Internal Audit Assurance Bank Automation Project 2014/15 ... b.pdf · possible and contacting relevant departments for assistance as needed. Examination of the control spreadsheets

Appendix B

Internal Audit Assurance Bank Automation Project 2014/15

Introduction

The purpose of this assignment is to provide independent assurance to management regarding the adequacy and effectiveness of the system of controls and procedures that have been developed throughout the Bank Automation project. The project has required fundamental and radical change in the way the Council’s financial systems operate in order to realise the potential efficiencies of electronic banking and automated reconciliation.

The change of banking service provider was the catalyst to overhaul the established ground up controls and procedures developed to support a predominantly manual paper based process. This has included an upgrade to the Civica Icon cash receipting system and the implementation of additional back office modules.

This assurance is based on observations and discussion with various officers in Financial Services and the Programme Office, all confirmed by transactional testing focussed on key changes in the system and in conjunction with the Bank and Cash Audit Review.

Income posting Comprehensive assurance

Overview of assurance

The key objective of the Council’s financial systems is to ensure income transactions are posted correctly and promptly to the general ledger and to any relevant departmental system. The upgrade to Civica Icon in September 2014 included radical changes to the long established method of payment and fund codes. The testing therefore confirmed how each way payments can be made to the Council is recorded in Icon and that the payment flowed to the correct general ledger code and was allocated to the relevant invoice or account in the subsidiary systems. Analysing payments for a given transaction type now needs selection using a combination of criteria rather than simply by method of payment or fund code or to download data from the WebPay system used by the cashiers. At this stage it has not been possible to identify a payment made via the Planning portal after all the Icon upgrade.

Establishing conditions to allocate payments to the correct fund is fundamental to bank automation. The Interim Accountant advised that the same process has been used for income and disbursements and an observation of this for the latter confirmed a defined process was followed to identify suspense postings and set additional conditions to prevent them.

Allpay administers the Council’s cash payments made at third party Paypoint outlets and Post Offices with reference information taken from a barcode on the invoice or account documentation issued to the customer. This payment method has not previously been evaluated and changed significantly as part of bank automation. Transaction limits of £200 and £1,000 apply respectively although the customer may make multiple payments at the same time. Testing was devised that also confirmed how these multiple transactions behave and compared the values paid to the amount owed to gain assurance regarding the validity of payments. Transactions were selected to confirm consistent posting through the various system changes during the project. The transactions were successfully traced from the Allpay file report, into the correct fund in Icon and on to the general ledger. In all 23 accounts with multiple transactions were examined, 21 council tax, one benefit overpayment and one invoice. Generally the individual payments reflected the monthly instalment value or the Paypoint transaction limit. The amounts paid on four council tax accounts did not correspond to any documentation issued. These payments were allocated to the account in Academy according to the account information presented by the customer and the amount they decided to pay. The financial system therefore works correctly, but the opportunity to identify an inappropriate payment through a face to face transaction at a Council office no longer exists.

Appendix B

Suspense accounts Comprehensive assurance

Overview of Assurance

The main improvement and efficiency has been achieved through automated posting of payments made directly to the Council’s bank using an electronic file from the bank. This avoids processing delays arising from manual entry of each bank statement transaction into Icon and releases resources to identify those with insufficient reference information that are posted to a suspense account further delaying allocation to the relevant debt. Automation began in May on an interim arrangement allowing payment information to be analysed to develop conditions that would post the majority of payments to the right place immediately on receipt. New suspense arrangements were set up to manage this and keep transactions specific to this phase separate from earlier and subsequent phases.

Analysis of transaction volumes shows that for 2014/15 prior to automation in mid-November, 23% of bank account transactions were posted initially to suspense. Following bank automation this drops to 13% and in fact taking out the items where remittance advices are received, providing the details for correct posting, the true suspense is only 7%. This is an amazing achievement. Some remittance advices consist of numerous separate transactions that need to be manually input, however there are plans to automate as many of these as possible where there are efficiency savings to be made. Suspense balances for 2014/15 as at 1 April were only £12,239.

