Appendix A

 

Internal Audit and Counter Fraud

Quarter 2 Progress Report 2020/21

 

 

CONTENTS

1.      Summary of COVID 19 work and Completed Audits

2.      Counter Fraud and Investigation Activities

3.      Action Tracking

4.      Amendments to the Audit Plan

5.      Internal Audit Performance

 

 

 

 

 

 

 

 

 

1.      Summary of COVID 19 Work and Completed Audits

COVID 19 Work (July to September 2020)

1.1       During quarter 2 (2020/21), Internal Audit continued to redirect some of its resources to support the organisation in its response to the issues arising from the Coronavirus pandemic and planned work was suspended. As reported to the October 2020 Audit & Standards Committee, the Internal Audit Plan has been substantially revised.

1.2       Throughout quarter 2, the resources of the Internal Audit and Counter Fraud service have been focused on the following:

·         Delivering the revised Internal Audit Plan (from the 1 September 2020). Prior to this date some high priority audits from the original audit plan were also being delivered;

·         Redeployments of some staff to support Covid-19 cells/ projects;

·         Short term staff placements to support individual Covid-19 related work;

·         Carrying out data analytics on key financial systems.

1.3       The redeployment of some Internal Audit staff included support to the following projects and initiatives:

·         Working with the Business Rate Team to develop a verification process for applications made to the Small Business Grant and Retail, Leisure and Hospitality Fund, as well as the processing and validation of business Covid-19 grant applications;

·         Supporting the set-up of the Council’s own food bank in the city centre and providing advice over the administration of food purchasing;

·         Helping to administer a city-wide volunteer register;

·         One full time redeployment to the Community Hub within Adult Social Care;

·         One full time redeployment to provide project support to the Vulnerable Housing Cell. The cell’s objective was to provide oversight of all accommodation needs of those affected by the Covid-19 pandemic;

·         Supporting the Executive Director of Health & Adult Social Care with the completion of a Local Care Home Support Plan for submission to ministers;

·         Supporting the Ways of Working Recovery Group, the Governance and Accountability working groups and Programme Management Office Covid-19 meeting/group.

 

 

Mobile Device Management 2019/20 – Reasonable Assurance

1.4       Mobile devices, such as smartphones and tablet computers, have the capability to store large amounts of data and can present a high risk of data leakage and loss. These devices are often valuable and are therefore also attractive targets for theft and misuse.

1.5       Mobile device management (MDM) involves monitoring, managing and securing mobile devices to ensure that the Council’s information assets are not exposed. MDM is usually implemented through the use of third-party software. The Council’s MDM solution is provided by VMware AirWatch.

1.6       At the time of the audit, the Council’s mobile device assets comprised 1,455 Apple phones and tablets, as well as 80 Android phones.

1.7       This audit considered the Council’s approach to managing the risks associated with the security and control of the data contained on, and security of, smartphones and tablets. The audit did not review the controls in place for managing the contractual payments for calls and data or the procurement of the devices, nor did it cover the management of laptop devices, as these are managed through different processes and procedures.

1.8       The audit was based on a review of the control environment before the national response to COVID-19. Any assurance given does not therefore extend to interim measures or changes to management arrangements implemented due to COVID-19.

1.9       We were able to provide Reasonable Assurance over the controls operating within the management of mobile devices because:

•          An MDM system is in place that enforces policy-based controls to help manage, monitor, and secure mobile devices that access and/or store corporate data (including photos and footage) that may be of a sensitive or confidential nature. The system can remotely wipe managed devices in the event of loss or theft.

•          Security settings configured on the MDM system, such as password rules, device encryption, data storage/backup, device inactivity etc. were found to be in line with the Council’s IT security policies.

•          Devices are automatically placed in a non-compliant status (where functionality is suspended or restricted) if the device fails to apply one or more security policy settings, or the user has not complied with the policies.

•          The vast majority of the Council’s mobile device assets are iOS devices which are inherently encrypted, and users cannot choose not to encrypt them.

•          A response plan is in place to respond to security incidents such as loss or theft of mobile devices which we found is being adhered to.

1.10     Service management agreed an action to review the mobile phone policy as this was found to contain outdated information.

1.11     Further actions were also agreed to ensure that devices that are no longer in use are monitored and action taken to cancel contracts as appropriate.  At the time of the audit approximately £1.2k per month was being spent on mobile device contracts that had been inactive for a period of time.

