Annex A
Internal Audit and Counter Fraud
Quarter 2 Progress Report 2025/26
CONTENTS
1. Summary of Completed Audits
2. Counter Fraud and Investigation Activities
3. Action Tracking
4. Amendments to the Audit Plan
5. Internal Audit Performance
1. Summary of Completed Audits
1.1 Employees’ salary payments account for a large proportion of the Council’s expenditure. Gross salary payments for East Sussex County Council (ESCC) for the 2024/25 financial year averaged £24.3m per month, with average net monthly salary payments of £18.5m. The Council’s Payroll Service is responsible for paying employees the right amounts at the right time and in accordance with their contracts and regulatory requirements. It is also responsible for ensuring that correct pay-overs to other bodies (e.g., pension funds and HMRC) are made by the due dates.
1.2 The purpose of the audit was to provide assurance that controls are in place in relation to starters, leavers, permanent and temporary variations to pay, changes to standing data, payruns and BACS transmissions.
1.3 In providing an opinion of reasonable assurance, we found a number of areas of good practice, including that appropriate pre-employment checks are completed, pay is calculated correctly and controls over payruns and BACS transmissions were operating as expected, with appropriate segregation of duties and authorisation in place. We also found that payroll data is regularly reconciled to the general ledger and that changes to payroll standing data were subject to review, testing and authorisation, prior to changes being implemented.
1.4 We did, however, identify some areas where improvement was required, including the need to ensure that:
· Managers provide sufficiently timely information about leavers or changes of position to ensure that the payroll is updated promptly and leavers’ access to the Council’s systems is revoked;
· Casual workers’ agreements are signed, returned and retained by the Council (or school) to evidence that employees understand their terms and conditions; and
· Travel and mileage claims are submitted on the correct claim forms, with the correct information and are supported by VAT receipts.
1.5 Actions to address these issues were agreed with management within a formal management action plan.
Pension Fund Governance Arrangements
1.6 The East Sussex Pension Fund (ESPF) provides retirement benefits for employees of the County Council and 140 other employer organisations, including Brighton & Hove City Council, district and borough councils and academic institutions. ESCC is the designated administering authority of the East Sussex Pension Fund. The Council has statutory responsibility to administer and manage the fund in accordance with the Local Government Pension Scheme (LGPS) regulations.
1.7 This review focused on the controls to ensure that appropriate governance arrangements are in place, including that ESPF roles and responsibilities are sufficiently well-defined, documented and understood to enable timely decision-making, and that the accountability and resilience of the Fund are maintained in the face of loss of key personnel.
1.8 In completing this work, we found appropriate governance arrangements in place and were able to give an opinion of substantial assurance as a result. The roles and responsibilities of the Pension Board and Pension Committee are known, understood and documented, and the Board and Committee exercise effective oversight of the Fund. The Board and Committee are supported by regular reports, which include reports on risk, investment performance, the Fund’s administration, employers joining or leaving the Fund and communications. Only one management action was agreed to address a single, low risk finding.
Oracle Segregation of Company Accounts
1.9 Phase 2 of the Oracle Implementation programme, which included the implementation of the Accounts Payable and Accounts Receivable modules, went live in April 2025. During the ‘hypercare’ period, an issue was identified whereby a purchase order from East Sussex Fire and Rescue Service (ESFRS) was sent to an individual outside the authorised ESFRS approvals hierarchy for authorisation. This raised concerns about the integrity of the approval hierarchies established for workflows within ESFRS and potentially other organisations.
1.10 As part of our support to the Oracle programme, we therefore assessed the adequacy of controls to enable the segregation of ESCC, the ESCC Pension Fund, and ESFRS as distinct legal entities within Oracle, and to ensure the integrity of their financial accounts and other records. Our testing confirmed that sufficient controls are in place to maintain appropriate segregation and that even if the incorrect approver had approved the transaction, it would still have been posted in the correct company accounts.
1.11 In terms of the specific instance whereby an ESFRS purchase order was sent for approval to an individual outside of the organisation, we found that the transaction approval process requires users to select an approver from a list, which may include individuals outside of their respective organisations. Reliance is placed on users to select the correct approver. Detective controls were not in place to identify any instances where an approver outside of the organisation was selected in error. Reliance on user selection introduces the risk that transactions could be authorised by someone outside of the appropriate organisational hierarchy, potentially compromising the integrity of the approval process, increasing the risk of error and fraud.
1.12 Whilst we did not provide a formal opinion as this was considered an advisory piece of work, following our review, improvements to the control process were made, with responsibility assigned for producing and monitoring a report of all activity across different authorities. Escalation routines are now in place to rectify any concerns identified. As a result, the control weakness referenced above has now been mitigated.
