Annex B
1. Audits Completed in Q4 (December to March)
Accounts Receivable
1.1 The Accounts Receivable function is responsible for ensuring that all income due to the Council is collected effectively and efficiently, banked promptly and is correctly accounted for.
1.2 This audit aimed to provide assurance over the key controls operating within the Accounts Receivable system, including those in place for ensuring the accuracy of customer details, the accuracy of invoicing, the recording and matching of payments to invoices, and completeness of debt recovery.
1.3 As a result of our work, we were able to provide an opinion of reasonable assurance in this area.
1.4 A small number of areas for improvement were identified, however, including the need to:
· identify the underlying cause for the increased value and volume of credit memoranda raised compared with the previous year;
· improve systemic controls to enforce segregation of duties, to ensure no one individual can raise and approve a credit memorandum;
· strengthen the monitoring of debt write-offs to provide assurance that they are supported by appropriate documentation;
· improve checks to identify duplicate customers so that they can be blocked from use, to reduce the risk that debts are chased after they have been paid; and
· strengthen controls to avoid the risk of duplicate invoices being raised.
1.5 Robust actions were agreed with management to address these issues.
Payroll
1.6 Employees’ salary payments account for a large proportion of the organisation’s expenditure. The average gross salary payments for ESCC for the 2021/22 financial year was £20.4 million per month, with average net salary payments to employees of £15.3 million per month. The Council’s Payroll Service is responsible for paying employees accurate amounts, on time, in accordance with organisational and regulatory policies.
1.7 The purpose of the audit was to provide assurance that controls are in place to ensure that:
· Only genuine starters are set up, approved, and pay accurately calculated from the correct date;
· Leavers are removed from the payroll in a timely manner and paid correctly and accurately to the correct dates;
· Permanent variations to pay accurately reflect employees’ grades and/or changes to their contracts, calculated and paid from the correct dates;
· Payruns and BACS transmissions are correct and authorised;
· Payroll data is accurately reflected in the General Ledger;
· Temporary payments (including additional hours, expense claims and payment to casual staff) are only made for hours worked and expenses incurred legitimately as a result of employment;
· Changes to standing data are reviewed, authorised and input accurately.
1.8 In providing an opinion of reasonable assurance, we found a number of areas of good practice, including that appropriate pre-employment checks are completed, pay is calculated correctly and controls over leavers, payruns and BACS transmissions were operating as expected, with appropriate segregation of duties and authorisation in place. We also found that payroll data is regularly reconciled to the general ledger and that changes to payroll standing data were subject to thorough review, testing and authorisation, prior to changes being made.
1.9 We did, however identify some areas where improvement was required, including the need to:
· Analyse the value and number of overpayments year on year to identify adverse trends so that these can be corrected where found; and
· Ensure travel and expense claims are always supported by appropriate receipts.
1.10 Actions to address these issues were agreed with management within a formal management action plan.
Climate Change
1.11 In October 2019, East Sussex County Council declared a climate emergency, and set a target of achieving carbon neutrality from activities as soon as possible, and in any event by 2050, in line with the new target for the UK agreed by Parliament in 2019.
1.12 The purpose of the audit was to provide assurance that appropriate measures are in place to help achieve the Council’s aim of carbon neutrality, including in relation to governance and programme management, resourcing, monitoring and reporting, and that appropriate consideration has been given to ensuring that the Council can adapt to unavoidable climate change appropriately, in order to ensure the integrity of service delivery is maintained.
1.13 In completing this work, we provided an opinion of partial assurance. Although we found that significant work had already taken place within the Council to help achieve the aim of carbon neutrality, there were opportunities to further improve arrangements, whilst acknowledging though that the programme is continually evolving, and that work was often already in progress in the areas that we highlighted, which included the need to:
· Evaluate the adequacy of resourcing relative to the Council’s climate change programme and ambitions beyond March 2025, recognising that the programme and action plan to that date is adequately resourced;
· Ensure the forward planning process takes the Council’s carbon reduction targets into consideration, where decisions taken will impact climate change;
· Further clarify project structure and roles through an updated terms of reference;
· Ensure processes are in place to assess and monitor the impact of measures taken to reduce carbon output, on service delivery and residents;
· Have climate-specific roles in key areas of the Council, including Procurement and Property;
· Ensure that plans and processes are in place to support service delivery where climate related factors may have an impact, so that the Council is well-adapted and resilient.
