Internal Audit

Progress Report 2023-24

South Hams

Audit & Governance Committee

28 September 2023

Introduction

The Audit and Governance Committee, under its Terms of Reference contained in South Hams District Council’s Constitution, is required to consider the Chief Internal Auditor’s annual report, to review and approve the Internal Audit programme, and to monitor the progress and performance of Internal Audit.

The Accounts and Audit (Amendment) (England) Regulations 2015 introduced the requirement that all Authorities carry out an annual review of the effectiveness of their internal audit system and incorporate the results of that review into their Annual Governance Statement (AGS), published with the annual Statement of Accounts.

The Internal Audit plan for 2023-24 was presented and approved by the Audit and Governance Committee in March and July 2023. The following report and appendices set out the background to audit service provision and provides a position statement on the overall adequacy and effectiveness of the Authority’s internal control environment.

The Public Sector Internal Audit Standards require the Head of Internal Audit to provide an annual report providing an opinion that can be used by the organisation to inform its governance statement. This report contributes to that annual opinion.

Expectations of the Audit and Governance Committee from this progress report

Audit Committee members are requested to consider:

•           the assurance statement within this report.

•           the basis of our opinion and the completion of audit work against the plan.

•           the revised audit plan provided.

•           audit coverage and findings provided.

•           the overall performance and customer satisfaction on audit delivery.

In review of the above the Audit and Governance Committee are required to consider the assurance provided alongside that of the Executive, Corporate Risk Management and external assurance including that of the External Auditor as part of the Governance Framework and satisfy themselves from this assurance that the internal control framework continues to be maintained.

Contents

Introduction

Opinion Statement

Executive Summary of Audit Results

Value Added

Audit Coverage & Progress Against Plan

 Appendices

1 – Summary of Audit Results

2 – Audit Plan Progress

Substantial Assurance

A sound system of governance, risk management and control exist across the organisation, with internal controls operating effectively and being consistently applied to support the achievement of strategic and operational objectives.

Reasonable Assurance

There are generally sound systems of governance, risk management and control in place across the organisation. Some issues, non-compliance or scope for improvement were identified which may put at risk the achievement of some of the strategic and operational objectives.

Limited Assurance

Significant gaps, weaknesses or non-compliance were identified across the organisation. Improvement is required to the system of governance, risk management and control to effectively manage risks and ensure that strategic and operational objectives can be achieved.

No Assurance

Immediate action is required to address fundamental control gaps, weaknesses or issues of non-compliance identified across the organisation. The system of governance, risk management and control is inadequate to effectively manage risks to the achievement of strategic and operational objectives.

Audit

Overall Score

Procurement

Excellent

Health and Wellbeing

Excellent

Pay

Excellent

Regeneration and Investment

Excellent

Council Tax Rebate Checks

Excellent

Audit /

Assurance Opinion

Summary, risk exposure and management actions

Energy Bill Support Scheme

Substantial Assurance

The Councils operated and administered the scheme within the guidance provided by BEIS. The portal went live to applicants on 06 March 2023 with applications closing on 31 May 2023 and the Council completing final payments by 30 June 2023. Total payments made by the councils comprise £286,200 (SHAMS £139,200 for 494 Households; WD £147,000 for 520 Households).The Councils were able to process all applications received by the required payment date. The scheme has been extended by BEIS several times and the current final payment date is 1 September 2023. This is to enable process of applications that have already been received by BEIS that may not have been correctly processed. At the time of the report the Councils have not received or processed any late applications past 31 July 2023. Our review is based on the current live scheme processes and has not been to determine the final scheme closure or reconciliation.

We tested 14 applications across the two authorities from both schemes, including unverified bank accounts, cancelled, and rejected applications. We confirmed procedures were followed by officers operating the scheme and that checks were operating effectively. We identified a couple of areas where officers were aware of issues and are taking remediation work forward. Given these are being addressed we have not made recommendations.

There were no recommendations.

