Orbis A4 word portrait 2017 with rings

Appendix 1

Internal Audit and Counter Fraud

Quarter 3 Progress Report 2020/21

CONTENTS

1. Summary of Completed Audits and Covid-19 Related Work

2. Counter Fraud and Investigation Activities

3. Action Tracking

4. Amendments to the Audit Plan

5. Internal Audit Performance

1. Summary of Completed Audits

General Data Protection Regulation (GDPR) (Follow-Up) – Reasonable Assurance

1.1 This audit was a follow-up of the previous GDPR audit which provided an opinion of Partial Assurance. This audit was undertaken to ensure actions have been implemented as agreed and to identify any further work required to support the Authority’s control framework for complying with the requirements of the GDPR.

1.2 In April 2016, the European Union introduced the GDPR, with the intention of strengthening data protection rights for individuals within the EU and came into effect on 25th May 2018. This Regulation also applies to organisations outside the EU that offer goods or services to individuals within the EU. The UK government has confirmed that the UK’s decision to leave the EU will not affect compliance with the GDPR.

1.3 Failure to comply with the GDPR could result in reputational damage and substantial fines by the Information Commissioner’s Office of up to 4% of annual global revenue or 20 million Euros, whichever is the greater.

1.4 We have been able to provide Reasonable Assurance over the controls operating within the area under review because:

· Three of the eight actions agreed in the 2018/19 GDPR audit have been fully implemented. Data protection risks are recorded on in a risk register, service-specific privacy notices can now be found on the council's website, and a template has been introduced for assessment of processing activities taking place on the basis of legitimate interests;

· Where agreed actions have not yet been fully implemented, notable improvement has been made in key areas. For example, in relation to Subject Access Requests (SARs), staff resourcing has been addressed to process the backlog of requests, and a significant decrease in the number of SARs which are overdue has been observed. However, timeframes are still being exceeded in some instances, and key information such the caseworker for the request and the stage it is at are not yet recorded;

· Mandatory GDPR training is in place for all employees, which covers staff obligations in reporting breaches promptly, and key policies and procedures are in the process of being updated to reflect current data protection legislation. However, not all documents have yet been updated and shared with staff on the Wave intranet site;

· Some areas of concern are still present, including information asset registers not being routinely reviewed, and recording and reporting of data breaches not optimised. The imminent introduction of specialised software is intended to facilitate good practice in these areas and will include management of records of processing, privacy impact assessments and risk, and is also being explored for use in the recording and management of data breaches.

1.5 We agreed actions with management for all four medium and one low priority findings identified during the audit.

Patch Management – Reasonable Assurance

1.6 With ever increasing reliance on computer systems, an effective patch management process is crucial to ensure that critical security weaknesses are promptly closed, and systems remain available and up to date. However, patch management processes need to ensure systems can continue to work effectively with other hardware and software following the application of a patch.

1.7 This audit was undertaken with a focus on patching in relation to desktop and laptop devices via the Microsoft System Centre Configuration Manager (SCCM), and a sample of critical systems hosted on-premises. Infrastructure patching arrangements (including servers and switches) were not included within the scope of the audit as these were reviewed within the recent Cyber Security audit.

1.8 The purpose of the audit was to provide assurance that controls are in place to meet the following objectives:

· Patches for all systems and applications in use are identified and applied to all relevant devices on the network;

· Patches are applied in a timely manner and prioritised appropriately;

· Use of outdated, unsupported software (for which patches are no longer available) is minimised. Where remaining in use, additional precautions are taken to mitigate the risk associated with such software;

· Sufficient testing and roll back arrangements are in place to ensure disruption to users and service provision from the application of patches is minimised;

· Comprehensive records of patch application are maintained.

1.9 We were able to provide Reasonable Assurance over the effectiveness of the control framework for Patch Management for the following reasons:

· Good practice was demonstrated in relation to patching, as patches are identified and deployed in a timely manner to relevant council devices;

· Testing of patches and updates is robust for both laptop/desktop devices and sampled critical systems, serving to identify and allow correction of problems prior to wider roll-out. Rollback arrangements are also in place should application of a patch have an adverse effect;

· Patches and updates are applied with consideration to balancing the benefits of patching against the risk of doing so, and the desire for user convenience.

