Appendix 4

Internal Audit work completed in Quarter 4 2022/2023 (January to March 2023)

 

Direct Payments (follow up)

 

Direct payments are made to individuals to meet some or all of their eligible health care and support needs. The legal framework is set out in the Care Act, Section 117(2C) of the Mental Health Act 1983 and the Care and Support (direct payments) Regulations 2014.  Direct payments allow clients to procure their own care rather than receiving service provision arranged directly by the Council.

 

This audit was to follow up on the previous Direct Payments review that concluded Partial Assurance, with the objective of providing assurance that actions have been implemented and that effective control arrangements are now in place to ensure funds have been paid and accounted for correctly and used for their intended purpose.

 

Unfortunately, our work identified that limited progress has been made in implementing previously agreed actions and we have therefore only been able to provide Partial Assurance over the control environment.  This is now the third occasion where we have conducted a follow up in response to the 2019/20 Minimal Assurance audit and all in all cases, only Partial Assurance could be provided. 

 

The primary reason for these opinions relates to the delays in completing annual direct payment reviews in accordance with the Care and Support (Direct Payments) regulation 2014 that states that the Local Authority must review direct payments initially within 6 months and thereafter every 12 months. Therefore, in order to address these issues, the following improvement activities have been identified:

 

·         The deployment of additional resources to complete the direct payment reviews and develop a plan to complete reviews over 2023/24 with clear targets that are reported to the Board;

·         The implementation of dashboard and tracking/flagging system to monitor direct payment accounts;

·         Documenting a procedure for handling identified direct payment reviews;

·         For contracted direct payment services, a decision will be agreed on the tolerance of risk the Council is willing to accept for 2023/24, pending the future commissioning of this area; and

·         Resourcing has been identified to support the continuation of the direct payment project.

 

Due to the number of follow up reviews that have been undertaken in this area, a full audit of Direct Payments will be undertaken in 2024/25.  This will aim to provide assurance that the agreed actions with management have been implemented and the end-to-end process for direct payments has robust and sufficient controls in place in order to mitigate potential risks, including addressing backlogs in client reviews.

 

 

Officers Declarations of Interest, Gifts and Hospitality

 

Local authority employees are expected to act in the best interest of the Council at all times and to do so with integrity and professionalism. 

 

All officers of the Council are required to comply with the Code of Conduct.  Officers are expected to declare any potential conflicts of interest to their line manager.  In addition, Executive Officers and staff involved in procurement or managing contracts are required to make a declaration annually, even if this is a nil return.

 

All employees are prohibited from using their official position to obtain private gifts or benefits for themselves during the performance of official duties. Any offers of gifts and hospitality should be declared.

 

The purpose of the audit was to provide assurance that controls are in place to meet the following objectives:

 

·         There are clear policies in place, and these are effectively communicated;

·         There is evidence of consistent compliance with the Declaration of Interests procedures both by officers and when reviewed by management and this is done so in a timely manner;

·         Adequate controls are in place to ensure all employees are aware of their responsibility to complete a declaration of interest where there is a change to their circumstance;

·         Procedures for the declaration of gifts and hospitality are clearly defined in accordance with best practice and are effectively communicated; and

·         That there is evidence of consistent compliance with the gifts and hospitality procedures both by officers and when reviewed by management.

 

Our work identified several areas where improvement was required and, as a result, we were only able to provide an opinion of Partial Assurance.  In response to this audit, an action plan was agreed with management that included measures to:

 

·         Consider the type and frequency of reports provided to Executive Directors to improve compliance;

·         Amend the Code of Conduct to state the consequences of not declaring a conflict of interest and review the guidance notes available on the intranet;

·         Propose recommendations to senior management to review the grade at which officers will have to submit declarations, including nil returns;

·         Use the new intranet site to ensure reminders are presented to officers;

·         Review the reporting mechanism for declarations of interest, including automated emails;

·         Introduce an annual declaration return to ensure compliance;

·         Review the gifts and hospitality form to ensure all relevant information is clear, and;

·         Review the process for monitoring, reporting and approving gifts and hospitality and produce guidance notes.

 

A follow up audit will take place in 2023/24 to provide assurance that the agreed actions have been implemented.

