Annexe A
Internal Audit and Counter Fraud
Quarter 1 Progress Report 2022/23
CONTENTS
1. Summary of Completed Audits
2. Counter Fraud and Investigation Activities
3. Action Tracking
4. Amendments to the Audit Plan
5. Internal Audit Performance
1. Summary of Completed Audits
Accounts Receivable
1.1 The Accounts Receivable function is responsible for ensuring that all income due to the Council is collected effectively and efficiently, banked promptly and is correctly accounted for.
1.2 This audit aimed to provide assurance over the key controls operating within the Accounts Receivable system, including those in place for ensuring the accuracy of customer details, the accuracy of invoicing, the recording and matching of payments to invoices, and completeness of debt recovery.
1.3 Overall, we were able to provide an opinion of substantial assurance in this area. We found the system to be well-controlled, with areas of good practice including that:
· An up-to-date income collection policy is in place and available to all staff via the intranet;
· Invoices requests are supported by adequate proof of debt;
· There is a robust process for dealing with incorrectly raised debts and overpayments;
· Credit notes are appropriately authorised;
· Unallocated income is held in suspense accounts which are regularly reviewed to ensure the correct allocation of monies; and
· An aged debt analysis is completed and distributed to nominated officers to review on a monthly basis.
1.4 Whilst we were able to provide a substantial audit opinion in this instance, a small number of areas for improvement were identified, including the need to ensure that reconciliations, undertaken to confirm that customer balances match the relevant control accounts, are approved in a timely manner. Actions to address this and some other minor actions were agreed with management.
Procure to Pay
1.5 Procure to Pay is the end-to-end process from the purchasing of services to the payment of the supplier. The central Accounts Payable (AP) Team is responsible for the processing of payments to suppliers using the AP system, which is a sub-module within SAP, the Council’s main financial system.
1.6 This audit aimed to provide assurance over the key controls operating within the Procure to Pay system, including those in place for ensuring the accuracy of vendors’ details, processing of invoices, goods receipting and promptness of payments.
1.7 As a result of our work, we were able to provide an audit opinion of substantial assurance in this area, with key controls in place and operating as expected. Only a small number of actions were agreed with management to further improve controls, including the need to remind cost centre approvers of their responsibilities in checking non-order invoice payments prior to approval.
Pension Fund Administration – People, Processes and Systems
1.8 East Sussex County Council (ESCC) is the designated statutory administering authority of the East Sussex Pension Fund. The Council has statutory responsibility to administer and manage the fund in accordance with the Local Government Pension Scheme (LGPS) Regulations. The day-to-day administration of the Fund was previously provided by Orbis Business Operations, but this responsibility was transferred to the Pensions Team at ESCC on 1 April 2022.
1.9 This audit tested the controls employed by management in relation to the calculation and payment of pension benefits; transfers to and from the Pension Fund; and the collection and recording of pension contributions (including contributions from admitted and scheduled bodies).
1.10 In completing this work, we were able to provide an opinion of reasonable assurance over the adequacy and effectiveness of controls in place. However, whilst a number of areas of good practice were identified, including the majority of actions agreed as part of the previous audit being implemented, some opportunities for improvement were also found, including the need to ensure that:
· When submitting monthly pension contributions and returns, employers, via their Section 151 Officer or equivalent, certify that the returns are correct, thus helping to ensure that all contributions due are accurate and received;
· Historical data, that sits outside of the pension system and relates to members transferring into the scheme, is properly safeguarded via password protection and only retained for as long as is necessary in line with General Data Protection Regulations (GDPR);
· Procedure notes are in place to cover the many processes undertaken by the Pension Team;
· Data integrity is maintained when setting up new members in the pension system and that no assumptions are made where key data is missing e.g., title, gender, etc., with the need to seek clarification where necessary; and
· Checklists, which are used to ensure calculations are correct, are fully completed.
