Annexe A
Internal Audit and Counter Fraud
Quarter 2 Progress Report 2023/24
CONTENTS
1. Summary of Completed Audits
2. Counter Fraud and Investigation Activities
3. Action Tracking
4. Amendments to the Audit Plan
5. Internal Audit Performance
1. Summary of Completed Audits
Accounts Receivable (Interim Review)
The Accounts Receivable (AR) function is responsible for ensuring that all income due to the Council is collected effectively and efficiently, banked promptly and is correctly accounted for.
The Council’s new Enterprise Resource Planning (ERP) system, Oracle, replacing the current system, SAP, was due to go live in November 2023. Our previous audit of AR was completed in February 2023 with an opinion of reasonable assurance. In view of the impending go-live of the new system and the relatively recent completion of the 2022/23 AR audit, we completed an interim review whereby we undertook limited sample testing of key controls in order to provide assurance that these continue to operate as expected. We also sought to confirm that the agreed actions from the previous AR review had been implemented.
In completing this work, we found that the system continues to be well-controlled and remained fundamentally unchanged since the previous audit. We did not provide an opinion on this occasion due to the interim nature of the review; however, based on the work carried out, we have seen no evidence of any deterioration in the control environment since providing reasonable assurance in this area.
We identified a small number of areas where controls could be strengthened. These included the need to:
· document more fully the process to waive debts, to ensure a consistent approach; and
· embed a systemically controlled approach to the enforcement of segregation of duties for writing off debts, which is currently a manual process.
Actions were agreed with management to address these.
Risk Management
As with all Local Authorities, there is an element of risk in all the activities undertaken by the Council in its daily operation. Risks are recorded and managed both within departments and at a strategic level.
This audit assessed compliance with the Council’s Risk Management Framework (RMF) to ensure that risks are appropriately identified, assessed, mitigated and reported.
Based on the testing undertaken, we were able to provide an opinion of reasonable assurance over the controls in place with various aspects of good practice identified. There were some opportunities for improvement, however, including:
· The development of a risk appetite statement to supplement the Council’s RMF;
· Defining more formally the process over the identification of new and emerging risks, assignment of appropriate mitigations and recording of amendments to risk registers, including the responsibilities of strategic risk coordinators, departmental management teams and departmental risk coordinators;
· Establishing formal training requirements within the RMF for officers with responsibility for risks or risk management; and
· Obtaining CMT approval for the latest version of the RMF.
Actions to address these issues were agreed with management within a formal management action plan.
Contract Management
The Council has in place a Contract Management Framework (CMF), developed by Orbis Procurement, which provides an approach for the management of contracts, to ensure delivery of value and quality of goods and services purchased from suppliers. Although the Procurement Team is responsible for maintaining the framework, it is the responsibility of individual contract managers to familiarise themselves with it and apply it to their contracts, as appropriate.
The comprehensive framework outlines contract managers’ responsibilities in relation to their contract, taking into account their size and complexity. The framework is accompanied by a suite of supporting documentation and templates to assist contract managers. Contract managers often take on this responsibility as an addition to their role, without necessarily having any specialist knowledge of contract management. The framework is, therefore, a valuable resource available to help them in managing their contracts effectively.
In 2021/22, we assessed the adequacy of the Council’s CMF and were able to give an opinion of reasonable assurance. It was agreed with management that we would follow this up with a review to ascertain the degree to which contract managers are using the framework to support the successful delivery of their contracts.
In completing this work, we found that compliance with the framework was weak in a number of areas and, as a result, we were only able to provide an opinion of partial assurance in this area. We identified the need to promote the awareness and use of the CMF, reminding managers that, to deliver their contracts successfully, they should:
· make use of the framework’s documentation and templates, particularly contract management plans;
· ensure that performance monitoring reports are obtained and retained over the lifespan of contracts;
· strengthen risk management, including the use of contract-specific risk registers and making risk management a standing agenda item for meetings with suppliers;
· maintain effective business continuity arrangements to ensure the continuation of essential service provision in the event of a major problem with (or loss of) a supplier; and
· ensure that the approval of contract variations is adequately recorded.
Techforge IT Application Controls
Technology Forge Cloud (tfcloud) is a web-based property management system with modules to facilitate a variety of functions undertaken by local authorities in relation to property and asset management. At present, the Council is using the system for holding building condition information and all property ownership details, as well as statutory compliance information in relation to fire safety following site visits.