Council Tax Rebate Checks (£150 CT rebate)

Reasonable Assurance

The Councils operated and administered the scheme within the guidance provided by the DLUHC for the scheme period April to November 2022. They were able to distribute 98% of the funding provided to its eligible households, roughly 50% by the end of April and 88% by the end of July 2022. We confirm procedures were followed by officers operating the scheme. We have identified process improvements for consideration for the current and future schemes.

We have identified as a high risk that Spotlight checks, as stipulated by the DLUHC guidance, have not been completed for discretionary payments where current bank details were not already held. Going forward, Spotlight checks will be completed post payment for additional assurance.

For discretionary scheme applications it was not always possible to clearly determine the reason for approval as determination, in line with the scheme policy, was not always included on the application notes. This confirmation of compliance to the scheme may be required for any future award confirmation by DLUHC.

The system identified that two applications were received for the same household and that two £150 discretionary payments were made to the same person. No action has yet been taken to recover this overpayment.

We also identify process improvements for this and future schemes in:

·         Completing a risk assessment and or pre/post-payment assurance plan at the start of the project and updating this as the scheme progresses.

·         Retaining documentation during the process such as process notes and system change records, publicity, social media, website information and application forms that are more difficult to evidence when the scheme has closed but might be required in post assurance testing.

We agreed one High, one Medium and five Low priority recommendations.

The High recommendation related to undertaking Spotlight checks before payment where applicable – this is being done.

Insurance

Reasonable Assurance

The Councils have insurance policies expected as standard which provide appropriate cover for all activities and risks except cyber-attack. For the year 2023, SHDC paid £626k in insurance premiums and WDBC £105k and the excess value varying from £100 to £5k. The method of recording claims prior to October 2022 has meant that the cost of the premiums against the value of claims settled cannot be compared. This would help assess if value for money was being obtained from the insurance held.

Between 2019 and 2022, SHDC received between thirty and fifty claims annually but in 2023 has received fifty in the first five months; half were attributable to the Waste service. WDBC received eleven claims in 2019, reducing to around five per year from 2020 to 2022 and one in the first five months of 2023. Review of claims indicate there is a process to promptly consider whether they are merited and to pay or challenge them. Working practice is to settle any agreed claims valued at less than £1k despite the Excess value set.

The Councils do not have a strategy governing their approach to insurance cover, nor is it informed by analysis of claims. Spreadsheet records maintained by officers previously responsible for administering insurance claims do not include the value of claims settled or which services gave rise to the claims. Officers have not used the data to highlight areas where there are large numbers of insurance claims. Work is now underway to analyse the data and use it to identify staff training needs and procedures to be changed to reduce incidents.

In relation to Cyber Security, we have previously identified the council have good prevention and recovery controls. It has not procured Cyber Insurance. The insurance is expensive and difficult to secure but would help mitigate the financial impact of a cyber-incident. The costs and benefits of this insurance should be considered.

We agreed two Medium and five Low priority recommendations.

Food Safety

Reasonable Assurance

There was a good system of governance, risk management and control, supported by comprehensive policies and procedures to manage and deliver the Food Safety service. However, this is undermined by limited staffing levels and significant issues with the software to administer the service. These have contributed to an inability to meet the requirements of the FSA Covid Recovery Plan and the Food Law Code of Practice (England) 2021.

Following the end of Covid-19 measures, the FSA issued a Recovery Plan to move to a normal inspection regime between July 2021 and March 2023. SHDC and WDBC were not able to fully meet this plan, in part due to the failure of contractors brought in to assist. For 2022/23 out of all Recovery Plan inspections of rated food businesses, 46% were completed for SHDC and 51% for WDBC. This has resulted in a significant backlog of 425 unrated premises to be inspected, 18% of the total food businesses across the two authorities. From April 2023 the required inspection frequency has returned to that detailed in the Food Law Code of Practice (England) 2021.

Management has highlighted that the FSA, as the regulating body, has been informed of the issues and their plans to address them, and has not highlighted it as a significant issue. Officers continue to challenge delivery methods, to seek further efficiencies and to address the software issues. To allow service delivery levels to be met by the end of 2024/25 actions are being taken on recruitment and staff training. It was also noted that inspections of high-risk food premises are prioritised, allowing these to be completed on time.  However, there remains risk that these actions may not be delivered. Appropriate reporting to members should be introduced to ensure they are aware of the risks and progress made to meet legal requirements.