 

School Meals Contract Management

 

The primary and special school meals contract, currently with Caterlink Ltd, was awarded in August 2018 for four years.  The option to extend the contract by two years has been applied and the contract will therefore end on 31 July 2024.  The contract has a value of between £4m and £4.4m per annum.  The contractor is expected to provide around 11,000 meals per day to approximately 60 sites across the city.  The contract covers the provision of school meals to all maintained special and primary schools as well as Tarnerland Nursery and nurseries attached to maintained schools.  We understand that secondary schools, academies and free schools were invited to be included in the central contract but have chosen not to participate.

 

The purpose of the audit was to provide assurance that controls are in place to meet the following objectives:

 

·         Effective contract monitoring and reporting arrangements are in place to ensure delivery in accordance with the contract, legislative and stakeholder expectations;

·         Any variations or the changes to the original contract are in accordance with Contract Standing Orders;

·         The contractor is properly insured and has effective business continuity planning in place;

·         Contract payments are correct and properly authorised;

·         Controls are in place to ensure that school meals income is promptly banked and reconciled; and

·         Financial controls and effective budget monitoring arrangements are in place to ensure delivery in accordance with the agreed budget and contact amount. 

 

Our work identified several areas where improvement was required and, as a result, we were only able to provide an opinion of Partial Assurance.  In response to this audit, an action plan was agreed with management that included measures to:

 

·         Review and update procedure notes and filing in a central location in order to help reduce the risk associated with the loss of key staff;

·         Following successful recruitment, restarting monitoring visits;

·         Ensuring the next school meals contract will include specific, meaningful and timebound key performance indicator (KPI) targets by which the contractor can be measured and held accountable;

·         Sealing outstanding Deeds of Variation once the pricing review has been completed;

·         Improving information for parents around credit balances and refunds.

 

In accordance with our standard practice, a follow up audit will take place in 2023/24 to provide assurance that the agreed actions have been implemented.

 

Highways Contract Management

 

Under the Highways Act 1980, the Council has a statutory duty to maintain the public highways and pavements in the city and keep them in a safe condition.  To meet this duty, the Council employs highways contractors to provide specialist resources, plant, and equipment. 

 

The purpose of the audit was to provide assurance that controls are in place to meet the following objectives:

 

·         Planned works are subject to appropriate governance and approval arrangements and are according to contract specifications;

·         Reactive works are subject to robust ordering and authorisation processes, which are correctly applied according to an agreed schedule of rates;

·         Client-side reviews of contracted work (both planned and reactive) are undertaken and given sufficient assurance over the quality, quantity and timeliness of work completed; and

·         Actions for implementation agreed as a result of the follow up audit of highways contracts have been implemented.

 

Since the previous audit (2020/21) and the follow-up review (2021/22) we found that there have been improvements in the control environment.  There is a robust process in place for raising, authorising, and paying for reactive repair work, along with a well-controlled inspection regime to identify repairs.  In addition, there are effective controls over the payment process as evidence of completed work is retained and appropriate authorisation is obtained prior to payment.  Therefore, we were able to provide an opinion of Reasonable Assurance based on the work undertaken. 

 

As part of the audit, we also agreed some additional actions with management to help further improve the control environment, primarily relating to storage and retention of records.

 

Adult Social Care (In-house Services)

 

Brighton and Hove City Council has three bedded units that are currently provided in-house, these are, Craven Vale, Ireland Lodge and Wayfield Avenue.  In addition, the Council delivers in-house home care provision through Independence at Home.  These services are regulated by the Care Quality Commission (CQC).

 

The purpose of this audit was to provide assurance that these services are being effectively managed, from a strategic perspective, covering the following objectives:

·         Robust arrangements regarding the management and governance of adult social care in-house services are in place, including strategies, policies, procedures and guidance, that are compliant with relevant regulations and keep clients safe;

·         A workforce strategy is in place and effective planning takes place to safeguard delivery of care and fully utilise the accommodation; and

·         The financial spend against in-house services is monitored, reviewed, reported and escalated, where applicable.

 

We were able to provide an opinion of Reasonable Assurance over the controls in place.  We found that all relevant data and information is taken into account to ensure that an accurate budget is compiled, based on appropriate assumptions.  Periodic financial monitoring and reporting is in place to review expenditure, providing explanations for any potential variances and updating forecasts based on this information, with all corrective action to be taken being discussed with appropriate officers.  Policies and guidance documents are held centrally for the team, these had been reviewed as part of a recent CQC inspection.