1.11 Actions to address these areas were agreed with management within a formal management action plan.
Commissioning and Delivery of Property Projects Follow-Up
1.12 In undertaking an audit of Commissioning and Delivery of Property Projects, which was completed in April 2021, we concluded an audit opinion of minimal assurance. The review focussed on the commissioning, planning and delivery of a sample of property projects within the Council. In providing this opinion, we found fundamental weaknesses in relation to various parts of the commissioning and delivery of projects.
1.13 Whilst this work was being undertaken, details of an overspend on the project to extend the SEND facility at Robertsbridge Community College (RSENP) emerged. We were therefore requested to carry out specific work to identify the reasons why this project’s budget had over-spent. Because the control issues were common to both audits, no audit opinion was provided for this additional review, but an action plan for improvement was agreed with management.
1.14 As a result of the opinion given, we undertook a follow-up audit to provide assurance that all the agreed actions had been implemented. As the control weaknesses identified in both audits were similar, and many of the agreed management actions in the resultant reports were identical, we combined the results of our follow-up testing into a single report. This allowed us to agree, with management, a single, consolidated, action plan to provide a clear way forward to address any outstanding issues.
1.15 Overall, we found that significant progress had been made by management in addressing the findings of our previous reviews. As a result, we were able to give an improved opinion of reasonable assurance.
1.16 Whilst clear improvement had been achieved, there were some actions that had only been partially implemented and these were consolidated into a plan containing seven new findings, all of which we deemed medium risk. These related to the need to:
· Further strengthen project governance arrangements by defining roles and responsibilities more clearly;
· Document the circumstances when project initiation documents (PID) are not required, to promote consistency and improve project control;
· Produce further guidance on change control and contract variations, to help control costs more effectively;
· Strengthen risk management arrangements;
· Ensure that the scope and any limitations to feasibility studies are fully understood by client teams before they make decisions based on them;
· Provide further support to client teams in the production of their business cases; and
· Include guidance to ensure that any changes to a project’s scope are agreed by the client.
1.17 Robust actions with new timescales were agreed with management to address all of these findings.
Adult Social Care Being Digital Programme – Governance Arrangements
1.18 The Adult Social Care and Health (ASCH) Being Digital Programme was established to improve and increase digitisation across the department. We were asked by management to undertake a high-level review of the governance arrangements for this programme as these were being developed, to ensure they were robust and to manage key risks to the achievement of the programme’s delivery. Due to its real time nature, this was a non-audit opinion piece of work.
1.19 Based on the work we completed, we found appropriate governance and risk management arrangements in place. However, some areas were identified to further strengthen these which were discussed and agreed with management and will be incorporated into current governance arrangements. These included:
· Reviewing and updating terms of reference for the Steering, Inclusion and Project groups of the programme where staff changes had occurred, to ensure they accurately reflect the responsibilities and membership of the group;
· The development of a Programme Initiation Document; and
· Regular review and update of programme level risks.
Contract Management Follow-Up - APEX Prime Care
1.20 Apex Prime Care Ltd is one of ESCC’s top providers, by value, of homecare services. It provides homecare for the elderly and specialist support for anyone who cannot wholly look after themselves. Apex Prime Care Ltd is responsible for ensuring that the homecare service provided meets the Council’s needs, including compliance with safeguarding requirements.
1.21 The Apex Prime Care Ltd contract commenced on 25 October 2014 and was due to run until 26 October 2021. Due to COVID-related delays in re-procuring its replacement, the contract was extended until January 2023.
1.22 An audit of the contract management arrangements of this contract was completed in June 2019 and we provided an opinion of partial assurance. We have, therefore, undertaken a follow-up review to assess the extent to which the agreed actions from the previous audit had been implemented. Based on our work, there had been an improvement in control and, as a result, we were able to provide an opinion of reasonable assurance. We found that:
· Provider performance is managed through regular provider meetings and liaison. Performance issues are identified and monitored through provider data and user feedback;
· Risks are captured, discussed and assessed;
· Market intelligence from the Care Quality Commission (CQC) is utilised to provide assurance that Home Care suppliers are financially viable and have the resources needed to provide, and continue to provide, services to the required standards; and
· Contract variations are controlled by Adult Social Care (ASC) procurement. Variations are routinely made as part of the operational recommissioning process.