1.10 Some opportunities to improve controls were also identified, including:

· Governance arrangements in respect of patching require improvement as we found there is a lack of oversight of patching, and reports on the Council’s patching status are not routinely run to be viewed by management;

· Centralised documentation covering patching, such as the Patch Management Policy, is not up to date. Additionally, key information is not formally recorded, including roles and responsibilities in relation to patching activities, and the expected target times for patches to be applied (and monitored).

1.11 We worked with management to agree actions to respond to two medium and two low risk findings identified during the audit.

City Clean – Fleet (Follow-up) – Reasonable Assurance

1.12 Internal Audit commenced an investigation within Fleet Management in November 2018. The findings from this initial investigation resulted in the suspension of two officers, and the referral of potential criminal offences to Sussex Police.

1.13 In response to the above investigation, we issued a subsequent internal control report (in June 2020), the purpose of which was to highlight any weaknesses in management controls that had been identified during the investigative process. This report detailed 34 actions for improvement that were agreed with the service and summarised for Audit and Standards Committee in July 2020.

1.14 The objective of this latest audit was to follow up on the actions agreed from the previous report, to provide assurance that these have been implemented and that key financial controls are in place and operating effectively. It should be noted that due to Covid-19 working arrangements, we have been unable to conduct site visits and therefore, have placed more reliance than usual on updates provided by senior management as opposed to physical observation of controls.

1.15 As a result of our follow up work, we are now able to provide reasonable assurance that appropriate improvements have been made. Of the 34 agreed actions from the June 2020 report, 27 had been fully implemented, five had been part implemented and two had not yet implemented. Key areas where we have obtained assurance on improvements since the original audit include:

Contracts and Procurement - There are improved purchasing controls within the Workshop/Fleet Department. All minor parts are checked out or ordered through a new dedicated stores officer and orders over an agreed value now require authorisation by the Head of Fleet or the Workshop & Fleet Manager. An asset management system has now been introduced for larger pieces of hardware used in the workshop. Vehicle parts must only be procured from approved suppliers and all staff in the service have been reminded of the expectations in the Employee Code of Conduct and have confirmed receipt of this and the declaration of interest guidance.

Recruitment/Pay and Allowance Issues - Clear instructions are now detailed in the Recruitment Policy to make it explicit the key principles of the requirement to be consistent and impartial in the treatment of candidates throughout the whole process, and all managers have been informed that in order to recruit they must have successfully completed the recruitment and selection e-learning with the last 12 months. All reference requests for CityClean recruitments are now submitted and reviewed by the HR Recruitment Team and the Council’s corporate contract for the sourcing of agency staff is now used if agency staff are required. We also note that standby and on-call rotas have been removed. Only the Head of Fleet or the Workshop & Fleet Manager can now authorise Workshop overtime and annual leave and we can confirm that the levels of staff overtime have dropped significantly.

Personal Use of Vehicles - Any new vehicles procured for staff use would now have to be supported by a business case reviewed by the Operations Manager and Head of Fleet and that any hire, demonstration, or lease vehicles are only sourced where a business need exists. In addition, log-books are now in operation for all vehicles used by multiple staff and the use of fuel cards has been reduced. Previous incidents of deliberate vehicle damage have been reported to the police and improved security arrangements are now partly in place. Instances of damage are no longer occurring.

1.16 In addition to the above, there are a number of areas where further improvements to control have been agreed with management. These include:

· exploring the possibility of appointing an in-house procurement specialist;

· improving the system for the use of emergency order numbers;

· developing a Driver Handbook, and monitoring compliance with it through the monthly Operator Licence compliance meeting;

· reviewing the arrangement for providing cars and vans where they are required as part of some job roles;

· removal of an unapproved WiFi network at the depot;

· installation of CCTV to help prevent future deliberate damage to vehicles.

Working Time Directive (Follow-up) – Partial Assurance

1.17 The Working Time Regulations (1998) brought the European Working Time Directive (EWTD) into UK law. The regulations set down entitlements of employees to maximum working hours, rest periods, rest breaks whilst at work, annual leave and working arrangements for night workers. For most employees there is a maximum working week of 48 hours, normally averaged over 17 weeks. An employee may work more than 48 hours per week if they complete a written opt-out agreement. Some workers, for example those under 18 and drivers of larger vehicles, cannot opt out.

