Annexe A
Internal Audit and Counter Fraud
Quarter 1 Progress Report 2024/25
CONTENTS
1. Summary of Completed Audits
2. Counter Fraud and Investigation Activities
3. Action Tracking
4. Amendments to the Audit Plan
5. Internal Audit Performance
1. Summary of Completed Audits
1.1 The Council is the designated statutory administering authority of the East Sussex Pension Fund (“the Fund”). It has statutory responsibility to administer and manage the Fund in accordance with the Local Government Pension Scheme (LGPS) regulations and has delegated the management and responsibility of the Fund to the East Sussex Pension Committee and the Pension Board, supported by the Chief Finance Officer for ESCC.
1.2 The Fund is responsible for managing assets for the long-term benefit of scheme members in accordance with statutory regulations and is a member of ACCESS, a collaboration of 11 LGPS administering authorities, which work together to reduce investment costs and gain economies of scale.
1.3 During quarter 1, we completed the following work in relation the Pension Fund, in accordance with the Pension Fund Internal Audit plan. Where we identified opportunities to strengthen controls, actions for improvement were agreed with management in all cases.
Pension Fund - Cash Management
1.4 The purpose of this audit was to provide assurance that:
· Pension contributions from all employers in the scheme are collected in full, at the time they fall due;
· Information from employers is provided in a timely manner to maintain the Fund’s ability to deliver an effective service; and
· Funding levels of new employers are sufficient to cover their liabilities.
1.5 Overall, we were able to give an opinion of substantial assurance in relation to this work. We found that:
· The Cash Management Strategy has been updated to reflect current requirements and best practice;
· The admission of new employers into the Fund is managed effectively;
· Information for employers is easily accessible via the Employer Toolkit, with appropriate guidance in place;
· A Service Level Agreement setting out the respective roles and responsibilities of the Pension Fund and the Council’s Treasury Management Team has been drafted and due to be approved by the Pension Committee;
· Appropriate segregation of duty is in place regarding users’ roles that have been set-up for accessing the Fund’s bank account; and
· Appropriately robust cash flow forecasting takes place.
1.6 Only two low risk findings were identified and actions to address these were agreed with management.
Pension Fund Investments and Accounting
1.7 The purpose of this audit was to provide assurance that:
· Stewardship of the Fund’s assets, including governance in relation to investment decisions, ensures that assets are safeguarded and managed effectively, and in accordance with regulatory requirements;
· The performance of the Fund’s investments meets its objectives;
· Investment income is received in full in a timely manner; and
· Accounting of the Pension Fund is accurate, resulting in an unqualified opinion by the external auditor on the Fund’s annual accounts.
1.8 In providing an opinion of substantial assurance, we found that:
· There were strong processes in place to ensure that investments are effectively monitored and align with the expectations of the Fund;
· Investment decisions are based on appropriate guidance from the investment advisors and are made within the terms of the framework set by the Pension Committee;
· Due diligence is undertaken prior to the engagement of new investment managers and investments are formally approved by the Pension Committee;
· All recent external assurance reports have received an unqualified opinion, with no significant control weaknesses identified;
· Investment income is monitored by the Fund’s custodian, Northern Trust, to ensure that it is received promptly and in full;
· The roles and responsibilities of all parties involved in the investment process are clearly documented and communicated;
· Appropriate checks are carried out to ensure that payments are made in accordance with contractual obligations; and
· Reconciliations are undertaken periodically to ensure that funds are recorded and accounted for correctly in the general ledger.
1.9 Only two minor areas for improvement were identified, with actions being agreed with management to address these.
Pension Fund – Administration of Pension Benefits
1.10 This audit reviewed the controls in place in relation to the calculation and payment of pension benefits and transfers to and from the Fund. The purpose of the audit was to provide assurance that:
· Data quality is sufficiently accurate to support transactions and reporting requirements;
· The calculation of pension benefit entitlements is accurate; and
· Delivery of the pension administration service complies with the requirements of the Pension Regulator.
