Appendix 1
Internal Audit and Counter Fraud
Quarter 2 Progress Report 2021/22
CONTENTS
1. Summary of Completed Audits
2. Counter Fraud and Investigation Activities
3. Action Tracking
4. Amendments to the Audit Plan
5. Internal Audit Performance
1. Summary of Completed Audits
Procurement Compliance (Phase 1) – Minimal Assurance
1.1 The purpose of this audit was to obtain assurance that where suppliers have been paid more than £75,000, Contract Standing Orders (CSOs) have been complied with and value for money has been demonstrated.
1.2 Our review used data analytics and revealed a high number of instances where there has been supplier expenditure above £75k but where there was no match to the Contracts Register. The initial scope for this audit had not anticipated this, or therefore the extent of Internal Audit resources required to investigate the individual procurements and their compliance with CSO’s. As a result, we have split our work into phases, with this phase one review, focusing on the quality of data captured on the Contracts Register. Additional internal audit resources have been set aside to deliver a second phase of work, seeking to provide assurance over whether there has been appropriate compliance with CSO’s in relation to competitive tendering arrangements. This audit is progressing and will be reported on in future updates.
1.3 This initial review examined data for a 12 month period ending 30/11/2020 and just focused on suppliers with expenditure of more than £75k. This period coincided with the start of the Council response to COVID-19 and includes emergency procurement decisions.
1.4 Our review found that data held in the corporate Contracts Register is incomplete and omits contract arrangements with a significant number of contractors. This is a breach of Contract Standing Order 17 (Contracts Register and Records). The absence of this information significantly hampers the ability of the corporate centre and individual directorates to plan and monitor procurements so that they deliver value for money. It also means that the Council is unable to comply with the Public Contracts Regulations 2015 transparency requirement to publish contract information on the Council website.
1.5 Our review identified that 43% of suppliers where we had purchased goods, works or services above £75k could not be matched to the Contracts Register. Officers had raised purchase orders to the value of £42.6m with these suppliers in the twelve-month period examined.
1.6 Our follow-up enquires with contract officers identified that in some cases the absence of the information indicated that tendering had not taken place in accordance with Contract Standing Orders. However, in most cases officers explained that a process had taken place, but the information had not been added to the Contracts Register. We are therefore, at this stage unable to provide assurance in this area until such time as we have completed the second phase of our review, focussing on the details of individual procurements.
1.7 We found that many of the contracts let under emergency powers, through Gold Command arrangements, to provide goods and services related to the COVID -19 pandemic, are not on the Contracts Register. This accounted for 30 of the suppliers that we had not been able to match to the Contracts Register. Waivers were not approved retrospectively to provide a central record of these procurements. There is likely to be public interest and scrutiny on these purchasing decisions and reporting of them would be expected.
1.8 We also identified a significant number of cases where the procurement had gone through procurement system, but where no contract had been created and was not recorded on the Contracts Register. In most of these cases, the procurement process had been run by officers within a service who may not have been aware of this final important step. In some cases, contracts with suppliers where a waiver had been approved were also not included on the Contracts Register. Similarly, procurements which are run in partnership with other public bodies are not always being included on the Contracts Register.
1.9 Our analysis also found examples of non-compliance with CSO’s where officers were using expired contracts, often described by officers as spot purchasing or working on a purchase order basis. In addition, there was feedback that the contract was often judged to be the value of an individual purchase order rather than reviewing their overall spend with a contractor.
1.10 Finally, many examples were identified through our work of where the expenditure against contracts appeared to exceed the recorded contract value. The absence of a complete and up to date Contracts Register significantly reduces the opportunity for corporate or directorate oversight of this risk.
1.11 There is a module in the Civica Financials system to help officers monitor expenditure against a contract, but this is rarely used. It is understood that the module does not work effectively when there are multiple contracts with the same supplier. Officers are expected to monitor expenditure against contracts but in most cases, there is no link between purchase orders raised on Civica Financials and individual contracts. The absence of this audit trail makes it much more difficult for the Council to scrutinise contract spend. There is also currently no control in the Council’s accounts payable system to prevent high value payments to contractors, where a contract is not in place.
1.12 A total of seven actions were agreed to address the risks identified by this audit. Four of these actions were high priority.