 

However, some further opportunities to strengthen the control environment were identified.  These included:

·         Completion and approval of the Operational Workforce Strategy, which was in development at the time of the audit review; and

·         The development of key performance indicators to provide measures against the objectives in the service plan and ensuring these objectives are cross-references to the Health and Adult Social Care (HASC) Strategy and Corporate Plan.

 

An action plan to address the findings of the review has been agreed with management.

 

City Clean External Contracts and Commercial Activities (follow up)

 

An audit of the City Clean External Contracts and Commercial Activities was completed in 2017/18, and this received an audit opinion of Minimal Assurance.  A subsequent follow up review in 2020/21 should only limited improvement with a revised opinion of Partial Assurance being provided.  A further follow up has therefore being required to assess the extent to which previously agreed actions have been implemented.

 

The result of this work showed that four previous actions had been implemented, two had been partially implemented and we also identified a new finding.  We were therefore able to issue a revised opinion of Reasonable Assurance.  The outstanding actions, agreed with management, related to:

 

·         Updating and retaining a full record of information on the contract spreadsheet, with regular monitoring being undertaken; and

·         When new contracts are let they will include key performance indicators to ensure performance can be adequately monitored. 

 

All actions were agreed with management which includes clear timescales for implementation.

 

MetaCompliance IT Application Audit

 

The MetaComplaince system offers a range of information security and information governance tools, including security awareness training, phishing simulation, cyber security e-learning, privacy management, policy management and incident management. 

 

At the time of the audit the system was not yet fully live at the Council.  However, it had recently been made available to all staff as an interim training solution for a variety of e-learning modules beyond its original remit.

 

The purpose of the audit was to provide assurance that controls are in place to meet the following objectives:

 

·         Systems access is restricted to appropriately authorised individuals and the permissions provided to those users are in line with job functions;

·         Data processes through interfaces are authorised, accurate, complete, securely processed and written to the appropriate file;

·         Outputs produced by the system are complete, accurate, reliable, distributed on time and with confidentiality where appropriate;

·         System updates and enhancements are performed in a consistent manner and subject to sufficient testing and authorisation before implementation; and

·         Appropriate support arrangements are in place to manage changes within the system.

 

We were able to provide an opinion of Reasonable Assurance based on the work undertaken as part of this audit. Proportionate controls appear to be in place for the system.  If usage of the system were to be expanded to store additional information, appropriateness of controls would need to be re-evaluated ahead of any change of use.

 

In response to this audit, an action plan was agreed with management that included measures to:

 

·         Identify and agree a system owner for the MetaCompliance system; and

·         Undertake a Technical Risk Assessment of the system, which will be subject to review and sign off.

 

A formal action plan to address the findings of the review has been agreed with management.

 

Housing Management System (follow up)

 

The housing management system replacement programme was a significant change project for the Housing Service in order to procure and implement a new system, which is used to support delivery of services to the Council’s tenancy and leaseholders in the city.  This modernisation will implement processes that are more efficient.

 

An audit of the NEC Housing Management System was completed in 2021/22 and we provided an opinion of Partial Assurance.  The audit resulted in 11 agreed actions with management, two of which were assessed as high risk.  We have therefore undertaken a follow up review to provide assurance that these actions have been appropriately implemented, having regard to the control objectives from the original audit, namely:

 

·         Effective quality and cost controls are in place;

·         Risk management is appropriately addressed;

·         Reporting and communication during the programme is well managed; and

·         Detailed implementation and change management plans are in place.

 

Our work identified that of the 11 previously agreed actions, 9 had been fully implemented and two partially implemented.  As a result of these improvements, we were able to issue an opinion of Reasonable Assurance.  Ongoing work continues to be required in relation to the following actions:

 

·         The NEC Asbestos module will be implemented.  In addition, a management plan will be drafted to clarify where information is currently held and how to access it, as an interim arrangement, until accurate data can be centrally stored in one location; and

·         Cost controls for works and repairs will be reviewed to ensure information (such as labour and material costs) are correctly captured.  This will inform accurate leaseholder billing as well as cost information provided to management.

 

Revised timescales were agreed with management for these actions.

