Internal Security
|
Fig. 6.1: Results of BFI’s assessment for Internal Security |
|
|
Source: BFI inspection assessment
For an explanation about how to read this radar chart see Executive summary
Introduction
6.1 It is important that local authorities have effective controls in place to ensure that the risk of internal fraud is minimised. In particular, they must ensure effective control and security over:
· post opening
· recruitment
· internal control mechanisms
· payment and accounting systems
· document management.
6.2 Our work to establish the effectiveness of Wokingham District Council’s controls included:
· observing its post opening, scanning, indexing and cheque dispatch processes
· examining its policies and procedures
· discussions with key management and staff
· discussions with the council’s internal and external auditors and taking account of their reported findings and recommendations.
6.3 Figure 6.1 shows that Wokingham District Council is not at Standard. We found that post opening procedures were insecure and there was a lack of comprehensive guidance surrounding the control of valuables.
Post opening
6.4 Secure, adequately staffed, post opening procedures are a key part of an effective, economic, safe and efficient postal receipt service. Controls should ensure that items of mail sent to a local authority are not lost or stolen and fraudulent documents do not enter the system.
6.5 Sections 1(1A) and 1(1B) of the Social Security Administration Act 1992, mean that many important documents relevant to the claim are received at the local authority. These will often be valuable and confidential such as passports, birth and marriage certificates and driving licences.
6.6 We
observed the post opening process at the Shute End office on
10 July 2003, from the time post was first delivered to the council through
to its dispatch and, where appropriate, its return. We also spoke to the receptionist
at the Woodley Benefits surgery about arrangements for post and valuables
received at the Woodley office.
6.7 We describe our detailed findings in Appendix B. XXXX XXXX XXXX XX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX XXXX XXX
6.8 Wokingham District Council is not at Standard. To achieve standard Wokingham District Council needs to review its post opening arrangements and guidance to ensure that post is kept secure from the initial receipt through to its final distribution. In particular it needs to ensure that:
· XXXX XXXX XXXX XXXX XXXX XXXX XXXX XX
· XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
· XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXX
· XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
· post opening is supervised and management checks carried out
· staff who are not currently trained in the Verification Framework receive urgent training.
6.9 Its main strengths include:
· post is opened on the day of receipt
· all documents are date stamped
· valuables are photocopied and marked as originals seen
· valuables are returned on the day of receipt.
|
Recommendations |
|
We recommend that Wokingham District Council: |
|
· revises its post opening arrangements and guidance taking account of the weaknesses that we identify in this report at Appendix B, especially those surrounding: - XXXX XXXX XXXX XXXX XXXX - XXXX XXXX XXXX XXXX XXXX XXX - XXXX XXXX XXXX XXXX · provides staff with more comprehensive written post opening procedural guidance · introduces a formal documented monthly management check of compliance with post opening good practice. |
Recruitment
6.10 Clerical and automated systems depend on the integrity of staff. To reduce the risk of fraud and error it is vital that the qualifications and employment histories of potential recruits are comprehensively verified. Staff should also sign an annual declaration covering any interests that may conflict with their work, for example receiving HB and CTB, or acting as a landlord or agent.
6.11 Wokingham District Council was close to achieving Standard. To achieve Standard, Wokingham District Council needs to:
· introduce management controls that ensure that the register of interest:
– is completed by all staff
– is updated at least annually
· ensure that secure arrangements are in place to restrict access to HB or CTB claims where an interest has been declared
· apply the same standard of recruitment checks to agency staff or contractors used by the Benefits service as that applied to permanent staff
· check for any criminal records for potential employees, who will have access to financial areas.
6.12 We found that it had corporate policy and guidance on recruitment and selection that included:
· a legislative and policy framework
· a code of practice for recruitment and selection
· equal opportunities
· the Race Relations Act 1976
· the Disability Discriminations Acts 1995 and 1999.