1.23 Only two actions had not been fully implemented relating to the need to:
· Clarify roles and responsibilities for commissioning, contract management and procurement to help ensure intended outcomes are achieved;
· Establish a contract management plan.
1.24 Measures to address these findings were agreed with management, with opportunities to further strengthen controls to be taken following re-procurement, when a new homecare contract goes live.
Managing Back Office Systems (MBOS) Programme
1.25 The Modernising Back Office Systems Programme (MBOS) was approved by the Corporate Management Team (CMT) in September 2019 to enable the Council to go to market for a replacement to its current Enterprise Resource Planning (ERP) tool - SAP. The MBOS Programme is seeking to implement a new system that better meets the current and future needs of the Council and which provides optimal return on its investment. The current SAP ERP system was implemented in 2004 and will no longer be supported beyond 2025.
1.26 Whilst we have not concluded any specific audit work in this quarter, we continue to support the programme through attendance at the Programme Board and Working Groups where we provide ad-hoc advice, challenge and support. A program of audit work has been agreed with the Board to support the programme going forward, and work currently in progress includes reviewing the adequacy of controls within proposed business processes, providing assurance over data quality and archiving, as well as revisiting and re-reviewing governance arrangements as the programme prepares to move into the post-procurement stage.
1.27 Electronic signatures deliver a way to sign documents online and their use is increasing across the organisation. This can make Council processes more efficient due to the ability to sign documents remotely, particularly at a time when many people are working at home. The use of electronic signatures makes document creation and signing seamless and retains the value of an, historically, offline process.
1.28 The purpose of this audit was to provide assurance that:
· Adequate arrangements are in place to ensure the Council is aware of electronic signature usage and has had the opportunity to ensure that risks associated with this are properly managed, prior to implementation; and
· Adequate controls exist over the implementation and usage of electronic signatures.
1.29 In completing this work, we found that the use of electronic signatures falls into two broad categories. Firstly, the use of external software/electronic signatures such as ADOBE Sign and DocuSign which can pose risks to the Council if the level of security and protection of the systems are not assessed and controlled. Secondly, the use of scanned images of handwritten signatures which are retained and appended to documents as required.
1.30 Overall, we were able to provide an audit opinion of reasonable assurance over the adequacy and effectiveness of controls in place. Whilst a number of areas of good practice were identified, including the Council’s Information Security and Governance Team having a robust risk assessment process for the roll out of electronic signature systems, some areas for improvement were identified, including the need to:
· Ensure technical risk assessments are performed prior to using electronic signature software, and to increase awareness of this requirement;
· Establish corporate guidance which specifies the Council’s expectations over the use and control of electronic and scanned signature usage; and
· Improve controls over the management of scanned signatures where these are used, including in relation to the retention and deletion of these.
1.31 Actions for improvement relating to these findings were agreed with management.
Post Brexit Information Governance
1.32 On 31st January 2020, Brexit saw the UK withdraw from the European Union (EU). This was followed by a transition period lasting until 31st December 2020, during which time the UK remained subject to EU laws. These laws included regulations relating to information governance, such as the EU’s General Data Protection Regulation (GDPR), intended to strengthen data protection rights for individuals within the EU.
1.33 This audit sought to provide assurance that Council data is being stored appropriately and in line with relevant legislation, following the Brexit transition period.
1.34 At the time of this work, we noted that no changes to information governance arrangements had been required post-Brexit and that controls are in place to identify any changes to regulations and action needed going forward. In addition, proactive work is taking place to future-proof arrangements
should the current situation change.
