Appendix 1
Internal Audit and Counter Fraud
Quarter 1 Progress Report 2020/21
CONTENTS
1. Summary of COVID 19 work and Completed Audits
2. Counter Fraud and Investigation Activities
3. Action Tracking
4. Amendments to the Audit Plan
5. Internal Audit Performance
1. Summary of COVID 19 work and Completed Audits
COVID 19 work (April to June 2020)
1.1 During the quarter 1 (2020/21), Internal Audit redirected its resources to support the organisation in its response to the issues arising from the Coronavirus pandemic and planned work was suspended. As a result, the 2020/21 Internal Audit Plan has been substantially revised and forms a separate report to this Committee.
1.2 During quarter 1 the resources of the Internal Audit and Counter Fraud service have been focused on the following:
· Full time redeployments of staff to support Covid-19 cells/ projects;
· Short term staff placements to support individual Covid-19 related work;
· Advice on, and reviewing, system changes to support remote working;
· Finalisation of reports that were put on hold at the year-end;
· Carrying out data analytics on key financial systems e.g. creditors;
· Delivery of some high priority audit projects e.g., an update review on the housing repairs service.
1.3 The redeployment of some Internal Audit staff included support to the following projects and initiatives:
· Working with the Business Rate Team to develop a verification process for applications made to the Small Business Grant and Retail, Leisure and Hospitality Fund, as well as the processing and validation of business Covid-19 grant applications;
· Supporting the delivery of council Covid-19 newsletters to households across the city;
· Supporting the set up the council’s own food bank in the city centre and assisting with the administration of food purchasing;
· Helping to administer a city-wide volunteer register;
· One full time redeployment to the Community Hub within Adult Social Care;
· One full time redeployment to provide project support to the Vulnerable Housing Cell. The cell’s objective was to provide oversight of all accommodation needs of those affected by Covid-19 pandemic;
· Helping the Executive Director of Health & Adult Social Care with support to complete a Local Care Home Support Plan for submission to ministers;
· Laptop distribution to essential staff;
· Supporting the Ways of Working Recovery Group and the Governance and Accountability working group.
Housing and Council Tax Benefits – Substantial Assurance
1.4 Housing Benefit (HB) and Council Tax reductions are administered by the Revenues and Benefits team. In 2017, housing benefit was replaced by Universal Credit for all new claimants. Projected expenditure for housing benefit was £114million at the time of audit in 2019/20.
1.5 The purpose of the audit was to provide assurance that controls are in place to meet the following objectives:
· All benefit payments are legitimate and appropriate;
· Assessment of benefits is accurate and timely;
· Overpayments and Write-offs are managed, monitored and reported;
· Regular reconciliations are undertaken between the Benefits System, Housing Rents and General Ledger;
· Quality Assurance arrangements are effective.
1.6 The audit found that the majority of key controls were in place and that the Revenue and Benefits teams monitor their performance closely and are responsive to demands on the service. There are effective procedures in place to sample check assessments calculations and make corrections. In addition, reconciliation processes between the Benefits Systems, Housing Rents systems and the General Ledger are robust and completed on time.
1.7 One medium priority and one low priority action were agreed to improve the controls within the service. The high priority action resulted from sample testing where we found an instance where the claimant’s self-employed income figure had not been reviewed for over six years. The case relates to Council Tax reduction only.
Payroll - Substantial Assurance
1.8 The council’s payroll and HR processes are hosted on the Personal Information and Employment Resource (PIER) system. The system covers salary, overtime and other employment related payments such as travel, and subsistence. Some system data can be input by individual employees on a self-service basis.
1.9 Employee expenditure accounts for a significant element of the council’s budget. It is therefore essential in terms of accuracy, integrity and value for money that effective control and management is exercised over the payroll function. To provide context, the September 2019 pay run value was £13.6 million (including schools) in relation to 9,320 staff.
· The purpose of the audit was to ensure:
· Starters are properly approved, and pay is calculated and paid from the correct dates and leavers are removed from the payroll in a timely manner;
· Permanent variations to pay are properly approved, calculated and paid from the correct dates;
· Pay runs and BACS transmissions are correct and authorised;
· Payroll data is regularly reconciled to the General Ledger;
· Temporary payments (including additional hours, expense claims and payments to casual staff) are correctly authorised prior to processing;
· Changes to standing data are reviewed, accurately input and authorised.
1.10 The audit found that key controls were operating as expected but two areas for improvement were identified. These were:
· there are a number of outstanding historic cases where the Payroll system and the General Ledger do not match. These are mainly salary advances that have not been recovered and cases where salary has been overpaid but an invoice has never been raised;
· the 2018/19 audit report contained an agreed action that a checklist would be used to record details of payslips spot-checked each month to help ensure that payroll calculations are correct. However, this process has not yet been implemented.