6.13 We found that job descriptions and profiles for the skills required for HB and CTB were available on Wokingham District Council’s Intranet. The council’s Personnel section controlled the recruitment process.
6.14 The Audit Commission’s Countering Housing Benefit Fraud: A management handbook (1997) recommends a number of recruitment checks that an authority should carry out before offering employment.
6.15 We compared Wokingham District Council’s recruitment procedures with Audit Commission recommendations. Figure 6.2 shows that for the recruitment of permanent staff, all Audit Commission recommendations were met.
|
Fig. 6.2: Comparison with Audit Commission’s recommendations |
|
|
Recommendations |
BFI comment |
|
Verifying references with employers |
The Personnel department verifies references for all recruits to the Benefits service. |
|
Verifying if previous employers were genuine |
The Personnel department validates previous employers of new recruits to the Benefits service. |
|
Ensuring that the required skills profile is met (using competency tests if required) |
The required skills for Benefits posts were outlined in the job advertisements. Applicants’ competencies were tested through their written applications and at interview. |
|
Verification of educational and professional qualifications |
The Personnel department does not confirm any appointment until it has conducted a formal check of educational certificates and professional qualifications. |
|
Verification of previous employment and duties performed |
As part of its validation of previous employers, the job type and duties performed were also verified. |
Source: BFI analysis
6.16 Performance Standards require a process to be in place to allow staff to make a declaration of interest for any conflicts with their council duties. We found evidence to show that Wokingham District Council staff were required to complete a declaration of interest. These were kept in a folder, which we found was up-to-date. The declarations covered all relatives and close personal friends who were:
· subject to Council Tax payable to Wokingham District Council
· owners or running a business liable for Business Rates payable to Wokingham District Council
· received Housing Benefit or Council Tax Benefit from Wokingham District Council.
6.17 XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX X
6.18 XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XX XXXX
|
Recommendations |
|
We recommend that Wokingham District Council: |
|
· introduces management controls to ensure that: - the register of interests declared by staff is kept up-to-date - secure arrangements are in place for claims affected by declarations - staff are asked to sign an annual declaration that covers any interests that may conflict with their work · introduces and applies the recruitment checks recommended by Audit Commission for all benefits staff who are supplied by agencies · XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX |
Internal control mechanisms
6.19 Large numbers of HB and CTB payments pass through the accounting and payment systems operated by a local authority. The authority’s Section 151 Officer must ensure that:
· there is identifiable division of duties
· there are rigorous internal control mechanisms
· Internal Audit provides assurance to Members and management that controls operate effectively.
6.20 Wokingham District Council is not at Standard. To achieve Standard Wokingham District Council needs to prepare quarterly reports for the audit sub committee which should include:
· reporting on progress against the audit programme
· the current status of audit reports
· progress against recommendations.
6.21 It also needs to ensure its recruitment and vetting procedures are reviewed independently each year and that Internal Audit assesses its performance against Performance Standards.
6.22 Its strengths in this area include:
· a rolling programme of Internal Audit review covering the period from April 2002 to March 2005 which included 20 days per year allocated specifically to benefits, 15 days to debtors and 7 days to anti-fraud and corruption. We consider that this represents adequate coverage for the size of payments made by HB and CTB
· formal risk analysis of the programme was undertaken and amended annually to take account of any perceived risks or changes
· an ongoing review of key controls associated with secure delivery of the Benefits service
· independent assurance on Wokingham District Council’s Benefits systems integrity by a private partner who has been appointed to carry out systems audits on Wokingham District Council’s behalf
· quarterly
meetings with District Audit to ensure that activities are
co-ordinated and that there is no duplication in audit coverage
· sound reporting arrangements in place. Senior managers have the opportunity to comment on the draft report and agree a timetable for implementation of the recommendations.
6.23 The programme for Internal Audit did not include an annual review of recruitment and vetting procedures in either 2002/03 or 2003/04. Internal Audit told us that changes to the programme would be made when the perceived risk changed. An example given was the introduction of the Benefits IT system in July 2003. A detailed audit of the key controls was undertaken by Wokingham District Council’s private partner immediately prior to the new system’s introduction.
