Internal Security
 |
Source: BFI inspection assessment
For an explanation about how to read this radar chart see Strategic Management.
Post opening
6.1 Secure adequately staffed post opening procedures are a key part of an effective, economic, safe and efficient postal receipt service. Controls should ensure that items of mail sent to a local authority are not lost or stolen and fraudulent documents do not enter the system.
6.2 Many important documents relevant to the claim are received at the local authority. These will often be valuable and confidential such as passports, birth and marriage certificates and driving licences.
6.3 London Borough of Harrow was not at Standard in this element because XXXX XXXX XXXX XXXX XXXX XXXX XXXX XX
6.4 We reviewed the post opening at London Borough of Harrow. Our detailed findings against Performance Standards are detailed in Figure 6.2 below. The areas of concern were:
- XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX
- post was being opened outside of the restricted area
- XXXX XXXX XXXX XXXX
- XXXX XXXX XXXX XXXX XXXX XXXX XX
- XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX X
| Fig. 6.2: Observation of London Borough of Harrow’s post opening arrangements |
||
| Performance Standards |
Met by local authority? 4 /6 |
BFI comment |
| Has a programme for reviewing its post opening procedures. |
4 |
Reviewed at 6-monthly intervals. |
| Carries out monthly management checks on post opening procedures. |
4 |
Scanning and Indexing Team Leader carried out spot checks on procedures. |
| Has a post opening procedures manual. |
4 |
London Borough of Harrow had procedure manuals covering the post opening operation, the recording of valuables and the handling of post under the Do Not Redirect scheme. |
| XXXX XXXX XXXX XXXX XXXX XXXX XXX XXXX |
6 |
XXXX XXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXXX XXXX XXXX XXXX XXX |
| Has at least 2 staff opening the post. |
4 |
At least 2 staff were present throughout post opening. |
| Keeps a daily log of all staff involved. |
4 |
Weekly staff rota showed that there were 2 members of staff on post opening at all times. Any changes to personnel were hand-written on a sheet. Rotas were kept on file as a log. |
| Separate post opening duties between opening post, recording valuables and dispatching post. |
4 |
These duties were segregated. |
| XXXX XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX |
6 |
XXXX XXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX X XXXX |
| Ensures that all post is stamped with the date of receipt. |
6 |
Not all photocopied documents were date stamped. A cover sheet was attached to a number of documents for the same claim and the sheet was then date stamped. |
| Has assurance that all post is distributed to the right person or section. |
4 |
Support Services Manager had assurance that all post was distributed correctly. |
| Receives photocopies of original documents by hand and stamps them, original seen. |
6 |
Cover sheet was completed to confirm that photocopies were of an original document. Individual copies were not stamped. |
| Performance Standards |
Met by local authority? 4 /6 |
BFI comment |
| Records items of value immediately in a valuables register. |
6 |
XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX X XXXX |
| Ensures that a senior officer countersigns the valuables register. |
6 |
XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XX |
| Ensures that valuables and the register are passed securely to the designated officer for safe keeping. |
4 |
Valuables were returned to customer once they had been photocopied – this was done as part of post opening. Register of returned post was held securely. |
| Ensures that the designated officer signs the register to acknowledge receipt of valuables. |
6 |
XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XX |
| Ensures that post for the fraud team is distributed unopened. |
4 |
Any post for fraud (including returned post) was placed in the dedicated Investigations Team pigeon hole unopened. |
Source: BFI analysis
6.5 London Borough of Harrow would achieve Standard in this element if it:
- revised its post opening procedures to ensure that they align with Performance Standards and regular management checks are undertaken to confirm compliance
- XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XX XXXX XXXX XXXX XXXX XXXX XXX
| Recommendations |
| We recommend that London Borough of Harrow: |
|
|
Recruitment
6.6 Clerical and automated systems depend on the integrity of staff. To reduce the risk of fraud and error it is vital that the qualifications and employment histories of potential recruits are comprehensively verified. This should be backed up by requiring staff to sign an annual declaration covering any interests that may conflict with their work. For example, receipt of HB and CTB or acting as a landlord or agent.