1.11 Actions to address these control issues have been agreed with management.
Council Tax – Reasonable Assurance
1.12 The council budgeted to raise £143.6 million from council tax in 2019/20. This is an increase of £5.8 million compared with 2018/19. The target collection rate for year was 96.57%. The objectives of the audit were to ensure:
· all taxable properties have been identified and regularly reconciled to the Valuation Office Records;
· an accurate calculation has been made of the chargeable amount for each property, demand notices are sent out promptly and income collected is posted to the correct debtor account;
· outstanding debt is regularly monitored and reviewed. Recovery action is taken in accordance with an approved (documented) recovery process;
· there is a defined procedure for writing off debts;
· key system reconciliations are carried out.
1.13 We found controls were operating correctly in most areas but that there were a number of areas where improvements to control were still required. We also noted a reduction in the effectiveness of collection processes. Key issues arising from our review are summarised in the following paragraphs.
1.14 As at December 2019, in-year collection was below target and demonstrated a deterioration in performance against the same point in 2018.
1.15 Our sample testing of discounts, exemptions and disregards highlighted cases where there was insufficient evidence held to support the reduced liability and cases where continued eligibility for a discount had not been reviewed for several years. We also noted there are a number of accounts (both live and closed) in arrears where the council itself is the liable party.
1.16 As at January 2020, there was a backlog of around 9,000 processes, which equates to just over one week’s worth of work for the service. A comparison of reported figures shows that whilst the backlog is showing a month on month improvement, it was higher when compared to the same period in 2018/19.
1.17 Actions were agreed to address these areas for improvement and will be followed up as part of our 2020/21 audit of the Council Tax system.
Budget Management (2019/20)– Reasonable Assurance
1.18 Budget management processes are key to ensuring that the council has efficient mechanisms to align financial resources to corporate priorities and to allow the early identification of actual and potential overspends. This audit focused on the setting, monitoring and review of the 2019/20 budget, which was approved by Councillors on the 28th February 2019 and included a savings target for 2019/20 of £12.236m. The specific objectives of the audit were to ensure:
· a properly evidenced and accurate budget is set and approved in accordance within the required timeframes;
· budget monitoring reports to senior managers and Members are accurate, consistent and timely;
· there is an effective budget monitoring process embedded throughout the organisation;
· where adverse budget reporting is identified, concerns are escalated, and remedial action is taken to enable budgets to be met;
· savings are being delivered in accordance with the plan for that financial year.
1.19 We concluded that, despite the current budget management challenges, savings were being delivered and budget management arrangements were generally effective. We found that targeted budged management (TBM) reporting process generally provides a good analysis for budget holders, senior management and Members. We concluded that it could however, be further improved by including a section on income targets.
1.20 The audit identified the following areas where further improvements could be made to budget management:
· In response to increasing demand and costs, additional savings were planned through the Sustainable Social Care Programme. This was largely unsuccessful and led to unachieved savings of £440k. The reasons behind this need to be fully understood, in order for the council to learn from this experience and implement changes that reduce the cost of service provision;
· Income targets are sometimes overly ambitious and lack appropriate challenge. Mechanisms to generate income are not always properly understood. This has led to budget pressures as heads of service have to find additional savings to mitigate missed income targets;
· Where there has been an overachievement of income, this has made overspending elsewhere less visible and less open to challenge and scrutiny.
1.21 Five medium priority actions have been agreed to address these issues which will be followed up during our 2020/21 budget management audit.
Housing Allocations – Reasonable Assurance
1.22 The council operates a housing allocation scheme to ensure that it meets its statutory duty to accommodate and allocate other properties to those assessed as having the greatest need. In 2019/20, a total of 581 properties were let, of which 462 were council stock.
1.23 The purpose of the audit was to provide assurance that:
· a defined allocations scheme is in place which accords with legislative requirements;
· the processing and vetting of initial applications/registrations are made in accordance with the scheme, and addresses key fraud risks;
· the housing register is subject to maintenance and review, which periodically removes applicants should they cease to be eligible;
· allocations are made in accordance with the allocations policy, with appropriate controls in place to manage fraud risks (both internal and external).