1.18 The original audit review in this area was delivered during 2019/20, partly as a consequence of a finding from the investigation into a fatal accident at a school, where a caretaker had multiple contracts with the Council for an aggregate of 50 hours per week. This previous audit report resulted in a Partial Assurance opinion, with seven actions agreed with management.

1.19 Although appropriate actions had been agreed as part of the previous report and some progress had been made, we have again concluded Partial Assurance over the controls operating within this area. The main reason for this was that, of the seven agreed actions from the original report, only three had been addressed at the time of the follow-up audit.

1.20 Weekly reports are extracted from the payroll system which detail all employees exceeding the Working Time Directive (WTD) limits, and these show whether an opt-out agreement and a WTD risk assessment form have been recorded. However, monitoring of the reports has not taken place since Covid-19 began to have an impact on the service.

1.21 Our analysis of a sample report from July 2020 found that 34 members of staff had exceeded the WTD limit, but only eight of these had an opt-out agreement recorded on the payroll system , and only five had both an opt-out and a WTD risk assessment recorded. In September 2020, 14 out of 44 employees exceeding the WTD limit had an opt-out recorded, and only nine had both an opt-out and risk assessment recorded.

1.22 The Human Resources section of the Wave now has a page dedicated to the Working Time Regulations, with a standard opt-out agreement available to download. There is also a link to the Health & Safety pages, which have been updated to include a WTD risk assessment form and guidance. However, further improvements agreed in the original audit report, such as the revision of the Performance Toolkit and the Workplace Induction Checklist, have not yet been implemented.

1.23 We also note that the corporate induction courses for managers and staff have not yet been updated to cover the Working Time Regulations.

1.24 Renewed actions and revised target dates have been agreed for the remaining actions to be implemented by the 30 June 2021 and a further follow up will be carried out by Internal Audit sometime after this date.

Direct Payments (Follow-up) – Partial Assurance

1.25 Direct payments are made to individuals to meet some or all their eligible health care and support needs. Direct payments were introduced to offer a greater level of independence to service users by providing them directly with funds to procure their own care rather than receiving service provision arranged directly by the Council. At the time of this follow up audit (August 2020), there were approximately 550 direct payment recipients with a forecast spend of £8.8m in the current financial year.

1.26 The previous audit report gave a Minimum Assurance opinion, with eight actions agreed with the service. The objective of this audit was therefore to follow up on the previous review to provide assurance that actions have been implemented and that effective control arrangements are in place to ensure funds have been paid, accounted for correctly and used for their intended purpose.

1.27 Our follow up found that although progress is being made by the service, only two of the eight actions arising from the previous audit had been implemented, with four actions partly implemented. In particular, we identified that at the time of our review, there was still a backlog of direct payment reviews.

1.28 An additional temporary resource, brought in by management, has been targeting surplus balances but excess surpluses on direct payment accounts had in fact risen since the original audit, with the balance that could potentially be returned to the Council at approximately £1.3m.

1.29 Monitoring of accounts was still found to be ad hoc with very few private bank statements being received. This impacts on the team’s ability to check on client expenditure and to ensure adequate care is being obtained.

1.30 There remains a lack of adequate reports from the organisations looking after the supported bank accounts and prepaid cards on behalf of the Council. This shortfall increases the risk to the Council that its clients are receiving inadequate levels of care or, the Council is incurring unnecessary expenditure if a client is over funded. Although work has begun on securing a new contract for pre-paid cards, the service is still being provided outside of a contract, as this expired in May 2019.

1.31 The service is seeking to update an old service level agreement with the registered charity that manages the finances for approximately 300 Council clients. A contract or other formal agreement is not currently in place to support this arrangement.

1.32 Five actions were restated from the original audit, with target implementation dates set to be completed by February 2021. Officers from HASC will be attending the Audit and Standards Committee meeting to provide an update on these actions as previously requested by the Committee.

Home Care (Follow-up) - Partial Assurance

1.33 The Council has a statutory obligation to provide home-based care support services. The focus is on a person’s wellbeing through supporting them to live as independently as possible for as long as possible. Individuals’ care needs are identified in their care/support plan and can include any support service, including personal and non-personal care.

1.34 Expenditure on the homecare is forecast to be £13.08m against a budget of £9.923m for 2020/2021 and supports approximately 2,100 clients.

