Annex B
1. Audits Completed in Q4 (December to March)
1.1 The Civil Contingencies Act 2004 places a statutory duty on Local Authorities, as a category one responder, to develop, maintain and test business continuity plans. Effective business continuity planning provides a controlled resumption of prioritised services within expected timescales, ensuring an organisation can deliver a satisfactory, pre-defined, level of business operations in response to a disruption to business as usual.
1.2 The objective of this audit was to provide assurance over the governance arrangements of the Council’s business continuity framework and that continuity planning is well documented and robust.
1.3 Overall, we found that the Council has effective arrangements for business continuity planning and we were able to provide an opinion of reasonable assurance as a result. Governance arrangements are in place with a defined framework for all departments and levels within the Council. Arrangements for the identification of the Council’s critical/priority activities that feed into business continuity management are robust through the Business Impact Analysis (BIA) process.
1.4 Some areas for improvement were, however, identified, including the need to ensure:
· Roles and responsibilities in relation to business continuity are clearly defined;
· Key business continuity documentation, including plans and business impact analysis, are comprehensive and sufficiently clear; and
· There is a forward plan of tests to ensure business continuity plans are fit for purpose.
1.5 Improvement actions in respect of these areas were agreed with management.
MBOS Programme Support
1.6 MBOS is the change programme overseeing the replacement of the Council’s existing enterprise resource planning (ERP) system, SAP, with Oracle. In November 2023, the Programme Board took the decision to pause and re-evaluate the strategic direction of the programme.
1.7 A plan of audit work has been agreed with the Programme Board, which includes a review of the governance and risk management arrangements when the programme fully restarts. We will continue to provide independent and objective advice, support and challenge to the Programme Board, updating the Audit Committee on our work as the programme progresses.
1.8 The following position statements were produced as an extension to our support to the programme. These position statements have since been formally issued as final and are therefore summarised here for completeness.
Migration of SAP to Azure
1.9 Following a pause in the go live date for the MBOS programme, the Council sought to extend the current SAP provision as an interim measure.
1.10 The on-site storage infrastructure used by SAP was considered to be old, with failing components. This presented an immediate risk of disruption to Council operations. Therefore, the Council sought to re-platform the application to a cloud based hosted environment (Azure) to best mitigate this risk.
1.11 This review sought to provide assurance over the governance and risk management controls in place to support the secure and effective transition from an on-premise environment to the cloud-hosted site. The review was not a technical review of the arrangements and was delivered whilst the programme was in progress.
1.12 We found that the programme was being managed in a fluid and dynamic way with robust governance arrangements in place to support this agile approach, which included a Programme Board with defined roles and responsibilities. Data migration and reconciliation arrangements were in place to ensure that the data was transferred to the new environment completely.
1.13 There were, however, some areas where improvements could be made, which reflected that the programme was only partly completed. These included:
· Although risk management arrangements were in place, no assigned risk owners or mitigations for identified risks had been entered on the risk register, therefore compromising the overall effectiveness of the risk management process;
· There were no detailed plans for User Acceptance Testing (UAT) at the time of our review. We were therefore unable to comment on the adequacy and coverage of the planned tests;
· Although disaster recovery arrangements for the new site were in place, the back-up policy and back-up schedules had not yet been produced; and
· Although arrangements for the transfer of technical documentation and knowledge from the technical architects to ESCC staff were included within the scope of the programme, the tasks to support this activity had not been explicitly recorded within the programme plan.
1.14 Due to the pace of the programme, there was not sufficient time to agree actions with senior officers; however, we provided the Programme Board with a position statement on our work to inform them of the risks and to build changes into the programme as appropriate.
SAP Update - Control Assurance
1.15 Annual SAP support pack upgrades are made in line with application updates and new governmental mandates (for example, National Insurance changes). This review sought to provide assurance that the testing of ‘key controls’ within SAP was undertaken following implementation of the latest support pack, to ensure that these continued to function as before.
1.16 Our review found that a comparison document had been compiled manually to identify changes in the system arising from the update. In previous years, this information was compiled by a SAP tool which is no longer available due to the licence expiring, creating a risk that some changes in the upgrade may have been missed.
1.17 Testing was split into two phases: the first phase was Quality Assurance (QA) testing undertaken by the Support Team within IT&D; the second phase was User Acceptance Testing (UAT), undertaken by key users within business areas such as Finance and HR.