1.24 Our testing found that the shortlisting process followed the council’s policy for allocations, over the four priority queues (homelessness, home seeker, council interest queue and transfers). However, the following areas for improvement were identified:
· There were a significant number of bidders who had not supplied all the necessary proofs for their housing need, and as such are bypassed when creating a shortlist;
· The policy states that an applicant should not be in rent arrears, prior to shortlisting. However, this is sometimes waived;
· A key action agreed at the previous audit, was to undertake fraud checks on shortlisted applicants, but this had not been implemented;
· Key information should be easily and clearly retained on the Locator System, but instead reliance is placed on other teams confirming that eligibility criteria have been met;
· Data analytics conducted on the housing register identified a large number of applicants who have no housing need, have not bid on any property in the last 3 years or have a registered address outside the city boundary.
1.25 Actions were agreed with management in relation to all of the areas above, with three having been implemented by the date of finalisation of our report.
Cloud Computing – Reasonable Assurance
1.26 Microsoft defines the ‘cloud’ as a term used to describe a global network of servers, each with a unique function. The cloud is not a physical entity, but instead is a vast network of remote servers around the globe which are linked together and meant to operate as a single ecosystem. These servers are designed to either store and manage data, run applications or deliver content or a service such as streaming videos, web email, office productivity software or social media. Instead of accessing files and data from a local server or personal computer, you are accessing them online from any Internet-capable device – the information will be available wherever you go and whenever you need it.
1.27 From a sample of third party applications and systems retained in the cloud and elsewhere, we reviewed the controls in place to manage the security, access, recovery and deletion of the data. Cloud-based systems are hosted outside of the council's network infrastructure and fall outside of the control of the IT & Digital service , who provide limited support for these systems. As such, there is a risk to the security of data held in these systems, as well as to system availability, which can potentially impact service provision.
1.28 The purpose of the audit was to provide assurance that controls are in place to meet the following objectives:
· There are adequate governance processes in place to ensure all cloud-based systems are reviewed and approved by IT&D;
· System access is restricted to appropriately authorised individuals, the permissions provided to those users are in line with business requirements and this is kept up to date with role changes;
· Leavers are promptly and consistently removed from all systems;
· Access to council data is held in accordance with relevant legislation and data is sufficiently protected by the service provider;
· A process or agreement is in place for externally hosted systems in order to identify and manage vulnerabilities as they arise. This could include patches and other updates are applied in a timely manner;
· Service providers have sufficient disaster recovery and business continuity arrangements in place.
1.29 In providing our opinion of reasonable assurance, we found a number of controls to be operating appropriately, with testing confirming that systems within our sample were generally well managed, with satisfactory password controls, audit trails and helpdesk and other support arrangements in place.
1.30 Some opportunities to further strengthen controls were, however, identified in relation to ensuring Business Change documentation is always available and easily locatable and that the templates used to help assess the security of applications are updated to include all appropriate risk factors.
1.31 The review also identified a lack of awareness of the role of system owner, and the responsibilities this entails, which resulted in some weaknesses associated with user access controls, system documentation and system updates.
1.32 In response to the eight findings identified during the audit (seven medium and one low risk) we agreed with management effective actions to manage the associated risks.
Creditors – Reasonable Assurance
1.33 The Creditors System uses both the Authority Purchasing and Authority Financials (Creditors) modules of the Civica Financials application.
1.34 During the period 1st April 2019 to 31st August 2019 there were 165,236 creditor transactions totalling just under £181m.
1.35 The purpose of the audit was to provide assurance that controls are in place to meet the following objectives:
· Orders are raised for goods, works and services for bona fide services in accordance with standard financial procedures and the needs of the council;
· All payments are subject to review and approval to ensure payments are valid and goods, works or services have been received and are correctly processed;
· Payment runs are subject to appropriate review and authorisation;
· Only creditors that meet the needs of the council and that do not already exist in the creditors system are set up.
1.36 We found that the majority of controls within the creditors system are working correctly but subsequent to issuing the draft report, Internal Audit were notified that the Council had been defrauded of approximately £60,000 through the submission of a falsified bank account change. This has been investigated by the council’s Counter Fraud Team. Controls to prevent this fraud did not operate as expected.
1.37 Two other issues were identified during the audit that need to be addressed in order to improve the control environment.
· Purchase orders are not always being raised in advance of orders being placed with suppliers, circumventing the authorisation process and meaning that commitments are not being recorded in the accounts.
· Two temporary increases to purchasing approval limits were found to have run on beyond the six-month period authorised by Finance.
Residents Parking Permits – Partial Assurance
1.38 The Residents Parking Permit scheme enables residents to park in permit bays and pay and display bays near their homes. As of 1 July 2019, there were 37,500 Resident Parking Permits issued within the City at a value of between £22.50 for three months and £163.00 for 12 months parking dependent on the zone they were issued for.
