Annexe A

Internal Audit and Counter Fraud

Quarter 3 Progress Report 2022/23

CONTENTS

1.      Summary of Completed Audits

2.      Counter Fraud and Investigation Activities

3.      Action Tracking

4.      Amendments to the Audit Plan

5.      Internal Audit Performance

1.      Summary of Completed Audits

Building Condition Asset Management Follow-Up

1.1     In 2018/19, an audit was conducted to assess the adequacy of the arrangements in place to maintain the Council’s properties and to ensure that property assets comply with relevant health and safety regulations.  In completing this work, we were only able to provide an audit opinion of partial assurance, with a number of areas for improvement being identified, including the need to:

·           Carry out a full programme of building condition surveys across the estate to facilitate an effective preventative maintenance programme; and

·           Consolidate property records held across a number of different platforms which, at the time, was making them more difficult to access, subsequently impacting on management’s ability to make informed decisions.

1.2     The purpose of our follow-up review was to assess the extent to which the actions agreed with management to improve control had been implemented.  Having reviewed the action taken, we were able to provide a revised opinion of reasonable assurance.  We found that the commissioning and procurement of a programme of condition surveys across the estate was completed, and this programme was subsequently carried out between 2019 and 2021.  We also found that, through the implementation of Tech Forge (the new Property Asset Management System), information is generally held centrally and is accessible to authorised officers.

1.3     Only one issue was identified where improvement was necessary.  This related to the need to ensure information and records relating to non-maintenance work completed are also easily accessible and held in one place to facilitate decision-making, where currently it can be held on several platforms to allow access by teams across the Council.  In response, management have agreed to address this through the further consolidation of information to as few platforms as possible.

i-Connect Application Audit

1.4     i-Connect is the cloud-based portal used by organisations, including ESCC, that are part of the East Sussex Pension Fund (ESPF) to help manage the flow of employee information and changes from payroll to the pensions administrator system (Altair).  ESPF is keen to roll out i-Connect to all employers within the ESPF by 31st March 2023 and ESPF have their own “employer on-boarding” manual/guide.

1.5     The purpose of this review was to provide assurance that:

·           Access is restricted to appropriately authorised individuals and the permissions provided to those users are in line with job functions;

·           Data processed through interfaces is authorised, accurate, complete, securely processed and written to the appropriate file;

·           Outputs produced are complete, accurate, reliable, distributed on time and with confidentiality where appropriate;

·           Updates and enhancements are performed in a consistent manner and subject to sufficient testing and authorisation before implementation; and

·           Appropriate support arrangements are in place to manage changes within the application.

1.6     In providing an opinion of reasonable assurance, we found a number of areas of good practice, including that:

·           A system owner has been assigned;

·           A contract is in place between the ESPF and the provider which details service requirements and responsibilities;

·           The Information Security Team is aware of the i-Connect portal and a technical risk assessment is planned imminently;

·           Appropriate access controls are in place, with the use of complex passwords and different levels of access;

·           Full administrative rights are restricted to a small number of users within the ESPF administration team;

·           Employer i-Connect users are only able to view information that is applicable to their organisation;

·           Data validation takes place within i-Connect using set tolerance levels; and

·           Appropriate detail and support is provided to the ESPF and onboarded employees, for scheduled and completed updates.

1.7     Only minor areas for improvement were identified and actions to address these were agreed with management.

Modernising Back Office Systems (MBOS)

1.8     The MBOS programme was approved by the Corporate Management Team (CMT) in September 2019 to enable the Council to go to market for a replacement to the current version of SAP. Following a procurement process, Oracle Fusion was selected as the replacement.

1.9     Whilst our planned work has been paused to reflect delays in programme delivery, we continue to provide ad-hoc advice, support and guidance to the Programme Board, Programme Director, key workstreams and key stakeholders.

1.10   Plans to continue to deliver a programme of work to support the implementation of the system remain in place and timelines will be updated to reflect the revised programme timetable.

LCS / ContrOCC

1.11   The Liquid Logic Children's System (LCS) is the Council’s records/case management and authorisation system for children in need, looked after children and adoption, whilst ContrOCC is the Council’s contracts and budget management system for Children’s Social Care clients.  The system is used to make payments to care providers.  An automated interface allows LCS and ContrOCC to share key information.  In 2020/21, £30 million was paid to care providers in over 57,000 payments from ContrOCC.