1.14 In discussing these areas with management, a formal action plan, with responsible officers and agreed target implementation dates, was agreed, and we will complete a follow-up review later in 2023/24.
Use of Consultants
1.15 The objective of the audit was to provide assurance that controls are in place to meet the following objectives:
· There is clear policy and guidance over the engagement and use of consultants;
· Consultants are only engaged where their use meets the needs of the Council, and no satisfactory alternatives are available;
· The procurement of consultants complies with Procurement and Contract Standing Orders and the requirements of IR35;
· Robust contract management arrangements are in place for the use of consultants; and
· Arrangements are in place to ensure appropriate knowledge transfer from consultants to the Council.
1.16 As a result of our work, we were able to provide an audit opinion of reasonable assurance, with controls in place and operating effectively in most cases, including clear briefs and monitoring arrangements in place to ensure that expectations were delivered.
1.17 However, we identified further opportunities to strengthen controls in order to:
· Clarify the difference between procuring consultants and using agency staff, which may have contributed to a high number of transactions incorrectly coded to consultancy, reducing the Council’s understanding of how and where we are using consultants, or how much is being spent on them;
· Ensure that evidence of checks on consultants’ professional indemnity and public liability insurances is retained and that checks are made to ensure that contractors maintain their insurances throughout the life of the contract; and
· Ensure that the consultants’ skills and knowledge are transferred to officers, to reduce future dependency on their use.
1.18 An action plan to address these issues was agreed with management.
Modernising Back Office Systems (MBOS) Programme
1.19 The Modernising Back Office Systems Programme (MBOS) was approved by the Corporate Management Team (CMT) in September 2019 to enable the Council to go to market for a replacement to its current Enterprise Resource Planning (ERP) tool - SAP. The MBOS Programme is seeking to implement a new system, Oracle, that better meets the current and future needs of the Council and which provides optimal return on its investment.
1.20 We continue to support the programme through the attendance at the Programme Board where we provide ad-hoc advice, challenge and support. A program of audit work has been agreed with the Board to support the programme going forward, including providing assurance over the adequacy of controls within proposed business processes, disaster recovery and business continuity arrangements, and business readiness and system cutover. Further work is also planned for post go-live in relation to delegations, authorisations and system access.
MBOS – Security, Roles and Permissions (Position Statement)
1.21 The primary objective of this review was to provide assurance that steps have been, or will be, taken to ensure the security of the Oracle system and the data to be held within it. At the time of review, it was acknowledged that not all controls are likely to have been implemented, however, we sought to confirm the process for implementing these as part of the build, and ascertain the steps taken to confirm their existence during User Acceptance Testing (UAT).
1.22 As part of our work, we identified several areas where we felt further assurances were required prior to the system going live. These areas included:
· The completion of technical risk assessments of the system;
· Roles and responsibilities for the system ownership;
· Permissions and delegations within the system;
· Adequacy and completeness of audit trails;
· Ongoing support arrangements; and
· System updates and patching.
1.23 These areas for consideration were provided to the Programme Board in the form of a position statement and will be subject to ongoing review.
Highways Contract Management Group Cultural Compliance Follow-Up
1.24 The Highways Contract Management Group (CMG) is responsible for overseeing the Council’s Highways and Infrastructure contract. The group monitors the performance of the service provider and ensures it is fulfilling its contractual commitments. It also manages the development of an asset management approach to looking after our highways and infrastructure, development of the service and all contract finance and budgets.
1.25 A cultural compliance audit of the Highways Contract Management Group was completed in 2019/20 and we provided an audit opinion of partial assurance. The report contained a high-risk action relating to the appointment and management of consultants. Due to the opinion given, we undertook a follow up review of this audit to ascertain progress made in implementing the agreed actions.
