Agenda item

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk which provided an update on Internal Audit’s latest progress with regard to service delivery, assurance provision and reviews completed was presented for the Committee’s consideration.

The Head of Audit and Risk highlighted the main points as follows –

•           That two audit review reports were finalised during the period the one relating to School Income Collection Arrangements which resulted in a Limited Assurance opinion and the other relating to Concessionary Travel Fraud which produced a Reasonable Assurance opinion.

•           The Concessionary Travel Fraud review was undertaken following the press reports of fraud against Gwynedd Council which led to the conviction of the owners of two bus companies for offences including conspiracy to commit fraud by false representations. Enquiries were made with Gwynedd Council and the Council’s Transport Service to ensure that the Council is not exposed to this fraud. One of the companies had operated two contracts for which the Council reimbursed concessionary fares but was not successful when the Council re-tendered the contracts in 2015. The other had not received payments since June, 2014. In addition the following controls are in place which should ensure that the Council’s exposure to risk in the reimbursement of concessionary fares is minimised -

•           Flintshire County Council on behalf of all the North Wales Councils provides summary reports directly from the Wayfarer system to support reimbursement claims of concessionary fares so contractors cannot tamper with them. The Council’s Transport Service checks all claims for concessionary fares submitted by the bus operator against the reports.

•           From July, 2016 the Welsh Government introduced monthly detailed system reports to allow Councils to monitor smart card activity. The new reporting system means that the Council can identify and investigate anomalies and so there is a reduced risk of losses due to inflated or fraudulent claims for reimbursement of concessionary fares.

•           The Council participates in the “Tell Us Once” scheme and cancels cards when informed of deaths. The Council retains damaged cards and any card reported lost is de-activated.

•           The Internal Audit review of School Income Collection Arrangements was undertaken at the request of the previous Head of Learning due to various concerns about income collections processes within schools. Three primary schools were visited as part of the audit. The review identified policies and procedures in relation to income that were outdated; inconsistencies in accounting for income; lack of corporate monitoring, variations between schools in the monitoring of debt; weak governance of school funds and inappropriate system access controls. Most of the weaknesses found within the income collection processes adopted by schools were due to lack of knowledge and training with the Learning Service not having issued schools with up to date policies supported by procedures and training. There is also a lack of corporate compliance monitoring by the Learning Service which leaves the Council exposed to risks.

•           That four follow-up reviews of Limited Assurance reports were finalised in the period relating to Sundry Debtors (remains a Limited Assurance rating); Corporate Procurement Framework (upgraded to Reasonable Assurance); Council’s Preparation for GDPR (upgraded to Reasonable Assurance) and Corporate Safeguarding (upgraded to Reasonable Assurance).

•           The Sundry Debtors first Follow-Up review found that although the Debtors Team has undertaken significant work to address the issues and risks raised during the original review including implementing major changes to systems while maintaining the daily workload, in many case it has been insufficient to fully address the risk and so the Limited Assurance rating still stands. Of the 19 issues/risks raised during the initial audit review, the Revenue and Benefits Manager has tolerated one Minor risk around refunds and the risk of fraud; 5 have been addressed, 11 are in the process of being addressed and work is yet to start on 2.Where work has commenced and this has reduced the likelihood of the risk occurring, is has been reflected in the risk rating. Internal Audit will revisit the service in July, 2019 to monitor the progress of addressing the risks.

•           That three reports with a Limited Assurance rating are scheduled for a follow-up review before the end of the current financial year. These are Child Care Court Orders under the Public Law Outline (PLO); (Follow-Up scheduled for July, 2018) Payment Card Industry Data Security Standards (Follow-Up scheduled for October, 2018), and System Controls – Logical Access and Segregation of Duties (Follow-Up scheduled for December, 2018). All three follow-up reviews are currently in progress.

•           The Council has steadily improved its performance in addressing issues/risks raised during audits during 2017/18 and has continued to maintain good performance over the first two quarters of 2018/19. A new and upgraded version of the action tracking system will shortly be available, which provides extra functionality and reduces the administrative burden.