The team administers registration documents for the movement of shellfish from production areas and issue food export certificates, principally for the South Hams shellfish industry. Due to post Brexit regulations, work for the shellfish industry has increased significantly, with no additional staff resource, although the council should seek to recover costs. While it is not a statutory requirement to provide this export certificate service and it places significant burden on the team, it is considered important to support local business.

We agreed two High, two Medium and three Low priority recommendations.

The two High recommendations related to:

1.    Ensure effective steps are taken to increase staff resource to meet legal requirements.

2.     Improve the accuracy of the register of Food Businesses.

Project Management

Reasonable Assurance

The formal project management framework is used effectively to deliver the larger council projects. We reviewed three major Council projects: the time critical waste contract moving back in-house; Batson Development part of the capital plan; and the planning project requiring IT support and involvement and part of the Future IT (FIT) plan. In these we found good adherence to project management principles.

We note that the waste project was able to deliver the cessation of part of the waste contract and moving this and related services back in house within the planned timescales and budgets and met the objectives of the project plan. The Batson Development had issues related to the contractor to deliver the final project but again project planning and management of processes mitigated most issues and delivered the planned outcomes. The planning system is currently progressing to the testing phase and has developed SharePoint Teams software to enable assigning of tasks, tracking progress, and storing of records.

However, work is needed to consider an appropriate and consistent approach to managing smaller projects. Smaller projects although subject to reviews by project boards or line management, are not consistently overseen by trained Project Managers. Project officers were not fully aware of, or used, the Councils Project Process or Toolkit and issues and lessons learnt, as part of a formalised end of project, are not gathered to improve and contribute to the planning process for future projects.

The councils centrally manage its key projects with other projects managed at Service level. A Project Register to record all Council projects is to be created. This would be beneficial, and we suggest this should also record key project performance information like timeliness, budgeting, and effectiveness. This should also consider the centralised recording of project approvals, records, and the wider use of standard project templates.

The waste project was an uncommon and unplanned exceptional project that had to be undertaken in a relatively short timeframe and will have identified issues related to the cessation of a significant agreement mid contract. An advantage of this is that the closedown of this project stage will provide insights into the complexities of undertaking this project which should be considered in producing a business continuity plan for the waste service and applied to other contracts and projects, such as the Leisure Contract.

We agreed three Medium and six Low priority recommendations.

Travel and Subsistence

Reasonable Assurance

The Travel and Subsistence Policy outlines the circumstances in which employees may claim for expenses. The Policy is now being updated to reflect changes to the system, business arrangements and corporate objectives. This will align the policy to Financial Procedure Rules and working practice. Our audit has also informed the review including management approval of travel claims, and reminders to staff to deduct travel to work mileage, and holding current driving licence, insurance, and MoT.

The new i-Trent system has simplified the claim process for officers, and reduced Payroll team processing work. Claims are submitted and paid promptly and are coded accurately within the ledgers While the system has resulted in efficiencies, there have been recent instances of duplicate claim payments through i-Trent which are being investigated. There is also potential to make better use of system reporting to help monitor claims.

Officers currently self-certify their claims. This is significantly at variance to public sector practice and increases the risk of fraud and error. Receipts are often not submitted with claims; without checks to identify such instances expenses are reimbursed in full without deduction of tax, as required by HMRC rules. The Councils do not recover VAT from HMRC, this being dependent on ensuring receipts are provided with all claims. 10% of claims are checked by the payroll team, however their knowledge of the journey need is limited. We identified claims which were not within the scope of the Policy, although we do not consider them fraudulent. In relation to VAT, there is no process for the councils to recover VAT incurred on travel and subsistence payments.

Detailed examination of claims highlighted some deviations from the Travel and Subsistence Policy. Not all claims deducted home-to-work mileage for journeys starting or finishing at home. This may be a genuine error as the practice was suspended during the Covid pandemic and its re-introduction in May 2022 was only notified in a single e-newsletter. Other errors were also noted but the complexity of the Policy may contribute to these. This complexity has arisen from efforts to ensure fairness to all officers and to operate across two headquarters.