 

Cyber Security

 

Cyber-attacks on the Council’s IT systems and devices are a threat to the security of the Council’s data and could have a significant adverse impact on service delivery. Cyber security refers to the measures in place to combat these threats and is defined as the protection of information systems (hardware, software, and associated infrastructure), the data on them, and the services they provide, from unauthorised access, harm, or misuse. This includes harm caused intentionally by the operator of the system, or accidentally, as a result of failing to follow security procedures.

 

This audit sought to evaluate the Council’s cyber security arrangements, with reference to the National Cyber Security Centre’s ‘Actions to Take When the Cyber Threat is Heightened’ guidance. This guidance highlights the fundamental security measures that organisations are advised to have in place.

 

Whilst it is not appropriate to share the specific details of our findings within this report, as this information may be used to increase the risk of a successful cyber-attack, based upon the work we have undertaken, we have been able to provide and opinion of Reasonable Assurance.

 

The audit highlighted two areas for improvement, one medium and one low risk finding, with appropriate actions to mitigate the risks agreed with management.

 

Home to School Transport

 

Home to School Transport is provided by the Council to eligible pupils within the city to facilitate attendance at school.  Eligibility for home to school transport is defined by the Council’s Transport Policy, and the eligibility criteria is set by the Department of Education.  As of 9th September 2022, the service had 1,666 eligible pupils for home to school transport and the budget provision for 2022/23 is approximately £3.9 million.

 

The purpose of this audit was to provide assurance that controls are in place to meet the following objectives:

 

·         Council policies and procedures on home to school transport ensure that all statutory requirements are met;

·         Adequate governance arrangements are in place to ensure that the home to school transport service is managed effectively;

·         The procurement processes and management of home to school transport providers are robust, adhere to Council policies and are efficient, to ensure the delivery of the suitable provision of this service that provides value for money;

·         Adequate service provider checks are undertaken to ensure the safety of children during their transfer to and from school; and

·         Budgets are properly set, monitored and reported.

 

As a result of our work, we were able to provide an opinion of Reasonable Assurance in this area.  We found that robust arrangements were in place to ensure suitable due diligence checks are carried out on providers.  Complaints and incidents are investigated and monitored, with appropriate follow up action taken when required.  The service regularly engages with key stakeholders and works closely with partner organisations.  High-level monitoring of the service is undertaken through quarterly reporting to the Home to School Transport Governance Board and half-yearly progress reporting to the CYPS Committee.

 

Whilst the budget setting process for the service had robust controls in place, it should be noted that there is a cost pressure for the service, which is nationally recognised, due to a rising number of pupils needing transport, more pupils with solo passenger status, driver shortages and increased fuel costs being key factors.

 

Some areas were identified in order to further improve overall controls, this included measures to:

 

·         Notify all applicants of eligibility, including information about the Appeals Policy

·         Amend the appeal panel checklist to include all information, and complete spot checks to monitor compliance.

·         Amend the award spreadsheet to show the two authorisers and record rationale for, retendering of protected routes

·         Develop written procedures; and

·         Add route safety criteria to the next publication of the Home to School Transport Policy.

 

A formal action plan to address the findings of the review has been agreed with management.

 

Procurement Compliance (follow up)

 

An audit of Procurement Compliance commenced in 2020/21 which was split into two phases, with phase one primarily focussing on the quality of data captured on the Council’s Contracts Register.  In 2021/22, phase two was undertaken with the objective of obtaining assurance that, where suppliers had been paid more than £75k, Contract Standing Orders has been complied with and value for money had been demonstrated.  For both phases we provided an audit opinion of Minimal Assurance.

 

Our subsequent follow up work has identified that of the of the 16 agreed actions from the previous phase 1 and phase 2 audits all had been fully or partially implemented, with clear progress made to improve controls.  As a result of these improvements, we were able to issue an improved opinion of Reasonable Assurance.  The following actions were agreed with management, that still require implementation, these included:

 

·         Monitoring mechanisms will be established utilising a monthly report of spend, this will be shared with officers in the Procurement Team for them to review and discuss with their clients;

·         A full update of Contract Standing Orders (CSOs) will be completed once there is clear guidance from central government;

·         The provision of training to specific officers and teams will be undertaken and procurement training slides will be published on the intranet; and

·         Mechanisms will be put in place in order to link information on the Contracts Register to the Council’s creditors system.