1.35 In giving an audit opinion of substantial assurance, we noted that:
· The Council’s Data Protection Officer (DPO) is aware of the adequacy agreement with the UK relating to the GDPR and the Law Enforcement Directive and what this means in relation to information governance at the authority. The adequacy agreement is anticipated to be in place until at least 2025 (although it could end at any point).
· The ICO website and news bulletins are monitored to ensure that amendments to regulations are quickly identified, and any necessary action is implemented. In addition, the Council has begun to future-proof arrangements in the event that this should happen.
· The Council is aware of where data is held for major systems as this is identified when a Data
Protection Impact Assessment (DPIA) takes place, as well as being recorded by IT&D and
Procurement. This information will be of importance to ensure that appropriate action is
taken if changes to information governance arrangements are required going forward.
1.36 It was noted, however, that there are likely to be instances of “shadow IT” in use at the Authority. This is where systems are used by service areas without IT&D or Procurement awareness. These systems are often free to use or have only a minimal cost associated with them, and cloud-based. In such situations, it is possible that data location is unknown or not recorded, which could pose an increased risk if legislation around data hosting and processing were to be amended.
IT Strategic and Operational Risk Management
1.37 IT risk management is the process to continually identify, assess, and reduce IT-related risk. With organisations placing an even greater reliance on IT and the support provided by their IT departments, the Council should adapt to address IT-related risks accordingly and ensure that ownership is appropriate.
1.38 This audit aimed to provide assurance that appropriate risk management arrangements are in place across the Council in relation to IT&D, with awareness and ownership of risks across all departments, including within IT&D.
1.39 In providing an audit opinion of reasonable assurance, we found that:
· Significant IT-related risks that could impact the Council were found to be included as part of the Council's strategic risk register;
· IT&D have their own departmental risk register covering both strategic and operational levels, which identifies risks for both ESCC, as well as the wider shared partnership of Orbis IT&D;
· Robust processes are in place to identify risks, ensure appropriate action is taken to mitigate these and appropriately assign responsibility within IT&D;
· Risk assessments are undertaken by IT&D for the implementation of new systems, as well as the roll-out of upgrades/patches and the introduction of new elements of the IT infrastructure. Where these exercises identify risks within different departments across the Council, action to mitigate the risk is agreed with the service area, with responsibility appropriately assigned to an officer within that department; and
· Business Partners within IT&D play an important role in ensuring that IT-related risks are known, understood and appropriately accepted by departments and their management teams.
1.40 Despite these areas of good practice, some areas for improvement were identified and agreed with management, including the need to ensure that:
· Agreed actions to mitigate risks are properly recorded in the risk register; and
· Technical risk assessments undertaken by IT&D can be accessed by all relevant stakeholders to allow for a more wholistic approach to IT related risk management.
Schools Audit
1.41 We have a standard audit programme in place for all school audits, with the scope of our work designed to provide assurance over key controls operating within schools. The key objectives of our work are to ensure that:
· Decision making is transparent, well documented and free from bias;
· The school is able to operate within its budget through effective planning;
· Unauthorised or inappropriate people do not have access to pupils, school systems or the site;
· Staff are paid in accordance with the schools pay policy;
· Expenditure is controlled and funds are used for an educational purpose. The school ensures value for money on contracts and larger purchases;
· All income due to the school is collected, recorded and banked promptly;
· All Voluntary Funds are held securely, and funds are used in accordance with the agreed aims; and
· Security arrangements keep data and assets secure and are in accordance with data protection legislation.
1.42 At the time of writing, school audits are being undertaken through remote working arrangements.
1.43 The table below shows a summary of the school audited, together with the final level of assurance it received.
|
Name of School |
Audit Opinion |
Areas Requiring Improvement |
|
Dallington Church of England Primary School |
Substantial Assurance |
· School Local Financial Procedures require updating; · Develop an approved Terms of Reference for the School Fund; · Refreshing declarations of interest for all staff. |
Grants
Supporting Families Programme
1.44 The Supporting Families (SP) programme has been running in East Sussex since January 2015 and is an extension of the original Troubled Families scheme that began in 2012/13. The programme is intended to support families who experience problems in certain areas, with funding for the local authority received from the Department of Levelling Up, Housing and Communities (DLUHC), based on the level of engagement and evidence of appropriate progress and improvement.