1.39 There is a significant risk of fraud and abuse of the parking scheme due to the difference between the high average cost of parking in the city and the cost of purchasing a Residents Parking Permit.
1.40 The purpose of the audit was to provide assurance that:
· Resident Parking Permits are issued in accordance with legislation and council criteria;
· Residency checks are completed at the point of initial application for a Residents Parking Permit;
· All renewal applications are verified to confirm the applicants on-going eligibility to have a Residents Parking Permit.
1.41 The audit concluded partial assurance and identified a number of control weaknesses which need to be addressed to prevent the risk of passes being issued to people within the city who are not entitled. Through the use of data analytics, our review identified instances of permits being issued to applicants who are not eligible.
1.42 Parking Services should obtain two proofs of residency for a new permit application and one proof of residency for a renewal application. Our testing found that no proof of residency was being obtained when a resident applies to renew their parking permit.
1.43 Verification checks are not being conducted against council tax records at the point of application for new or renewed permits. The frequency and number of verification checks against council tax records vary and are currently completed after the permit has been issued.
1.44 Furthermore, two systems for issuing permits are currently in use, increasing the risk of duplicate permits being issued.
1.45 Two high priority and two medium priority actions were agreed to address these control issues. Two of these had been implemented at the time the final report was issued and all of these will be subject to a formal follow up by Internal Audit as part of future work plans.
Highways Contract Management – Partial Assurance
1.46 The Council manages approximately 390 miles of highways and 750 miles of pavements. Under the Highways Act 1980, the Council has a duty to maintain public highways in the city and must take all reasonable action to keep them in a safe condition.
1.47 The Highway Inspection team make decisions on all reported defects and whether these should be passed for repair. Repairs are carried out through a framework contract worth approximately £1million per annum.
1.48 The purpose of the audit was to provide assurance that controls are in place to meet the following objectives:
· Adequate controls are in place governing the ordering and authorisation process for works;
· Highways repairs are delivered under contract and are in accordance with the contract specification and requirements relating to materials;
· Management arrangements for review of contracted work gives sufficient assurance over the quality and quantity of work competed.
1.49 The scope of the work was limited due to Covid-19 restrictions and as a result, testing focussed on a desktop review of inspections rather than physical visits to completed works.
1.50 The audit concluded partial assurance because:
· There is insufficient evidence to support the calculation of some contract rate uplifts;
· The software used to monitor the repairs work has significant limitations, including reporting functionality and access controls;
· Some functionality within the system is accessible by the contractor and some aspects of this are not sufficiently controlled;
· Work flows were found to be significantly reliant on paper-based system, and there was a significant backlog of work to be scanned and archived at the time of the audit;
· The absence of GPS to locate works creates inefficiencies and errors in locating and planned works;
· Performance measures, such as the number of works orders not meeting the target date for completion, or the number of works not passing the inspectors approval first time, are not held. The part year percentage figures and our sample testing highlighted that 40% of works orders were not completed to target times;
· Under the contract, 10% of works orders should have an on-site inspection, prior to the release of payment. Although 15% are recorded as being inspected, this inspection may not be a site visit, but rather a view of the photographs supplied by the contractor.
1.51 Actions have been agreed with management to rectify these control issues and these will be subject to a formal follow up review by Internal Audit to confirm implementation.
Debtors – Partial Assurance
1.52 The Central Collection Team is responsible for ensuring that all income due to the council is collected effectively and efficiently; and that this is correctly accounted for. At the time audit (2019/20), this team processed 88,431 invoices and credit notes, generating a net amount owed to the council of £50.6m.
1.53 The purpose of the audit was to provide assurance that:
· All income generating activities are identified and accurately raised to customers;
· A customer account maintenance process is in place and operating effectively and amendments to invoices are correct and authorised;
· Collection and debt recovery are managed efficiently and effectively, including that write-offs are processed accurately and correctly authorised;
· Payments are received and recorded against the correct debtor account in a timely manner;
· Key systems reconciliations are undertaken on a regular basis;
· Debt recovery performance is monitored and reported.
1.54 The audit concluded Partial Assurance and we identified a number of areas for the improvement of the control environment.
1.55 Due to capacity issues, Court action to recover debts has not been taken during the previous year. Our sample testing found that reminders and arrears notices are being issued as expected, but that later stages of recovery of not always been applied. In addition, the audit identified examples where non-statutory services were still being provided by the council to companies who had already accrued debts with us. This included examples relating to Commercial Waste Collection, where businesses were continuing to have their waste collected up to the time of writing this report, despite having outstanding invoices.