1.35 Our previous audit report, from February 2020, gave a Minimal Assurance opinion, with five improvement actions agreed with the service.

1.36 The objective of this audit was therefore to follow up on that previous reviews to provide assurance that actions have been implemented to ensure correct payments are being made to service providers and the necessary data is obtained to facilitate the appropriate monitoring of care provided.

1.37 Based on our follow up work we have only been able to provide Partial Assurance because significant control issues with the payment system reported in our last two audit reviews had still not been addressed. Specifically, there remained a significant risk that controls do not prevent overpayments to service providers. In some cases, there was also insufficient information provided by care providers to allow effective monitoring of the care hours provided. In a similar finding to the previous audit, overpayments had been made to some service providers.

1.38 At the time of our audit review the software used to collate the information about services provided was still not working effectively. As a result, an in-house solution was in the process of being developed to improve the processes for ensuring that service providers are paid accurately and to help reduce the risk of overpayments.

1.39 Since the middle of September 2020, a member of the Business Operations team had been tasked with scrutinising timesheets submitted by providers claiming planned, rather than actual hours. The purpose of this was to act as a compensating control for some of the current control shortfalls.

1.40 In addition to the weaknesses in system controls, it was found that there is insufficient clarity in the roles and responsibilities of Adult Social Care and Business Operations staff in relation to the assignment of payment and performance controls.

1.41 A total of five improvement actions have been agreed with management to address these control issues, with the target implementation dates by the end of March 2021. A further follow up will therefore be carried out by Internal Audit as part of our 2021/22 audit plan.

Payroll Control Issues – No specific opinion given

1.42 Following the departure of a number of key staff at the beginning of 2020 an error was made closing the payroll for the month of May 2020 that resulted in the payroll system being temporarily locked with transactions not being able to be processed. The issue could not be fixed by in house staff and took some time to resolve following the commissioning of additional services from the software supplier.

1.43 In addition, a further problem arose which impacted on the reconciliation of the payroll system with the Council’s general ledger. This in turn held up the production and circulation of the Council’s budgetary control reports. This issue was complex and time-consuming to resolve.

1.44 In response to the above, we undertook a short review to help identify any lessons to be learned for the organisation and consequently a number of actions have now been implemented or agreed to reduce the risk of further problems of this nature arising with the operation of the system. These included:

· Upgrading the payroll system to the latest version;

· Improved guidance notes and training for staff;

· Additional oversight and management in this area of the Business Operations service;

· A configuration review of the system by the software supplier.

Middle Street Primary – No specific opinion given

1.45 In October 2020, Internal Audit and Counter Fraud received a notification about potential financial irregularities concerning purchases made using a supplier purchasing account at the school. The issues identified related to a supplier account administered by a former employee of the school.

1.46 After investigation it was identified that the majority of the suspect transactions had in fact been paid for using the personal card of the former employee. In a small number of cases, some potentially private purchases were identified which were paid for using the school’s purchasing card. The transactions concerned totalled less than £250.

1.47 It was determined that although there was insufficient evidence to take further action in response to the allegation of irregularities, our review did identify a number of issues indicating weaknesses in controls. Actions were therefore agreed to ensure improvement of the following areas:

· Strengthening controls to ensure the independent review of all purchasing card statements, receipts and other key documentation;

· Restricting the use of supplier accounts to be used for school transactions only;

· Improved controls to prevent sharing of the school’s purchasing card;

· Improved petty cash reconciliation procedures.

1.48 The school has agreed to implement all of these actions.

EU Interreg Grant – SCAPE (Claim 7)

1.49 This is an EU Interreg project that requires grant certification at least once a year. The full title of the project is Shaping Climate Change Adaptive Places. The total value of the project is approximately £488,000 (Grant expected £293,000).

1.50 No significant issues were identified in the grant certification.

EU Interreg Grant- BioCultural Heritage Tourism (BCHT)

1.51 This is an EU Interreg project that requires grant certification at least once a year. The total cost of the project between 2018 and 2021 is approximately £463,000. The grant expected is £320,000. This was the fifth claim on this project.