Oracle Support Model
1.13 The Oracle support model includes a network of Council champions and officers from the business support team, third-party support from Fusion Practices, and Oracle support. The purpose of this audit was to provide assurance that controls are in place to help ensure that:
· Roles and responsibilities for the support of the system are fully documented and communicated;
· Incident handling process and procedures are executed and monitored to ensure timely response to any issues; and
· System updates and changes are subject to sufficient testing and authorisation before implementation, with appropriate support arrangements in place with the supplier.
1.14 In completing this work, we were able to provide reasonable assurance for the following reasons:
· The support structure is adequately resourced with a combination of specialist officers who act as interfaces between specific areas and the Subject Matter Experts (SMEs), and four full-time IT and Digital (IT&D) resources allocated to the system. Oracle Advocates champion their business areas, and the Oracle Guided Learning (OGL) platform helps staff self-triage issues and reduce repeat tickets;
· The change process is clearly defined, with stages for business impact analysis and approvals from the Change Advisory Board (CAB); and
· Management of the system update and upgrade process is led by the IT and Digital Oracle Team, with the support of Fusion Practices.
1.15 Some areas for further improvement were, however, identified, including that:
· Whilst roles and responsibilities had been clearly defined for the hypercare period, it was acknowledged by programme management that there is a need to update these documents to reflect business as usual (BAU) activities;
· Although the incident handling process is defined, we were unable to evidence an incident’s journey through the process because the handling system does not provide sufficient reporting on individual cases. Without this visibility, it may be difficult to identify patterns or underlying causes, reducing opportunities for lessons learned and corrective actions; and
· An absence of formal KPIs for both Oracle Support and Fusion Practices presents a risk that performance cannot be effectively measured or managed, potentially resulting in inconsistent service quality and missed opportunities to identify developing themes.
1.16 In all cases, actions for improvement were agreed with management.
Direct Payments
1.17 Adult Social Care clients with eligible care needs have the option of receiving direct payments to pay for their support to meet the assessed level of care required. To be offered a direct payment, individuals are required to have a social care needs assessment to assess their needs and to determine how these can best be met.
1.18 Direct payments give individuals greater flexibility and control of their support package. Clients have the option to manage their own direct payment account or may choose to have the account managed by either the Council or an external service provider.
1.19 This audit aimed to provide assurance in relation to the administration, payment and monitoring of direct payments. In completing this review, we were able to provide an opinion of reasonable assurance. We found that:
· Control over the authorisation of care plans and set-up of direct payment accounts is robust;
· A reconciliation process is in place to monitor all direct payment accounts for both ESCC managed and client managed direct payment accounts, to ensure spend is in line with the care and support plan and that there is not a surplus or overspend on direct payment accounts; and
· Payments are made to verified pre-paid card accounts and are appropriately reviewed and authorised prior to being paid.
1.20 There were, however, a small number of areas where further improvements were required, including to ensure that:
· Client contributions are monitored and received;
· Reporting parameters for surplus balances on ESCC and client managed direct payment accounts are reviewed to ensure this includes all accounts with excess balance build-ups; and
· Guidance is produced and key performance indicators developed for annual direct payment review dates and account closures.
1.21 Improvement actions were agreed with management in response to the above areas.
Mental Health Cultural Compliance
1.22 In 2023/24, an audit of compliance with corporate and local procedures within the Adult Mental Health Team was undertaken which resulted in an audit opinion of partial assurance. The review identified areas of non-compliance with Council policies and procedures within the team in relation to financial and staff management.
1.23 We therefore completed a follow-up audit to assess the extent to which the previously agreed actions had been implemented. In completing this review, we were able to provide an improved opinion of reasonable assurance. Based on our work, we found that the majority of agreed actions had been implemented. There were, however, some areas of improvement still required, including the need to ensure that:
· A sample of staff mileage claims and annual leave entitlement is periodically reviewed to ensure that these have been calculated accurately;
· Staff declarations of interest are completed in all cases; and
· Improved reporting is available in relation to staff sickness absence.
1.24 An action plan was agreed with management to address the areas of improvement identified.
Emergency Planning
1.25 ESCC is classed as a Category 1 responder, as defined by the Civil Contingencies Act 2004 (CCA 2004). This means the Council has a duty to co-operate with other responders to assess risks, prepare plans to address risks, train officers and carry out emergency planning exercises. Emergency planning should aim, wherever possible, to prevent emergencies occurring, and reduce, control or mitigate the effects of an emergency, should one arise.
1.26 The purpose of the audit was to provide assurance that controls are in place to meet the following objectives:
· Appropriately robust risk management protocols are in place to identify, assess, monitor, and respond to a wide range of emergency situations;
· Appropriate action is taken in response to an emergency, reducing the risk of harm to individuals or damage to property;
· Appropriate communication of plans and communication protocols takes place regularly, and to the appropriate audience, to support the efficiency of an emergency response; and
· Collaboration and working arrangements with other authorities and organisations are appropriately defined.