1.11 Overall, we were able to provide an opinion of reasonable assurance. We found that:
· Appropriate data quality assurance processes are in place, including identifying data validation errors where information is received via automated transfer;
· Pension benefits are processed accurately, are paid on time and subject to appropriate authorisation; and
· Reporting to the Pension Board and Committee is comprehensive, open and transparent.
1.12 Some areas for improvement were identified, including the need to ensure that:
· System access is revoked in a timely manner when staff leave;
· Checks are undertaken to confirm that all steps within a process have been completed;
· Address changes are supported by members’ formal authorisation; and
· Changes to bank details are confirmed to members.
1.13 Actions in respect of the above findings were agreed with management.
Supplier Failure Follow-Up
1.14 During 2023/24, we completed an audit of Supplier Failure, where we sought to provide assurance on the arrangements and controls in place within the Council to identify critical suppliers at risk of failure and to mitigate the effects of any failures that occur. Our work identified that contract managers had a lack of awareness of the guidance and tools available within the Corporate Management Framework in relation to supplier failure and, as a result, did not always demonstrate consistent approaches to managing this risk. Consequently, we were only able to provide a partial assurance opinion.
1.15 As a result, we completed a follow-up review to assess the extent to which the agreed actions had been implemented. In completing this review, we were able to provide an improved opinion of substantial assurance, with all of the agreed management actions having been implemented and no further actions for improvement identified. Improvements made included:
· The development of a contract, performance and risk dashboard, enabling the contract landscape and associated risks to be visualised;
· Increased awareness of contract risk management and the Council’s Contract Management Framework, which includes guidance on supplier failure; and
· Reminding line managers of their responsibilities in ensuring contract managers, who report to them, are appropriately trained for their roles.
System Change Control and Release Management
1.16 System change controls and release management encompasses the process of identifying, acquiring, testing, and deploying system changes and releases. These changes and releases may aim to correct problems, close vulnerabilities, and improve system functionality. By implementing system changes and updates, the Council can minimise the risk of known vulnerabilities being exploited, enhance its cyber security, as well as ensuring that all systems have optimal or improved functionality.
1.17 This audit considered the Council’s system change and release controls, including whether changes and supplier releases are subject to testing prior to being applied swiftly and consistently, and whether disruption to users is minimised.
1.18 In providing an opinion of reasonable assurance, we found that:
· There is a clear and appropriate process in place for custom changes to IT&D managed systems;
· Changes to systems are subject to risk assessments that help to prioritise these;
· For both releases and changes to systems, the applications teams within IT&D receive notification and oversight of the details of changes, either through supplier release notes or official change requests;
· There are documented ‘minimum lead times’ for implementation of changes to systems, which include sufficient explanation of the reasoning for these times;
· The responsibility for identifying issues, testing, and sign-off of system changes sits with the service area, with support as necessary by the applications teams within IT&D. We found that results of the testing and any actions required are documented, along with any backout arrangements; and
· Arrangements for system downtime are appropriate, including, notification to users of when this will occur and, where possible, takes place out of core working hours.
1.19 Alongside the above, we identified the following areas for improvement, and actions were agreed with management to address these, including:
· The need for the release management process to be documented to help ensure releases to systems are completed in a consistent manner and using the same principles; and
· Further documenting roles and responsibilities for release and change management.
SAP Support Costs - Advice
1.20 The SAP system is currently supported by seven agency consultants covering payroll, finance, technical reports and troubleshooting, security and access, and overall SAP environment management (Basis Team).
1.21 During the quarter, we were approached by IT&D to assess the risks and implications associated with the potential removal of the SAP security and access role, in order to reduce the ongoing agency support costs for SAP whilst the new system, Oracle Fusion, was being implemented.
1.22 In reviewing the current responsibilities and workloads of the different roles, we found that the Security and Access Consultant handles crucial tasks, including setting up user access, managing permissions, and keeping data synchronised between SAP and Oracle. We felt that removing this role could lead to significant risks, including unauthorised access, data breaches, and operational inefficiencies. The consultant also supports the Oracle program indirectly by ensuring accurate data transfer and providing technical advice.
1.23 Following our feedback on this, management agreed to explore options for alternative arrangements which may be more cost effective, while retaining the Security and Access Consultant role.