1.18 We found that the level of testing undertaken to ensure that the update worked as expected was consistent with the level of risk, focussing on the functional and transactional areas of key change. Whilst some of the UAT included an element of key control testing, it was not a specific objective of UAT to undertake testing to ensure that key controls within the system continued to function as expected. We were, therefore, unable to provide complete assurance that all key controls continued to function post upgrade. Due to the number of key controls within the system (we estimate this to be approximately 150), testing all of these, including those unaffected by the change, on an annual basis could be both excessively time consuming and costly.
1.19 Actions were, however, agreed with the business areas to review and incorporate testing of high-risk key controls into future test scripts. Further actions were agreed to ensure roles and responsibilities within the upgrade process are clearly defined and to ensure consistency of documentation.
Robotic Process Automation (Governance Arrangements)
1.20 Robotic Process Automation (RPA) is a form of business process automation that allows a user to define a set of instructions for a robot to perform automatically, often repeating the task quickly. The main benefits of automation are to remove repetitive, rule-based and time-consuming tasks, allowing staff to use their time much more productively. However, if automation is not suitably governed and managed, this could represent significant risk to the security and integrity of Council data.
1.21 The review evaluated the effectiveness of the controls to govern the use of robotics within the Council. We were able to provide an opinion of reasonable assurance in this area for the following reasons:
· The RPA governance arrangements are well-developed, allowing new RPAs to be developed through the Robotic Development Team;
· Processes ensure each RPA has governance arrangements in place and is built with an integrated activity log to keep track of all successful and unsuccessful activity. Any failures which occur are reported automatically to the service and development team; and
· Controls within the design process ensure that the expected benefits from implementing an RPA are reviewed and assessed at each stage.
1.22 However, we found that there is no signposting to the Robotics Development Team for anyone considering creating their own robot or automated process. This leaves the Council at risk of automated processes being unidentified and, if an officer were to leave, the organisation may not be aware of this automation and the process may not operate as intended.
1.23 Actions were agreed with management to address this and other minor risks.
Mobile Device Management
1.24 Mobile devices such as smartphones and tablet computers have the capability to store large amounts of data and, therefore, can present a high risk of data leakage and loss. Devices and data are often valuable and are therefore attractive targets for theft and misuse. Mobile device management (MDM) involves monitoring, managing and securing mobile devices to ensure that the Council’s information assets are not exposed.
1.25 In reviewing mobile device security governance, access control and encryption, and incident management, we were able to provide an opinion of reasonable assurance over the controls in place to support the organisation’s mobile device management arrangements. We found that:
· The security compliance settings applied to all registered iPhones were found to be robust in relation to security arrangements. These include password rules, encryption, automatic locking of devices, antivirus, antispyware and trusted platforms;
· The ability to install third party applications on managed devices has been restricted and users can only install applications that are on the Council's approved applications catalogue. Where a new application is required, a robust commercial, technical and risk review is undertaken prior to being authorised;
· An effective response plan is in place to respond to security incidents such as loss or theft of mobile devices;
· The MDM system will lock or wipe managed devices remotely in the event of loss or theft; and
· Adequate policy documents set out the responsibility of the user, showing what is acceptable practice and what would be unacceptable.
1.26 However, there were opportunities to further enhance controls, including ensuring that:
· There is appropriate oversight and management of the risks and related actions when devices are identified as non-compliant, to ensure appropriate action is taken in each case; and
· Responsibility for periodic reconciliation of the number of active devices as identified by the network provider, to the number of devices enrolled on the MDM, is formally assigned.
1.27 Appropriate actions were agreed with management in relation to these areas.
Ukraine Funding
1.28 In March 2022, the Government launched the Homes for Ukraine Sponsorship Scheme, which gave Ukrainians the right to apply for a visa if they had a named eligible sponsor who could provide accommodation in the UK. The Council has several obligations under the scheme, including conducting appropriate checks in respect of the sponsor and accommodation, making ‘one-off’ £200 subsistence payments to each guest (guest payments), making ‘thank you’ payments to the host (host payments) and assisting guests to access relevant services. To fulfil these obligations, the Council receives grant funding from the Department for Levelling Up, Housing and Communities (DLUHC). In two-tier areas such as East Sussex, funding is provided to the upper-tier authority. However, a condition of the funding is that a plan is agreed locally for prompt payments to lower-tier district and borough councils (D&BCs) to enable them to pay upfront costs and provide services for guests under the scheme.
