintain adequate systems of internal control; and
· Benefits of economies of scale deliver cost savings and value for money.
1.8 Following our work, we were able to provide an audit opinion of substantial assurance because there are robust processes in place to ensure that investments are aligned with the expectations of the Fund, which include the review, monitoring, and quarterly reporting to the Pension Committee. Investment decisions are based on appropriate guidance from professional investment advisors and are made within the terms of the framework set by the Pension Committee to maximise the likelihood that investment performance meets the requirements of the Fund. The Custodian (Northern Trust) collects, records and reports on dividends/income earned on investments on behalf of the Fund in a timely manner.
1.9 However, a small number of areas were identified where controls could be strengthened further, including a need to:
· Produce process notes covering the management of investments, to ensure a consistent approach is applied and to provide resilience in the absence of key staff;
· Chase Fund Managers more robustly for explanations where control weaknesses are identified in their internal control reports, to obtain assurance that the weaknesses do not impact on the East Sussex Pension Fund’s investments; and
· Post journals more promptly to ensure that SAP reflects the Fund’s current position.
1.10 A robust action plan was agreed with management to address all of these issues.
LAS/ContrOCC
1.11 Liquidlogic (LAS) is the Council’s information management and authorisation system for Adult Social Care clients’ care needs. ContrOCC is the Council’s contracts and budget management system for Adult Social Care clients. The system is used to make payments to care providers and to collect contributions from clients towards the cost of their care. An automated interface allows LAS and ContrOCC to share key information. These are considered key financial systems, with £150 million of payments generated on an annual basis.
1.12 The purpose of the audit was to provide assurance that controls are in place to meet the following objectives:
· Only approved care packages are set up in LAS in accordance with the Council’s delegated authority;
· Payments to providers are complete, accurate, timely and only for services delivered; and
· Client contributions are correctly calculated, received in full, and accurately recorded.
1.13 In completing our work, we were able to provide substantial assurance that controls are in place and operating effectively. We found that controls ensured that amounts paid are in accordance with agreed care packages, appropriate monitoring arrangements are in place to identify any changes or errors and that contracts are in place before payments are made to new providers.
1.14 However, two findings were raised where we identified opportunities to improve the control environment and an action plan was agreed with management to ensure that:
· Some flowcharts, policies and procedures are updated to ensure they remain relevant and cover recent legislation; and
· The recording of decisions and actions within the LAS and ContrOCC systems is consistent and clearly evidences the approval of care packages.
Buzz Active – Follow-Up
1.15 Buzz Active is a non-profit service within East Sussex County Council that provides outdoor activities from three sites: Eastbourne, Cuckmere Haven and Bushy Wood. The Bushy Wood site is run under a co-operation agreement with the Scouting Association, allowing Buzz Active to offer activities on behalf of the Scouting Association. The activities offered by Buzz Active range from windsurfing and stand up paddleboarding, to first aid training.
1.16 An audit of Buzz Active was completed in 2019/20 and received an audit opinion of Partial Assurance. As part of our planned work for 2021/22, we agreed with management to undertake a follow up review of the audit of 2019/20, to provide assurance that the actions agreed had been implemented.
1.17 In completing this work, we found that appropriate action had been taken against a number of control issues previously identified. As a result, we were able to provide an opinion of reasonable assurance. However, despite these improvements, we identified the need for further improvement where some previously agreed actions had not been implemented or had only been partially implemented, including in relation to:
· ensuring that additional DBS checks take place following periods where seasonal staff have not been active;
· reviewing the staff training and qualifications log to ensure all qualifications remain up to date;
· ensuring that mandatory induction training takes place for all new staff; and
· ensuring that casual staff complete declarations in the register of interests at the beginning of the season rather than at the end.
1.18 Actions to address the outstanding issues identified were agreed with management as part of a management action plan.
Management of Social Value Requirements Follow-Up
1.19 The Public Services (Social Value) Act 2012 requires public authorities to factor in economic, social and environmental well-being in connection with public services contracts. The Social Value Charter, developed by Orbis Procurement, considers social value in all contracts over £100,000. The social value benefits that have been identified can then be measured and monitored through contract key performance indicators (KPIs). It is the responsibility of the contract manager to ensure these social value outcomes are delivered as part of the contract.
1.20 An audit of the management of social value requirements was completed in November 2019 with an opinion of partial assurance. We therefore conducted a follow-up review to assess the implementation of the improvement actions agreed as part of the original review.
1.21 In completing this work, we were able to provide an updated opinion of substantial assurance. Since the original review, an extensive refresh of existing guidance, procedural documentation and social value processes had taken place, with the aim to embed social value in commissioning, procurement and contract management activities across the Council. In addition, in conjunction with Surrey County Council, a Social Value Measurement Charter had been introduced to bring about a clear and objective way of identifying and evaluating social value in supplier bids.