1.13 The actions agreed were to:
· Undertake additional monitoring and analysis of the spend recorded within the Council’s Contract Register;
· Procurement guidance and training will be reviewed and updated to reflect the importance of completing the final steps to ensure that all contracts over £75k are published on the corporate Contract Register;
· A central register of Covid 19 emergency payments by contractor will be compiled;
· A review of Contract Standing Orders will take place to include additional financial controls that would provide more robust governance for officers undertaking procurement responsibilities. Additional dedicated support, for procurements up to a value of 187k will also be provided;
· The development and use of data analytics techniques will take place within the Procurement Team, to review CSO compliance and to communicate to ELT where this does not happen;
· Develop a joint project with Business Operations and Procurement to improve the procurement controls in current processes with the objective of enabling the linking of contracts to purchases in the Council’s financial systems;
· All Procurement Officers to be reminded of the need to update the Contracts Register when variations are authorised.
1.14 In addition to the phase two work currently underway, a formal follow up review will be carried out to assess implementation of the above actions.
Performance Review Compliance (PDPs and 1 to 1s) – Partial Assurance
1.15 All Council employees are expected to have an annual Personal Development Plan (PDP) discussion with their line manager in June or July, and a Mid-Year Review (MYR) around December/January. In addition, 1-2-1s should be held every four to six weeks.
1.16 The purpose of these processes is to ensure that the Council has a motivated workforce who are focused on the delivery of corporate, directorate and service priorities and have their training and development needs identified and met. In addition (and particularly during Covid-19), these processes are designed to support the wellbeing of all staff.
1.17 This audit was included as an addition to the agreed audit plan as corporate performance information had identified a significant shortfall in compliance with these corporate processes e.g. only 47% of staff having had either a PDP or MYR recorded on the PIER Human Resources system within the period March to September 2020.
1.18 The purpose of the audit was to provide assurance that controls are in place to ensure:
· Appropriate training and guidance is in place to ensure that managers are aware of their performance management responsibilities and the corporate targets for PDP/MYR and 1-2-1 completion;
· All staff are subject to regular management and supervision in accordance with Council guidelines; review meetings are recorded on the PIER system and adequate records are retained by the line manager;
· Corporate data on compliance with performance review targets is accurate. There is a robust process in place for monitoring, interpreting and reporting data in relation to performance management.
1.19 We were only been able to provide Partial Assurance over the controls operating within the area under review because we found that record-keeping on PIER of staff receiving a PDP/MYR or regular 1-2-1 meetings with their line manager needs significant improvement. Our own analysis confirmed that a significant proportion of staff have not had a PDP/MYR and/or a 1-2-1 recorded in line with corporate targets. Some services performed markedly worse than others.
1.20 Our review sought to determine the reasons for non-compliance with corporate targets. This found that in many cases either some or all of the review meetings had taken place, but they had not recorded them on the PIER system. When asked about the barriers in general to keeping up to date with this task, a significant proportion of managers contacted cited time pressures/other priorities.
1.21 Our testing also found that compliance reports do not accurately reflect local arrangements that have been agreed in some service areas, with some managers using an alternative form and some having no record of the meetings at all.
1.22 The actions agreed with management to address these findings were:
· Human Resources will ensure that all Directorate Management Teams agree mechanisms they will use to assure themselves of the recording of PDPs and 1-2-1s;
· Monitoring of PDP and 1-2-1 completions will be undertaken by individual Directorates and will be periodically reviewed by Human Resources;
· New monitoring and reporting processes for each Directorate will be introduced to accurately reflect the use of local arrangements for performance reviews;
· All managers and team leaders will be reminded that the appropriate templates should be used for PDPs and MYRs, and that adequate records of 1-2-1 meetings need to be retained.
Highways Contract Management (Follow-up) – Reasonable Assurance
1.23 The Council manages approximately 390 miles of highways and 750 miles of pavements. Under the Highways Act 1980 the Council has a duty to maintain public highways in the city and must take all reasonable action to keep them in a safe condition.
1.24 The Highway Inspection team make decisions on all reported defects and whether these should be passed for repair. Repairs are carried out through a framework contract worth approximately £1million per annum.
1.25 The previous audit report, from July 2020, gave a Partial Assurance opinion. The objective of this audit was to follow up on those previously agreed actions to provide assurance that they are being implemented and effective control arrangements are now in place.
1.26 This follow up audit concluded Reasonable Assurance and found that most of the actions from the previous audit report had been implemented.
1.27 The introduction of handheld devices, and photographic evidence from the contractor, has improved the quality of evidence around responsive repairs and other improvements have been made around the timeliness of obtaining traffic control permits.
1.28 The existing performance targets are still not always being achieved. However, 2020 was a challenging year due to the pandemic and restrictions over safe working, along with the service needing to implement a paperless system for setting up works orders which took longer than expected to fully develop. The audit found that there was an improving trend in the main performance indicator associated with the time taken for the contractor to fix highways defects.