Oracle Implementation Programme
1.24 We have continued to attend Programme Board meetings to provide ad-hoc advice and support on governance, risk and probity related issues. A review of the Programme Governance and Risk Management arrangements is currently being undertaken and a specific piece of work to provide assurance over the Enterprise Performance Management (EPM) module go-live has also been approved by the Board, with the timings to be agreed.
1.25 The Committee will continue to see summaries of all our work.
Climate Change Follow-Up
1.26 An audit of Climate Change was completed in 2023/24 that sought to provide assurance that appropriate measures are in place to achieve the Council’s aim of carbon neutrality. It covered:
· Governance arrangements;
· Resourcing;
· Arrangements to embed carbon neutrality through the Council;
· Mechanisms in place to monitor and report on the impact and outcome of carbon neutrality activities;
· Review and consideration of national and international legislative requirements; and
· Whether appropriate consideration had been given to the Council being able to adapt to unavoidable climate change.
1.27 This resulted in an opinion of partial assurance, and we have therefore completed a follow-up review to assess whether the actions agreed with management for improvement had been implemented. In completing this work, whilst acknowledging that there were some areas where further improvement was still required, we found that the direction of travel in many areas was positive, resulting in an overall opinion of reasonable assurance. We found that:
· Steps have been taken to identify ways to secure future funding (although recognising that the funding currently available is still not sufficient to deliver the 13% annual carbon reduction target);
· Equality Impact Assessments have been completed to identify where climate change actions taken by the Council may impact upon those with protected characteristics;
· Through reviewing the available case studies of energy and carbon reduction in schools, this indicates that schemes within schools are subject to appropriate monitoring to confirm that the desired outcomes have been achieved, both in relation to the reduction in carbon output and the functionality of the scheme within the school;
· Engagement activities with schools and young people are taking place and this has resulted in the production of a Climate Change Charter detailing ways in which schools can reduce their emissions;
· Additional roles have been created and recruited to in order to further support carbon reduction in Procurement, Property and Finance; and
· Work to develop a climate adaptation plan is being undertaken.
1.28 There were, however, some areas where further work was required to support the achievement of the Council’s carbon reduction target, including to ensure that:
· The Climate Emergency Board terms of reference are updated to reflect the current membership and voting arrangements;
· The process for considering climate change implications in decision-making is fully embedded; and
· The process for dealing with Scope Three emissions is properly resourced and embedded.
1.29 Actions to address these outstanding areas were agreed with management within a formal management action plan.
Adult Social Care and Health Liquidlogic (LAS) and Controcc
1.30 Liquidlogic (LAS) is the Council’s information management and authorisation system for Adult Social Care clients’ care needs. ContrOCC is the Council’s contracts and budget management system for Adult Social Care clients. The system is used to make payments to care providers and to collect contributions from clients towards the cost of their care. An automated interface allows LAS and ContrOCC to share key information. These are considered key financial systems, with circa. £300 million of care payments generated on an annual basis.
1.31 The purpose of the audit was to provide assurance that controls are in place to meet the following objectives:
· Only approved care packages are set up in LAS in accordance with the Council’s delegated authority;
· Payments to providers are complete, accurate, timely and only for services delivered;
· Client contributions are correctly calculated, received in full, and accurately recorded; and
· There is effective integration of LAS and Enterprise Resource Planning (ERP) systems to ensure sharing of key information.
1.32 In completing our work, we were able to provide reasonable assurance that controls are in place and operating effectively. We found that:
· Regular monitoring takes place to provide oversight of cases, with errors and incomplete cases being identified and investigated in a timely manner;
· New providers undergo appropriate approval before becoming ‘live’ on the system, reducing the risk of unauthorised payments being made;
· Payments to providers take place in line with defined payment schedules;
· Client financial assessments are undertaken in a consistent and timely manner;
· There is effective integration of data between LAS and ContrOCC, and ContrOCC and SAP, and appropriate reconciliation controls to ensure payments are made as planned; and
· There are clear workflow and approval pathways in place for the wide range of care package routes that exist.