1.26 Our review found that, although controls had been strengthened in some areas, insufficient progress had been made in some key areas and we were unable to improve our audit opinion. In particular, the actions relating to the procurement and management of consultants had not been implemented and action is still needed to ensure that the Council complies with the requirements of Public Contracts Regulations and delivers value for money. In addition, seven findings from the previous audit were repeated, in full or in part, and a small number of new findings were reported. These included actions to ensure that:
· All employees complete declaration forms in the Council’s register of interests, to promote transparency;
· VAT is accounted for correctly, when using purchasing cards, to enable the Council to reclaim VAT;
· The corporate purchasing card is used, where appropriate, including to avoid staff making purchases and reclaiming costs via expense claims; and
· Employees complete mileage claim forms correctly, including the removal of their ordinary commuting mileage and providing sufficient detail to identify the journeys being claimed, to reduce the risk of fraud or error.
1.27 A new management action plan has been agreed with a revised timetable to address those findings that remained outstanding from the previous audit, as well as including actions to address the new findings.
Meta Compliance IT Application Audit
1.28 The Meta Compliance system offers a range of information security and information governance tools, including security awareness training, phishing simulation, cyber security e-learning, privacy management, policy management and incident management. The system went live at the Council earlier this year and is being used for Data Privacy Impact Assessments (DPIAs) and information governance training.
1.29 We completed an IT application audit of the system to provide assurance that:
· System access is restricted to appropriately authorised individuals and the permissions provided to those users are in line with job functions;
· Data processed through interfaces is authorised, accurate, complete, securely processed and written to the appropriate file;
· Outputs produced by the system are complete, accurate, reliable, distributed on time and with
confidentiality where appropriate;
· System updates and enhancements are performed in a consistent manner and subject to sufficient testing and authorisation before implementation; and
· Appropriate support arrangements are in place to manage changes within the system.
1.30 In providing an opinion of reasonable assurance, we found that proportionate controls were in place for the system although, if usage of the system were to be expanded to store additional information, the appropriateness of controls would need to be re-evaluated ahead of any change of use.
1.31 Some opportunities for improvement were, however, identified, where there is a need to:
· Complete a technical risk assessment to identify risks to the security of the system and its data, and possible remedial action where this is needed;
· Implement a more formal process for granting access to the system; and
· Run and review reports of failed log-on attempts to assist in detecting user accounts which may need further investigation or action.
1.32 Actions to address all of these issues were agreed with management.
Public Health Grant Governance Arrangements
1.33 The Public Health Grant (the Grant) for 2022/23 was £28.9 million; the purpose of which was to provide local authorities in England with the funding required to discharge public health functions. The ringfenced grant enables the Council to deliver projects/initiatives which support the government’s public health objectives to improve health outcomes in local populations. Our review therefore looked at the governance arrangements in place within the Council to ensure that these public health outcomes are met, including that:
· There are robust processes and procedures in place to ensure that the Grant conditions are met;
· A comprehensive framework has been adopted to ensure there are effective governance arrangements in place to support the allocation of grant monies to public health initiatives;
· All contracts awarded to deliver approved public health initiatives are monitored to ensure outcomes are delivered;
· The financial reporting program delivers accurate management information which underpins efficient utilisation of the Grant Fund and awards.
1.34 In providing an opinion of reasonable assurance, we found that, overall, appropriate governance arrangements in relation to the Grant are in place, including the, albeit recent, formation of a Public Health Board, which has a scrutiny and advisory function to identify potential areas across the county that may require public health support. It is also tasked with reviewing the performance, risks and spend of the public health function. We also found that:
· Grant conditions are being complied with;
· Tendering for contracts went through appropriate procurement channels and were compliance with the Council’s Procurement and Contract Standing Orders;
· Contracts are monitored for outputs related to public health outcomes and are regularly reported to management;
· Financial monitoring is undertaken regularly to ensure expenditure against grants and individual projects/initiatives that are linked to the grant, are within tolerances; and
· Procedures for the Public Health team that cover the identification process for new initiatives and commissioning, budget setting, and financial monitoring are in place.
1.35 Only one area for improvement was identified, relating to the need for Public Health to have a detailed strategy/service plan in place which enables progress against desired goals, and risks to the delivery of public health outcomes, to be assessed and monitored. This was in development at the time of the audit.