1.56 Although new performance reports had been developed and agreed with budget holders, these were not being distributed.
1.57 Our analysis of invoices issued since April 2019 found accounts set up in trading names rather than the name of a sole trader or limited company. This impacts on the council’s ability to be able to manage these debts. Our testing also found that system notes to record the reason for amendments or refunds are not always being completed on debtor accounts.
1.58 In an effort to improve the service and address the issues raised in our review, a Corporate Debt Campaign Team is currently being recruited, with four posts being created for a two-year trial period. This team will be focussed initially on working through the Aged Debtor Report.
1.59 In all cases, actions have been agreed with management to address these issues and again these will be followed-up in our 2020/21 audit of this service.
Direct Payments – Minimal Assurance
1.60 Direct Payments enable service users to purchase care themselves, based on an assessment of their needs.
1.61 As at December 2019, there were 588 adult clients in receipt of Direct Payments with an estimated annual cost of £8.3m. This is an increase since our previous audit in 2018, when expenditure for the year was forecast to be £6.4m.
1.62 This audit focused on the following control objectives:
· That monitoring arrangements ensure that payments are being controlled to protect the financial interests of the service user and the council;
· Service users’ reviews are carried out every 12 months ensuring the care plan reflects the care need;
· Regular monitoring of client contributions is undertaken to ensure sufficient funds are available within the service users’ dedicated bank account to pay for their care needs;
· Effective contract management arrangements are in place.
1.63 The audit concluded minimal assurance and a number of areas for improvement were identified, in particular:
· significant resourcing issues within the service in the last 12 months has impacted on the work required to monitor accounts and ensure financial information and balances are up to date and compliant. Linked to this, the service was also not meeting its target to review direct payments every 12 months. As at December 2019, 48% of clients had not received a review in the last 12 months;
· Whilst a card provider has been contracted to improve the monitoring and control of expenditure incurred for all the 170 pre-paid card holders, there is an absence of contract management. The format of the information being provided does not assist the service in reducing the risk of fraudulent activity;
· The service was unable to provide a copy of a contract with a charity that assists in managing finances for approximately 300 council clients;
· Very little monitoring of clients’ account statements has occurred since February 2019 and there has been a shortfall with regard to reclaiming surplus balances;
· Processes are not in place to ensure social workers consider issues raised by the Direct Payments Team in relation to financial matters and their implications in the context of the overall care needs of a client.
1.64 Actions for improvement have been agreed with the service and, in view of the number and significance of the findings, a follow-up on these actions is planned for later this financial year (2020/21).
Network Security – Partial Assurance
1.65 Information Technology (IT) systems enable the Council to provide its critical services to its customers and are used to collect, process and retain ever increasing amounts of confidential information. The vulnerabilities that exist in these IT systems across all Councils, as well as the infrastructure that supports them, combined with a perceived lack of awareness regarding security issues, have led to attackers targeting public organisations and exposes Councils to the risk of a cyber-security attack. Cyber security attacks can be launched from any internet connection and can have a significant financial and reputational impact on the Council.
1.66 The purpose of this audit was to provide assurance that controls are in place to meet the following objectives:
· Policies and procedures are clearly defined, regular effective risk assessments are undertaken, network topology is kept up to date, access to routers is restricted through network protocols or IP addresses, separate virtual local area networks (VLANs) are managed for sensitive information assets, network policies encrypt using Wi-Fi protected access II (WPA2), and authentication controls use registered certificates and session tokens.
· Approved protocols are used for inward and outward traffic, demilitarised zones (DMZs) have appropriate segregation (front and back facing), third-party security contractual clauses are in line with internal policies, firewall and antivirus administration is restricted and adequately controlled, approved router rules are in place (filter traffic to critical hosts, from invalid addresses, and internet control message protocol (ICMP) traffic), network access controls have been enabled and validated for both wired and wireless networks, and network performance is overseen and predictive log reviews are undertaken.
· External penetration tests and internal vulnerability assessments are undertaken by with remediation supported by executive management, server operating system (OS) patching is facilitated automatically, active directory domain administrator rights are restricted and password rules set, virtual private network (VPN) access is restricted to trusted clients, and manufacturer default passwords and settings (where applicable) have been changed.
· Both specialist and general staff awareness training is overseen and owned by executive management, and unnecessary server services have been disabled.
· Recovery action plans are in place for manual operations, understood by key officers, regularly tested and updated.
1.67 As a result of our work, we have only been able to provide Partial Assurance over the controls operating for Network Security. Whilst we noted a number of high-level technical controls were in place and operating as expected, some issues were identified that impact on the overall level of security of the network, making the network vulnerable to attack.