This fantastic result is down to a disciplined team effort prioritising the activity every day to match bank entries to remittance advices received, identifying correct details where possible and contacting relevant departments for assistance as needed. Examination of the control spreadsheets confirms that most entries are resolved and allocated correctly the same day.

Reconciliation Substantial assurance


Reconciliation activity has been centralised within Financial Services wherever possible and automated as appropriate. Now that cash is no longer accepted at Council offices, reconciliation of cheques to system entries is undertaken at location rather than till level as part of banking preparation. A single reconciliation for card payments is carried out centrally on a daily basis between the Icon transaction listing and the card report received from the merchant services provider.

Suspense funds in Icon are reconciled to the corresponding general ledger codes in Total finance system, also confirming the activity recorded in the suspense control spreadsheets mirrors the financial transactions processed. This is completed before the bank statement file for the previous day’s transactions is imported into Icon.

Transactions will automatically reconcile in the Bank Reconciliation module of Icon when the bank statement entries exactly match the Icon system entries by reference and value. Allpay transactions are regularly paid at the same value and so these are manually reconciled within the bank reconciliation module to ensure allocation is made to the correct entry based on dates. Council offices banking and bulk card payment transactions in the bank statement are also reconciled using the manual reconciliation option. Bailiff payment files are imported into the Icon system only when the corresponding bank statement entry appears to ensure these transactions are correctly matched. Manual adjustments are required for car park and Carnegie income which were not posting to bank reconciliation module.

A monthly reconciliation of the bank statement balances to the general ledger is completed independently of the income recording processes. This is a key financial control that accounts for the timing and any other differences between the Icon system and the corresponding bank statement entries. Two general income reconciliations were performed in November one on the eve of bank automation and again at month end when two versions were completed, one continuing the methodology of previous months and the other reflecting the various system enhancements. Both were successfully balanced, but required significant adjustment to achieve. Thereafter a methodology more suitable

Appendix B

for the electronic banking arrangements has been developed, but still needing much manual adjustments and is continuing to evolve and improve as the systems and transaction behaviour is better understood.

Rationalisation of bank accounts Substantial assurance


The Council’s banking services provider switched to Barclays from 1 April 2014 with the HSBC general income account remaining open until the end of November for payers to make the transition. In addition a Santander account remained open for payments made via Girobank which received very little use and has now been closed. Alternative arrangements for payment at Post Offices are now available using Allpay.

Following previous arrangements, accounts with Barclays were set up for general income, cashiers collection, disbursements and unpaid cheques. It has become increasing clear to the Financial Services officers responsible for managing the banking arrangements that this segregation is no longer relevant, most likely having its roots in the historic ground up approach, relying heavily on manual processes that has simply not moved with the times.

The cashier’s collection account entries consist of bulk card payments, banking deposits by Customer Services and Carnegie Theatre and car park income collected by security company. Each location’s transactions are recognisable by distinct referencing representing a bank paying in slip. There is also a separate unpaid cheque account that relevant transactions are transferred into and out of. Officers have confirmed that these accounts do not provide any benefit in matching system to statement entries as using filters selects only the relevant transactions. In fact additional adjustments are needed as part of the monthly income bank reconciliation process as a result.

The decision has been made by Financial Services management to consolidate all such transactions into the general income account and officers envisage a far simpler reconciliation regime based on Icon Bank Reconciliation module reporting. They are considering making this top level reconciliation a daily task as it may be just as easy to do this incorporating the existing daily controls whilst providing better assurance and earlier identification of problems.

Conclusion Substantial assurance

Overview of Assurance (to be included in project highlight report)

Transaction testing has confirmed posting of income to general ledger, subsidiary and departmental systems that has remained consistently accurate throughout, with each key change distinguishable in the records.

The volume of income transactions posted to suspense has reduced from 23% to 13% during the project. Remittance advices are received for half of these, reducing the proportion to only 7%. This activity is prioritised so that the vast majority are re-allocated the same day. Financial Services have worked closely with others to achieve this.

Effective system filters allow Icon users to select those transactions where intervention is needed to match corresponding Civica Icon system and statement entries, otherwise this is automated. The disbursements account has not yet progressed to this stage.