Creditors: Data Analytics (No specific opinion)

1.12     The widespread roll out of home working had the potential to increase some of the risks relating to payment frauds. In addition, fraudsters (nationally) have increased their attempts at bank mandate fraud, looking to exploit changes in business processes and apply urgency to payment requests, seeking to take advantage of the disruption to working practices.

1.13     To provide additional support to the organisation in this high-risk area, we undertook a data analytics exercise on the Council’s creditors data. This included focused testing on vendor bank account changes made since the country went into a period of lockdown and Council officers began working from home.

1.14     Our review of these account changes did not identify any instances of fraud against the Council. However, we did identify a number of opportunities to improve the control environment and in some instances there was non-compliance with existing Council processes. It should also be noted that during the same period, the Creditors Team were reviewing their own processes and were identifying and addressing many of the issues found within this report.

1.15     Council processes require the independent validation of the change in bank account details to take place, along with a record of how and what was validated with the vendor, in order to confirm that these are legitimate requests. We found that this process was not always being complied with and officers were sometimes failing to properly evidence what, if any, independent validation had taken place. Some of the cases where validation was not taking place followed changes in bank details arising from requests for payment from service areas.

1.16     Four medium priority actions were agreed to improve controls in relation to vendor management and bank account changes.

 

 

Purchasing Cards: Data Analytics (No specific opinion)

1.17     The roll out of home working has also meant that there was a significant disruption to working practices and an increased demand for equipment to be purchased to support working at home. The Council also needed to purchase huge amounts of Personal Protective Equipment for its own use and within the wider community. These, and other factors, potentially increased the risks surrounding the use of Council purchasing cards.

1.18     As a response to these increased risks, Internal Audit carried out a data analytics exercise at the beginning of the first Covid lockdown period. The purpose of this was to identify any potentially inappropriate card usage, any failures in authorisation of spend or circumvention of other existing controls.

1.19     There were over 12,700 transactions during the period examined (1 April to 14 May 2020 – 13.5 months). This is a similar figure to the 11,000 in the preceding 12 month period (April 2018 to March 2019). Our analysis included tests to identify:

·         Unusual or inappropriate expenditure (e.g. entertainment, alcohol, gift vouchers);

·         Prohibited types of expenditure (e.g. cash withdrawals, fuel, bills);

·         Expenditure that should be processed through accounts payable (e.g. utilities, ICT equipment);

·         Split transactions to circumvent spending limits, duplicate payments and cumulative spend in breach of CSOs and Purchasing Card policy;

·         Transactions not authorised within 7 days.

1.20     The review did not identify any examples of actual or potential fraud. However, there are opportunities to strengthen the control environment, including improving compliance with existing Council processes.  In particular:

·         Council processes require authorisation of expenditure items within seven days. We found that just under 4% of transactions, totalling £29k, had not been approved within this timescale. Additional controls operate to identify and rectify instances where this control has not operated;

·         Cardholders are operating with approvers who have left and have not been assigned replacements, or they have not been set up with an approver.

1.21     The detailed results from our findings were shared with the relevant officers with one medium priority and three low priority actions agreed to address the issues identified.

 

EU Grant – SHINE (Claim 9)

1.22     This is an EU Interreg project that requires grant certification at least once a year. The full title of the project is ‘Sustainable Housing Initiatives in Excluded Neighbourhoods’. The total value of the project between 2016 and 2020 is approximately £367,000 (Grant expected £220,000).

1.23     No significant issues were identified in the grant certification.

EU Grant – SOLARISE (Claim 4)

1.24     This is an EU Interreg project that requires grant certification at least once a year. The full title of the project is ‘Solar Adoption Rise In the 2 Seas’. The total value of the project between 2018 and 2021 is approximately £525,000 (Grant expected £315,000). This was the fourth claim on this project.

1.25     No significant issues were identified in the grant certification.

Bus Subsidy Transport (Revenue) Grant

1.26     The grant of £172,990 for 2019/20 was reviewed and certified as having been spent in accordance with the condition of grant.

Covid-19 Bus Services Support Grant

1.27     The grant claim was reviewed and certified as having been spent in accordance with the condition of grant. It was noted that in this instance the Council had only used £12,000 of the £47,800 of available funding.

Proactive Counter Fraud Work

2.1       Internal Audit deliver both reactive and proactive counter fraud services across the Orbis partnership.  Work to date has focussed on the following areas:

National Fraud Initiative Exercise

2.2       Internal Audit are currently working with the appropriate departments to ensure that the relevant datasets are uploaded for the next exercise. The data is required to be uploaded by 1 December 2020 and the results from the exercise are due on 31 January 2021.