1.52 No significant issues were identified in the grant certification.

Transport Capital Grant (2019/20)

1.53 This was the certification of the Local Transport Capital Block Funding (Integrated Transport and Highway Maintenance) Specific Grant for 2019/20. The audit work included testing to certify £4.1m of expenditure incurred in 2019/20. We note that despite this, a carry forward from 2018/19 and an allocation of £5.6m in 2019/20, meant that £4.7m was carried forward to 2020/21. This carry forward was disclosed on the audit certificate sent to the Department for Transport with plans in place to use the funding during 2020/21.

Covid-19 Work in Quarter

1.54 During quarter 3 (2020/21), Internal Audit continued to redirect some of its resources to support the organisation in its response to the issues arising from the Coronavirus pandemic, but this support was significantly reduced as compared to the previous two quarters.

1.55 In Quarter 3, the support provided has included:

· Some continued support to the Business Rate Team with regard to the verification of Business Rate Grants;

· Supporting the Ways of Working Recovery Group;

· Supporting Public Health with the Covid-19 related work (two members of the Counter Fraud Team).

2. Proactive Counter Fraud Work

2.1 Internal Audit deliver both reactive and proactive counter fraud services across the Orbis partnership. Work to date has focussed on the following areas:

National Fraud Initiative (NFI) Exercise

2.2 Internal Audit coordinated the recent submission of Council datasets to the biennial NFI exercise. Results from the data matching will be provided to the Council on 31 January 2021 at which point Internal Audit will liaise with the relevant departments to ensure that flagged matches are investigated and actioned appropriately. Results from the exercise will be shared with the committee in future progress updates.

Fraud Risk Assessments

2.3 Fraud risk assessments are regularly reviewed to ensure that the current fraud threat for the Council has been considered and appropriate mitigating actions identified. We have updated the risk assessment to include new and emerging threats as a result of the COVID-19 pandemic. This includes potential threats to payroll, staff frauds relating to home working and cyber frauds.

Fraud Response Plans

2.4 The Fraud Response Plans take into consideration the results of the fraud risk assessments and emerging trends across the public sector in order to provide a proactive counter fraud programme. The Fraud Response Plans include a pilot data analytics programme for key financial systems. Work on the key financial data analytics that includes creditors, debtors and payroll commenced in quarter three.

Fraud Awareness

2.5 The team have published fraud bulletins raising awareness to emerging threats, in particular recent risks from the Covid-19 pandemic. These were published on the intranet and shared with high risk service areas. In addition, the team continues to monitor intelligence alerts and work closely with neighbouring councils to share intelligence and best practice.

Reactive Counter Fraud Work - Summary of Completed Investigations

COVID-19 Business Grants

2.6 Internal Audit are continuing to provide the Business Rates Team with advice and support when administering applications for the Small Business Grant and the Retail, Hospitality and Leisure Grant Fund. This has included investigation of alleged false applications for the grant.

Adult Social Care

2.7 Internal Audit have continued to provide advice and support to Adult Social Care on individual cases where concerns have been expressed over false applications, the potential deprivation of capital and the misuse direct payments.

Housing Tenancy & Local Taxation

2.8 In addition to the above, a key focus area remains housing tenancy fraud and local taxation. Resources have been impacted by COVID-19 and the redeployment of staff, however, the following progress has been made:

· Tenancy fraud identified in 6 cases, resulting in 5 properties returned to the Council;

· Single Person Discounts to the value of £22,935.71 have been removed from council tax accounts following investigation.

3. Action Tracking

3.1 All high priority actions agreed with management as part of individual audit reviews are subject to action tracking. As at the end of quarter 3, 84% of high priority actions due had been implemented.

3.2 As at the end of December 2020, there were four high priority actions which were overdue. Details of these are provided below, together with a revised deadline for implementation.