This application controls audit assessed all major input, processing and output controls as well as interfaces with other systems, to confirm that:
· No unauthorised or inappropriate access to data is obtained in order to reduce the risk of data breaches;
· Only correct data is input into the system, resulting in accurate records being held by the Council;
· System outputs are correct, enhancing management information and leading to informed decision-making;
· System updates and enhancements are introduced in a controlled manner, reducing risks to service delivery and / or vulnerabilities to malicious attacks against the system;
· The introduction of the employer portal interface (i-Connect) is well controlled and ensures that data is correctly transferred, outputs are accurate, and the risk of breaches is mitigated against; and
· Changes to the system are communicated and supported effectively, reducing the risk of a negative impact on service delivery.
During the audit, we identified a number of areas of control weakness that required improvement, including that:
· System owner responsibilities were not clearly defined and formally documented, leading to a reduction in understanding as to the requirements of the role. We believe that this underpins a number of the findings outlined below;
· There are a number of generic user accounts assigned which allow multiple people to access the same user account, reducing the transparency and traceability of use;
· There is no clearly defined process in place to allocate roles to users, increasing the risk of users having the ability to authorise transactions where their role does not require them to do so;
· At present, there is no formalised process in place to review the actions undertaken by those with system administrator access;
· The process for completing system updates is not as clearly defined as it could be, with the recording of actual test outputs not being undertaken; and
· The technical risk assessment for the system is outdated, having not been reviewed since November 2020.
We were therefore only able to provide an opinion of partial assurance in this area. Actions to address the findings of the review have been agreed with management within a formal management action plan, and we will complete a follow-up review in 2024/25 to assess the extent to which the agreed actions have been implemented.
Modernising Back Office Systems (MBOS) - Cutover Arrangements
MBOS is a change programme to replace the Council’s existing enterprise resource planning (ERP) SAP system with Oracle. ‘Cutover’ is the period where the Council moves from the old SAP ERP system onto the new Oracle ERP solution as part of the transition to go-live. Cutover planning and management are needed to help minimise and manage the risks of disruptions and delays to Council operations.
Through our work, we looked to confirm that adequate arrangements were in place for cutover, including in relation to:
· Cutover planning;
· Engagement of key stakeholders;
· Managing the risks of disruption associated with cutover;
· Adequacy of information to support cutover and go-live decision-making;
· An analysis of the staff resources required to deliver the cutover; and
· Contingency planning in the event that cutover did not proceed as planned.
In general, we found that the cutover strategy and approach for the cutover phase of the MBOS project was appropriate. However, we found that additional work was needed to implement elements of the strategy before management can have reasonable confidence that the cutover process will be delivered effectively, including ensuring that:
· Information gaps within individual workstream plans are addressed and key tasks completed;
· For all workstream plans, resourcing requirements and task owners are clearly defined to reduce the risk that cutover could be delayed or interrupted as a result of capacity gaps;
· There is sufficient time and opportunity for senior management to scrutinise and challenge cutover plans before the cutover period begins; and
· The draft rollback plan includes key detail, including the identification of the people who would be involved in the rollback process, tasks/activities that will need to be completed, and timelines/deadlines.
Our report, in the form of a position statement, was presented to the Programme Board, the Programme Management Office and Cutover Manager who have agreed to incorporate improvements as appropriate. It should be noted that since our position statement was issued, a decision to delay the system go-live has been taken (in part due to concerns raised within this report and the results of the MBOS Key Control Testing below) whilst an assessment of current programme progress and outstanding delivery tasks is completed, with a revised go-live date to be determined following this.
MBOS Key Control Testing
In Summer 2022, Internal Audit undertook an initial review of the key controls expected to be in place within the new ERP system. While it was our intention to be able to provide assurance over all processes, at that point in time it was not possible due to the incompleteness of the design process and various unknowns as to how the system would operate.
We agreed with the Programme Board and Programme Director that further work should be undertaken to review the business processes and their associated controls. The work sought to support the Chief Finance Officer’s responsibility under Section 151 of the Local Government Act to ensure a suitable control framework is in place. It was agreed the work would be undertaken in September 2023 in order to support cutover and the planned November 2023 go-live decisions.