1.68 For reasons of security, we are not able to share the detailed finding within this report, however, actions to manage the risks identified have been agreed with management and will be subject to a formal follow up review by Internal Audit as part of future planned work.
Housing Repairs Service – Partial Assurance
1.69 A report to the January 2020 A&S Committee included a summary of Internal Audit’s work on the insourcing of the housing repairs service. The objective of this audit had been to provide assurance that the insourcing programme was on target to ensure the delivery of the repairs service on time and at the expected cost. As at the date of audit (November 2019), Internal Audit concluded that there was a significant risk that the Council would not be able to successfully deliver a cost effective and efficient in-house repairs service by 1 April 2020.
1.70 A follow-up has now been completed on the live service, and a report was agreed with Housing management at the beginning of October 2020. It should be noted that the roll-out of the service has been significantly impacted by COVID 19 and the restrictions that came into force shortly prior to the commencement of the inhouse service the on 1 April 2020.
1.71 The service has explained that the impact of COVID 19 has included: delays to agreeing contracts and procurement activity; disruption to mobilisation plans such as training and induction; implementing a safety first approach involving social distancing protocols, working away from the office, sourcing of Personal Protective Equipment, undertaking risk assessments; a large proportion of the workforce being furloughed; and, restricted access to properties needing repair.
1.72 In addition, service delivery has recently been impacted by industrial action.
1.73 The conclusion in the October 2020 report is that Partial Assurance can be given on the operation of the new service and related systems.
1.74 The audit found that in order to deliver the service within the specified timetable, contract waivers totalling over £9.3m have had to be authorised. These contracts were let to existing suppliers and will be in place for the next one to two years. Delegated authority was provided by the Housing Committee & New Homes Committee (26 September 2018) and Policy, Resources & Growth Committee (18th October 2018) to award contracts required to implement the recommendations set out in that report. Members were also informed of the intention to enter into these contracts by a report to the January 2020 Housing Committee.
1.75 However, although these waivers were properly documented and authorised the use of waiver processes does not provide the same level of transparency and assurance over the delivery of value for money as a competitive tendering exercise would have done. The service has agreed an action to ensure that any additional procurements are planned in such a way to avoid the use of waivers. New procurements will be scheduled to replace the existing waiver arrangements as soon as existing contracts allow.
1.76 The audit also found that a number of important contracts have still not yet been signed with the key supplier, six months into the service. Although heads of terms have been agreed, this places the council in a weak position if there was any dispute.
1.77 Due to COVID 19, the council has so far been delivering a limited repair service and many staff were furloughed. At the time of the audit, there was no formal plan in place for returning the service to its normal output and to tackle the backlog of repairs that has been building up since April 1st, 2020. An update report, including on issues with current COVID 19 related performance issues was shared with Housing Committee on 16 September 2020.
1.78 At the time of the transfer in April 2020, many of the contracts with subcontractors, using the Mears supply chain, had not been agreed, which meant that specialist repair jobs could not be assigned. Although progress has been made our audit found that the council has not yet contracted with enough subcontractors to meet the needs of the service. Additional procurements are in progress to address this shortfall.
1.79 We also found that many key business processes had not been mapped. In addition, the service has not determined how the costs of individual jobs will be monitored - although some job costing information is being collated within the MCM system.
1.80 Quality controls are not yet fully in place for this service and post work inspections have been suspended due to COVID 19.
1.81 There is a risk that disrepair claims are likely to increase due to changes in legislation. The delay to repairs due to COVID 19 may also increase volumes of complaints and claims.
1.82 Service Management has identified that it requires additional resources to deliver a full service and tackle the backlog of repairs. There were vacancies at the time of transfer in April (2020) but some agency staff have been recruited to fill these posts. There are also likely to be further costs due to the harmonisation of terms and conditions for transferred staff. This will put additional financial pressure on the budget for 2020-21. It is likely that these will be partly offset by the delay in full-service provision due to COVID 19, with the full financial impact not seen until 2021-22.
1.83 The Internal Audit report includes eight high priority actions for improvement. All of these actions have now been agreed with management. In addition to the above, there were a number of issues where we have agreed medium priority actions for improvement with the service.
1.84 Given the updated opinion of partial assurance, a further follow audit will be carried out by Internal Audit in due course to confirm sufficient improvement has been made.
DFE Laptop Scheme – No specific opinion
1.85 Brighton and Hove City Council were given an initial allocation of circa 1,100 devices to allocate to children with social workers and care leavers who did not have access to a device, to enable social workers to keep in contact and to support learning whilst educational institutions were closed due to the ongoing Covid 19 pandemic.