1.12   The purpose of this audit was to provide assurance that controls are in place to meet the following objectives:

·           Robust system administration controls ensure that access to the system is secure (including any third-party access);

·           Service provision only takes place after appropriate approval has been received;

·           Payments are complete, accurate and timely, and are only made to genuine providers of care in respect of approved services provided to ESCC care clients;

·           Scheduled system processes are adequately controlled to ensure that automated interfaces between ContrOCC and SAP run complete and as expected; and

·           Client contributions are correctly calculated, received in full, and accurately recorded.

1.13     As a result of our work, we were able to provide an opinion of reasonable assurance.  We found that the system maintains adequate audit trails for all users, that management are required to approve payments before they are made with sufficient reminder processes in place to reduce delays, and that there are robust controls to prevent duplicate accounts from being created.

1.14     Whilst, generally, we found robust controls in place, some areas for improvement were identified. These included ensuring that:

·           New user account requests are supported by appropriate authorisation;

·           Inactive users (those who have not used the system in three months) are removed; and

·           Guidance documents are up-to-date with appropriate version control, and sensitive information is removed from these.

1.15     Actions to address these issues were agreed with management within a formal management action plan.

Children’s Data Handling

1.16     It is important for organisations to ensure that data is retained, handled, and held securely over its entire life cycle.  Data handling and data integrity controls are important to ensure the data is managed appropriately in a secure environment and is accurate and reliable.  Within Children’s Services, front-line staff use a number of tools to obtain records relating to the service users in a digital format, including audio recording and video recording, photographs etc.

1.17     The purpose of this review was to provide assurance that controls are in place to meet the following objectives:

·           Clear roles and responsibilities are in place to ensure the accountability for data access;

·           There are documented retention and disposal procedures to include provision for permanent preservation of archival material and secure disposal of information at the end of its life;

·           Processes and procedures are in place to ensure information is secure from accidental alteration or erasure, and the accuracy and reliability of data provided to management that will be used to inform decisions; and

·           Clear policy, guidance and training is available to Council officers in relation to the information/data handling of personal and/or sensitive information and keeping responsibilities, through learning or awareness programmes and guidance.

1.18     In completing this work, we were only able to provide an audit opinion of partial assurance.  We found that, whilst there are sufficient controls in place over the service’s case management system, Liquid Logic, including in relation to the restriction of records, user access to the system, and monitoring of amendments to client records, there were areas where controls could be improved through ensuring that:

·           There is appropriate guidance in place for staff over the handling of video, photo and voice media relating to service users;

·           There is appropriate guidance in place in relation to how videos, photos and voice media relating to service users are obtained and retained in accordance with relevant data protection legislation; and

·           Policies and guidance relating to data handling are up-to-date, and that staff are required to formally confirm that they have read and understood these.

1.19     A formal management action plan to address the issues identified was agreed with management.  We will conduct a follow-up review in 2023/24 to assess the extent to which the agreed improvement actions have been implemented.

UK Community Renewal Fund

1.20     The UK CRF invests in skills, community and place, local business, and supports people into employment.  The Fund is managed by the Department for Levelling Up, Housing and Communities (DLUHC) working in collaboration with local partners and communities across England, Wales, Scotland and Northern Ireland.

1.21     ESCC was assigned as a lead authority to issue invitations for bids within East Sussex, and to assess and submit a shortlist of bids/projects to the DLUHC.  In 2021, the Council submitted eligible bids which, in its view, most strongly met the fund and local priorities. When this was taking place, we reviewed the arrangements to ensure that procedures for bid applications from project deliverers were in accordance with government guidelines, that the application process developed was clear and accessible, and that the assessment and selection process was fair and transparent.  As reported to Audit Committee previously (in our 21/22 Q1 Progress Report), we found robust arrangements in place over these areas, with a small number of opportunities for improvement which were agreed with management.

1.22     More recently, we have reviewed the adequacy of the monitoring arrangements in place within the Council to ensure that the projects selected to receive funding are complying with the terms and conditions of the agreements.  As per our previous review, this was advisory work with no audit opinion.  It was undertaken with the aim of supporting the project in ensuring robust monitoring arrangements are in place to reduce the associated risks of projects not being delivered and/or an inability to reclaim funding at the end of the delivery period / funding being withdrawn.