Despite the best efforts of everyone involved, we were unable to complete our review to the full extent planned, and, for this reason, we were unable to provide any assurance to the Programme Board over the adequacy of the control framework within the new system and the control processes operating around it. We were able to meet with many of the Subject Matter Experts (SME), Business Leads and other nominated officers from different workstreams who confirmed that the processes around the system had not yet been designed, meaning they were not ready for our review, and business process documentation had therefore not been produced. There were a number of reasons presented for this including:
· User Acceptance Testing delays meaning the system has not been built or fully configured;
· End to end testing had not been completed;
· Some key users reported that they had not seen the full system in use; and
· Pressure of work.
Further, we found that Change Impact Assessments have not been completed, which would have been useful in identifying to the Programme Board any changes that the organisation might need to make to support the introduction of the system.
We raised the following recommendations, and questions, for the Programme Board to consider:
· The Board (or workstream sponsors) should be sighted on the progress being made to establish and document the ‘to-be’ process documentation and for this to be included within the cutover decision-making dashboard;
· The ‘to-be’ process mapping exercise should be extended to include the controls that operate within the processes around the system (rather than just those in the system);
· How much organisational and business readiness work can realistically be completed whilst UAT remains in progress?
· When should we return to complete the control assurance work?
The Programme Director agreed to respond to the position statement formally at the next Programme Board meeting.
Milton Grange Nursing Home Establishment Review
Milton Grange offers intermediate care to meet a range of needs for older adults, which includes the provision of intermediate beds with nursing care, and assessment and rehabilitation for people with dementia. The service is provided on a short-term basis to enable people to maximise their independence and return home where possible. The multi-disciplinary team at the home comprises rehabilitation support workers, occupational therapists, therapy assistants and a facilities team supported by a registered manager and deputy manager. Nursing and physiotherapy support is provided by East Sussex Hospitals Trust (ESHT).
The purpose of this establishment review was to provide assurance that management and financial controls are in place and operating effectively within the home, assessing compliance with key Council policies and procedures. It included assessing whether:
· Expenditure is only incurred for legitimate Council business and is in line with the relevant policies, procedures and procurement process;
· All key activities undertaken by the team are conducted in accordance with the Council’s and local policies and procedures;
· Robust arrangements are in place and all members of staff, agency workers and contractors are subject to appropriate onboarding checks, management and supervision.
In providing an opinion of reasonable assurance, we found a number of areas of good practice, with only a small number of areas where controls could be improved to mitigate potential risk to the service. These included ensuring that:
· There is adequate separation of duties in relation to petty cash claims and that this is properly recorded, where we found that some claims had been approved by the same officer who had received reimbursement;
· Records to evidence that key aspects of service delivery have taken place, and when, are properly updated, where we found this had not happened in some instances; and
· Safety checks undertaken on the home’s minibuses are properly recorded.
Actions to address these issues were agreed with management.
The front-line staff in Adult Social Care (ASC) use a number of tools to obtain records in a digital format relating to service users, including audio and video recordings, photographs etc. Clearly, it is important that this data is handled, retained and held securely over its entire life cycle. In addition, the integrity of data held is key in assisting management decision-making.
The purpose of this review was to provide assurance that:
· Clear roles and responsibilities are in place to ensure the accountability for data access;
· There are documented retention and disposal procedures to include provision for permanent preservation of archival material and secure disposal of information at the end of its life;
· Processes and procedures are in place to ensure that information is secure from accidental alteration or erasure, and the accuracy and reliability of data provided to management that will be used to inform decisions; and
· Clear policy, guidance and training is available to Council officers over information/data handling of personal and/or sensitive information, in addition to ongoing learning and awareness.
· dedicated guidance in relation to photo, video and media data within the already established range of policies and guidance on data handling; and
· a responsible user within the service who has responsibility for monitoring/enacting the retention policy for data held within Liquid Logic and eCase-file (ASC case management systems).
These were discussed with management and actions agreed to address them in the form of a management action plan.
School Audit Work
We have a standard audit programme in place for all school audits, with the scope of our work designed to provide assurance over key controls operating within schools. The key objectives of our work include to ensure that:
We undertake school audits through a range of both remote and on-site working arrangements.