1.29 An action was agreed with management to continue to improve service performance through the embedding of the paperless (works ordering system) and continued improvements in contract management.
MCM Housing Repairs Application – Reasonable Assurance
1.30 The Housing & New Homes Committee in September 2018, and the Policy, Resources & Growth Committee in October 2018, approved the recommendation to bring the responsive repairs and empty property refurbishments service inhouse from April 2020. The annual value of the work is thought to be approximately £8m.
1.31 To enable a smooth transition to an in-house service, the Council opted to use the Mears MCM works management system for a period of two years.
1.32 The purpose of this audit was to provide assurance that controls are in place to meet the following objectives:
· System access is restricted to appropriately authorised individuals and the permissions provided to those users are in line with job functions;
· Data processed through interfaces is authorised, accurate, complete, securely processed and written to the appropriate file;
· Outputs produced by the system are complete, accurate, reliable, distributed on time and with confidentiality where appropriate;
· System updates and enhancements are performed in a consistent manner and subject to sufficient testing and authorisation before implementation;
· Appropriate support arrangements are in place to manage changes within the system.
1.33 We were able to provide an opinion of Reasonable Assurance for the following reasons:
· Controls are in place to ensure system access is provided only to appropriate authorised individuals and that all new user applications are appropriately authorised and user permission levels are monitored;
· Changes to data validation criteria within the system receive appropriate authorisation;
· There are suitable controls over the interfaces between the system and the Council’s housing management system;
· There is a robust control process in place for managing system updates;
· When changes to the system are made, support is provided to users. There are scheduled system 'downtimes' as detailed within the contract. However, BHCC confirmed that users are not informed of these scheduled ‘downtimes’;
· Audit logs are not being reviewed on a regular basis to detect any inappropriate or suspicious activity.
1.34 Actions were agreed to manage the two low priority findings identified during the audit.
DWP/Searchlight System Security Compliance – Reasonable Assurance
1.35 In February 2021, the Department of Works and Pensions (DWP) wrote to all chief finance officers (S151 Officers) and Senior Responsible Officers for Security (as defined by the DWP) requesting support in addressing an upward national trend in the number of suspected data breaches, involving the inappropriate access by local authority staff to DWP and HMRC personal customer data held within the DWP's Searchlight System.
1.36 The data held within Searchlight enables staff within the Adult Social Care, Revenues and Benefits and Blue Badge teams to access service user’s confidential benefit information held by the DWP. There are approximately 48 staff with access to the data, along with nine members of staff with administrator rights to enable the adding/removing of staff from the system.
1.37 This review was an addition to the agreed Internal Audit Plan for 2021/22, in response to the above-mentioned letter from the DWP, in order to provide assurance over the level of compliance with the expectations contained within the letter.
1.38 Based on the work carried out, we have been able to provide an overall opinion of Reasonable Assurance because:
· Training undertaken by staff to embed sound data security principles within departments and as part of organisational GDPR training, helps to ensure staff are aware of the seriousness and potential consequences of a data breach incident;
· ‘Management checks’ for which the user is required to provide evidence of a genuine business reason to access the record are undertaken, which helps to embed the message that staff must only access the system for a legitimate purpose.
1.39 However, some areas were identified where the Authority is not completely complying with the expectations of the DWP and these include:
· Putting in place arrangements for meeting the DWP deadline of 20th April 2022 for all staff being subject to Baseline Personnel Security Standard checks;
· Ceasing the practice of utilising service user records for training purposes, which is not a legitimate business purpose;
· Establishing arrangements for ensuring that all department utilise communications from the DWP to reiterate the data security message for staff.
1.40 In all cases, the necessary improvement actions were agreed with management to address the findings from our review.
Welfare Discretionary Funding - Reasonable Assurance
1.41 To help mitigate the financial impact of Covid 19 on vulnerable groups, central government provided additional welfare funding for the Council to administer and pay out to its residents, some of which was added to existing local discretionary schemes. The funds administered in 2020/21 were the Local Discretionary Social Fund, Discretionary Housing Payments, Covid 19 Emergency Assistance Grant and Covid 19 Winter Grant Scheme, with total funding of £5.1m.
1.42 The purpose of this audit was to provide assurance that:
· Policies, procedures and statutory guidelines are in place to support the administration of the Discretionary Welfare Payments;
· Claims are assessed and payments calculated in accordance with regulations;
· Claims are processed within required timescales with decisions appropriately recorded;
· The Discretionary Payment budgets are appropriately monitored and reported.