1.86 As part of our work, we reviewed controls in relation to the following key areas:
· Ownership;
· Password Management;
· Security;
· Internet monitoring;
· Delivery;
· Support;
· Asset Management;
· Information Governance and Technical Risk Assessments;
· Asset tracking (and wiping in the event that assets are lost or stolen).
1.87 We found that IT&D had a well-managed project in place to manage the set-up and allocation of devices, working on behalf of, and with, Children’s Services. Some minor improvements to controls were agreed with the project team.
2. Proactive Counter Fraud Work
2.1 Internal Audit deliver both reactive and proactive counter fraud services across the Orbis partnership. Work to date has focussed on the following areas:
National Fraud Initiative Exercise
2.2 The results from this exercise were received on 31 January 2019 and continue to be reviewed. This exercise identified total overpayments of £61,304.21. The overpayments were identified across several areas, including £10,126.76 from Housing Benefit Claimants to Student Loans, £7,307.66 from Housing Benefit Claimants to Payroll, £42,519.14 from Private Residential Care Homes to DWP Deceased data and £1,350.65 from duplicate Council Tax Reduction claims between local authorities. A one-off exercise matching council tax to electoral roll records has also conducted. The results of this exercise continue to be processed but so far £4,601.58 in Council Tax discounts have been identified. Internal Audit are currently working with the appropriate departments to ensure that the relevant datasets are uploaded for the next exercise. The results from the exercise are due on 31 January 2021.
Counter Fraud Policies
2.3 Each Orbis partner has in place a Counter Fraud Strategy that sets out their commitment to preventing, detecting and deterring fraud. Internal Audit have reviewed the sovereign strategies to align with best practice and to ensure a robust and consistent approach to tackling fraud. These were approved by Audit Committee on 10 March 2020 and are now available on the intranet.
Fraud Risk Assessments
2.4 Fraud risk assessments have been consolidated and are regularly reviewed to ensure that the current fraud threat for the Council has been considered and appropriate mitigating actions identified. We have updated the risk assessment to include new and emerging threats as a result of the Covid-19 pandemic. This includes potential threats to payroll, staff frauds relating to home working and cyber frauds
Fraud Response Plans
2.5 The Fraud Response Plans take into consideration the results of the fraud risk assessments and emerging trends across the public sector in order to provide a proactive counter fraud programme. The fraud response plans include an emphasis on data analytic and during quarter 1, we have conducted data analytics exercises on use of Council procurement cards. We have also developed a data analytics programme for key financial systems and this work will commence in quarter 2..
Fraud Awareness
2.6 The team continue to monitor national intelligence alerts and have produced a Fraud Bulletin identifying potential threats against the Council and its employees. This includes increased risks of bank mandate fraud, cyber threats including various phishing scams and online shopping scams. The bulletin is published on the Council’s intranet.
Reactive Counter Fraud Work - Summary of Completed Investigations
COVID19 Business Grants
2.7 Internal Audit have been providing the Business Rates Team with advice and support when administering applications for the Small Business Grant and the Retail, Hospitality and Leisure Grant Fund. This has included 15 investigations of alleged false application for the grant. Our investigations have resulted in the recovery of £10,000 that had been wrongfully paid out as well as the prevention of payment of several other grants.
Employee Fraud
2.8 The team investigated an allegation that a member of staff had ordered goods for private use on a Corporate Amazon account and then attempted to conceal the theft by deleting and falsifying records. The investigation uncovered goods to the value of £3908 had been purchased by the member of staff. The full value of the loss has been recovered and the employee subsequently resigned before a disciplinary hearing took place.
Declaration of Interest
2.9 Following the HR team raising a concern relating to a declaration of interest submission, Internal Audit undertook an investigation into a member of staff who had a financial interest in an external business that was frequently engaged to carry out work for the Council. The investigation concluded that there was no misconduct by the member of staff, but that there was a potential conflict of interest that needed to be effectively managed. The declaration of interest has since been reviewed and management controls implemented by the member of staff’s line manager.
Adult Social Care
Mandate Fraud
2.11 Internal Audit provided advice to a service following concerns being raised over a potential bank mandate fraud by a PPE provider. The service later advised that there was no case to answer.
Parking Permit Fraud
2.12 Following referrals from the Council’s Parking Department, Internal Audit have undertaken five investigations into alleged fraudulent applications for residents parking permit. The investigations have resulted in four permits being either stopped or cancelled.