The table below shows a summary of the two school reviews completed in Q2, together with the level of assurance received and areas for improvement.
| Name of School | Audit Opinion | Areas Requiring Improvement |
|---|---|---|
| Firle CE Primary School, Lewes | Reasonable Assurance | · All contractors and providers working within the school must be listed on the Single Central Record; · Staffing expenditure to be subject to regular review in order to bring it closer in line with the requirements of the Department for Education; · Budget oversight to be maintained, and steps taken to improve the budget position; · Mitigations to be implemented where positive declarations of interest are made; and · A contract register should be maintained detailing all contracts and subscriptions in sufficient detail to support contract management. |
| Pevensey and Westham CE Primary School | Reasonable Assurance | · Statutory information in relation to the Governing Body should be published, including the name of the Chair of Governors; · A robust procurement process should take place where there is an expectation that expenditure with an individual company will exceed £5k; · Governors should be sighted on and give approval for the crisis management plan, with roles being appropriately assigned or clear scope for delegation defined; · Purchase orders should be raised prior to orders being made with suppliers, and subject to evidenced approval; · Opportunities to reduce expenditure on staffing should be explored in order to support the production of a balanced budget in future years; and · Letting fees should be consistently applied, and evidence of sufficient insurance and risk assessments must be requested and maintained. |
Grant Related Audit Work
Supporting Families Programme 2023/24 Quarter 2
The Supporting Families (SF) programme has been running in East Sussex since January 2015 and is an extension of the original Troubled Families scheme that began in 2012/13. The programme is intended to support families who experience problems in certain areas, with funding for the local authority received from the Department of Levelling Up, Housing and Communities (DLUHC), based on the level of engagement and evidence of appropriate progress and improvement.
Children’s Services submit periodic claims to the DLUHC to claim grant funding under its ‘payment by results’ scheme. The DLUHC requires Internal Audit to verify 10% of claims prior to the Local Authority’s submission of its claim. We therefore reviewed 5 of the 53 families included in the August/September 2023 grant cohort.
In completing this work, we found that valid ‘payment by results’ (PbR) claims had been made and outcome plans had been achieved and evidenced. All the families in the sample of claims reviewed had firstly met the criteria to be eligible for the SF programme and had either achieved significant and sustained progress. We therefore concluded that the conditions attached to the SF grant determination programme had been complied with.
Broadband Grant
The 'e-Sussex' project, led by ESCC in partnership with Brighton & Hove City Council, was launched to improve internet access for homes and businesses in East Sussex. The project is overseen by Broadband Delivery UK (BDUK), part of the Department for Digital, Culture, Media and Sport.
The purpose of our work was to confirm that the Council was adhering to the terms of the programme and that the figures stated in the return were correct, which we were able to confirm. There were no findings arising and therefore no actions for improvement were needed.
Local Authority Bus Subsidy (Revenue) Grant / Bus Service Operators Grant (BSOG)
Payments from the Department of Transport (DfT) are made to local authorities for the running of local and community bus services. BSOG intends to benefit passengers through:
· helping to keep fares down; and
· enabling operators to run services that might otherwise be unprofitable and could lead to their closure.
The grant is ring-fenced and should be used to fund the provision of supported bus services or other related transport provision. Internal Audit is required to undertake sample testing across a number of routes and payments made to operators on an annual basis to ensure that payments are calculated accurately, and that the conditions attached to the grant are complied with. We were able to confirm that payments were correct, and that the Council had complied with the terms of the grant. A signed declaration was returned to the DfT within the required timescales.
2. Counter Fraud and Investigation Activities
Counter Fraud Activities
We have been liaising with the relevant services to provide advice and support in processing the matches received as part of the National Fraud Initiative.
The team continue to monitor fraud intelligence alerts and share information with relevant services when appropriate.
Summary of Completed Investigations
Bribery Allegation
An anonymous allegation was received alleging that an Officer received a cash payment to provide a positive statement in regard to a planning application. An investigation found that an offer had been made and refused. The offer was reported to management at the time and appropriate action taken.
Bank Mandate Fraud
An investigation was conducted following the payment of £9,014 as a result of a bank mandate fraud at a school. The investigation found that the school email had been compromised allowing the interception and diversion of correspondence. In addition to the compromised IT security, the procedures for independently verifying changes to vendor records had not been followed. Following the investigation, an internal control report was issued with agreed control actions. In addition, ICT security support was provided to the school. The incident was reported to Action Fraud.
3. Action Tracking
3.1 All high priority actions agreed with management as part of individual audit reviews are subject to action tracking, whereby we seek written confirmation from services that these have been implemented. As at the end of quarter two, all high priority actions due had been implemented.