6.7 London Borough of Harrow was not at Standard in this element because:
· it did not require all staff to make a declaration of interest, including a nil return or to complete a new declaration annually
· it did not regularly review its recruitment procedures
· contractors were not subjected to the council’s existing checks.
6.8 London Borough of Harrow had a recruitment and selection policy, endorsed by Members, specifying the type of checks that should be made on new staff.
6.9 The authority performed well against the Audit Commission’s recommendations on employment checks as shown in Figure 6.3.
| Fig. 6.3: Comparison with Audit Commission’s recommendations |
|
| Recommendations |
BFI comment |
| Verifying references with employers |
London Borough of Harrow checked all references by writing to the previous employer. |
| Verifying if previous employers were genuine |
A standard reference form was sent to previous employers. To ensure that the employer was genuine, the requests were addressed to the company and not the named referee. |
| Ensuring that the required skills profile is met (using competency tests if required) |
Each post had a job description and a person specification. Competency testing formed part of the recruitment process. |
| Verification of educational and professional qualifications |
Educational certificates were checked against those declared on the application form. |
| Verification of previous employment and duties performed |
Reference form asked for details of experience and abilities. |
Source: The Audit Commission’s Countering Housing Benefit Fraud: A Management Handbook (1997), BFI analysis
6.10 All recruitment checks were recorded on a checklist and the Human Resources Department confirmed that all the necessary checks had been performed. Additional checks were carried out for posts that involved handling cash or large council assets, where a full 10-year employment history was obtained and checked. Further checks were also made of staff before they were employed in the Benefits service.
6.11 London Borough of Harrow’s code of conduct for staff stated that all council staff employed on Scale 6 or above were required to complete a declaration of interest form if they had an interest to declare. Once a declaration had been signed the member of staff had to notify their manager of any changes, other than benefit staff London Borough of Harrow did not require staff to complete a nil return or to complete a new return annually.
6.12 There was a written policy for staff in the Financial and Exchequer services which informed them that they were not permitted to:
· access their own Council Tax account
· deal with their own claim for benefit
· handle a claim for benefit from a relative or friend.
6.13 London Borough of Harrow told us that it would review its recruitment procedures during 2003/04. The revised policy would include procedures for gaining assurance that any contractors employed by the authority were subjected to similar checks to those applied to permanent staff of the authority.
6.14 To achieve Standard in this element, London Borough of Harrow should:
· review and revise its recruitment and selection policy and ask Members to endorse the revised policy
· require all staff to complete an annual declaration of interest, including a nil return
· ensure that contractors are subjected to the authority’s recruitment checks.
| Recommendations |
| We recommend that London Borough of Harrow: |
|
|
|
Internal control mechanisms
6.15 Large numbers of HB and CTB payments pass through the accounting and payment systems operated by a local authority. The authority’s Section 151 Officer, must ensure that:
· there is an identifiable division of duties
· there are rigorous internal control mechanisms
· Internal Audit provides assurance to Members and management that controls operate effectively.
6.16 London Borough of Harrow was not at Standard in this element because:
· internal audit coverage of HB and CTB did not reflect the size of payments made by the authority
· there were no arrangements in place for recruitment and vetting procedures to be reviewed annually by Internal Audit or an independent body.
6.17 The authority had a number of strengths:
· internal auditors used the Chartered Institute of Public Finance and Accountancy risk matrix as a key control model
· Performance Standards were used to assess the authority’s performance
· the authority monitored performance against internal audit and external audit recommendations
· reporting mechanisms to senior officers existed to ensure that weaknesses identified were remedied
· External Audit had expressed satisfaction with system security.
6.18 However, as identified in Strategic Management, we had concerns that the internal audit coverage allocated to benefits did not reflect the volume of HB and CTB payments made by the authority or our assessment of the risks associated with HB and CTB administration. We have made a recommendation for this area in Strategic Management.
6.19 We also identified that London Borough of Harrow’s recruitment and vetting procedures had not been reviewed by internal audit or an independent body.
