Water Industry Commission for Scotland - independent review: financial transactions

1. Executive Summary

1.1 Background

The Auditor General completed an audit of the Water Industry Commission for Scotland ('WICS') in 2022/23. A Section 22 report was issued which identified claims for unauthorised expenditure, as well as issues with the wider expense process. Several reviews took place in response, including an internal audit by Grant Thornton, an internal financial transactions review, and an internal governance review. The themes identified in the Section 22 report were further highlighted in these reviews.

The Scottish Government asked EY to assess the approach to the WICS internal review and conduct further testing on expenses data prior to 2021/22 to identify any additional themes or findings not noted in previous reviews.

EY were appointed to deliver this review for the Scottish Government under the Internal Audit Co-source agreement dated 15 August 2019. The findings and recommendations set out are for the attention and consideration of the Scottish Government, not for WICS or any other third party.

1.2 Scope

EY's scope of work included the following:

• Assessment of the approach to the internal review carried out by WICS of their financial transactions for 2022/23 and the first three quarters of 2023-24.
• Further testing of expenses prior to 2022/23, to assess if any risks, themes or insights not highlighted by the previous reviews can be identified.

For full details of the scope of our work please refer to Appendix D.

1.3 Exclusions from Scope

• This was not an assurance exercise, and we did not opine on the completeness, accuracy or appropriateness of WICS data, transactions or controls.
• We did not re-perform any testing or verification carried out by WICS as part of their internal review, except as necessary to assess the quality and robustness of the testing performed.
• We did not review any scope area not specifically noted above or set out in Appendix D.
• Our work did not include re-performing any of the work undertaken by Audit Scotland as part of the Section 22 report or by Grant Thornton as part of their internal audit of governance and financial management arrangements.

1.4 Summary of Conclusions

Our testing did not identify any risks or themes not highlighted by previous reviews. However, we noted multiple transactions which demonstrate weaknesses in governance and control and point to patterns of behaviour identified by previous reviews.

Our key findings are as follows:

• The Head of Finance was responsible for designing and scoping the internal review, with input from the Director of Analysis. However, the scope of the review did not obtain formal input or approval from the Board prior to commencement. Additionally, there was no formal mechanism for reporting up to the Board during the review, or for the Board to review or formally acknowledge the output.
• While the internal review followed a defined scope of work and was performed by an individual independent from the Finance Team, a wider scope and more rigorous documentation and quality review processes would have enhanced the rigour and value of the exercise.
• The expenses policy in place for the period 2018-2022 was silent on key areas including who should approve Director expenses, whether alcohol is permitted in subsistence claims, whether expenses could be claimed for spousal travel and under what circumstances, and any relevant considerations for incurring and approving out of policy expenses.
• Our review of transactions identified multiple instances where expenses were incurred with no discernible business purpose, which is consistent with the findings of the Grant Thornton review and the Section 22 report.
• We acknowledge that management have taken steps since the Grant Thornton review and Section 22 report to enhance the control environment –for example, updates to the expenses policy –and that there have been changes to senior personnel. However, there are opportunities to further develop the preventative and detective controls in place to reduce the risk of inappropriate expenditure, such as monitoring of spend by individuals to identify outliers and including additional guidance in the expenses policy to cover all scenarios that would likely take place under normal business circumstances.

In addition to our findings, we executed a high-level analysis of the data to understand the profile of spend by individual and by year for key categories –for example, flights and hotels. The results of this can be found in Appendix B. A full list of our observations can be found on page 7. Full detail of the procedures and tests executed can be found in Appendix A.

1.5 Positive Observations

• WICS employees made themselves available to speak to us as well as proactively sharing documentation, information, and assisting with queries.
• Although the scope of the internal exercise completed could have been more comprehensive, testing completed was in line with scope and by an individual independent of the finance team.
• Following the internal review, updates have been made to the financial policies, including expense policy.
• Findings from all reviews and audits carried out have been collated into a master document where there is evidence of actions being tracked by WICS.

1.6 Key Findings

Overview

We carried out a review of the work completed by WICS which involved:

• - Interviewing the Head of Finance and the Senior Analyst who completed the review.
• - Reviewing the scope, workbook, and report produced by WICS.