Housing Tenancy & Local Taxation
2.13 In addition to the above, a key focus area remains housing tenancy fraud and Local Taxation. Whilst our team’s resources have been impacted Covid-19 and the redeployment of staff, the following progress has been made:
· Tenancy fraud identified in 3 cases resulting in 2 properties returned to the council;
· £1,386.84 in housing benefit overpayment has been identified;
· £9,984.65 in Council Tax Reduction overpayment has been identified;
· Single person discount to the value of £2,715.97 has been removed from council tax accounts.
3. Action Tracking
3.1 All high priority actions agreed with management as part of individual audit reviews are subject to action tracking. As at the end of quarter 1, 96% of high priority actions due had been implemented.
3.2 As at the end of June 2020, there were two high priority actions which were overdue. Details of these are provided below, together with a revised deadline for implementation.
|
Dir. |
Due date |
Revised date |
Progress and comments |
|
|
HASC Temporary Accommodation Two providers were used to spot purchase places when general needs temporary accommodation is unavailable (i.e. if an individual is evicted/barred from general needs accommodation). Use of these providers has resulted in high levels of spend which is not in line with corporate procurement processes. |
HASC
|
30/4/20 |
31/12/20 |
Through the analysis of the temporary accommodation service it was identified that a Dynamic Purchasing System DPS to enable the procurement of call off contracts for short term and emergency managed temporary accommodation for homeless households was appropriate. This recommendation was presented to Policy & Resources committee on 13 November 2019 and was approved. Due to COVID-19 the project has unfortunately been placed on hold by the client area. |
|
Housing Local Delivery Vehicle (Follow-up) Funding Gap. The terms of the original funding agreement with Seaside Homes included a guaranteed rent payment which is no longer affordable over the last five years the Local Housing Allowance rate (which is the maximum rent the council can charge its tenants to match the housing benefit) has remained static. This has meant a growing and significant financial gap between what the council receives in rent and what it pays to Seaside Homes. The Executive Director agreed to work with Seaside Homes to discuss and agree a constructive way forward. |
NCH |
30/9/19 |
31/12/20 |
This is a complex issue which has not yet been resolved. The Executive Director (F&R) and the former and Acting Director (NCH) have held meetings during 2019 and options are being considered to manage the financial gap. If this issue is not addressed, it will result in a substantial cumulative deficit which cannot be funded from future rents.
|
4. Amendments to the Audit Plan
4.1 During Quarter 1 the delivery of the majority of the 2020/21 audit plan was suspended to focus on supporting the council in its response to the Covid-19 pandemic. Information about this response is included at the beginning of this report and a separate report on this agenda details a revised audit plan.
5 Internal Audit Performance
5.1 In addition to the annual assessment of internal audit effectiveness against Public Sector Internal Audit Standards (PSIAS), the performance of the service is monitored on an ongoing basis against a set of agreed key performance indicators as set out in the following table:
|
Aspect of Service |
Orbis IA Performance Indicator |
Target |
RAG Score |
Actual Performance |
|
Quality
|
Annual Audit Plan agreed by Audit Committee |
By end April |
G |
Approved by Audit Committee on 10 March 2020 |
|
Annual Audit Report and Opinion
|
By end July |
G |
2019/20 Annual Report and Opinion approved by Audit Committee on 21 July 2020 |
|
|
Customer Satisfaction Levels |
90% satisfied
|
G |
100% as at the end of quarter 1 |
|
|
Productivity and Process Efficiency |
Audit Plan – completion to draft report stage |
|
N/A |
Audit plan suspended for first 5 months of 2020/21 |
|
Compliance with Professional Standards |
Public Sector Internal Audit Standards |
Conforms |
G
|
January 2018 – External assessment by the South West Audit Partnership gave an opinion of ‘Generally Conforms’ – the highest of three possible rankings |
|
|
Relevant legislation such as the Police and Criminal Evidence Act, Criminal Procedures and Investigations Act |
Conforms |
G
|
No evidence of non-compliance identified |
|
Outcome and degree of influence |
Implementation of management actions agreed in response to audit findings |
95% for high priority agreed actions |
A |
96% at end of quarter 1. |
|
Our staff |
Professionally Qualified/Accredited
|
80% |
G |
92% |
Audit Opinions and Definitions
|
Opinion |
Definition |
|
Substantial Assurance |
Controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
|
Reasonable Assurance |
Most controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
|
Partial Assurance |
There are weaknesses in the system of control and/or the level of non-compliance is such as to put the achievement of the system or service objectives at risk. |
|
Minimal Assurance |
Controls are generally weak or non-existent, leaving the system open to the risk of significant error or fraud. There is a high risk to the ability of the system/service to meet its objectives. |