•           That since the appointment of the two new Senior Auditors, work on the 2018/19 Internal Audit Operational Plan (Appendix A to the report) has progressed well. However, due to the length of these vacancies, protracted investigations, significant follow-up work and the maternity leave of the third Senior Auditor, the target for undertaking 80% of the red and amber risk in the corporate risk register will be difficult to achieve. To date 29% of the red and amber residual risk in the corporate risk register have been covered and work is ongoing in the 7 areas listed in paragraph 42 of the report. Where the Operational Plan shows no target date for reporting to the Committee, it is because it is anticipated no work will be carried out in those areas – there may be other work being undertaken in these areas e.g. ongoing systems implementation with regard to Payroll which will need to bed in before Internal Audit can review the area or an area may not be a priority at this time or an area may be subject to other regulatory/oversight work e.g.  Energy Island Programme/Wylfa Newydd which because of its significance has, and is receiving a great deal of scrutiny from other sources.

•           The Council’s Insurers, Zurich Municipal have undertaken an independent Risk Management Health Check. The outcome is largely as expected with a few opportunities for improvement. The Strategic Risk Consultants’ report along with the improvement action plan, will be shared with the Committee once the the report is finalised.

•           During the last quarter, Internal Audit has been requesting, collating, reviewing and uploading all the required data for the 2018/19 National Fraud Initiative exercise – a biennial exercise which matches data across organisations and systems to help public bodies identify potentially fraudulent or erroneous claims and transactions. The previous NFI exercise in 2016/17 has been one of the most successful to date already resulting in the identification of £5.4m of fraud and overpayment in Wales and £301m across the UK.

The Committee considered the report and made points as follows –

•           The Committee noted that the travel fraud against Gwynedd Council in relation to concessionary fares has highlighted an issue that posed a significant risk. The Committee sought clarification of whether there is data available with regard to past and present usage across authorities

Mr Alan Hughes, WAO said that he understood but could not confirm, that Welsh Government has undertaken a review to establish whether the problem that surfaced in Gwynedd was more extensive. The Head of Audit and Risk said that she would contact Welsh Government to see if the information is available bearing in mind that Welsh Government funds the all Wales Concessionary Travel Scheme.

•           The Committee noted with regard to the audit of School Income Collection arrangements that the issues/risks raised are primarily financial in nature. The Committee sought clarification therefore of whether the Finance rather than the Learning Service should be taking the lead on addressing those issues given that it would be expected that Finance has the greater expertise in relation to income collection processes and is therefore best placed to rectify the situation.

The Head of Function (Resources)/Section 151 Officer said that although the responsibility for income collection lies ultimately with the Section 151 Officer the involvement of schools in this case complicates the matter. As schools are legal entities in their own right and have different levels of administrative support, establishing a process that works for all in the same way is difficult. Previously income was collected manually which although laborious was a tried and tested process; however the introduction of the School Comms system and cashless payment in some schools is an added complexity in terms of making it more difficult to reconcile income that is actually collected by a school with payments made digitally via Schools Comms where the school has not handled any cash. The system was introduced with grant funding but was not subject to any subsequent review and although the audit has not uncovered any issue as regards monies missing the inconsistencies and variations along with the lack of oversight and corporate compliance monitoring means that no assurance can be provided that the Council is not at risk of losing money because of the issues with the reconciliation process. It is a matter for the Finance Service to ensure that the appropriate controls are put in place, and with the input of the Learning Service and schools, to devise a process that works for all, that everyone understands and that provides the required level of assurance.

•           The Committee noted that only three schools were visited as part of the audit; the Committee sought clarification of how this sample was arrived at and whether it could be taken as representative.

The Head of Audit and Risk said that the audit visit was targeted at a new school that had had the system installed for a short time only; a school which had been operating the system for a long time where the process was expected to have embedded and a school known to have issues. The different results from each school which the audit produced confirmed the lack of consistency which it could be assumed was replicated in the remaining schools. The core issues is that the software has been installed without the parallel training and guidance and additionally it has been installed to do different things in different schools. The Officer said that she was however assured by the newly appointed Schools Business Support Officer and her action plan for progressing the matter and addressing the identified risks/issues.

The Chief Executive in acknowledging that the situation highlighted by the audit review was unacceptable said that he too was encouraged by the comprehensiveness of the Action Plan which he assured members would be implemented.

•           The Committee noted that a lesson to be taken from the audit review of school income collection arrangements is that projects, whether to introduce a new system or otherwise need to have a post-implementation review which in this case could have helped identify the pitfalls sooner and allowed them to be addressed in a more timely way. The Committee also sought clarification as to the availability of benchmarking data for school meals income collection which would help the Committee gain some perspective on the issue.

The Head of Audit and Risk said that she would endeavour to provide the information.