1.27 As a result of our work, we were able to give an opinion of reasonable assurance. We found that controls were in place to identify and review risks, including with multi-agency involvement. Regular exercises are carried out to test emergency plans, and live incidents are appropriately documented.
1.28 However, we did identify some areas where controls could be strengthened. These related to the need to ensure that:
· All relevant officers complete refresher training;
· Contact details for emergency responders are kept up-to-date; and
· All emergency response plans are up-to-date.
1.29 An action plan to address these issues was agreed with management.
Transport for the South-East Governance Arrangements
1.31 The business plan for 2025/26 comprises a budget of £3.6m, of which £2.16m comes from the Department for Transport (DfT), and £0.5m from local contributions, with the bulk of the remainder having been brought forward from the previous year.
1.32 This audit covered the governance and financial management arrangements in place, and sought to provide assurance that:
· Governance and financial management arrangements meet Department for Transport requirements;
· Procurement activity delivers value for money; and
· Effective management of contracts delivers the required outcomes and value for money.
1.33 Through our work, we were able to give an opinion of reasonable assurance. We found that appropriate governance arrangements are in place and are captured in TfSE’s constitution, and that financial management follows the Council’s standard methodology. The procurement of consultants to carry out research into future transport requirements, which constitutes the bulk of TfSE’s expenditure, has been simplified through a contract with a single supplier, let with support from the ESCC Procurement Team. Procedures are in place to ensure that individual pieces of work are delivered in accordance with TfSE’s expectations.
1.34 However, we did find scope for strengthening controls to ensure that:
· The approval of all consultancy engagements is formally documented; and
· The published register, containing declarations of interests, is brought up to date.
1.35 Actions were agreed with management to address these findings.
School Audit Work
1.36 We have a standard audit programme in place for all school audits, with the scope of our work designed to provide assurance over key controls operating within schools. The primary objectives of our work include seeking assurance that:
· Governance structures are in place and operate effectively to ensure there is independent oversight and challenge by the Governing Body;
· Decision-making is transparent, well documented, and free from bias;
· Effective planning and monitoring arrangements are in place to enable the school to operate within its budget;
· Expenditure is controlled and funds are used only for educational and school business purposes;
· The school ensures value for money is sought on contracts and larger purchases;
· Voluntary funds are held securely and used in accordance with the agreed aims;
· Pupils and the school’s systems, assets, and site are safeguarded from unauthorised or inappropriate access; and
· Employment processes are robust to ensure that only appropriate persons are engaged, and staff are paid in accordance with the school’s pay policy.
1.37 The table below shows the results of the school audit completed in Q2.
| Name of School | Audit Opinion | Areas Requiring Improvement |
|---|---|---|
| Denton Community Primary School | Partial Assurance | Including to ensure that: · Declared conflicts of interest are managed appropriately; · Budget monitoring by governors occurs more frequently; · Purchase orders are raised and approved before orders are placed; · Segregation of duties in the expenditure process is strengthened; · The school’s procurement card is used in line with the Council’s policy; · Staff expenses are appropriately authorised; · The unofficial School Fund is audited in accordance with the Council’s Scheme for Financing Schools; and · Checks take place to ensure the school complies with HMRC’s IR35 requirements. |
Grant Related Audit Work
Local Authority Bus Subsidy (Revenue) Grant
1.38 The Department for Transport (DfT) provides payments to local authorities to support the running of local and community bus services through the ringfenced Local Authority Bus Subsidy (Revenue) Grant. This grant aims to help local authorities maintain or enhance current service levels, as well as invest in alternative services or bus infrastructure provision.
1.39 Our role involved undertaking sample testing across various routes and payments made to operators annually. This testing sought to provide assurance that payments are accurately calculated and that all conditions attached to the grant are met. Based on our sample testing, we confirmed that the payments were accurate and the Council complied with the grant terms. A signed declaration was returned to the DfT within the required timescales.
Childcare Expansion Capital Grant
1.40 The Childcare Expansion Capital Grant was provided by the Department for Education (DfE) to support the expansion of Early Years childcare provision for working parents of all children aged between 9 months and 3 years, as well as to increase the supply for wraparound care in primary schools.
1.41 A review of documentation took place to ensure that the schemes funded through this grant were in compliance with the grant terms and conditions, and that required processes were followed. We confirmed that the funding had been received intact, and that appropriate evidence of expenditure had been retained. Based on our testing, we were able to provide a return to the DfE to confirm that the conditions attached to the Childcare Expansion Capital Grant had been met.