1.43 Our review concluded Reasonable Assurance and found that the majority of the expected key controls were in place.
1.44 Procedures for awarding Local Discretionary Social Funds have been in place since 2013 and the majority of claimants applied through an externally hosted online application system, that records the evidence provided and decisions made, to ensure consistency and transparency. Our sample testing confirmed that the recipients of this funding were persons in genuine financial need.
1.45 The biggest area of funding was used to fund a council tax reduction during 2020/21. This was an automated process which identified qualifying claims and applied a standard £150 reduction to relevant accounts. Our sample testing confirmed that the grant was used to fund the council tax reductions for only those account holders that were entitled.
1.46 The Covid Winter Grant funding was distributed through a range of organisations that the Council was already funding. As part of the audit we contacted a small sample of recipient organisations who confirmed that they had spent the funding in accordance with the intended purposes.
1.47 Our sample testing also provided evidence that payments were made within a reasonable timescale to help reduce unnecessary hardship.
1.48 We found good evidence of monitoring and reporting of the use of the funding and that it was distributed as intended.
1.49 The audit identified a small number of areas for improvement, including the need for a physical reconciliation of the food vouchers issued to some clients. A decision was also outstanding regarding the use of unspent (physical vouchers) totalling approximately £2,000 that were been stored but not used (Emergency Assistance Grant for Food and Essential Supplies).
Transport Capital Grants (2020/21)
1.50 There is an annual requirement for internal audit to check and certify capital related expenditure funded by the Department for Transport. The amounts certified for 2020/21 are detailed in the table below:
|
Grant Stream |
Amount |
|
Integrated Transport Block |
£3,059,000 |
|
Highways Maintenance Block needs element |
£2,110,000 |
|
Highways Maintenance Block incentive element |
£440,000 |
|
Pothole and Challenge Fund |
£1,372,000 |
|
Highways Maintenance Challenge Fund - Western Road Renewal |
£18,459 |
1.51 No issues were identified during the grant certification processes.
Bus Subsidy Transport (Revenue) Grant
1.52 During 2020/21, the Department for Transport paid a local authorities a grant to be used for the purposes of supporting bus services (including community transport services run under a section 19 permit), or for the provision of infrastructure supporting such services.
1.53 This Council’s allocation for 2020/21 was £172,990 and through our checking and certification process, we have been able to confirm that this was all spent in accordance with the conditions of grant.
Additional Home to School Transport Grant (Tranche 5, 6 and & 7)
1.54 This grant was received from the Department for Education with the objective of boosting transport capacity for dedicated school and college services during the Autumn and Spring terms 2020/21, whilst social distancing measures were in place on public transport.
1.55 Three grants were audited and certified in Quarter 2 as follows:
· Tranche 5: £187,435;
· Tranche 6: £71,578;
· Tranche 7: £113,795.
1.56 No issues were identified in the grant certifications, with all funding utilised in accordance with the grant conditions.
EU Grant Solarise – Claim 6
1.57 This is an EU Interreg project that requires grant certification at least once a year. The full title of the project is ‘Solar Adoption Rise In the 2 Seas’. The total value of the project between 2018 and 2021 is approximately £525,000 (Grant expected £315,000). This was the sixth claim on this project.
1.58 No issues were identified in the grant certification.
2. Proactive Counter Fraud Work
2.1 During quarter 2, three fraud awareness sessions have been delivered to Business Operations focussing on the risks to the Council of bank mandate fraud and cyber fraud. In addition, we have been working with Health and Adult Social Care to raise fraud awareness and develop fraud reporting procedures within the service.
2.3 The Counter Fraud Strategy for the Council has also been reviewed and will be presented to Audit and Standards Committee in April 2022. As art of this, the Fraud Risk Assessment has been updated to ensure that the current fraud threat for the Council has been considered and appropriate mitigating actions identified.
2.4 Internal Audit are continuing to liaise with the services to ensure that matches from the National Fraud Initiative are being reviewed and processed
2.5 Finally, the team continue to monitor intelligence alerts and share information with relevant services when appropriate.
Summary of Completed Investigations
Housing Tenancy & Local Taxation
2.6 A key focus area our service remains housing tenancy fraud and Local Taxation. Whilst the pandemic has impacted on the team’s ability to conduct interviews and visits in the past 18 months, we are now starting to progress cases. The first interview under caution since Covid-19 has been conducted and two housing properties have been returned to the Council’s stock.