A high level, centralised regime of key independent accounting controls has been developed, improving efficiency, whilst providing assurance regarding the accuracy and integrity of income data. Further improvements are planned including rationalising the number of bank accounts to take advantage of the functionality of electronic banking and these need time to become consistent and embedded.

There is a feeling of energy about those involved in the project as the benefits are clear and there is enthusiasm to make further improvements and resolve the remaining issues currently being worked around. Provided these expectations are achieved, the assurance evaluation will improve beyond the current level.

END OF REPORT

Appendix B

Postal Vote Assurance – Internal Audit Assurance 9 June 2015

Introduction

The purpose of this assignment is to provide independent assurance to the Corporate Director of Resources that: Only electors registered for postal votes are able to vote by these means and duplicates have been identified and rejected.

Project Assurance Statement

Based on the evidence reviewed, observation of the process and discussions with key officers substantial assurance can be provided that only electors appropriately registered to vote have voted by these means. No duplicate ballot papers were accepted for the sessions tested based on the unique bar code reference. Electors who were defined as cancelled or deleted for the election on 7 May 2015 did not cast a vote.

Limited assurance was available for the operational understanding of the Elections software, oversight of operational system administration and exception reporting. Having more exception processing information available to staff reconciling and managing the postal votes would have improved the efficiency and effectiveness in terms of resource spent.

Scope and Objective

In particular the following areas will be considered, in order of priority:

Applications to apply for postal votes

The process of verifying postal votes received

The AVantGuard system controls

The end to end process from application to vote

The process to identify and manage duplicates and rejected postal votes

Confirm that cancelled and deleted voters follow procedure and have not voted

The Scope of the review will comprise

The identification and review of key documentation.

Interview and enquiry with key officers.

The identification and documentation of systems and procedures and

Substantive testing of key controls within the system.

Review of scanned images and data within the AVantGuard and Eros system

Postal Vote Processing Assurance

Two postal sessions were selected to provide assurance that the postal vote process was adequately controlled. That those who registered to vote via post had followed the agreed application process and the postal vote statement (PVS) was agreed or rejected appropriately. The sampling of the electors was designed to specifically include those where there would be a higher chance of error or exception, for example where two electors at the same address have the same initial and surname.

For the two postal opening sessions were randomly selected for substantive testing to confirm:

No duplicate ballot papers were processed in that session

Poll registers confirmed the postal electors names were appropriately marked with ‘A’ and with a line through to show the poll clerk they were registered to vote via post.

A valid postal application was recorded for the elector, scanned images of

Appendix B

applications for each voter were examined.

The scanned image for the PVS corresponded accurately to the application recorded for the elector.

The decision to reject the postal vote was appropriate in all cases for the sessions tested.

Total Votes processed over the two sessions tested – 665 Total number of rejected votes – 10 Number of rejected votes tested – 10 Number of accepted votes tested – 31

When independently tested all postal votes sampled were found to be supported by accurate and complete evidence.

Cancelled or duplicate votes

Cancelled and duplicate PVSs and ballot papers are held securely in a sealed ballot box, these are not available to view after the ballot box has been secured. A court order is required to open the box to access the documents inside.

The Elections Officer provided a system report from Eros detailing a list of cancelled or deleted electors, a sample was selected to confirm:

They did not vote via post, the scanned image of the PVS was confirmed to be blank for the voter

Their names did not appear in any form on the relevant polling station register for their name and address

They had been removed as a elector for a valid reason

Total electors cancelled / deleted – 238 Total of electors selected to confirm no vote was accepted – 15 Number of electors tested who were registered for a postal vote – 6 Number of electors tested who were removed due to moving house – 12 Number of electors who were removed as they were deceased – 3

It was confirmed when independently tested that all deleted / cancelled electors sampled did not vote in the election on 7 May 2015.