•           The Committee noted with regard to the Sundry Debtors First Follow-up Review that nearly two years will have elapsed since the original Internal Audit review in November 2017 and the planned Second Follow-Up review in July, 2019 which it viewed as an excessively long timescale to address the issues and risks raised. The Committee also noted that lack of capacity seems to have hampered the Debtors Team from making greater progress and it sought clarification of whether there was a case to be made for additional resources. The Committee further queried whether in the light of the financial pressures on the Council and the ongoing need to identify savings, the maximisation of income, income collection and debt recovery should be priorities.

The Head of Function (Resources)/Section 151 Officer explained what the large-scale investment in systems encompassing Debtors, Cash Collection and Accounting, Council Tax and Housing Benefits which the Finance Service has made over the last two years has entailed specifically for the Debtors and Income Collection teams. In that time also a complete staff restructure has been implemented which itself became a lengthy process. Having improved the Debtors System to a point where it is working reasonably well with invoices being raised promptly and the team working to a 3 day target for the authorisation of new debtors,  the Finance Service is now looking to roll out those tasks  for services themselves to undertake. Whilst there remains a backlog which the team is working through there are now processes in place to ensure that backlogs are not allowed to accumulate. The other element of the process is the cash system with new software with greater functionality now being introduced. This is as a result of a successful bid for resources under the Invest to Save initiative whereby funding is released for projects that improve the Council’s business processes the aim with the new cash system being to better facilitate in advance online payment for services. There has been some delay in implementation because of complications arising from dual software systems. However, once the planned alternative methods of payment are established i.e. online, by touchtone - it will release resources for other tasks within the Income and Debtor Teams. A great deal of progress has been made over the past two years and the improvements and systems upgrade when they are all completed should allow the Service to direct resources to where they are needed and to deal  with matters before they become problems.

In respect of outstanding debt and debt recovery, the Officers said that the Council raised a total of £15.7m through the Debtor system in in 2017/18 or 11,500 invoices. At the end of Quarter 2 of the current financial year the outstanding balance was around £4m of which £2.3m was debt over 120 days old. This figure could contain one or two large debts by public bodies which when cleared would reduce the sum significantly. The Recovery Team has also been restructured and an officer has been recruited on a performance basis who has been tasked with dealing with old debts initially to the value of £1.5m. To date the officer has dealt with over £500k of which £250k has been collected. Extra resources are therefore being allocated to debt recovery in the knowledge that the return will be greater than the cost of employing the officer to do the work.

•           The Committee noted with regard to the Corporate Procurement Framework Second Follow-Up that of the 20 issues/risk raised in the original review in September, 2017, six remain unaddressed and noted also that the Corporate Procurement Manager had extended the deadline dates for addressing these remaining risks. The Committee sought assurance that the outstanding issues do not impact on the efficiency of the process.

The Head of Audit and Risk confirmed that the facility which enables managers to extend implementation dates has now been withdrawn. The Officer proceeded to outline the areas to which the outstanding issues relate which include uploading the Central Contracts Register to the external website which because of reconfiguration work on the website has been delayed; revising Contract Procedure Rules and establishing a suite of PIs to measure the effectiveness of procurement activity.

•           The Committee noted with regard to GDPR that although the Council’s arrangements are now assessed as providing Reasonable assurance, the Annual Report of the Senior Information Risk Owner presented to the Committee’s previous meeting highlighted that in the region of 50% of the Council’s staff had not completed the e-learning training on data protection. The Committee sought assurance that work is ongoing to ensure that all staff fulfil this requirement. The Committee also noted that GDPR has been an issue for schools and that there has been some difficulty in recruiting to the post of Schools’ Data Protection Officer.

The Head of Audit and Risk said that Heads of Service are responsible for ensuring their staff complete data protection training and they are provided with reports on the number of staff who have done so. The Click to Accept policy acceptance facility within the Policy Portal provides assurance that policies are being read and accepted by individual staff.  With regard to schools, the Internal Audit Service will be undertaking an Information Governance Health check of schools in Quarter 4 2018/19 which will cover data protection.

It was resolved that having considered the information presented and the clarifications provided by Officers , the Audit and Governance Committee accepts and notes Internal Audit’s latest progress in terms of its service delivery, assurance provision, reviews completed, performance and effectiveness in driving improvement.

ADDITIONAL ACTION PROPOSED: Head of Audit and Risk to provide the Committee with the following –

•           Data on past and present usage in relation to concessionary travel

•           Benchmarking data in relation to school meals income collection