1.23     Overall, we found a number of areas of good practice, including the monitoring, and financial monitoring, of projects, with project deliverers being required to provide updates on project delivery against agreed milestones, for review.

1.24     Some areas for improvement were, however, identified, where there is a need to ensure that project deliverers comply with key conditions of the grant funding agreements, including that they have sufficient levels of insurance, an appropriately managed conflict of interest process, are maintaining records relating to the UK CRF for the specified period, and sound administration and audit processes. 

1.25     Actions to address these areas have therefore been agreed with management who have committed to ensuring appropriate monitoring and necessary processes are in place moving forward.

Council Vehicle Use Follow-Up

1.26     An audit of Council Vehicle Use was completed in 2020/21 following allegations of inappropriate use.  An audit opinion of partial assurance was given due to weaknesses in control.  Specifically, that, where Council vehicles were being used, vehicle mileage logs were not always being completed properly, meaning that it was difficult to confirm that vehicles were only being used for official Council business.  In addition, we found that guidance over Council vehicle use required updating to provide clarity over managers’ responsibilities to ensure mileage logs are retained and reconciled to journeys undertaken.

1.27     We have, therefore, undertaken a follow-up review to assess the extent that the actions to improve control, agreed with management in the original audit, had been implemented.  Whilst it is acknowledged that this is not a strategic risk for the Council or an area of high materiality, it is important that Council vehicles are only used for official Council business, where inappropriate use has reputational and financial implications.

1.28     In completing this follow-up review, we were only able to provide an unchanged opinion of partial assurance.  One of the key actions agreed in the original audit was that the Fleet Management Team within Communities, Economy and Transport (CET) would issue an awareness email to provide clear guidance over the use of vehicles, including reminders to line managers to retain and review vehicle mileage logs and fuel receipts, and to undertake reconciliations of journeys made.  This was duly actioned.

1.29     However, our work found that compliance with the guidance within departments remains low.  We found that vehicle mileage logs continue to be poorly completed, and reconciliation of fuel receipts to mileage logs is not always being carried out, therefore reducing the ability to be able to verify the legitimacy of vehicle use.  Services are also not always checking the driving licences and insurance details of their staff to ensure their suitability to drive on official Council business.

1.30     In discussing these issues with management, it was agreed that further targeted communication would be issued to the Heads of Service where non-compliance was identified within their teams, clearly outlining expectations and requirements, and guidance further clarified where appropriate. 

School Audit Work

1.31     We have a standard audit programme in place for all school audits, with the scope of our work designed to provide assurance over key controls operating within schools. The key objectives of our work are to ensure that:

·           Governance structures are in place and operate to ensure there is independent oversight and challenge by the Governing Body;

·           Decision making is transparent, well documented and free from bias;

·           The school is able to operate within its budget through effective planning;

·           Unauthorised or inappropriate people do not have access to pupils, school systems or the site;

·           Staff are paid in accordance with the school’s pay policy;

·           Expenditure is controlled and funds are used for an educational purpose. The school ensures value for money on contracts and larger purchases;

·           All income due to the school is collected, recorded and banked promptly;

·           All Voluntary Funds are held securely, and funds are used in accordance with the agreed aims; and

·           Security arrangements keep data and assets secure and are in accordance with data protection legislation.

1.32     At the time of writing, school audits are being undertaken through remote working arrangements.

1.33     The table below shows a summary of the one school review completed in Q3, together with the final level of assurance it received and areas for improvement.

 

| Name of School | Audit Opinion | Areas Requiring Improvement |
|---|---|---|
| Maynards Green Follow Up | Reasonable Assurance (was previously minimal assurance) | Safe keys to be removed from premises overnight and list of key holders to include safe keys; Asset register to be maintained and reviewed annually; Develop and implement a capital plan for premises and assets; Ensure purchase orders are always raised and appropriately authorised prior to goods and services being ordered from suppliers; Complete and maintain a contract register. |

Grants Related Audit Work

Supporting Families

1.34     The Supporting Families (SF) programme has been running in East Sussex since January 2015 and is an extension of the original Troubled Families scheme that began in 2012/13.  The programme is intended to support families who experience problems in certain areas, with funding for the local authority received from the Department for Levelling Up, Housing and Communities (DLUHC), based on the level of engagement and evidence of appropriate progress and improvement.