Findings

1. Governance

1.1 The Head of Finance was responsible for designing and scoping the internal review, with input from the Director of Analysis. However, the scope of the review did not obtain formal input or approval from the Board prior to commencement, although the Chair of the Board did request information relating to any identifiable issues in the current financial year (23-24).

Implication

Without input and / or approval by the Board the review may not have delivered the intended assurances the Board had sought, and as such may not delivered the envisaged benefit and insight.

Obtaining formal approval would have demonstrated consensus on the review and created a record to demonstrate the Board was aligned to its aims.

1.2 Throughout the review, updates were provided by the Senior Analyst executing the review to the Head of Finance on an ad hoc basis (See finding 2.2). However, there was no formalised, documented line of reporting to the Head of Finance or the Board.

While the final report was shared with the Board, we have been unable to evidence that there was Board review of the contents, formalised acceptance of the findings, or clear Board-level accountability for actions (although we note that there is an action plan in place to address issues identified by the Grant Thornton review and the Section 22 report).

Implication

If Board involvement is limited and/or lacking in clear structure, findings are less likely to be actioned, potentially leading to continued non-compliance with the expense policy.

2. Testing Review and Documentation

2.1 The scope of the review included review of expenses from financial year 2022/23 and the first 9 months of financial year 2023/24.

To provide WICS with a detailed view of non-compliance with expenses policy requirements for receipting and approval, all expenses claims were reviewed to ascertain whether:

• i. A valid receipt was provided,
• ii. For subsistence expenses, was alcohol included
• iii. Appropriate approval was obtained.

The following tests were not performed, which would have added further insight and value to the exercise:

1. Compliance with expenses policy spending limits across expense categories (e.g. maximum cost of hotel per night etc.).

2. Key word / phrase search for high-risk items (e.g. "gift", "first class", "cash").

3. Thematic analysis of spend – for example by individual or expenses category, to establish patterns in behaviour or systemic non-compliance.

Implication

As the testing performed was narrow, the level of assurance it could provide over the culture of control for expenses was limited.

Examining categories of expenses other than subsistence (for example, flights and hotels) would have provided greater insights into the extent of claims being made outside policy.

Completion of a key word search would have helped identify transactions with a potential non-business purpose or those outside of the expense policy.

Thematic analysis would have helped to highlight individuals with the highest number and value of claims, as well as the type of claims with the highest values.

2.2 There was limited formality of the review and reporting completed. The review was carried out by a Senior Analyst, with findings and updates reported into the Head of Finance on an ad-hoc basis. Updates included whether any findings had been identified or whether additional scope areas were required. However, there is no audit trail of formalised quality review of workbooks and only verbal assurances that these were completed.

Implications

Without a clear audit trail which demonstrates the rigour of the exercise, the approach and its findings could be disputed, casting doubt on the value of the exercise as a whole.

2.3 The testing and approach set out in the scope were completed thoroughly and as defined. However, there is limited contextual detail within the workbook itself. It does not set out rationale for the items tested, or document conclusions that can be linked back to the report.

Implications

Although a member of the review team could explain the workbook, the workbook itself does not provide sufficient clarity to allow a reasonably informed person to review and understand the work completed and therefore the conclusions reached. This detail would demonstrate rigour in the approach and would also ensure the workbook can be interpreted if key team members were to leave the organisation.

3. Transactional Testing

3.1 The expense policy in place from 2018-22 noted the maximum permissible spend on flights, hotels and subsistence, as well as who should approve non-director expenses. However, following a revision to the policy in 2022, limits for permissible spend on flights was removed. The policy also did not state:

• Who should approve Director expenses.
• What (if any) were the allowances for spousal travel.
• Where alcohol is allowable in subsistence claims.
• Processes for approval of out of policy expenses.

Additionally, the policy was not updated to reflect allowances for working from home expenses during Covid-19 for the period 2020-2022.

We tested a sample of expenses claims for compliance with the policy. Our testing identified:

• From a sample of 25-line items covering hotels, flights and subsistence, 17 were in excess of the maximum amount permitted by policy.
• From a sample of 25 items expensed by the former CEO, 11 were out of policy (hotels and flights).

Whilst there may be legitimate business circumstances in which it is not feasible to book flights or hotels below the policy limit, the rationale for these exceptions was not documented for items tested.