1.33 There were, however, some areas where controls could be strengthened, including ensuring that:
· Adequate controls exist in the setting up of new users within the system;
· Policy and procedure documents are periodically reviewed and updated as appropriate;
1.34 Actions for improvement in respect of these findings were agreed with management.
Adult Social Care Debt Management and Recovery
1.35 The Care Act 2014 introduced a legal framework for the recovery of any debts that may have accrued as a result of the Council meeting a person’s eligible care and support needs. Income from charging is an essential contribution to Adult Social Care’s (ASC) budget to support the delivery of services to help people live and age well.
1.36 This audit reviewed the controls operating to manage debt to ensure that, where possible, debt recovery is maximised, performance monitoring is robust and resources are focussed on areas of priority debt.
1.37 In completing this review, we were able to provide an opinion of reasonable assurance. We found that strong arrangements were in place in several areas, including:
· The engagement of a project manager to improve processes for the recovery of debts relating to unpaid care and support charges;
· Improved arrangements for communications with non-paying clients to discuss debt repayment options;
· The creation of an ASC Debt Panel to provide oversight of high risk, non-payment cases and consideration of the most appropriate mechanisms for dealing with these, and to discuss lessons learned from previous cases from both within the Council and other authorities;
· The creation of a debt working group to review the debt position and to identify appropriate actions to mitigate this; and
· Monthly aged-debt reports, reviewed by senior management.
1.38 Some opportunities to enhance and strengthen the existing processes were, however, identified, and appropriate actions were agreed with management in respect of these, including to:
· Ensure the Income Collection policy and operational guidance are subject to regular review to help ensure continuing compliance with legislative requirements and principles;
· Promote the use of direct debts, which is the most secure, convenient and cheapest way to collect payments, where we found the take-up of these had reduced;
· Undertake early intervention work for instalment plans that have defaulted; and
· Develop a collection strategy for the prioritisation of debts to help ensure that resources are focussed effectively and that all recovery tasks are completed.
Greenwood Establishment Review
1.39 Greenwood is a care home situated in Bexhill, providing short stays and respite care. The establishment can accommodate up to a maximum of 15 guests. The home offers respite services for adults who live in East Sussex and have a learning disability, physical disabilities, sensory impairments or are over 65.
1.40 The objective of this audit was to provide assurance that management and financial controls are in place and operating effectively within the home, assessing compliance with key Council policies and procedures.
1.41 Based on the work completed, we were able to provide an opinion of reasonable assurance over the controls in place. We found that the home:
· Is well placed to identify and address budget variations and pressures in a timely manner, highlighted by the recent steps taken to reduce agency staff expenditure and adopting more cost-effective solutions;
· Makes use of the Council’s existing service contracts, contractors and approved vendors to mitigate any additional risks associated with sourcing such services itself. Expenditure and purchasing processes are in accordance with Council policies;
· Has processes in place to provide appropriate support to staff, including induction, training, supervision and observations.
1.42 There were, however, some areas where controls could be strengthened, including ensuring that all staff complete declarations of interest in accordance with the Council’s Code of Conduct and Conflict of Interest policy, and that Disclosure and Barring Service (DBS) certificates are only retained where there is appropriate authorisation to do so. Actions for improvement in these areas were agreed with management.
Highways Maintenance Contract Management
1.43 The County Council has a statutory duty to maintain the road network in a safe condition for the general public to use. The previous contract to maintain the County’s roads expired in April 2023 and, following an extensive procurement process, a new contract was let with Balfour Beatty Living Places Ltd. This contract commenced on 1 May 2023 and will run for an initial seven-year period, with an estimated value of £350m, but with an option to extend it for up to a further seven years.
1.44 This audit looked at the adequacy of contract management arrangements, focussing on:
· Contract monitoring and reporting arrangements;
· Financial controls, including budget monitoring;
· Variation arrangements;
· Financial viability, insurance and business continuity arrangements; and
· Access to IT systems.