IT Asset Procurement – Value for Money
1.36 The COVID-19 pandemic placed significant demands on local authorities to provide IT assets to its officers to enable them to work remotely. In many cases, these officers were office based prior to the COVID-19 global pandemic, so IT departments have had to respond by providing mobile devices (e.g., laptops and mobile phones) to a significant number of officers as well as other peripheral items such as monitors and mice, to support Display Screen Equipment (DSE) requirements. With the expansion of remote working, IT Hardware is in greater demand than ever before.
1.37 The purpose of our audit was to provide assurance that controls are in place to meet the following objectives:
· All procurement and purchasing activities of IT assets is undertaken in response to a business need and, where applicable, in line with the Council’s Contract Standing Orders;
· The processes used to procure/purchase IT assets are suited for the intended outputs; and
· Procurement of IT assets is undertaken by IT&D, and any exceptions are executed with IT&D oversight and according to standards defined by IT&D.
1.38 In providing an opinion of substantial assurance, we found that:
· Robust governance arrangements are in place for procurement activity in relation to the tendering of contracts for IT assets across the Council. Prior approval for procurement exercises is obtained from both senior management, through the IT&D Capital Strategy, as well as from members in the form of the approval of the Council's procurement forward plan and the Business Services Department Portfolio Plan;
· Procurement activity (at the time of our review), to procure end user devices, was found to be following best practice with appropriate support from the corporate Procurement Team, with market testing taking place and consideration given to sustainability, environmental impact, support and deployment options, in addition to cost;
· Guidance is available to all staff in relation to the purchase of IT assets, which states that all IT purchasing should be completed by the IT&D Purchasing Team, with the Procurement Team being consulted for purchases over £100k.
1.39 Only one minor area of improvement was identified, relating to the need to further promote the services provided by the IT&D Purchasing Team where a small amount of spend (approx. £2.5k since April 2021) on peripheral IT assets was identified. Better value could have been obtaining if the formal procurement route had been followed. Actions were agreed with management to address this.
1.40 In our quarter 2 progress report, we summarised the work we had completed, at the request of senior management, to support the Department for Levelling-Up, Housing and Communities (DLUHC) assurance deep-dive of the South East Local Enterprise Partnership (SELEP). As previously reported, Essex County Council (ECC) is the host accountable body for SELEP. As part of their review, the DLUHC had requested, through ECC, information supporting the grant agreements and procurement activities undertaken for projects delivered by Sea Change Sussex (SCS). We provided additional resource and support in obtaining the evidence requested. This involved the review of extensive documentation and the collation and analysis of records dating back many years, which enabled the Council to provide the required information back to ECC. In addition, further support was also provided throughout the year in relation to analysing information regarding grant and loan funding in response to a complaint from SCS regarding a property transaction and queries that were raised over the use of SELEP money.
School Audit Work
1.41 We have a standard audit programme in place for all school audits, with the scope of our work designed to provide assurance over key controls operating within them. The key objectives of our work are to ensure that:
· Governance structures are in place and operate to ensure there is independent oversight and challenge by the Governing Body;
· Decision making is transparent, well documented and free from bias;
· The school is able to operate within its budget through effective planning;
· Unauthorised or inappropriate people do not have access to pupils, school systems or the site;
· Staff are paid in accordance with the schools pay policy;
· Expenditure is controlled and funds are used for an educational purpose. The school ensures value for money on contracts and larger purchases;
· All income due to the school is collected, recorded and banked promptly;
· All Voluntary Funds are held securely, and funds are used in accordance with the agreed aims; and
· Security arrangements keep data and assets secure and are in accordance with data protection legislation.
1.42 At the time of writing, school audits are being undertaken through remote working arrangements.
1.43 The table below shows a summary of the four school reviews completed in Q4, together with the level of assurance they received and areas for improvement.