Fraud Response Plans

2.3       The Fraud Response Plans include a data analytics programme for key financial systems. Work on the key financial data analytics that includes creditors, debtors and payroll will commence in quarter three.

 

Reactive Counter Fraud Work - Summary of Completed Investigations

 

Communities Fund

 

2.4       The team investigated an allegation that a community interest company had made a false claim to the Communities Fund for a grant to assist them to put in place policies and procedures that were COVID-19 compliant. However, investigation has confirmed that there was no case to answer.

 

COVID19 Business Grants

 

2.5       Internal Audit are continuing to provide the Business Rates Team with advice and support when administering applications for the Small Business Grant and the Retail, Hospitality and Leisure Grant Fund. This has included 20 investigations of alleged false applications for the grant. Our investigations have resulted in the recovery of £10,000 that had been wrongfully paid out as well as the prevention of inappropriate payment of several other grants.

 

Adult Social Care

 

2.6       Internal Audit have continued to provide advice and support to Adult Social Care on individual cases where concerns have been expressed over false applications, the potential deprivation of capital and the misuse of direct payments.

 

Housing Tenancy & Local Taxation

 

2.7       In addition to the above, a key focus area remains housing tenancy fraud and local taxation. Whilst our team’s resources have been impacted by Covid-19 and the redeployment of staff, the following progress has been made:

 

·         Tenancy fraud identified in four cases resulting in three properties returned to the Council, one of which was an HRA property;  

 

·         The recovery of £1,386.84 in housing benefit overpayment and £9,984.65 in Council Tax Reduction overpayments. Single person discounts to the value of £2,715.97 have also been removed from council tax accounts.

 

 

3.         Action Tracking

3.1       All high priority actions agreed with management as part of individual audit reviews are subject to action tracking. As at the end of quarter 2, 100% of high priority actions due had been implemented.

 

4.         Amendments to the Audit Plan

4.1       During most of Quarter 2 the delivery of the majority of the 2020/21 audit plan was suspended to focus on supporting the Council in its response to the Covid-19 pandemic. Information about this response is included at the beginning of this report and a revised audit plan for the remainder of the year was agreed at the Audit & Standards Committee in October 2020.

5.         Internal Audit Performance

5.1       In addition to the annual assessment of internal audit effectiveness against Public Sector Internal Audit Standards (PSIAS), the performance of the service is monitored on an ongoing basis against a set of agreed key performance indicators as set out in the following table:

| Aspect of Service | Orbis IA Performance Indicator | Target | RAG Score | Actual Performance |
|---|---|---|---|---|
| Quality | Annual Audit Plan agreed by Audit Committee | By end April | G | Approved by Audit & Standards Committee on 10 March 2020. (Revised plan approved by Audit & Standards Committee 21 July 2020) |
| | Annual Audit Report and Opinion | By end July | G | 2019/20 Annual Report and Opinion approved by Audit Committee on 21 July 2020 |
| | Customer Satisfaction Levels | 90% satisfied | G | No surveys received in the period |
| Productivity and Process Efficiency | Audit Plan – completion to draft report stage | | N/A | During the COVID-19 pandemic, the audit plan has been suspended to allow the organisation to respond to the emerging pandemic. |
| Compliance with Professional Standards | Public Sector Internal Audit Standards | Conforms | G | January 2018 – External assessment by the South West Audit Partnership gave an opinion of ‘Generally Conforms’ – the highest of three possible rankings |
| | Relevant legislation such as the Police and Criminal Evidence Act, Criminal Procedures and Investigations Act | Conforms | G | No evidence of non-compliance identified |
| Outcome and degree of influence | Implementation of management actions agreed in response to audit findings | 95% for high priority agreed actions | G | 100% at end of quarter 2. |
| Our staff | Professionally Qualified/Accredited | 80% | G | 92% |

 

 


 

Appendix B

Audit Opinions and Definitions

| Opinion | Definition |
|---|---|
| Substantial Assurance | Controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
| Reasonable Assurance | Most controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
| Partial Assurance | There are weaknesses in the system of control and/or the level of non-compliance is such as to put the achievement of the system or service objectives at risk. |
| Minimal Assurance | Controls are generally weak or non-existent, leaving the system open to the risk of significant error or fraud. There is a high risk to the ability of the system/service to meet its objectives. |