1.45 In finding that most aspects of an effective contract management system were in place, we were able to provide an opinion of reasonable assurance. We found that:
· The contract is managed by an experienced team, supported by a comprehensive contract that sets out the respective roles of the Council and its contractor;
· The contractor’s performance is reported monthly to the Service Management Board (SMB) and the SMB reports contain actions for improvement in areas where performance is below the required level;
· Regular budget monitoring takes place with support from the Council’s Finance Team;
· Relevant checks are undertaken on the contractor’s continuing financial viability and insurances, and appropriate business continuity arrangements are in place; and
· Access to IT systems is adequately controlled.
1.46 We did, however, identify some areas that would benefit from strengthened controls, including to:
· Develop a formal contract management plan to provide a structure to the various contract management activities within the contract and to provide resilience in the event of loss of key staff;
· Review and, where possible, simplify the payments process which is currently complex and labour intensive;
· Further develop the risk management process;
· Implement an active programme of performance management, to include a programme of compliance audits to ascertain the contractor’s performance against each of the core activities in the contract; and
· Ensure Council officers have access to the contractor’s accounting system to enable it to validate costs.
1.47 A formal management action plan, incorporating actions for improvement against the above areas, was agreed with management.
Highways Contract Management Group Cultural Compliance Follow Up
1.48 The Highways Contract Management Group (CMG) is responsible for overseeing the Council’s Highways and Infrastructure Contract. The group monitors the performance of the service provider and ensures they are fulfilling the contract and tender commitments. It also manages the development of an asset management approach to looking after the highways and infrastructure, development of the service and all contract finance and budgets.
1.49 A cultural compliance audit of the Highways Contract Management Group was completed in 2019/20 and we provided an audit opinion of partial assurance. As part of our planned work for 2021/22 and 2022/23, we completed follow-up reviews of this audit, with both receiving unchanged opinions of partial assurance. This follow-up, therefore, sought to ensure that the agreed actions from these audits had been implemented.
1.50 In providing an improved opinion of reasonable assurance, we found that:
· A presentation was given by management to employees at a team meeting, discussing the key findings from the previous audit review and reminding them of the need to comply with organisational policies and requirements;
· Management monitor expenditure on contractors on a monthly basis, demonstrating an improvement in oversight;
· VAT receipts are being maintained for purchases made using a purchasing card, in line with organisational policy; and
· All travel claims tested were supported by an appropriately completed claim form. Evidence of expenditure in the case of train travel and car parking or fuel receipts for car journeys was available.
1.51 There were, however, some areas that required strengthening. These were discussed with management and actions agreed for improvement, including that:
· All staff within the team complete declarations of interest in line with organisational policy;
· Purchases via the team’s purchasing card are appropriate; and
· IT&D are consulted before purchases of IT equipment are made.
Vehicle Use Follow-Up
1.52 An audit of Vehicle Use was undertaken in 2020/21 which resulted in an audit opinion of partial assurance. A follow-up audit took place in 2022/23 to ensure that the agreed actions had been implemented and that compliance with Council policy in this area had improved. This resulted in an unchanged opinion of partial assurance due to continued compliance issues across the organisation.
This follow-up review was, therefore, undertaken to assess and provide assurance on the progress made in implementing the agreed actions from the previous audits.
1.53 In completing this review, we were again only able to provide an opinion of partial assurance. Whilst it is acknowledged that this is not a strategic risk for the Council or an area of high materiality, it is important that Council vehicles are only used for official Council business and that transparent records of vehicle usage are maintained to enable confirmation that this is appropriate in all cases, where inappropriate use has reputational, financial and legal implications. Our work has, unfortunately, confirmed that there are still issues of non-compliance with agreed policy in this area, as detailed below.
1.54 As part of the previous follow-up review, a key action was for the Fleet Management Team within Communities, Economy and Transport (CET) to reissue a guidance email to key contacts for all fleet vehicles, in order to remind them of, and confirm, their responsibilities in using Council vehicles. This duly happened and clear guidance was again provided to managers of teams that have access to fleet vehicles. However, we found that in over 55% of the teams approached during our review, managers had not shared the content of the email with their teams. This is likely a contributing factor in relation to the other findings of this follow-up, including that:
· Whilst vehicle mileage logs are being completed, the quality of completion varies and there is not always sufficient information to identify journeys and to confirm their legitimacy, as per defined process. As part of the guidance referred to above, a new mileage log template, designed to help ensure that appropriate details are recorded, was introduced, but we found that this was not being used consistently across the organisation. In addition, regular reconciliation of fuel receipts to journeys undertaken was not taking place in a number of teams; and
· Evidence of appropriate business insurance is not requested and maintained by teams, increasing the risk of employees not being insured should an incident occur whilst driving during the course of their duties.