1.35     Children’s Services submit periodic claims to the DLUHC to claim grant funding under its ‘payment by results’ scheme.  The DLUHC requires Internal Audit to verify 10% of claims prior to the Local Authority’s submission of its claim.  We therefore reviewed 7 of the 71 families included in the October/December 2022 grant cohort.

1.36     In completing this work, we found that valid ‘payment by results’ (PbR) claims had been made and outcome plans had been achieved and evidenced.  All the families in the sample of claims reviewed had firstly met the criteria to be eligible for the SF programme and had either achieved significant and sustained progress and/or had moved from out of work benefits into continuous employment.  We therefore concluded that the conditions attached to the SF grant determination programme had been complied with.

2.   Counter Fraud and Investigation Activities

Counter Fraud Activities

2.1     We supported Fraud Awareness week in November 2022 by producing and publishing on the intranet a fraud awareness bulletin which focussed on current emerging risks.  The team also continue to monitor intel alerts and share information with relevant services when appropriate.

Summary of Completed Investigations

2.2     Following an allegation that an employee was submitting excessive overtime claims, we conducted an analysis of claim forms and rota information. However, due to poor record keeping by the service, we were unable to establish whether any overpayments had occurred.  Because of this, no action was taken against the member of staff, but the managers responsible for approving claims within the team are being performance managed to ensure that claims are properly checked before being approved for payment. To assist with this, Human Resources have worked with the service to implement a more robust and clear rota system.  Audit work is planned early in 2023/24 to confirm that proper processes and controls are in place and being complied with.

3.         Action Tracking

3.1     All high priority actions agreed with management as part of individual audit reviews are subject to action tracking, whereby we seek written confirmation from services that these have been implemented.  As at the end of quarter three, 92.9% (13 of 14) of high priority actions due had been implemented.

3.2     The one action outstanding relates to the work we completed in relation to the re-procurement of a large framework agreement within the Council (as reported to Audit Committee in our 21/22 Q3 progress report), where we had received an allegation of improper procurement practices. Whilst we concluded that the procurement was carried out fairly and complied with Public Contract Regulations, we identified areas to strengthen governance arrangements around procurement.  One of these was to provide additional oversight of major procurement activity through the introduction of the Orbis Procurement Approval Group (OPAG) which would provide an additional level of quality assurance.

3.3     At the time of this report, the action had only been partially implemented.  The implementation of a new project management system in the Procurement Team has improved oversight, but the proposed OPAG is now to be replaced by a Procurement Review Board, which is due to be implemented in March 2023.

4.         Amendments to the Audit Plan

4.1     In accordance with proper professional practice, the internal audit plan for the year remains under regular review to ensure that the service continues to focus its resources in the highest priority areas based on an assessment of risk.  Through discussions with management, the following reviews have been added to the audit plan so far this year:

| Review | Rationale for Addition |
|---|---|
| Ukraine | Support and advice in relation to cash payments to Ukrainian guests. |
| Broadband Grant | Additional grant that required certification. |
| Covid Bus Services Support Grant 22/23 | New grant that required certification. |
| Additional Dedicated Home to School and College Transport Grant 22/23 | New grant that required certification. |
| Department for Levelling Up, Housing and Communities Deep Dive | The provision of support to CET who were compiling a response to DLUHC, which was carrying out a detailed review of expenditure made under grants that were disbursed through the Council. |
| Reporting Services Database | Informed of a potential system issue which could have resulted in a significant data breach. |
| Appointeeships and Deputyships | A new review requested by management to provide assurance over the Council’s management of clients’ financial affairs, where individuals no longer have the mental capacity to do so themselves. |

4.2     In order to allow these additional audits to take place, to date the following audits have been removed or deferred from the audit plan and, where appropriate, will be considered for inclusion in the 2023/24 plan as part of the overall risk assessment completed during the annual audit planning process. These changes are made on the basis of risk prioritisation and/or as a result of developments within the service areas concerned requiring a rescheduling of audits:

| Planned Audit | Rationale for Removal |
|---|---|
| ASC Charging Reform | In November 2022, there was an announcement of a delay to the implementation of the charging reforms and there is some uncertainty as to how and when this will progress. |
| Beacon/Grove Park Project – Project Management | The project has not progressed as expected with little to review to date. |
| Edge of Care Programme | Whilst we will continue working to understand where we can add value on this programme, no focus areas for review have been identified to date. |
| Kofax IT Application Audit | A lower priority/risk audit in the original 22/23 audit plan which has been replaced in-year where emerging risks and ad-hoc pieces of work have superseded it. |
| Proactis IT Application Audit | A lower priority/risk audit in the original 22/23 audit plan which has been replaced in-year where emerging risks and ad-hoc pieces of work have superseded it. |