Name of School |
Audit Opinion |
Areas Requiring Improvement |
Westfield School |
Reasonable Assurance |
· All staff to complete an annual declaration of interest; · A Business Continuity Plan to be developed; · Payroll reconciliations to be subject to independent review and approval; and · IR35 checks to be carried out in relation to consultants. |
Little Horsted CE Primary School |
Reasonable Assurance |
· Mitigations to be implemented where employees declare a conflict; · Oversight as to the budget position to be maintained; · The school improvement plan to be costed; · Staffing expenditure to be subject to regular review; · Robust procurement processes to be undertaken when purchasing high value goods or services; and · Local Financial Procedures to be updated. |
Tollgate Community Junior School |
Reasonable Assurance |
· Robust procurement processed to be undertaken when purchasing high value goods or services; · Oversight as to the long-term budget plan to be maintained; · Separation of duties to be ensured in the purchasing card approval process; · Expenditure on staffing to be monitored; and · Scheme of Delegation to be updated to reflect current practice. |
South Malling CE Primary and Nursery School |
Reasonable Assurance |
· Contract Register to be updated to include key dates and details; · Scheme of Delegation to be reviewed, updated and approved; · Mitigations to be implemented where a conflict of interest has been identified; · Governors to formally approve the budget; and · Up to date statutory reports to be published on the school website. |
Grant Related Audit Work
Supporting Families Programme
1.44 The Supporting Families (SP) programme has been running in East Sussex since January 2015 and is an extension of the original Troubled Families scheme that began in 2012/13. The programme is intended to support families who experience problems in certain areas, with funding for the local authority received from the Department of Levelling Up, Housing and Communities (DLUHC), based on the level of engagement and evidence of appropriate progress and improvement.
1.45 Children’s Services submit periodic claims to the DLUHC to claim grant funding under its ‘payment by results’ scheme. The DLUHC requires Internal Audit to verify 10% of claims prior to the local authority’s submission of its claim. We therefore reviewed two of the 10 families included in the January/March 2023 grant cohort.
1.46 In completing this work, we found that valid ‘payment by results’ (PbR) claims had been made and outcome plans had been achieved and evidenced. All the families in the sample of claims reviewed had firstly met the criteria to be eligible for the SP programme and had either achieved significant and sustained progress and/or had moved from out of work benefits into continuous employment. We therefore concluded that the conditions attached to the SP grant determination programme had been complied with.
Biodiversity Net Gain Grant
1.47 The Biodiversity Net Gain Grant is a ringfenced grant provided to local planning authorities to support preparation activity for mandatory biodiversity new gain (BNG) which was introduced through the Environment Act 2021. The Department for Environment, Food and Rural Affairs (DEFRA) provided ESCC with £26,807 for this purpose.
1.48 We conducted appropriate checks to ensure that the grant terms and conditions had been complied with and were able to provide confirmation to DEFRA which was signed by the Chief Internal Auditor and Chief Executive.
2. Counter Fraud and Investigation Activities
Counter Fraud Activities
2.1 We have been liaising with the relevant services to provide advice and support in processing the matches received as part of the National Fraud Initiative. The team also continue to monitor intel alerts and share information with relevant services when appropriate.
Summary of Completed Investigations
2.2 Internal Audit investigated a referral from the Pension Service regarding a potential false claim to obtain payment of a pension. A scheme member had taken early retirement on the grounds of poor health and a request for payment of the pension had been received. However, subsequently mortality data matching indicated that the scheme member had passed away prior to the request being received. The investigation confirmed that the scheme member had passed away and payment of the pension was stopped. A reconciliation between the payments made and the death grant due confirmed that no overpayment had been made as a result of the discrepancy in the reporting of the death in service.
Misuse of a COVID19 Grant
2.3 An investigation was conducted following an anonymous referral alleging that an East Sussex care provider had misspent grant funding received under the Worker Recruitment and Retention Fund during the COVID19 pandemic. The main purpose of the fund was to support local authorities to address workforce capacity pressures within adult social care, with the funding due to be spent on recruitment and retention activity. The investigation concluded that the care provider had spent the grant funding on recruitment campaigns, agency staff and staff incentives, in accordance with the grant conditions.
Use of IT Equipment
2.4 We provided support to a school following a concern being raised that a teacher held a second laptop at home which was not being used in accordance with the IT Policy. Following a fact-finding meeting, a first warning was issued to the teacher concerned.
Petty Cash
2.5 We reviewed local procedures following a concern being raised in relation to a petty cash discrepancy at a respite home within Adult Social Care. A report was issued identifying areas for improvement in the procedures, which will be implemented by the service.