Details of Audit, Risk and Action	Dir.	Due date	Revised date	Progress and comments
HASC Temporary Accommodation Two providers were used to spot purchase places when general needs temporary accommodation is unavailable (i.e. if an individual is evicted/barred from general needs accommodation). Use of these providers has resulted in high levels of spend which is not in line with corporate procurement processes.	HNC/ HASC	31/12/20	End May 2021	The service had planned to undertake a re-procurement of all emergency accommodation provision to start in March 2020, but this was paused due to COVID-19, and the need to allow all rough sleepers to be provider with accommodation. The revised specification is due to be finalised by 30/1/21, ready for Procurement to run the tender process, with new (flexible 18 month) contracts in place by May 2021.
Residential and Nursing Care It is a Care Act requirement for care plans to be reviewed annually. The audit found that this is not always happening. There is a risk clients care needs are not being met and/or that the Council may be paying for nursing care that is no longer required by the client. The service agreed an action to improve performance with a revised target set of 60% but which prioritises clients in nursing care settings.	HASC	31/12/20	Propose to stop tracking this action but revisit as part of an audit in 2021/22.	The service have explained that they have achieved an improvement in our waiting lists through the development and use of more proportionate assessment tools, thus creating the capacity to prioritise planned reviews. Current performance (of long term reviews) has been reported at 52.52% set against a target of 60%. Performance against this indicator is tracked regularly with the Operational Leads, via the corporate performance framework (as this is a key indicator within the corporate KPI set), and report directly through to councillors via the Performance Information Group (made up of representatives of the Health and Wellbeing Board). The HASC Modernisation programme seeks to further improve this performance via the implementation of our new target operating model.
Debtors Our 2019/20 report found that debt recovery performance reports are not currently circulated to all relevant service teams. Although a report template had been developed this control had not yet been put in place.	F&R	31/12 2020	To be agreed as part of the 2020/21 audit process.	The delivery of this action has been put back due to the impact of Covid-19 and the absence of key staff. Our 2020/21 audit is in progress and this will include a follow-up on the progress with regard to this action. A separate agenda item for this meeting includes an update on progress with addressing previous audit findings with regard to the Debtors System
Debtors Our sample testing of unpaid invoices found that reminders and arrears notices were being issued as expected, but in many of the sampled cases the recovery process had then ceased. It was agreed that the latest Aged Debtor Report would be worked through by the new Corporate Debt Campaign Team. New recovery routes would be agreed with service areas, and Court action will be reintroduced on a trial basis.	F&R	31/12/22020	To be agreed as part of the 2020/21 audit process.	The delivery of this action has been put back due to the impact of Covid-19 and the absence of key staff. Our 2020/21 audit is in progress and this will include a follow-up on the progress with regard to this action. A separate agenda item for this meeting includes an update on progress with addressing previous audit findings with regard to the Debtors System.

Details of Audit, Risk and Action

Dir.

Due date

Revised date

Progress and comments

HASC Temporary Accommodation

Two providers were used to spot purchase places when general needs temporary accommodation is unavailable (i.e. if an individual is evicted/barred from general needs accommodation). Use of these providers has resulted in high levels of spend which is not in line with corporate procurement processes.

HNC/

HASC

31/12/20

End May 2021

The service had planned to undertake a re-procurement of all emergency accommodation provision to start in March 2020, but this was paused due to COVID-19, and the need to allow all rough sleepers to be provider with accommodation. The revised specification is due to be finalised by 30/1/21, ready for Procurement to run the tender process, with new (flexible 18 month) contracts in place by May 2021.

Residential and Nursing Care

It is a Care Act requirement for care plans to be reviewed annually. The audit found that this is not always happening. There is a risk clients care needs are not being met and/or that the Council may be paying for nursing care that is no longer required by the client.

The service agreed an action to improve performance with a revised target set of 60% but which prioritises clients in nursing care settings.

HASC

31/12/20

Propose to stop tracking this action but revisit as part of an audit in 2021/22.

The service have explained that they have achieved an improvement in our waiting lists through the development and use of more proportionate assessment tools, thus creating the capacity to prioritise planned reviews.

Current performance (of long term reviews) has been reported at 52.52% set against a target of 60%.

Performance against this indicator is tracked regularly with the Operational Leads, via the corporate performance framework (as this is a key indicator within the corporate KPI set), and report directly through to councillors via the Performance Information Group (made up of representatives of the Health and Wellbeing Board).

The HASC Modernisation programme seeks to further improve this performance via the implementation of our new target operating model.

Debtors

Our 2019/20 report found that debt recovery performance reports are not currently circulated to all relevant service teams. Although a report template had been developed this control had not yet been put in place.

F&R

31/12 2020

To be agreed as part of the 2020/21 audit process.

The delivery of this action has been put back due to the impact of Covid-19 and the absence of key staff. Our 2020/21 audit is in progress and this will include a follow-up on the progress with regard to this action.