Non-Audit Work
2.7 One member of the Internal Audit and Counter Fraud Team has continued to support the Council’s wider response to the pandemic through part time redeployment with the Ways of Working Recovery Group until 30 September 2021.
3.1 All high priority actions agreed with management as part of individual audit reviews are subject to action tracking. As at the end of quarter 2, 97% of high priority actions due had been implemented.
3.2 As at the end of September 2021, there was one high priority action which was overdue. This was an action in the HNC Directorate which has now been implemented.
4. Amendments to the Audit Plan
4.1 In accordance with proper professional practice, the Internal Audit plan for the year has been kept under regular review to ensure that the service continues to focus its resources in the highest priority areas based on an assessment of risk. Through discussions with management, the following reviews were added to the original audit plan during the year.
|
Rationale for Addition |
|
|
Procurement Compliance - Phase 2 |
This audit is an extension of our Procurement Compliance (Phase 1) audit that is described earlier in this report. The purpose of the audit is to obtain assurance that quotations and tenders have been obtained in accordance with Contract Standing Orders for all procurements above £75k. |
|
Children’s’ Disability Agency Placements – Budget Pressures |
In 2020/21 there was an unprecedented increase in the number of high cost placements in part to the Covid pandemic. This audit is therefore to ensure that budget setting and management of this service is robust and that the commissioning of services, and individual placements is subject to rigorous scrutiny and that placements are monitored on a regular basis to ensure that they remain relevant and appropriate to the needs of service users. |
|
Property & Design - Corporate Landlord |
This was an additional audit agreed by the Executive Director Economy, Environment and Culture and is focused on the management of legislative responsibilities (including gas, electric, legionella, fire and asbestos), as well as budget management and contracts. |
|
Covid-19 Bus Service Support Grant (CBSSG) |
This is an additional Covid related grant certification in respect of additional grant funding to support bus services. |
4.2 In order to allow these additional audits to take place, the following audits have been removed or deferred from the audit plan and, where appropriate, will be considered for inclusion in future audit plans as part of the overall risk assessment completed during the annual audit planning process. These changes have been made on the basis of risk prioritisation and/or as a result of developments within the service areas concerned requiring a rescheduling of audits:
· Track and Trace Grant;
· Public Health Prep Grant (HIV);
· EU Interreg Grant- SHINE.
5. Internal Audit Performance
5.1 In addition to the annual assessment of internal audit effectiveness against Public Sector Internal Audit Standards (PSIAS), the performance of the service is monitored on an ongoing basis against a set of agreed key performance indicators as set out in the following table:
|
Aspect of Service |
Orbis IA Performance Indicator |
Target |
RAG Score |
Actual Performance |
|
Quality
|
Annual Audit Plan agreed by Audit Committee |
By end April |
G |
Approved by Audit & Standards Committee on 9 March 2021. |
|
Annual Audit Report and Opinion
|
By end July |
G |
2020/21 Annual Report and Opinion approved by Audit Committee on 29 June 2021 |
|
|
Customer Satisfaction Levels |
90% satisfied
|
G |
100% |
|
|
Productivity and Process Efficiency |
Audit Plan – completion to draft report stage |
90% |
G |
46.9% at year mid-point |
|
Compliance with Professional Standards |
Public Sector Internal Audit Standards |
Conforms |
G
|
January 2018 – External assessment by the South West Audit Partnership gave an opinion of ‘Generally Conforms’ – the highest of three possible rankings
July 2021 - Internal Self-Assessment completed, no major areas of non-compliance with PSIAS identified. |
|
|
Relevant legislation such as the Police and Criminal Evidence Act, Criminal Procedures and Investigations Act |
Conforms |
G
|
No evidence of non-compliance identified |
|
Outcome and degree of influence |
Implementation of management actions agreed in response to audit findings |
95% for high priority agreed actions |
G |
97.8% for high priority agreed actions |
|
Our staff |
Professionally Qualified/Accredited (Includes part-qualified staff and those undertaking professional training)
|
80% |
G |
91% |
Audit Opinions and Definitions
|
Opinion |
Definition |
|
Substantial Assurance |
Controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
|
Reasonable Assurance |
Most controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
|
Partial Assurance |
There are weaknesses in the system of control and/or the level of non-compliance is such as to put the achievement of the system or service objectives at risk. |
|
Minimal Assurance |
Controls are generally weak or non-existent, leaving the system open to the risk of significant error or fraud. There is a high risk to the ability of the system/service to meet its objectives. |