1.55 Given these are compliance issues across the Council, it was agreed with management that:
· Communications will be issued from the Director of CET to reiterate the requirement for careful completion and reconciliation of mileage logs in order to minimise errors, together with;
· All relevant guidance and policies being issued to key contacts for all fleet vehicles by the Director of CET, making it clear that this information should be passed onto all drivers of fleet vehicles;
· All drivers of fleet vehicles will be required to sign a declaration to confirm to their managers that they have received, read and understood all associated vehicle policies, with this requirement being monitored by the Fleet Team and reported to line managers where non-compliance is identified; and
· The Safe Use of Motor Vehicles policy will be reviewed to reinforce the requirement for managers to obtain and record sufficient evidence that staff who drive their own vehicles on Council business, have the appropriate business use insurance.
Parking – Procurement and Monitoring of External Service Providers
1.56 The Parking Team is responsible for managing the Authority’s parking arrangements across the county, including parking enforcement and fine collections. A previous audit investigation had identified significant control weaknesses in this area, so this review sought to confirm that these had been addressed. In particular, we looked to ensure that the engagement, through the Parking Team, of service providers for key parking related activities, complied with the key Council policies. We also assessed the adequacy of monitoring arrangements in place to ensure providers are delivering services in accordance with contracts.
1.57 In completing this work, we were able to provide an opinion of reasonable assurance, finding that the Parking Team has adequate arrangements in place for contract and performance management with service providers, and there is proper engagement with the Procurement Team over the letting of contracts.
1.58 A few areas for improvement were, however, identified, including the need for the Head of Service to independently review specifications for the procurement of services and other parking-related activity, to ensure they are fit for purpose and contain accurate information before the tender process begins. These were agreed with management.
School Audit Work
1.59 We have a standard audit programme in place for all school audits, with the scope of our work designed to provide assurance over key controls operating within schools. The key objectives of our work include seeking assurance that:
· Decision making is transparent, well documented and free from bias;
· The school is able to operate within its budget through effective planning;
· Staff are paid in accordance with the school pay policy;
· Expenditure is controlled and funds are used for an educational purpose. The school ensures value for money on contracts and larger purchases; and
· All voluntary funds are held securely, and funds are used in accordance with the agreed aims.
1.60 We undertake school audits through a range of both remote and on-site working arrangements.
1.61 The table below shows a summary of the school audits completed in Q4, together with the level of assurance received and areas for improvement.
|
Name of School |
Audit Opinion |
Areas Requiring Improvement |
|
Alfriston School Follow-Up |
Substantial Assurance |
Including to ensure that: · Purchase orders are raised in respect of goods and services; and · Roles and responsibilities over use of the school’s purchasing card are clarified. |
|
Frant Church of England Primary School |
Partial Assurance |
Including to ensure that: · Any individual who is in regular contact with children, is subject to a DBS check and the relevant information is recorded on the Single Central Record (SCR); · The minutes of the meeting in which the annual budget is approved clearly record the carry forward balance, the budget share, clarity over which supporting financial documents are being approved and the school to which the approval applies; · Free lettings should be annually reviewed and approved by Governors, and any hirers of school premises should be required to sign a formal agreement; · Appropriate checks as to contractor’s employment status are undertaken; and · The responsibilities and financial limits documented within the school’s Scheme of Delegation and supporting local procedures are appropriate and reflect reasonable operational practice within the school. |
Grant Related Audit Work
Supporting Families Programme 2024/25 Quarter 1
1.62 The Supporting Families (SF) programme has been running in East Sussex since January 2015 and is an extension of the original Troubled Families scheme that began in 2012/13. The programme is intended to support families who experience problems in certain areas, with funding for the local authority received from the Department for Levelling Up, Housing and Communities (DLUHC), based on the level of engagement and evidence of appropriate progress and improvement.