4.3     The following audit work is currently in progress (including those at draft report stage, as indicated) or is scheduled for quarter 4:

In Progress:

·           Public Health Grant (draft report)

·           Climate Change (draft report)

·           Accounts Receivable (draft report)

·           Meta Compliance IT Application Audit (draft report)

·           Contract Management Group Cultural Compliance Follow Up (draft report)

·           MBOS Security, Roles and Permissions (draft report)

·           Use of Consultants (draft report)

·           Pension Fund Cash Management (draft report)

·           IT Asset Procurement (Value for Money) – (draft report)

·           Contract Management

·           Adult Safeguarding

·           Accounts Payable

·           Payroll

·           Administration of Pension Benefit Payments

·           Pension Fund Investments and Accounting

·           External Funding - Grants and Loans

·           South Malling School

·           Little Horsted School

·           Westfield School

·           Cyber Security

·           Techforge IT Application Audit

Scheduled:

·           Financial and Benefit Assessments

·           Corporate Governance

·           Health and Safety

·           Waste Management

·           Appointeeships and Deputyships

·           Home to School Transport Follow Up

·           MBOS Key Control Work – Phase 2

·           Pension Fund Cyber Security Arrangements

·           Procurement of IT Systems

·           Mobile Device Management

·           Information Governance – Subject Access Requests and Freedom of Information Reporting Arrangements

·           MBOS Business Continuity Arrangements

·           Project Asset Management System – Rent Payments and Collection

·           Project Asset Management System – Project Management

·           Tollgate School

5.         Internal Audit Performance

5.1     In addition to the annual assessment of internal audit effectiveness against Public Sector Internal Audit Standards (PSIAS), the performance of the service is monitored on an ongoing basis against a set of agreed key performance indicators as set out in the following table:

| Aspect of Service | Orbis IA Performance Indicator | Target | RAG Score (RAG) | Actual Performance |
|---|---|---|---|---|
| Quality | Annual Audit Plan agreed by Audit Committee | By end April | G | The Annual Plan was approved by the Audit Committee on 29 March 2022. |
| Quality | Annual Audit Report and Opinion | By end July | G | The Annual Report and Audit Opinion was approved by the Audit Committee on 8 July 2022. |
| Quality | Customer Satisfaction Levels | 90% satisfied | G | 100% |
| Productivity and Process Efficiency | Audit Plan – completion to draft report stage | 90% | G | 76.9% achieved to the end of Q3, against a Q3 target of 67.5%. |
| Compliance with Professional Standards | Public Sector Internal Audit Standards | Conforms | G | Dec 2022 - External Quality Assurance completed by the Chartered Institute of Internal Auditors (IIA).  Orbis Internal Audit assessed as achieving the highest level of conformance available against professional standards with no areas of non-compliance identified, and therefore no formal recommendations for improvement arising. In summary the service was assessed as: Excellent in: Reflection of the Standards; Focus on performance, risk and adding value. Good in: Operating with efficiency; Quality Assurance and Improvement Programme. Satisfactory in: Coordinating and maximising assurance. |
| Compliance with Professional Standards | Relevant legislation such as the Police and Criminal Evidence Act, Criminal Procedures and Investigations Act | Conforms | G | No evidence of non-compliance identified |
| Outcome and degree of influence | Implementation of management actions agreed in response to audit findings | 97% for high priority agreed actions | A | 92.9% - see Section 3 above. |
| Our staff | Professionally Qualified/Accredited | 80% | G | 90% |


Appendix B

Audit Opinions and Definitions

| Opinion | Definition |
|---|---|
| Substantial Assurance | Controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
| Reasonable Assurance | Most controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
| Partial Assurance | There are weaknesses in the system of control and/or the level of non-compliance is such as to put the achievement of the system or service objectives at risk. |
| Minimal Assurance | Controls are generally weak or non-existent, leaving the system open to the risk of significant error or fraud.  There is a high risk to the ability of the system/service to meet its objectives. |