1.45 Children’s Services submit periodic claims to the DLUHC to claim grant funding under its ‘payment by results’ scheme. The DLUHC requires Internal Audit to verify 10% of claims prior to the Local Authority’s submission of its claim. We therefore reviewed 17 of the 169 families included in the April/June 2022 grant cohort.
1.46 In completing this work, we found that valid ‘payment by results’ (PbR) claims had been made and outcome plans had been achieved and evidenced. All the families in the sample of claims reviewed had firstly met the criteria to be eligible for the SP programme and had either achieved significant and sustained progress and/or had moved from out of work benefits into continuous employment. We therefore concluded that the conditions attached to the SP grant determination programme had been complied with.
Department for Transport – Local Transport Authority Covid-19 Bus Service Support Grant Restart (Revenue) Grant Determination
1.47 The nationwide lockdown imposed in March 2020 as a result of the COVID-19 pandemic led to a significant drop in patronage on public bus services. To support operators through this time of reduced income, the Department for Transport (DfT) released funding for Local Transport Authorities (LTA’s) to distribute to tendered services that had been affected by, or needed to be adjusted because of, the impact of COVID-19. This funding came in the form of a ‘restart’ grant, which aimed to support operators to increase capacity and enable them to continue operating services which may otherwise have not been financially viable.
1.48 The grant conditions required that the funding could only be spent on supporting services that have been affected by, or need to be adjusted because of, the impact of COVID-19, and that all usual payments, such as contractual payments, concessionary fares and freedom pass payments must be paid at usual levels. We were required to confirm that the funding had been used in line with these conditions.
1.49 We were able to conclude that the grant conditions had been met. Accordingly, a confirmation letter was signed by the Chief Internal Auditor and Chief Executive and returned to the DfT.
Adult Weight Management Grant
1.50 The adult weight management grant is a ringfenced grant available to local authorities to support the commissioning of adult behavioural weight management services. The Department of Health and Social Care (DHSC) provided ESCC with £248,627 for this purpose.
1.51 We conducted appropriate checks that the grant terms and conditions have been complied with and were able to confirm this. A confirmation letter was signed by the Chief Internal Auditor and Chief Executive and returned to the DHSC.
Broadband Grant
1.52 The Department of Digital, Culture, Media and Sport (DCMS) provide funding under the Superfast Broadband Programme for providers to roll-out superfast broadband infrastructure within East Sussex. At the time of this certification, work was being undertaken by Openreach, who provided data as to the Total Homes Passed (THP), i.e., those residential and business premises who now have access to functional superfast broadband.
1.53 Although the claims are made by Openreach, the Council must summarise the claims along with any expenditure incurred by the Council and Openreach in implementing the scheme each year.
1.54 No formal audit opinion was provided for this work, but we were able to sign the return as correct. There were no findings arising and no actions for improvement identified.
2. Counter Fraud and Investigation Activities
Summary of Completed Investigations
Cash Handling
2.1 Following concerns over cash banking arrangements, advice and support was provided to improve arrangements over cash handling at a care home.
Confidential Reporting Disclosure
2.2 A concern was reported through the Confidential Reporting Hotline regarding school testing support provided by the Standards and Learning Effectiveness Service. The concern was not of a financial nature and was passed to the relevant Senior Officer to investigate and review.
3. Action Tracking
3.1 All high priority actions agreed with management as part of individual audit reviews are subject to action tracking. As at the end of quarter, 100% of high priority actions due had been implemented.