Additionally, our sample of items expensed by the former CEO identified a high value business class flight (£18,159.56) for the Director of Corporate and International Affairs and her spouse. Whilst we understand from interviews that both were living in New Zealand at the time, it is not usual practice to expense business class travel for spouses and we cannot see evidence that appropriateness and value for money were considered before this was incurred. Further, there is no evidence of Audit Committee Chair approval in the system, as required by the policy.

Our sample also identified multiple items relating to alcohol being claimed under subsistence and home working during the pandemic (see 3.5).

Implications

The expense policy that was in place did not provide appropriate coverage of all expense scenarios that would likely take course under regular business practice e.g. approval for expenses outside of policy. This gives limited opportunity to challenge expenses practices and means that there is limited the ability to fully assess compliance against a robust framework of control after the fact.

A revised policy should consider the areas outlined and account clearly for processes for managing instances where out of policy expenditure is unavoidable.

3.2 The transactional data showed 28 instances where the former CEO uploaded several expenses ('bulk uploads') at once (between 2 and 51 line items) across the period from October 2018-June 2023.

This is not unusual practice in itself, particularly where there is a significant volume of expenses relating to a single trip. However, we would expect to see evidence that individual expenses, not just the total value, were approved.

The bulk uploads varied in value from £190.86 to £21,329.36. Expenses from the CEO should have been approved by the Chair of the Audit Committee, in line the established process. We reviewed all of these bulk uploads individually for approval, as well as reviewing a sample of line-item expenses within the bulk uploads for business purpose and compliance with the expenses policy.

Of the 28 uploads:

• No approval from the Audit Committee Chair was evident on 14 bulk uploads.
• Of those 14, 3 had a signed line item expense report.
• Where approval was received, it was as an individual value is being approved for the total bulk upload. It is therefore unclear whether expenses have been reviewed on a line-item basis. This is particularly pertinent where there are missing receipt declarations within the bulk upload. (See 3.4)

The approval workflow now requires each individual expense receipt to be reviewed prior to approval however, this was not in place during the period reviewed and so has not been tested.

Implications

Where there is no evidence of Audit Committee Chair approval, there is a greater risk that transactions with no business purpose or outside policy have been processed for payment.

3.3 Following testing of bulk uploads (See 3.2) where we found no evidence of approval by Audit Committee Chair on 14 of 28 uploads tested, we reviewed each line item description on the bulk uploads.

Following review of line item descriptions from bulk uploads, we identified 2 items for which no clear business purpose could be identified. These were:

• A Mulberry wallet costing £170.83 (August 2019)
• Glasses costing £290 (December 2018 - policy permitted claims of up to £130 for glasses)

Due to the limitations of the policy documentation at the time (see 3.1) and audit trail, we were unable to confirm who reviewed and approved these expenses.

Implications

Expenses that are being processed for non-business purposes highlight a poor control and governance environment. This does not establish anything that has not been identified in the wider reviews which have been delivered related to this matter, but further evidences the pattern of behaviour.

3.4 We reviewed 16 missing receipt declarations from bulk uploads of expenses from the former CEO, covering a period from November 2018 – June 2023.

For one missing receipt declaration, with a total value of £4,748.13, one line item with a value of £593.37 appears to have been paid twice. This appears to have occurred due to the item being included and paid as part of both the bulk upload and missing receipt declaration. The transaction was approved by the Audit Committee Chair.

Implications

Expenses processed without appropriate review and approval increases the risk that there are inappropriate and duplicate expenses processed. These transactions have been identified within sample testing and there is therefore a risk of more transactions that may have gone unidentified.

3.5 We carried out a high-level analysis of expenses by expense category and individuals claiming within each category (See Appendix B). This facilitated more detailed testing at a line-item level, in which we identified the following two points:

• 11 of the 25 subsistence claims tested were expensed with alcohol, dating back to 2019.
• There were wide-ranging values on a number of working from home expenses: chair value £90-£500, desk value £100-£600, headset value £25-£220. The Expenses policy at the time did not provide guidance on what was an acceptable amount to claim for home working.

The data does not allow for granular analysis of individual compliance with policy without a line by line review - for example, there is no separate field for the length of a hotel stay, therefore average cost per night per individual cannot be analysed.

Implications

As the data does not easily facilitate detailed analysis of compliance by individuals, the ability to generate meaningful MI and reporting across the population is limited. This should be considered going forward and a mechanism put in place which would identify potential non-compliance - for example, significant outliers against policy and/or peer group.