Local Transport Capital Block Funding (Integrated Transport and Highway Maintenance Blocks) Grant
1.42 Payments from the Department for Transport (DfT) are made to local authorities in relation to highway maintenance and infrastructure through this grant. It includes five elements:
· Integrated Transport Block;
· Highways Maintenance Block needs element;
· Highways Maintenance Block incentive element;
· Network North (reallocated from HS2); and
· Pothole Fund
1.43 We were required to confirm that the grant conditions had been complied with. A sample of transactions was tested which confirmed this, and a signed declaration was returned to the DfT within the required timescales.
2. Counter Fraud and Investigation Activities
Counter Fraud Activities
2.1 The team continue to monitor intel alerts and share information with relevant services when appropriate.
2.2 In addition, we are continuing to review matches released as part of the National Fraud Initiative (NFI). High risk matches will be prioritised for investigation and support provided to services reviewing the reports.
Summary of Completed Investigations
2.3 A review of a high-risk payroll match from the NFI identified an individual employed by the Council who was working simultaneously with HM Land Registry. Our investigation found that the individual had failed to declare the secondary employment. The case progressed to a disciplinary hearing where the individual was dismissed for gross misconduct.
Conflict of Interest
2.4 An investigation was undertaken following receipt of an allegation that a Council employee had disclosed confidential pricing information to assist a supplier submitting a tender. The investigation found no evidence that contractual information had been disclosed but did identify that the employee had not declared external interests, which included acting on behalf of a Council supplier and family connections to a supplier. The case progressed to a disciplinary hearing where the individual was dismissed for gross misconduct.
2.5 We received a request from management for support in reconciling payments received within one of the Council’s services. In providing this support, we identified that an administration officer had failed to follow local procedures which led to discrepancies in income receipting. Whilst there was no evidence of personal gain, it was found the officer had not followed guidance. The individual resigned with immediate effect during the disciplinary process.
3. Action Tracking
3.1 All high priority actions agreed with management as part of individual audit reviews are subject to action tracking, whereby we seek written confirmation from services that these have been implemented. As at the end of quarter 1, it was confirmed that 8 of the 8 (100%) high-risk actions due to be implemented on a 12-month rolling basis had been actioned.
4. Amendments to the Audit Plan
4.1 In accordance with proper professional practice, the internal audit plan for the year remains under regular review to ensure that the service continues to focus its resources in the highest priority areas based on an assessment of risk. Through discussions with management, the following reviews have been added to the audit plan so far this year:
| Review | Rationale for Addition |
|---|---|
| Exceat Bridge | Reported in Q1 progress report. |
| Cherwell Replacement Project – Governance Arrangements Healthcheck | Added to the plan in response to a request from the service for additional assurance over a large and complex project. |
| Core Growth Hub Grant | Reported in Q1 progress report. |
4.2 To date, the following audit has been removed from the audit plan:
| Planned Audit | Rationale for Removal |
|---|---|
| Supporting Families programme | The Supporting Families programme ended on 31 March 2025. No further work is required from us at this time. |
4.3 The following audit work is currently in progress at the time of writing this report (including those at draft report stage, as indicated):
· Surveillance Cameras (draft report)
· Neighbourhood Support Team Cultural Compliance (draft report)
· Digital Literacy and Skills Training (draft report)
· Oracle Integrations and Interfaces (draft report)
· Section 17 Payments
· Grievance Arrangements
· Whistleblowing Arrangements
· Oracle Transition from Hypercare into Business as Usual
· Oracle Permissions and Management Trails
· Cherwell Replacement Project
· Deprivation of Liberty Safeguards
· External Funding Follow-Up
· Online Safety Act 2023
· General Data Protection Compliance (GDPR) – Covert Recording
5. Internal Audit Performance
5.1 Public Sector Internal Audit Standards (PSIAS), replaced on 1 April 2025 by new Global Internal Audit Standards (GIAS), required the internal audit service to be reviewed annually against the Standards, supplemented with a full and independent external assessment at least every five years. The results of our most recent self-assessment are included in the table below.
5.2 Our last quality review exercise, in November 2023, identified no major areas of non-conformance. The need to ensure consistency in the quality of the evidence contained within a small number of audit working papers was highlighted, and this has been addressed at service development days in 2024/25.
5.3 In addition to our periodic self-assessments of effectiveness, the performance of the service is monitored on an ongoing basis against a set of agreed key performance indicators as set out in the following table:
*Includes part-qualified staff and those undertaking professional training.
Appendix B
Audit Opinions and Definitions
| Opinion | Definition |
|---|---|
| Substantial Assurance | Controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
| Reasonable Assurance | Most controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
| Partial Assurance | There are weaknesses in the system of control and/or the level of non-compliance is such as to put the achievement of the system or service objectives at risk. |
| Minimal Assurance | Controls are generally weak or non-existent, leaving the system open to the risk of significant error or fraud. There is a high risk to the ability of the system/service to meet its objectives. |