6.24 Arrangements for reporting Internal Audit findings and remedying weaknesses were due to change at the time of our inspection. Since 2000, the elected Member with responsibility for audit had received Internal Audit reports. Internal Audit told us that an audit sub committee was being set up from 6 August 2003. No precise definition of its future role had been made at the time of our inspection.
6.25 Internal Audit confirmed that progress against its report recommendations was not formally monitored.
|
Recommendations |
|
We recommend that Wokingham District Council: |
|
· ensures that: - all recruitment and vetting procedures are annually reviewed by an independent body, such as Internal Audit - its Internal Audit function measures the effectiveness of Benefits service performance against the Performance Standards - its audit committee receives quarterly reports on: - progress against the audit programme - the current status of audit reports - progress against recommendations. |
Document management
6.26 It is important that local authorities have effective procedures and controls in place to securely manage the information they receive and to deliver an effective and timely Benefits service.
6.27 To assess how Wokingham District Council controls and manages documents received we observed the scanning and indexing process and spoke to members of staff.
6.28 Wokingham District Council is not at Standard. To achieve Standard it needs to review the procedure for indexing and allocating documents to work trays to ensure that documents reach the staff member who will process the claim at the earliest opportunity. It also needs to urgently address the weaknesses in its IT to ensure it can establish a clear audit trail of all actions recorded on its systems. We discuss this in more detail and make recommendations in Strategic Management – IT.
6.29 Wokingham District Council uses a document image processor system to record and control the movement of the information it receives. All documents and evidence provided by HB and CTB claimants are scanned onto the system when received. An automatic interface with the benefits IT system provides processing staff with immediate access to the images recorded.
6.30 We report in Processing of Claims that Wokingham District Council did not make effective use of its document image processor system to monitor the progress of claims received. We were also concerned that access to audit trail information was limited. This was having an impact on service in terms of efficiency, effectiveness and security.
6.31 Wokingham District Council’s strengths included:
· documents received were scanned on the day of receipt
· documents were indexed within 2 days but generally on the day of receipt
· a quality check of all documents scanned was carried out to ensure that they were clear and of a good quality
· scanned documents were retained on-site in secure cupboards for a period of between 2 and 6 months
· a split screen was available to enable staff to compare documents.
6.32 Our findings and observations of Wokingham District Councils performance against Standards and good practice are outlined in Figure 6.3.
|
Fig. 6.3: Comparison of Wokingham District Council’s performance with document management best practice |
||
|
Good practice |
Met by local authority? Yes/No |
BFI comment |
|
Provide a comprehensive list of document types for indexing |
Y |
A comprehensive list of all document types was held by the administration staff. |
|
Monitor the progress of scanned documents allocated to individual members of staff |
N |
The document image processing system provides a facility to monitor the progress of documents. At the time of our inspection this facility was not being utilised. |
|
Routeing indexed documents to specific members of staff or teams |
Y |
The document image processing system has functionality to route documents to individuals. At the time of our inspection documents were allocated to today’s work tray and then reviewed clerically before being transferred to the member of staff who would process the claim. |
|
Being able to significantly magnify chosen areas of the document, such as the signature for close scrutiny |
Y |
The document image processing system allows documents to be significantly magnified. |
|
Providing a split screen facility, so that 2 documents can be readily compared at the push of a button |
Y |
A spilt screen facility is available. |
|
Being able to easily produce high quality hard copies of images |
Y |
The printers can produce hard copies of images. Our observations showed that these were clear and legible. |
|
Identify high priority documents, such as extended payment claims and can allocate different timescales for dealing with different types of documents |
Y |
The document imaging processing system has the functionality to flag up priority documents. At the time of our inspection this was being carried out clerically. |
|
Automatically alerts staff to documents due for action or overdue |
N |