4. Amendments to the Audit Plan
4.1 In accordance with proper professional practice, the internal audit plan for the year remains under regular review to ensure that the service continues to focus its resources in the highest priority areas based on an assessment of risk. Through discussions with management, the following reviews have been added to the audit plan so far this year:
| Review | Rationale for Addition |
|---|---|
| Sea Change Sussex | Continued support in helping the organisation collate information to address queries and issues raised. |
| IT Asset Records Management | Service requested additional assurance following issues highlighted from their own internal review. |
4.2 To date, the following audits have been removed or deferred from the audit plan and, where appropriate, will be considered for inclusion in the 2024/25 plan as part of the overall risk assessment completed during the annual audit planning process. These changes are made on the basis of risk prioritisation and/or as a result of developments within the service areas concerned requiring a rescheduling of audits:
| Planned Audit | Rationale for Removal |
|---|---|
| Covid Outbreak Management Fund – Grant Certification | No requirement for certification this year. |
| Schools Basic Needs Allocation – Grant Certification | No requirement for certification this year. |
| New Home to School Transport System | System will not be fully implemented this financial year. Audit postponed until 2024/25. |
| Property Asset Management System (PAMS) Replacement | No requirement for additional support for the implementation project. |
4.3 The following audit work is currently in progress at the time of writing this report (including those at draft report stage, as indicated) or is scheduled for quarter 3:
In Progress:
· Mobile Device Management (draft report)
· Procurement of IT Systems (draft report)
· Supplier Failure (draft report)
· Accounts Payable Interim Review (draft report)
· Payroll Interim Review (draft report)
· Children’s Data Handling Follow Up (draft report)
· Sea Change Sussex
· Parking – Procurement and Monitoring of External Service Providers
· Waste Management Contract – Contract Management
· Children’s Disability Services Direct Payments
· Ukraine Funding
· Business Continuity Planning
· Pension Fund – Collection of Contributions
· General Ledger
· Mental Health Cultural Compliance
· Adult Social Care Debt Management and Recovery
· Treasury Management
· Robotics (Governance Arrangements)
· System Change Control and Release Management
· LAS/Controcc
· Health and Safety Compliance
· MBOS Business Continuity Arrangements
· MBOS Security, Roles and Permissions
· St Mary’s Catholic School
· Contract Management Group Cultural Compliance Follow-Up
· Vehicle Use Follow-Up
Scheduled:
· Health and Safety Compliance
· Pension Fund Cash Management
· Pension Fund Administration of Pension Benefits
· Workforce Capacity and Working Arrangements
· External Funding Follow-Up
· Cyber Security – Response and Resilience
5. Internal Audit Performance
5.1 In addition to the annual assessment of internal audit effectiveness against Public Sector Internal Audit Standards (PSIAS), the performance of the service is monitored on an ongoing basis against a set of agreed key performance indicators as set out in the following table:
| | Orbis IA Performance Indicator | Target | RAG Score (RAG) | Actual Performance |
|---|---|---|---|---|
| Quality | Annual Audit Plan agreed by Audit Committee | By end April | G | 2023/24 Internal Audit Strategy and Annual Audit Plan formally approved by Audit Committee on 31 March 2023. |
| | Annual Audit Report and Opinion | By end July | G | 2022/23 Internal Audit Annual Report and Audit Opinion was approved by Audit Committee on 7 July 2023. |
| | Customer Satisfaction Levels | 90% satisfied | G | 100% |
| Productivity and Process Efficiency | Audit Plan – completion to draft report stage | 90% | G | 57.6% achieved to the end of Q2, against a Q2 target of 45%. |
| | Public Sector Internal Audit Standards | Conforms | G | Dec 2022 - External Quality Assurance completed by the Chartered Institute of Internal Auditors (IIA). Orbis Internal Audit assessed as achieving the highest level of conformance available against professional standards with no areas of non-compliance identified, and therefore no formal recommendations for improvement arising. In summary the service was assessed as: |
| | Relevant legislation such as the Police and Criminal Evidence Act, Criminal Procedures and Investigations Act | Conforms | G | No evidence of non-compliance identified |
| Outcome and degree of influence | Implementation of management actions agreed in response to audit findings | 97% for high priority agreed actions | G | 100% |
| Our staff | Professionally Qualified/Accredited | 80% | G | 97% |
Appendix B
Audit Opinions and Definitions
| Opinion | Definition |
|---|---|
| Substantial Assurance | Controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
| Reasonable Assurance | Most controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
| Partial Assurance | There are weaknesses in the system of control and/or the level of non-compliance is such as to put the achievement of the system or service objectives at risk. |
| Minimal Assurance | Controls are generally weak or non-existent, leaving the system open to the risk of significant error or fraud. There is a high risk to the ability of the system/service to meet its objectives. |