 

Revised timescales were agreed with management for all of these actions.

 

Members Declarations of Interest, Gifts and Hospitality

 

The Council has a Code of Conduct which sets out Members’ responsibilities for declaring their interests, gifts and hospitality (either accepted or declined with a value of £50 or over) within 28 days.  These declarations are required to be available to the public, Council employees and Members. 

 

The purpose of this audit was to provide assurance that controls are in place to meet the following objectives:

 

·         There is a clear policy in place to ensure that Members are aware of their responsibility to declare an interest and this policy/code of conduct is effectively communicated;

·         There is evidence of consistent compliance with the code of conduct/policy in declaring interests by Member and when reviewed by officers and that this is done so in a timely manner;

·         Adequate controls are in place to ensure all Members are aware of their responsibility to complete a declaration of interest where there is a change to their circumstance;

·         Procedures for the declaration of Gifts and Hospitality are clearly defined in accordance with best practice and are effectively communicated; and

·         That there is evidence of consistent compliance with the gifts and hospitality procedures both by Members and when reviewed by officers.

 

We were able to provide an overall opinion of Reasonable Assurance over the control environment.  We found that declarations are documented and published on the external website in accordance with section 29 of the Localism Act 2011.  The Council has a policy framework in place which sets standards and the personal responsibilities of Members in the areas of conflicts of interest, offers and the acceptance of gifts and hospitality.  In addition, work is currently in progress to include Members’ induction and relevant documentation via the Members’ hub before the next local elections, to ensure new Members are able to access the majority of guidance documentation in one place.

 

However, some further opportunities to strengthen the control environment were identified.  These included:

·         The introduction of scheduled reminders to ensure all Members are aware of the requirement to notify of any changes to their roles or interests; an annual review of the register; and to ensure consistency of the recording declarations made at meetings being recorded in the public register;

·         Reviewing the template used by Members to notify officers of declarations of interest made and how these declarations are held on file;

·         Amending the form used by Members to declare gifts and hospitality to include the reason for acceptance of the gift and/or hospitality; and

·         The creation of a spreadsheet to log receipt of interest declarations/amendments.

 

A formal action plan to address the findings of the review has been agreed with management.

 

Revenue Collection and Banking

 

The Council uses Civica Pay income management system, which is a vendor-hosted solution, to process and distribute income received by the Council.  Civica Pay controls the distribution of income received to the Council’s financial systems.  The Banking & Income Team within Welfare, Revenue and Business Support are responsible for ensuring income is allocated correctly and promptly to the appropriate cost centres.

 

The purpose of the audit was to provide assurance that controls are in place to meet the following objectives:

 

·         All income transactions are promptly and accurately posted to the cash receipting system;

·         All income is accurately and correctly populated to the correct financial system;

·         Bank reconciliations are regularly prepared by independent finance officers with evidence of separation of duties;

·         Bank signatories are up to date and accurate;

·         Access to the Civica Pay system is restricted to officers with legitimate business needs; and

·         The Council’s Financial Regulations and Standard Financial Procedures relating to income collection and banking are adhered to.

 

As a result of our work, we were able to provide an opinion of Reasonable Assurance in this area.  We found that daily reconciliations are taking place, there is no significant backlog of unmatched transactions, a daily suspense analysis process is taking place to allocate transactions that could not be automatically matched, and a record of action taken is maintained.  User access to Civica Pay is generally well controlled, with appropriate staff having access to the system, and suitable permissions granted.

 

Some areas were identified in order to further improve the overall controls in place, these included measures to:

 

·         Review and update procedure documentation to ensure that important steps and timings are included; and

·         Capture authorisations showing the time this took place.  Any amendments subsequent to this will be recorded and subject to further approval.

 

A formal action plan to address the findings of the review has been agreed with management.

 

IT Asset Procurement (Value for Money)

 

The COVID-19 Pandemic placed significant demands on local authorities to provide IT assets to its officers to enable them to work remotely. IT departments have had to respond by providing mobile devices (e.g., laptops and mobile phones) to a significant number of officers as well as other peripheral items such as monitors and mice, to support Display Screen Equipment (DSE) requirements.  With the expansion of remote working, IT Hardware is in greater demand than ever before.