1.22 Whilst there was clear improvement, some previously agreed actions had not yet been fully implemented and revised actions were agreed with management to:
· Set an overarching Council performance target on the ultimate delivery of social value within contracts; and
· Design a formal social value framework programme to facilitate decision-making on the social value approach adopted.
MBOS Programme Governance and Risk Management Follow-Up
1.23 The MBOS programme was approved by the Corporate Management Team (CMT) in September 2019 to enable the Council to go to market for a replacement to the current version of SAP. Following a procurement process, Oracle Fusion was selected as the replacement, and this is expected to go live in quarter 1 of the 2023/24 financial year.
1.24 This follow-up sought to assess and provide assurance on the progress made in implementing the agreed actions from the 2020/21 Programme Governance and Risk Management audit which received an audit opinion of partial assurance.
1.25 Overall, we found that there has been an improvement in the control environment within the MBOS programme and we were able to provide an updated opinion of reasonable assurance as a result. We found that:
· A comprehensive programme plan has been introduced which outlines the required programme activities, tasks, resourcing and timing, and this is actively monitored;
· Roles and responsibilities of those involved in the programme have been formally documented;
· Other key programme documents are now in place, including a Project Initiation Document, programme structure chart and change management documentation; and
· Risk management arrangements have improved with significant risks being presented to the MBOS Board.
1.26 Despite these improvements, not all the agreed actions from our previous review had been implemented (either fully or partially), including ensuring that:
· The Business Case for the programme is complete and includes information on costs and critical success factors;
· Gaps in programme resources are properly filled; and
· Board papers and highlight reports are published sufficiently in advance of meetings.
1.27 Working with programme management, further actions have been agreed to enable the continued improvement of the governance of this key Council programme.
Property Asset Management System (PAMS) Replacement - Phase 2 Business Processes
1.28 The Property Asset Management System (PAMS) is used to hold asset management data on all Council property and operates as a works order management system for repair and maintenance. It also interfaces with the Council’s current SAP ERP system.
1.29 The PAMS project is focussed on transferring all functions currently carried out on the ‘Atrium’ system onto a new asset management system (‘Tech Forge’). In addition, it aims to ensure that all property functions required to achieve a full holistic property database are integrated and interfaced with the eventual SAP replacement.
1.30 This review focussed on the progress that has been made in establishing, reviewing and testing business processes for Phase 2 of the PAMS replacement project. The following elements were considered:
· Documentation and understanding of business processes;
· Recording of risks in relation to business processes;
· Approval of service items and associated costs;
· Testing arrangements; and
· User accounts and permissions.
1.31 Due to the fact that the Phase 2 work was at an early stage, we were unable to provide assurance over some areas of the control environment and so issued a position statement for project officers which highlighted our findings and observations to date, including the need to ensure that:
· There is appropriate, formal sign-off of future processes by management;
· Risks relating to process changes are appropriately captured in the risk log; and
· Future User Acceptance Testing (UAT) includes appropriate commentary and a record of actions taken where test failures occur (previously lacking in Phase 1).
1.32 We will continue to provide support and advice in this area and will undertake further audit work to support the project during the year.
Digital Postal Hub Application Audit
1.33 The Digital Postal Hub (DPH) is a service allowing all inbound post to go to one place within the Council via SharePoint, where it is scanned and directly sent to the addressee. Similarly, outgoing post can be sent through a 'print and post' function, allowing post to be automatically printed, enveloped, and franked in the post room and then sent via Royal Mail.
1.34 The purpose of the audit was to provide assurance that controls are in place to meet the following objectives:
· System access is restricted to appropriately authorised individuals and the permissions provided to those users are in line with job functions;
· Data processed through interfaces is authorised, accurate, complete, securely processed and written to the appropriate file;
· Outputs produced by the system are complete, accurate, reliable, distributed on time and with confidentiality where appropriate;
· System updates and enhancements are performed in a consistent manner and subject to sufficient testing and authorisation before implementation; and
· Appropriate support arrangements are in place to manage changes within the system.
Pension System – Altair Application Audit
1.36 Altair is a pension administration platform, provided by Heywood Pension Technologies, which is used for both the back-office administration of the East Sussex Pension Fund as well as allowing members to self-serve through the Pension Portal.
1.37 Until recently, the administration of the Pension Fund was managed through a collaboration with Surrey County Council as part of Orbis Business Operations. In April 2021, responsibility transferred to ESCC and a new, locally hosted instance of the administration software (Altair) was established.
1.38 This review assessed all major input, processing and output controls of the main Altair application. It also covered the controls over the interface with the employer portal (i-Connect), to ensure appropriate system ownership and responsibilities are defined.