A separate agenda item for this meeting includes an update on progress with addressing previous audit findings with regard to the Debtors System

Debtors

Our sample testing of unpaid invoices found that reminders and arrears notices were being issued as expected, but in many of the sampled cases the recovery process had then ceased.

It was agreed that the latest Aged Debtor Report would be worked through by the new Corporate Debt Campaign Team. New recovery routes would be agreed with service areas, and Court action will be reintroduced on a trial basis.

F&R

31/12/22020

To be agreed as part of the 2020/21 audit process.

A separate agenda item for this meeting includes an update on progress with addressing previous audit findings with regard to the Debtors System.

4. Amendments to the Audit Plan

4.1 The Audit & Standards Committee agreed a revised Internal Audit Plan in October 2020. Since then there have been several additions and deletions to the revised plan as detailed in the two tables below.

Deletions or postponements to the revised 2020/21 Internal Audit Plan

Planned audit	Rationale for deletion or postponements
School Attendance	This audit has been postponed at the request of FCL due to the impact of Covid-19 on schools and will be considered as a priority for delivery in 2021/22.
Better Lives, Stronger Communities Programme	With a new HASC Modernisation Business Case submitted in November 2020, to realign ways of working, governance and deliver significant financial savings, this planned review will require rescheduling for the latter half of 2021/22.
Health and Social Care Integration (Strategic Risk 20)	This audit has been postponed at the request of HASC due to the impact of Covid-19 on their services and will be considered as a priority for delivery in 2021/22.

Additions to the revised 2020/21 Internal Audit Plan

Planned audit	Rationale for addition
Payroll Control Issues	This review was added to the revised plan following the referral of a systems issue to Internal Audit. A summary of this work is included in Section 1 of this report
IT Access Management	This audit was added to the audit plan in Quarter 3 following some issues identified with regard to how network permissions had been managed in a front line service. These issues were treated as a data breach which was separately invested by the Council’s Information Governance Officers.
Middle Street Primary School	Audit requested at the request of the school following the identification of a potential irregularity. A summary of this work is included in Section 1 of this report

4.2 In addition to the above there are a significant number of Covid-19 related central government grants that will require certification in the coming months. At present it is likely that the majority of this work will fall into the 2021/22 financial year and therefore these have not been detailed here.

5. Internal Audit Performance

5.1 In addition to the annual assessment of internal audit effectiveness against Public Sector Internal Audit Standards (PSIAS), the performance of the service is monitored on an ongoing basis against a set of agreed key performance indicators as set out in the following table:

Aspect of Service	Orbis IA Performance Indicator	Target	RAG Score	Actual Performance
Quality	Annual Audit Plan agreed by Audit Committee	By end April	G	Approved by Audit & Standards Committee on 10 March 2020. (Revised plan approved by Audit & standards Committee 27 October 2020)
	Annual Audit Report and Opinion	By end July	G	2019/20 Annual Report and Opinion approved by Audit Committee on 21 July 2020
	Customer Satisfaction Levels	90% satisfied	G	100%
Productivity and Process Efficiency	Audit Plan – completion to draft report stage		A	During the COVID-19 pandemic, the audit plan has been suspended to allow the organisation to respond to the emerging pandemic.
Compliance with Professional Standards	Public Sector Internal Audit Standards	Conforms	G	January 2018 – External assessment by the South West Audit Partnership gave an opinion of ‘Generally Conforms’ – the highest of three possible rankings. June 2020 - Internal Self-Assessment completed, no major areas of non-compliance with PSIAS or our own processes identified.
	Relevant legislation such as the Police and Criminal Evidence Act, Criminal Procedures and Investigations Act	Conforms	G	No evidence of non-compliance identified
Outcome and degree of influence	Implementation of management actions agreed in response to audit findings	95% for high priority agreed actions	A	84% at end of quarter 3.
Our staff	Professionally Qualified/Accredited	80%	G	91%

Audit Opinions and Definitions

Opinion	Definition
Substantial Assurance	Controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives.
Reasonable Assurance	Most controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives.
Partial Assurance	There are weaknesses in the system of control and/or the level of non-compliance is such as to put the achievement of the system or service objectives at risk.
Minimal Assurance	Controls are generally weak or non-existent, leaving the system open to the risk of significant error or fraud. There is a high risk to the ability of the system/service to meet its objectives.