 

The purpose of our audit was to provide assurance that controls are in place to meet the following objectives:

 

·         All procurement and purchasing activities of IT assets is undertaken in response to a business need and, where applicable, in line with the Council’s Contract Standing Orders;

·         The processes used to procure/purchase IT assets are suited for the intended outputs;

·         Procurement of IT assets is undertaken by IT&D, and any exceptions are executed with IT&D oversight and according to standards defined by IT&D.

 

Overall, we were able to provide an opinion of Substantial Assurance. We found that robust governance arrangements are in place for any procurement activity in relation to the tendering of contracts for IT assets across the council. Current procurement activity within IT&D includes criteria such as sustainability, environmental impact, support and deployment options.

 

While no specific findings were raised as part of this audit, advice and areas for consideration were provided to management.

 

DHSC Grant - Adult Weight Management Grant

 

This is a grant available to local authorities from the Department of Health and Social Care to support the commissioning of adult behavioural weight management services. The amount of £99,487 was provided to the Council for 2021-22. This was the second claim for the financial year.

No significant issues were identified in the grant certification.

 

DEFRA – Section 31 Biodiversity Net Gain Grant

 

This is a new grant to help Councils develop a strategy and prepare for changes within the Environment Act 2021 that include provisions to make achievement of 10% biodiversity gain mandatory for developments under the 1990 Town and Country Planning Act. For 2022/23 funding of £43,467 was provided for this purpose.

 

No significant issues were identified in the grant certification.

 

Schools

We have a standard audit programme in place for all school audits, with the scope of our work designed to provide assurance over key controls operating within them. The key objectives of our work are to ensure that:

 

·         Governance structures were in place and operated to ensure there was independent oversight and challenge by the Governing Body;

·         Decision making was transparent, well documented, and free from bias;

·         The school was able to operate within its budget through effective financial planning;

·         Unauthorised or inappropriate people did not have access to pupils, systems or the site;

·         Staff were paid in accordance with the schools pay policy;

·         Expenditure was controlled and funds used for an educational purpose;

·         Value for money was achieved on contracts and for larger purchases;

·         All unofficial funds were held securely and used in accordance with their agreed purpose;

·         Security arrangements keep data and assets secure and are in accordance with data protection legislation.

School audits are currently being undertaken under remote working arrangements and one school audit was delivered in quarter 4. The table below shows the school we have audited, together with the final level of assurance reported to them.

 

Name of School

Audit Opinion

Patcham High School

Reasonable Assurance

 

We aim to undertake follow up audits at all schools with Minimal and most schools with Partial Assurance opinions.

 

At the end of quarter 4, liaison was ongoing to identify schools for audit within the 2023/24 financial year.

 

Counter Fraud and Investigation Activities

 

Internal Audit have been liaising with the relevant services to provide advice and support in processing the matches received as part of the National Fraud Initiative.  In addition, we continue to monitor intel alerts and share information with relevant services when appropriate.

Summary of Completed Investigations

 

Bribery Allegation

During the quarter we investigated an allegation of potential bribery when awarding a contract for the supply of diesel and oil to the Council. The referrer alleged that two former members of City Clean staff had received a bribe to award a contract to a preferred supplier. The investigation found that the two members of staff had left the employment of the Council prior to the contract being awarded and there was no evidence that they had been involved in the procurement exercise. Furthermore, the investigation did not identify any concerns that the supplier had acted inappropriately.

 

Misconduct Allegation

Internal Audit conducted initial enquiries and provided advice to a service following an anonymous referral that a member of City Clean staff was carrying out secondary employment. The service interviewed the member of staff, and no evidence of secondary employment was identified. The case was closed with no further action.

 

Fraudulent use of a Purchase Card

Advice was provided to a school following a Purchase Card being used for a fraudulent transaction. A number of transactions had been flagged by the card issuer as fraudulent. The school are working with the bank to identify any fraudulent transactions and arrange recovery of funds. Following confirmation that the card had been cloned, advice was given on the secure use and safe storage of the card.

 

 

Phishing Email

Advice was provided to the Business Operations Team following a potential phishing email being received from a bank. The phishing email had been received purporting to be from the bank and asking the recipient to provide financial information. The email was flagged because it requested information relating to a card holder who no longer worked for BHCC. The email was identified as bogus and it was confirmed that no action to provide information had been taken in response to the request.