1.29 This review focussed on providing assurance over the payment, monitoring and governance arrangements in place for grant money received, and allocated by, East Sussex, under the Homes for Ukraine Scheme. In completing this work, we found weaknesses in the control environment with regards to the recording of completed safeguarding checks, the administration of the payments made, and the ongoing monitoring of these payments. We were, therefore, only able to provide an opinion of partial assurance in this area, finding that improvements were necessary in ensuring that:
· There are appropriate contracts and/or service level agreements in place between the Council and partnering authorities to help ensure that safeguarding checks of properties are completed timeously by East Sussex Fire and Rescue Service (ESFRS) and that scheme monies are appropriately allocated or spent by district and borough councils;
· Grant agreements are appropriately signed by partner organisations to ensure that the terms and conditions can be enforced in the event of future challenge;
· Payments made by district and borough councils are reconciled within Council records to ensure that payments have only been made where instructed;
· District and borough councils submit monthly returns to the Council of payments that have been made, to reduce the risk of inaccurate returns of overall expenditure by the Council to DLUHC; and
· The programme risk register is reviewed to ensure that it includes risk owners, mitigating actions and risk scores.
1.30 Improvement actions in all of these areas were agreed with management and we will complete a follow-up review in 2024/25 to assess the extent to which these have been implemented.
Mental Health Services – Compliance with Corporate and Local Procedures
1.31 The Adult Mental Health Teams provide support for Adult Social Care (ASC) clients whose primary presenting need is mental health.
1.32 The objective of this review was to provide assurance over compliance with corporate and local policies and procedures in relation to practice, performance and quality within the Mental Health Team. In completing this work, we found that corporate policies are not always being adhered to, including in relation to the appropriate use of purchasing cards, completion of relevant online health and safety training, staff expense and overtime claims and the management of absences. As a result, we were only able to provide an opinion of partial assurance.
1.33 A robust action plan was agreed with management to ensure that:
· Employees are aware of and adhere to corporate policies in relation to travel and expense claims, health and safety training, declarations of interest, purchasing, and ensuring the security of client information on accessible calendars;
· Sickness absences are appropriately recorded, with absence management procedures being followed where triggers are met;
· Annual leave entitlements are appropriately calculated, and employees only take the level of leave to which they are entitled; and to
· Improve Practice Managers’ capability in relation to finance matters.
1.34 Due to the partial assurance opinion, we will complete a follow-up review in 2024-25 to assess the extent to which the agreed improvement actions have been implemented.
Waste Management Services – Contract Management
1.35 Together with Brighton and Hove City Council, the Council has held a Private Finance Initiative contract with South Downs Waste Services Limited for the delivery and operation of waste facilities, including recycling and disposal services for household waste across both authorities. The contract, including a five-year extension that was negotiated in October 2007, has a total value of £1.1bn over its 30-year lifetime and attracts PFI credits of £49m.
1.36 The contract covers the provision of the following services:
· The operation and maintenance of 12 household waste sites;
· The construction, operation and management of additional sites (including a household waste recycling site, a composting plant, a materials recovery facility, an energy recovery facility and three waste transfer stations); and
· The logistic activities to support these operations.
1.37 The aim of the audit was to provide assurance that controls are in place to meet the following objectives:
· Governance arrangements are effective in delivering the contract’s objectives;
· Payments are made in accordance with the terms of the contract;
· Data is secure from unauthorised access;
· Service delivery is maintained in the event of the loss of the supplier or key sites; and
· Any variations to the original contract are made in accordance with the Council’s Procurement and Contract Standing Orders.
1.38 Based on the work undertaken, we found that the contract was managed effectively, with appropriate reporting arrangements, liaison with the contractor and robust payment controls, and we were able to provide an opinion of reasonable assurance.
1.39 However, a small number of areas for improvement were identified, including in relation to the valuation of sites for insurance purposes, and actions were agreed with management to address these.
Children’s Services Quality Assurance Framework
1.40 Children’s Services have developed an Early Help and Social Care (EHSC) quality assurance framework which sets out how the service will monitor and evaluate the quality of practice and service provision to improve quality and achieve better outcomes for children, young people and their families.
1.41 The scope of this review was therefore to provide assurance on the effectiveness of the Children’s Services quality assurance (QA) function in driving improvement within the service, including in relation to comparison with similar organisations, resourcing, risk management, quality assurance activity, reporting and implementation of improvement actions.