4. Amendments to the Audit Plan
4.1 In accordance with proper professional practice, the internal audit plan for the year remains under regular review to ensure that the service continues to focus its resources in the highest priority areas based on an assessment of risk. Through discussions with management, the following reviews have been added to the audit plan so far this year:
|
Rationale for Addition |
|
|
Ukraine |
Support and advice in relation to cash payments to Ukrainian guests. |
|
Broadband Grant |
Additional grant that required certification. |
|
Covid Bus Services Support Grant 22/23 |
New grant that required certification. |
|
Additional Dedicated Home to School and College Transport Grant 22/23 |
New grant that required certification. |
|
Department for Levelling Up, Housing and Communities Deep Dive |
The provision of support to CET who were compiling a response to DLUHC, which was carrying out a detailed review of expenditure made under grants that were disbursed through the Council. |
4.2 The following audit work is currently in progress or is scheduled for quarter 2:
In Progress:
· Pension Fund Governance
· Capital Project Management
· Building Security Follow-Up
· LCS/Controcc
· Elective Home Education
· Procurement Data Analytics
· Children’s Safeguarding Data Handling
· Public Health Grant
· UK Community Renewal Fund
· Contract Management
· Use of Consultants
· Network Access Management
· MBOS Key Control Work
Scheduled:
· Adult Social Care Reform
· IT Asset Procurement (Value for Money)
· I-Connect Application Controls (Pensions)
· Climate Change
· Beacon/Grove Park Project Management
· Corporate Governance
· Health and Safety
· Vehicle Use Follow-Up
· Building Condition Asset Management Follow-Up
· Adults Safeguarding
· Waste Management
· Transport Capital Grant Certification
· Bus Services Operators Grant
· Supporting Families – Quarter 2
5. Internal Audit Performance
5.1 In addition to the annual assessment of internal audit effectiveness against Public Sector Internal Audit Standards (PSIAS), the performance of the service is monitored on an ongoing basis against a set of agreed key performance indicators as set out in the following table:
|
Orbis IA Performance Indicator |
Target |
RAG Score (RAG) |
Actual Performance |
|
|
Quality
|
Annual Audit Plan agreed by Audit Committee |
By end April |
G |
The Annual Plan was and approved by the Audit Committee on 29 March 2022. |
|
Annual Audit Report and Opinion |
By end July |
G |
The Annual Report and Audit Opinion was approved by the Audit Committee on 8 July 2022. |
|
|
Customer Satisfaction Levels |
90% satisfied |
G |
100% |
|
|
Productivity and Process Efficiency |
Audit Plan – completion to draft report stage |
90% |
G |
24.1% achieved to the end of Q1, against a Q1 target of 22.5%. |
|
Public Sector Internal Audit Standards |
Conforms |
G |
January 2018 – External assessment by the South-West Audit Partnership gave an opinion of ‘Generally Conforms’ – the highest of three possible rankings. April 2022 – Updated self-assessment against the standards within the PSIAS underway and preparations for the full independent external assessment in progress. June 2022 – Internal quality review identified no major areas of non-conformance. |
|
|
|
Relevant legislation such as the Police and Criminal Evidence Act, Criminal Procedures and Investigations Act
|
Conforms |
G |
No evidence of non-compliance identified |
|
Outcome and degree of influence |
Implementation of management actions agreed in response to audit findings |
97% for high priority agreed actions |
G |
100% |
|
Our staff |
Professionally Qualified/Accredited
|
80% |
G |
94% |
Appendix B
Audit Opinions and Definitions
|
Opinion |
Definition |
|
Substantial Assurance |
Controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
|
Reasonable Assurance |
Most controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
|
Partial Assurance |
There are weaknesses in the system of control and/or the level of non-compliance is such as to put the achievement of the system or service objectives at risk. |
|
Minimal Assurance |
Controls are generally weak or non-existent, leaving the system open to the risk of significant error or fraud. There is a high risk to the ability of the system/service to meet its objectives. |