6.20 To achieve Standard in this element, London Borough of Harrow should:
· ensure that internal audit coverage reflects the size of HB and CTB payments made by the authority
· make arrangements for its recruitment and vetting procedures to be reviewed annually by internal audit or an independent body.
| Recommendations |
We recommend that London Borough of Harrow: |
|
IT systems
6.21 A local authority heavily relies on IT systems to deliver its Benefits service.
6.22 London Borough of Harrow was at Standard in this element because it regularly assessed the integrity and security of its IT systems.
6.23 The Quality, Systems and Development team controlled access to the benefits IT and the document image processing systems. It also tested new releases of software and logged any faults that were reported by users.
6.24 Internal Audit reviewed the document image processing system in December 2000 and made a number of recommendations relating to the security of the system. We were pleased to find that all the recommendations relating to system security had been implemented prior to our inspection.
6.25 Figure 6.4 provides details of London Borough of Harrow’s compliance with access control good practice.
| Fig. 6.4: Summary of the authority’s compliance with access control good practice |
||
| Good Practice |
Met by local authority? 4 /6 |
BFI comment |
| Access control policy |
||
| Requirements for user access to systems should be defined and documented. |
4 |
Requirements for user access were defined and documented in a systems access policy. Requests for user access to the benefits IT system and document image processing system were made by the line manager on a standard form. |
| User registration |
||
| System
users should be registered in accordance with their system
access needs and |
4 |
New users’ system access needs were determined and controlled by the line manager. Line managers requested that a user is de-registered when access was no longer required. |
| Privilege management |
|
|
| Some system privileges may allow users to override system controls and so they must be identified, allocated and authorised on a ‘need-to-use’ basis. |
4 |
User privileges were authorised by the Quality, Systems and Development Team or the corporate IT Section. |
| Review of user access rights |
|
|
| Users access capabilities (including privileges) should be regularly reviewed. |
4 |
User access levels were reviewed every three months. The Quality, Systems and Development Team controlled this process. |
| User password management |
|
|
| Allocation of user passwords should be controlled by a formal management process. |
4 |
The Quality, Systems and Development Team controlled user passwords. |
| Password use |
|
|
| Users should be advised to follow good practice in selection and use of passwords. |
4 |
A written policy on system security and use of passwords was provided to all staff at induction. |
| Good Practice |
Met by local authority? 4 /6 |
BFI comment |
| Unattended equipment |
|
|
| Unattended equipment should be protected from unauthorised access or usage. For example, active sessions should be terminated unless they can be controlled by a system lock or time-out. |
4 |
Unauthorised access to the benefits IT and document image processing systems was prevented by users locking their workstation. Active sessions were terminated after 15 minutes by a system lock. |
| User identifiers |
|
|
| All computer activities should be traceable to individuals. |
4 |
Each user had a unique identifier and this enabled them to be traced on system audit trails. |
Source: London Borough of Harrow and BFI analysis
Document management
6.26 Document management needs to be supported by effective procedures and controls. A good document management system gives a local authority an opportunity to improve its performance.
6.27 London Borough of Harrow was above Standard in this element because its document image processing system was efficient, effective and secure and it conducted regular reviews to identify further improvements to the system.
6.28 We were pleased to find that the authority was continuing to work closely with the provider of its document image processing system and we identified some good work in identifying enhancements to the system to improve performance.
6.29 At the time of our first inspection the authority had a large backlog of post waiting to be scanned and indexed. At the time of this inspection there was no such backlog.
6.30 Figure 6.5 compares London Borough of Harrow’s document image processing system with document management good practice.