Exceptions and Issues

The following exceptions and issues arose during this review:

Duplicates – The AVantGuard system highlights the occurrence of a duplicate elector PVS and rejects it. The system does not record duplicate postal votes received in the session summary information, duplicates are identified by the unique bar code on each PVS issued. Duplicates could occur in the instance of an electors ballot paper and PVS being re-issued due to them reporting their ballot papers as misplaced or lost in the post for example. A verbal account from a Senior ICT Officer was given of an instance where a duplicate PVS was scanned, they confirmed that the system recognised this as a duplicate and immediately removed this vote from the session information. Due to any evidence in relation to this event being securely locked in the ballot box, this could not be independently verified.

Some unique bar code reference numbers have an extra digit – The bar codes on the postal ballot papers have 12 digits, some unique identifier bar codes had 13, this signifies a re-issue. An exception of this nature was reviewed and in this case was an elector who had registered as a waiver.

Provisionally rejected votes submitted to wrong opening session – There were 9 provisionally rejected votes entered into the wrong opening session initially (but the same election so the election count would be correct) and caused the session statistics for PVS processed and the manual supervisor counts not to match. The elections team have contacted the software provider Halarose who have provided a response and a solution for future postal vote processing. These were manually adjusted by the technical system

Appendix B

administrator afterwards to allocate them to the correct vote session. An audit report detailing these actions has been reviewed, it shows all 9 being provisionally rejected then accepted into the correct vote session. One of these votes was given reason unknown for manual acceptance this was a manual error.

Rejected votes – From the ten rejected votes tested three electors entered the voting date rather than their Date of Birth. This could be an area to improve the presentation and directions to increase the volume of accepted postal votes.

Having more exception processing information available to staff reconciling and managing the postal votes would have improved the efficiency and effectiveness in terms of resource spent to process the postal votes.

END OF REPORT

Appendix B

Internal Audit Report Bank and Cash Audit Review 2014/15

Introduction

As part of the 2014/15 Internal Audit Plan, a review has been undertaken of the control activities, policies and procedures currently in place in respect of banking and income recording provided by Allerdale Borough Council. The aim of this review is to provide management with assurance that the system is robust and operating as intended and provide recommendations for improvement to add value and improve the achievement of objectives. This review has been undertaken on a walkthrough basis which consists of testing a single transaction only, for each way customers are able to make payments to the Council, unless control weaknesses are identified requiring further examination. The 2014/15 financial year has seen unprecedented change to the systems in place. There is a new banking services provider, the Council ceased taking cash payments, the use of Paypoint outlets, significant cash receipting system upgrade and automation of bank statement postings and reconciliation. Sample selection has taken these alterations into account to optimise the assurance gained. This audit review has been conducted in tandem with the Bank Automation project assurance assignment to allow the testing under each to inform the other. The objective and scope of this audit was defined in the audit brief issued to all relevant staff on 4 March 2015. A guide to the assurance provided for each area within this report will be provided as a supplement when the report is issued. Internal Audit would like to thank all staff involved during the course of the review for their help and assistance.

Income recording – manual entry Substantial assurance


Transactions tested comprise:

cash (April and May only)

car park ticket machine income

cheque (face to face and by post)

credit and debit card transactions face to face and telephone

Records confirm appropriate data has been captured to enable correct posting of income transactions both in the Council’s financial systems and departmental applications and the automated allocation of unique transaction references providing traceability.

Areas for improvement

The Document Management Team (DMT) no longer list cheques received by post on departmental Postal Remittance sheets. This provided a record of income as soon as possible on receipt. They record the number of cheques received for each department in a log book signed by two officers present at post opening. An officer from Development Services may collect their cheques and paperwork signing the log book to confirm receipt. On 18 March 2015 there were two for Planning and one for Building Control recorded in the log book. The officer then takes them to a Customer Services Advisor (CSA) for processing, before taking the receipt with the paperwork to the department. Otherwise they are held in a tray and passed to a CSA with the log book. During an observation on 18 March 2015 the CSA checked the number of cheques and signed the log book to confirm she had received the remaining 21 before starting to enter them into the system whilst working on the front desk. Other CSAs assisted when they had the opportunity between customers. This does not allow for a batch control to provide assurance over the completeness of input. The cheque list produced at end of day cash-up listed 19 postal and two attachment of earnings cheques, which must override the postal criteria to enable

Appendix B

correct posting in departmental systems.