1.63 Children’s Services submit periodic claims to the DLUHC to claim grant funding under its ‘payment by results’ scheme. DLUHC requires Internal Audit to verify 10% of claims prior to the Local Authority’s submission of its claim. We therefore reviewed 18 of the 184 families included in the April to June 2024 grant cohort.
1.64 In completing this work, we found that valid ‘payment by results’ (PbR) claims had been made and outcome plans had been achieved and evidenced. All the families in the sample of claims reviewed had, firstly, met the criteria to be eligible for the SF programme and had achieved significant and sustained progress. We therefore concluded that the conditions attached to the SF grant determination programme had been complied with.
Childcare Expansion Capital Grant
1.65 The Childcare Expansion Capital Grant was provided to support the expansion of Early Years childcare provision for working parents of all children aged between 9 months and 3 years, as well as for wraparound care for primary aged children. Through this grant, ESCC received funding of £823,379, of which £658,703 has been spent on schemes at local primary schools. At the time of our work, £164,676 remained unallocated.
1.66 A review of documentation took place to ensure that the schemes funded through this grant were in compliance with the grant terms and conditions, and that required processes were followed. We ensured that the funding had been received in-tact, and that appropriate evidence of expenditure had been retained.
1.67 Based on our testing, we were able to provide a return to confirm that the conditions attached to the Childcare Expansion Capital Grant had been met.
2. Counter Fraud and Investigation Activities
Counter Fraud Activities
2.1 The team continue to monitor intel alerts and share information with relevant services when appropriate.
2.2 Advice and support was provided on an ad hoc basis, and referrals made to external agencies for allegations not connected to ESCC.
3. Action Tracking
3.1 All high priority actions agreed with management as part of individual audit reviews are subject to action tracking, whereby we seek written confirmation from services that these have been implemented. As at the end of quarter one, all high priority actions due had been implemented.
4. Amendments to the Audit Plan
4.1 In accordance with proper professional practice, the internal audit plan for the year remains under regular review to ensure that the service continues to focus its resources in the highest priority areas based on an assessment of risk. Through discussions with management, the following reviews have been added to the audit plan so far this year:
|
Review |
Rationale for Addition |
|
Registration Service |
Identified as an area for review after the audit plan had been agreed. |
|
Declaration of Interest System Upgrade Project |
Advice on risk and control in relation to the upgraded declaration of interest system. |
|
SAP Support Costs |
As per 1.20 above. |
|
Civica Property Management (CPM) system - Payment Controls |
To review internal controls in the system following the identification of potential duplicate payments. |
|
Oracle Programme Governance and Risk Management Arrangements |
To review programme governance and risk management arrangements. |
|
Oracle Implementation Programme Controls Assurance – Enterprise Performance Management (EPM) |
To assess controls within the Enterprise Performance Management module of Oracle. |
|
Early Years Childcare Expansion Grant |
New grant that required certification. |
4.2 To-date, the following audits have been removed or deferred from the audit plan and, where appropriate, will be considered for inclusion in the 2025/26 plan as part of the overall risk assessment completed during the annual audit planning process. These changes are made on the basis of risk prioritisation and/or as a result of developments within the service areas concerned requiring a rescheduling of audits:
|
Planned Audit |
Rationale for Removal |
|
Financial and Benefit Assessments |
Rescheduled for 2025/26. |
|
Broadband Grant |
No grant certification required this year. |
4.3 The following audit work is currently in progress at the time of writing this report (including those at draft report stage, as indicated) or is scheduled for quarter 2:
In Progress:
· Cyber Security Response and Resilience (draft report)
· Domestic Violence Refuge Contract Management (draft report)
· Grangemead Establishment Review (draft report)
· Registration Services (draft report)
· Health and Safety Compliance (draft report)