| Fig. 6.5: Summary of compliance with document management good practice |
||
| Good Practice |
Met by local authority? 4 /6 |
BFI comment |
| Provide a comprehensive list of document types for indexing. |
4 |
54 different document types were used. |
| Monitor the progress of scanned documents allocated to individual members of staff. |
4 |
Assistant Benefits Managers were able to monitor any documents that had been scanned and indexed. |
| Routeing indexed documents to specific members of staff or teams. |
4 |
Individual documents could be routed to specific members of staff once they had been added to a case file. |
| Being able to significantly magnify chosen areas of the document, such as the signature for close scrutiny. |
4 |
Complete documents or an area of a document could be magnified. |
| Providing a split screen facility, so that 2 documents can be readily compared at the push of a button. |
4 |
A number of documents could be displayed at once so that documents could be compared. |
| Being able to easily produce high quality hard copies of images. |
4 |
High quality copies of documents could be printed locally. |
| Identify high priority documents, such as extended payment claims and can allocate different timescales for dealing with different types of documents. |
4 |
Each document had a process type attached to it and each process type had a priority attached to it. |
| Automatically alerts staff to documents due for action or overdue. |
4 |
The system automatically alerted managers to documents that were overdue. |
| Producing colour images, in addition to black and white. |
4 |
The system had the facility to produce colour images. |
| If documents are stored on disk, having disks stored carefully in conditions which minimise the risk of degradation. |
4 |
Documents were saved to a server and then archived to optical disk. |
| Classifying documents in terms of priority, security level and urgency for input. |
4 |
Documents were reviewed, prioritised and classified with specific security levels. |
| Scanning documents into the system on the day of receipt. If this is not possible, they should be scanned as soon as possible on the next working day. |
4 |
The target was to scan documents into the system within 24 hours of receipt. This was being achieved. |
| Ensuring that scanned images cannot be amended or altered by users. |
4 |
Users could not alter scanned documents. |
| Having sufficient staff with responsibility for scanning documents who are sufficiently fraud aware to be able to identify and intercept suspect documents. |
4 |
Scanning staff had received training in the identification of original documents and in fraud and forgery awareness. |
Source: BFI analysis
Payment and accounting
6.31 HB and CTB payments form a large part of the accounting and payment systems operated by a local authority. Rent Allowance payments are made to customers, landlords and agents. This is different to CTB and Rent Rebates where the payment involves the transfer of credits between local authority accounts.
6.32 The difference means that there is a greater risk of fraud and error attached to payments of Rent Allowance. The benefits of ensuring that all Rent Allowance payments are secure include:
· deterrence against internal fraud
· potential reduction in local authority error overpayments
· improved administration of the local authority’s bank accounts and early identification of problem areas through regular reconciliation of payments.
6.33 To illustrate the sums of money involved, Figure 6.6 shows the amount of Rent Allowance paid and the methods of payment in 2002/03 to 16 February 2003.
| Fig.
6.6: Rent Allowance payments and methods of payment - 2002/03
– |
||||
| Payment method |
To
tenant |
To
landlord |
Total
paid |
% of total |
| Bank Automated Clearing System |
21,288,936 |
7,914,552 |
29,203,488 |
71 |
| Crossed cheque |
1,650,961 |
10,467,336 |
12,118,297 |
29 |
| Total |
22,939,897 |
18,381,888 |
41,321,785 |
100 |
Source: London Borough of Harrow
6.34 London Borough of Harrow was not at Standard in this element because XXXX XXXX XXXX XXXX XXXX XXXX XXXX X. This weakness had been raised in our first report but XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XX XXXX
6.35 However, there had been some improvement since our first inspection when we recommended that a record of the nominated officer and the accompanying officer be maintained. We were pleased to see that this recommendation had been adopted and that the Support Services Manager now maintained a record of the officers involved in the payment process.
6.36 We tested the security and effectiveness of the payment system by observing the payment process. Effective controls were in place to ensure cheques were controlled and signed for by the nominated officer involved in the receipt and dispatching process.
6.37 In our first report we recommended that access to the key for the secure cupboard, where the cheques were stored until they were ready to be enveloped and dispatched, should have been restricted. At the time we were on-site the key to the cupboard was kept in a key safe within the restricted area. But XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXX
6.38 London Borough of Harrow had responded to a recommendation in our first report, by attempting to make the area where cheques are enveloped more secure by placing a security screen between the enveloping machine and the main door. We identified the following areas of concern:
· XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX X
· XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX X
· during our observations of the cheque dispatch process, another member of staff opened incoming post on the desk next to the open box of cheques
· XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XX
· XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX X XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XX
6.39 Since our first inspection London Borough of Harrow had introduced procedures to investigate and cancel cheques that had not been cashed by the customer within 6 months of issue. The status of each cheque was now recorded on the benefits IT system through an interface with the council’s bank reconciliation programme.
6.40 To achieve Standard in this element, London Borough of Harrow should XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX X
| Recommendations |
| We recommend that London Borough of Harrow: |
|