The IT system has the capacity to inform staff if documents are due for action or overdue. Wokingham District Council told us that it did not make use of this function because of the work backlog situation as it would result in large numbers of documents being listed as due or overdue. |
|
Producing colour images, in addition to black and white |
N |
There is capacity within the IT systems to produce colour images, but these were not utilised. |
|
Good practice |
Met by local authority? Yes/No |
BFI comment |
|
If documents are stored on disk, having disks stored carefully in conditions which minimise the risk of degradation |
Y |
Documents are stored on the server. |
|
Classifying documents in terms of priority, security level and urgency for input |
Y |
All documents are scanned onto the system on the day of receipt. The system identifies the category of document, which determines the priority and security levels. |
|
Scanning documents into the system on the day of receipt. If this is not possible, they should be scanned as soon as possible on the next working day |
Y |
Our observations showed that documents were scanned on the day of receipt. In our discussions with staff, we were told that they cover each other’s role during absences, and that there had only been two occasions in the previous two years when the system had broken down. |
|
Ensuring that scanned images cannot be amended or altered by users |
Y |
Users cannot alter scanned documents. |
|
Having sufficient staff with responsibility for scanning documents who are sufficiently fraud aware to be able to identify and intercept suspect documents |
Y |
Two of the three staff advised that they
had received training on the Verification framework and talked us through
the process. XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXX XXXX
XXXX XXXX XXXX XXXX XXX XXXX XXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX
XXXX XXXX XXX |
Source: BFI analysis
|
Recommendation |
|
We recommend that Wokingham District Council: |
|
· reviews the procedure for indexing and allocating documents to work trays. |
Payment and accounting
6.33 HB and CTB payments form an important part of the accounting and payment system operated by a local authority. For Rent Allowance claims a local authority makes payments to claimants, landlords or agents. Secure payment of Rent Allowance claims is deterrence against internal fraud.
6.34 Wokingham District Council is not at Standard. Its payment reconciliation process is secure but we found a slight weakness with the security of its cheques.
Payment reconciliation
6.35 Wokingham District Council paid its Rent Allowance claims by crossed cheque and its council tenants by automated transfer to individual rent accounts. There were plans to introduce payment by Bankers Automated Clearing Service once the new Benefits IT system was fully integrated.
6.36 The Benefits IT system automatically prompted the generation of a benefit payment depending on the period payment type. Payments were made by crossed cheque at weekly, fortnightly or 4-weekly intervals and were processed every Monday.
6.37 We discussed Wokingham District Council’s payment and accounting procedure with the Control Officer, who worked separately from the benefit assessment team and tested the security and effectiveness of the system by observing the payment and accounting process.
6.38 We found that Rent Allowance expenditure was reconciled weekly by the Control Officer who compared the payments issued report against the cheques issued report. We were told that any discrepancies were reported to the Benefits Manager. This provided the necessary assurance to Wokingham District Council that its Rent Allowance payment process was sound.
Cheque security
6.39 We observed the cheque dispatch process during our period on-site. All payment runs were listed electronically and were scrutinised by the Control Officer who checked the payment list for duplications or potential errors. XXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX XXXX XXXX XXXX XXXX X Any cases involving error including duplicate payments and stopped cheques were identified, removed from the cheque payment run by the Control Officer and queries were referred back to the benefit assessment team. We examined written guidance on the process for stopping cheques during the payment run and were satisfied that the guidance was clear and comprehensive.
6.40 Having identified the number of items within the payment run the Control Officer collected the appropriate number of blank cheques from the Finance Officer. The cheques were sequentially numbered and both parties signed the cheque register. XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX X
6.41 XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX The Finance Officer signed for the printed cheques and arranged for their dispatch in Do Not Redirect envelopes.
6.42 The Benefits IT system produces reports of cheques that have not been cashed 6 months following their dispatch. The Overpayments Officer refers the cases involved for follow up action, normally by visit, to establish the reason for non-encashment.