· Health Visiting Contract Management
· Workforce Capacity and Working Arrangements
· IT Asset Records Management
· Payroll
· Home Care Contract Management
· Appointee and Deputyship Follow-Up
· Claverham Secondary School
· Accounts Receivable
· IT&D Project Management
· Civica Property Management (CPM) Payment Controls
· Civica Property Management (CPM) IT Application Controls Follow-Up
· Procurement Data Analytics Follow-Up
· Declaration of Interests System Upgrade
· PAX Application Controls
· Oracle Implementation Programme – Programme Governance and Risk Management Arrangements
· Ukraine Funding Follow-Up
Scheduled:
· Oracle Implementation Programme – Controls Assurance – Enterprise Performance Management
· Mobile Phone Application Management
· Surveillance Cameras
· Cultural Compliance Review
· Transition of Local Enterprise Partnership
· External Funding Follow-Up
· Contract Management Follow-Up
· Alternative Education Provision Commissioning for Children
· Supporting Families Q2
· Direct Payments
· Pension Fund Accounting Controls
· Accounts Payable
· Capital Budgetary Control
· Risk Management
· Contain Outbreak Management Fund - Grant Certification
· Local Transport Grant Funding - Grant Certification
· Bus Services Operators Grant
· Waivers to Procurement and Contract Standing Orders
· External Funding Follow-Up
5. Internal Audit Performance
5.1 In addition to the annual assessment of internal audit effectiveness against Public Sector Internal Audit Standards (PSIAS), the performance of the service is monitored on an ongoing basis against a set of agreed key performance indicators as set out in the following table:
|
Orbis IA Performance Indicator |
Target |
RAG Score (RAG) |
Actual Performance |
||
|
Quality
|
Annual Audit Plan agreed by Audit Committee |
By end April |
G |
2024/25 Internal Audit Strategy and Annual Audit Plan formally endorsed by Audit Committee on 28 March 2024. |
|
|
Annual Audit Report and Opinion |
By end July |
G |
2023/24 Internal Audit Annual Report and Audit Opinion was noted by Audit Committee on 5 July 2024. |
||
|
Customer Satisfaction Levels |
90% satisfied |
G |
100% |
||
|
Productivity and Process Efficiency |
Audit Plan – completion to draft report stage |
90% |
G |
36.9% achieved to the end of Q1, against a Q1 target of 22.5% (this includes completion to draft report of audits carried forward from 23/24). |
|
|
Public Sector Internal Audit Standards |
Conforms |
G |
Dec 2022 -
External Quality Assurance completed by the Chartered Institute of
Internal Auditors (IIA). Orbis Internal Audit assessed as
achieving the highest level of conformance available against
professional standards with no areas of non-compliance identified,
and therefore no formal recommendations for improvement arising. In
summary the service was assessed as: November 2023 – Updated self-assessment against the Public Sector Internal Audit Standards completed. The service was found to be fully complying with 319 of the standards and partially complying with 2. In both cases, proportionate arrangements remain in place. November 2023 - Quality review exercise completed. No major areas of non-conformance identified. The need to ensure consistency in the quality of the evidence contained within a small number of audit working papers was identified. This was addressed as part of our assignment manager review process and will be further considered at our auditor development days during 2024/25 |
||
|
|
Relevant legislation such as the Police and Criminal Evidence Act, Criminal Procedures and Investigations Act |
Conforms |
G |
No evidence of non-compliance identified |
|
|
Outcome and degree of influence |
Implementation of management actions agreed in response to audit findings |
97% for high priority agreed actions |
G |
100% |
|
|
Our staff |
Professionally Qualified/Accredited |
80% |
G |
94%* |
*Includes part-qualified staff and those undertaking professional training.
Appendix B
Audit Opinions and Definitions
|
Opinion |
Definition |
|
Substantial Assurance |
Controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
|
Reasonable Assurance |
Most controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
|
Partial Assurance |
There are weaknesses in the system of control and/or the level of non-compliance is such as to put the achievement of the system or service objectives at risk. |
|
Minimal Assurance |
Controls are generally weak or non-existent, leaving the system open to the risk of significant error or fraud. There is a high risk to the ability of the system/service to meet its objectives. |