The Payroll team recently became aware the system is paying occasional historic claims a second time. This is believed to have only affected a handful of staff and has been logged with the software supplier for resolution.

The induction process for new staff includes a check of their driving licence, MOT, and insurance, which should include “business use”. However, no further checks are made. Reliance is placed on the certification statement within the travel and subsistence claim form. Staff are not required to confirm they acknowledge and agree the certification, nor does it refer to the need for “business use car insurance”, only “car insurance”. This may result in staff using their own vehicles without appropriate insurance or tax.

We agreed six Medium and six Low priority recommendations.

Devon Building Control Partnership

Good (equates to a Reasonable Assurance)

The management of the DBCP is very experienced and the team are providing the statutory service to a high standard.  Our ‘Good’ level of assurance is mainly due to factors outside of Building Control as they are reliant on IT services provided by Teignbridge which have weaknesses. We would consider an ‘Excellent’ opinion if these were not included.

Board meetings are held regularly and documented on the TDC website (albeit the March 2023 meeting minutes have not yet been published).  Meetings have been well supported in the past and appropriate DBCP plans and reports, and other relevant documents are shared with committee members. New members will be appointed to the committee following the elections.

Operations are undertaken in accordance with current legislation and the Head of Service has close links with the Local Authority Building Control (LABC) service as the South West Chair.  There are changes to the way surveyors are regulated coming into effect in 2024, and the team are undertaking the necessary qualifications in Q4 2023 including Level 6 qualifications required for Fire Safety. There is currently a review of the Partnership Agreement being done to ensure that it encompasses the appropriate wording to protect itself from potential future changes in non-fee work for large or ‘relevant buildings’ which may otherwise adversely impact DBCP.

Performance monitoring is excellent with an impressive central dashboard which we consider a major asset to the operation and the standard other authorities should aspire to.  We examined various performance measures which were all being met. Workloads are high across the team, and there is risk related to the impact of staff departure or sickness.  We are told that some work e.g., plan checking can be outsourced if required, however this will impact profitability.

The financial position of the partnership has faced challenges in the last three years due to unexpected (inherited) pension costs necessitating use of the Building Control partnership reserves. However, an increase in reserves to £150k has been approved which should make it more robust. With interest rates rising and a cost-of-living crisis it is conceivable that a downturn in the housing market is a potential future threat.  A pricing review led to an average 14% increase in fees across all lines in May 2023 to maintain a zero impact in-year. Budget monitoring is thorough with monthly meetings between accountants and Head of Service. For 2022-23 there was a surplus of £53.6k.

Market share remains strong at c.85% and the team work hard to sustain and develop their reputation and network of contacts in the professional community. This leads to significant new and repeat business. Maintaining the current staffing levels is also a challenge for the partnership. An experienced, mature team with several staff approaching retirement age raises concerns about future planning and sustainability, particularly when recruiting is difficult in this specialist sector.  Training and retention will require careful management, even with the external funding secured from the LABC for two new apprentices.

Due to the databases of the three districts being combined there are legacy data protection concerns relating to the data being held by the DBCP.  A software cleanse is being progressed via Strata; however, this will take time to complete.

We also highlight our concerns around the security of accepting telephone card payments. This is an out-of-date process, which is not compliant with the Payment Service Directive (part 2). A solution is likely to be provided by the external payment provider Adelante at a future date (currently unknown). The processes are otherwise robust with payments for the Building Control service being received in advance of work commencing. This has also raised the question of whether staff who handle sensitive card / payment / personal data should have any vetting prior to employment e.g., Disclosure Barring Service checks.

There are very low levels of complaints recorded. Feedback from customers is sought via email, and whenever this highlights concerns, customers are contacted to discuss and resolve.  However, DBCP does not have a ‘how to complain’ link on its website, though feedback is clear and easy to provide using the ‘Customer Feedback’ link.  Complaints are expected to be routed through the customers own council website and follow their procedure, but this is not possible as none of the three authorities have a category for Building Control in their online complaints process.

We agreed four Medium and one Low priority recommendation.