1.39 The audit sought to provide assurance that:
· There is no unauthorised or inappropriate access to confidential information;
· Only correct data is input into the system resulting in accurate records being held by the East Sussex Pension Fund;
· System outputs are correct, enhancing management information and leading to informed decision-making;
· System updates and enhancements are introduced in a controlled manner, reducing the risks to service delivery and/or vulnerabilities to malicious attacks against the system;
· The introduction of the employer portal interface (i-Connect) is well controlled and ensures that data is correctly transferred, outputs are accurate and that the risk of data breaches is mitigated against; and
· Changes to the system are communicated and supported effectively, reducing the risk of a negative impact on service delivery.
1.40 In completing this work, we were able to provide reasonable assurance over the controls in place. Areas of good practice included:
· Access to the system being appropriately controlled through unique user identification and password controls, with accounts being locked once attempts reach a pre-set limit;
· Access to Administrator level permissions within the Altair system, including the creation of new accounts, is restricted to a small number of appropriate users; and
· Data validation controls are in place in relation to the i-Connect system, to reduce the risk of erroneous data being input into the Altair system.
1.41 A small number of areas for improvement were identified and actions agreed with management to address these.
School Audits
1.42 We have a standard audit programme in place for all school audits, with the scope of our work designed to provide assurance over key controls operating within schools. The key objectives of our work are to ensure that:
• Governance structures are in place and operate effectively to ensure there is independent oversight and challenge by the Governing Body;
• Decision-making is transparent, well documented and free from bias;
• The school is able to operate within its budget through effective financial planning;
• Unauthorised or inappropriate people do not have access to pupils, systems or the site;
• Staff are paid in accordance with the school’s pay policy;
• Expenditure is controlled, and funds are used for educational purposes;
• Value-for-money is achieved on contracts and for larger purchases;
• All unofficial funds are held securely and used in accordance with their agreed purpose; and
• Security arrangements keep data and assets secure and are in accordance with data protection legislation.
1.43 At the time of writing, school audits were continuing to be delivered through remote working arrangements.
1.44 Three school audits were delivered in quarter four. The table below shows a summary of the schools audited, together with the final level of assurance they received. As all three audits received opinions of partial assurance, some of the key areas for improvement identified at each of the schools are summarised in more detail.
| Name of School | Audit Opinion | Areas Requiring Improvement |
| --- | --- | --- |
| Alfriston Primary School | Partial Assurance | · Payments to staff should be paid in line with organisational policy, including sufficient deductions for tax and national insurance at source, and appropriate approvals prior to payment. · Public Liability Insurance for contractors should be checked to ensure that sufficient and relevant levels of cover are in place. · The Head Teacher should provide independent review and approval over the monthly salary reconciliation process. · Purchase orders should be raised for all invoice purchases, prior to an order being placed with the supplier. |
| Forest Row Church of England Primary School | Partial Assurance | · The Scheme of Delegation, delegating financial approvals from the Governing Body to members of school staff, should be approved by Governors. · A staffing and class structure review, which has been identified as required, should be undertaken to manage future years’ budget provision. · Purchase orders should be raised for all invoice purchases, prior to an order being placed with the supplier. · A business continuity plan should be implemented to aid the school in continuing education should an incident occur. |
| West Rise Junior School | Partial Assurance | · The structure of the Governing Body should be reviewed to ensure that there is not over-reliance on one individual, and that vacancies are filled. · Declarations of interest should be accurately completed by all employees, with approval from the Head Teacher or an appropriate senior member of staff / Chair of Governors. · Governors’ interests should be checked to ensure accuracy where there is a known relationship or conflict. · There should be formal, evidenced approval of payroll and bank reconciliations, staff expense claims and purchase orders by the Head Teacher. |
2. Counter Fraud and Investigation Activities
Counter Fraud
2.1 Internal Audit are continuing to liaise with services to ensure that matches from the National Fraud Initiative are being reviewed and processed. In addition, the team are working with District and Borough colleagues to explore opportunities for further developing countywide data matching capabilities for the prevention and detection of fraud. We also continue to monitor intelligence alerts and share information with relevant services when appropriate.
Summary of Completed Investigations
Abuse of Position – Education Improvement Programme (EIP) Remuneration
2.2 During a routine audit at a school, it was identified that some off-payroll payments to senior staff, relating to EIP activities, had been made without appropriate approval and without the necessary deductions being made at source. Whilst we were unable to find any explicit guidance provided to EIPs or their Chairs on the permitted or expected usage of delegated funding to cover this work, our investigation identified a number of concerns regarding the procedures followed. These were reported to the Children’s Services Head of Education Improvement with a view to strengthening controls around the processing of EIP payments. Repayment of all the original sums concerned was agreed with the individuals to enable payment to be made through the correct route (payroll) with the necessary deductions at source.
Spear Phishing Attempt
2.3 The team provided advice after false invoices for payment, in respect of Housing Repairs and Property Voids, were sent to the S151 Officer. The invoices claimed that ESCC owed in excess of £29 million in respect of work conducted for housing repairs and reducing outstanding property voids in Hastings. Clearly, no payments were made, and the false invoices were reported to the Police, the National Anti-Fraud Network and the bank’s Fraud Team.