1.42 Our work identified that the Quality Assurance Framework is in line with good practice, with an annual quality assurance plan which is reviewed quarterly and which sets out the assurance activities to be undertaken in order to deliver the Framework. Assurance activities are being regularly undertaken by officers with appropriate knowledge and who are able to maintain appropriate independence to the practice or service under review. There is good management oversight as to the outcomes of quality assurance activities, with progress on the implementation of actions being monitored and reported on a quarterly basis. As a result, we were able to provide an opinion of substantial assurance.
1.43 One low risk finding was identified in relation to the case audit reporting tool, where there was an opportunity to improve the efficiency of collating and reporting on findings from QA reviews which was a manual process. An action, in the form of building a monthly automatic report of case file audits, was agreed with management.
School Audit Work
1.44 We have a standard audit programme in place for all school audits, with the scope of our work designed to provide assurance over key controls operating within schools. The key objectives of our work include assurance that:
· Decision making is transparent, well documented and free from bias;
· The school is able to operate within its budget through effective planning;
· Staff are paid in accordance with the school’s pay policy;
· Expenditure is controlled and funds are used for an educational purpose;
· The school ensures value for money on contracts and larger purchases; and
· All voluntary funds are held securely, and funds are used in accordance with the agreed aims.
1.45 We undertake school audits through a range of both remote and on-site working arrangements. The table below shows a summary of the two school reviews completed in Q4, together with the level of assurance received and areas for improvement.
Name of School | Audit Opinion | Areas Requiring Improvement
Beckley CE Primary School | Reasonable Assurance | Ensuring that: · Governors’ declarations of interest are published on the school website; · Consolidated accounts are published for the school fund, and subject to annual audit; · Checks are undertaken to ensure that contractors continue to hold sufficient public liability insurance; · All committees have agreed terms of reference in place; and · A leavers checklist is implemented to document the revocation of physical and systems access and the return of assets when an employee leaves the employment of the school.
Forest Row CE Primary School (Follow-Up) | Reasonable Assurance | Ensuring that: · Liaison with the bank continues to regain access to the school fund bank account; · Staff are reminded of the need to raise purchase orders prior to making a purchase; · All contracts and subscriptions are identified and documented within a contract register; and · The budget amount is documented within governing body minutes to confirm the value that has been approved.
Grant Certification
Local Transport Authority Bus Recovery Funding
1.46 The Local Transport Authority Bus Recovery Funding (LTA BRG) was provided to support the provision of commercial and tendered bus services following the initial ‘emergency’ period of Covid. Through this funding, the Council received £116,176.06.
1.47 Testing of provider returns, invoices and payments made was undertaken to ensure that the funding was used in line with the grant conditions and that appropriate documentation had been kept to evidence expenditure.
Supporting Families Grant Certification
1.49 The Supporting Families (SF) programme has been running in East Sussex since January 2015 and is an extension of the original Troubled Families scheme that began in 2012/13. The programme is intended to support families who experience problems in certain areas, with funding for the local authority received from the Department of Levelling Up, Housing and Communities (DLUHC), based on the level of engagement and evidence of appropriate progress and improvement.
1.50 Children’s Services submit periodic claims to the DLUHC to claim grant funding under its ‘payment by results’ scheme. The DLUHC requires Internal Audit to verify 10% of claims prior to the Local Authority’s submission of its claim. We therefore reviewed 16 of the 160 families included in the January/March 2024 grant cohort.
1.51 In completing this work, we found that valid ‘payment by results’ (PbR) claims had been made and outcome plans had been achieved and evidenced. All the families in the sample of claims reviewed had firstly met the criteria to be eligible for the SF programme and had either achieved significant and sustained progress at case closure. We therefore concluded that the conditions attached to the SF grant determination programme had been complied with.
2. Counter Fraud and Investigation Activities
2.1 Internal Audit have been liaising with the relevant services to provide advice and support in processing the matches received as part of the National Fraud Initiative.
2.2 In addition, the team continue to monitor intel alerts and share information with relevant services when appropriate.
2.3 Advice and support was provided on an ad hoc basis, and referrals made to external agencies for allegations not connected to ESCC.
2.4 During the quarter, an attempted bank mandate fraud was logged and reported to Action Fraud. An individual impersonating a senior officer requested, via email, a change to bank details for salary payments. The request was identified as bogus and not actioned.