Examination of the cheque list is not conclusive, but it is likely that the Development Services payments have been processed as counter cheques. This demonstrates however that the process is not sufficiently robust to confidently deal with any complaints from customers regarding missing postal cheques. Apart from this the method of payment data will be needed to develop a strategy to manage customer expectations should the Council cease taking cheques.

CSAs continue to post car park ticket machine income from the Daily Collection recording sheets completed by Parking Services officers. The transaction selected was posted on 13 October, but related to income collected on 29 September the recording sheet having been emailed to two CSAs on 30 September. This significant posting delay leads to difficulty with budget forecasting as the financial systems are way out of step with the departmental applications. This task cannot be done whilst dealing with customer enquiries partly due to the level of detail required making it time consuming and because a different process is used. It also duplicates data held in the Parking Services database.

Agreed actions

1 – Medium priority

Arrangements should be put in place to improve the accuracy of method of payment selection for postal remittances to provide assurance that all cheques received through the post have been entered into the cash receipting system and that management information used for future payment method decisions is reliable.

Associated Risks

Postal remittances are not entered into the Council’s financial systems.

Customer complaints regarding missing postal remittances cannot be answered with confidence.

Decisions regarding future changes to payment methods and the communication strategy developed is impaired due to inaccurate management information.

Response

Development Services officers collecting documentation and getting the cheques processed before the others is not routine. If cheques are processed in this way in future the processing cashier will receive them in a file to highlight these payments should be recorded as postal cheques.

Responsible Officer Due Date

Customer Services Team Leader Completed

2 – Medium Priority

An alternative streamlined process for posting car park ticket machine income should be introduced that takes account of all aspects. As well as aligning the task to the available resource, duplicating the transactional detail in the financial systems that is present in the departmental system, should be avoided, unless this can be automated. A robust monthly reconciliation between the departmental and general ledger would be a fundamental part of this approach.

Associated Risks

Inefficient process duplicates income data input to financial and departmental systems. Significant additional adjustments for timing differences needed for budget forecasting and for decisions based on financial data.

Additional adjustments needed in monthly bank reconciliation for timing differences.

Response

Waiting for the e-form templates from Civica, which will allow training to commence, the date provided is considered realistic.


Senior Accountancy Assistant Technical 30 October 2015

Appendix B

Income recording – automated Comprehensive assurance


Transactions tested comprise:

cash at Paypoint outlets and Post Offices

automated credit and debit card transactions (telephone and internet)

direct payments to the bank (on-line banking, standing orders etc)

The codes used to record these payments changed during the year as the bank automation project progressed. The specific project assurance assignment provides most of the assurance over these changes, however the transaction testing has been fundamental to understanding the flow within and between systems and confirming that the accuracy of income postings has been maintained throughout the changes.

Transactions that continued to be paid directly into the HSBC account after the switch to Barclays and a Santander account that is used for Girobank transactions have continued to be entered manually. These accounts have now been closed. From 16 May 2014 bank statement files from Barclays were uploaded and sorted electronically according to defined conditions automating the posting of individual payments to the correct fund. This was improved with the full bank automation from 14 November 2014. Those bank statement transactions with insufficient reference information to satisfy the defined conditions are automatically posted to a suspense fund according to whether a remittance advice is expected. These transactions are prioritised within financial services ensuring there is always cover for the various tasks so that the vast majority are transferred to the correct fund the same day.

Four transactions were selected from each suspense fund and remittance advices located for three of the four from fund XC. The Accountancy Assistant confirmed the other to be a counter payment at the bank which was resolved by a telephone call. Fund X4 holds the true suspense items although transactions may be posted there simply because the reference information is not in the precise format recognised by the defined conditions as was the case for one of the sample. These are easily corrected by the Finance admin team and there are those where a departmental reference is quoted which they deduce or recognise. Others need more investigation and they are reliant on what others tell them or their best guess from the limited information they can gather. Sometimes payments will go to the wrong place, but relationships have been built with other services to resolve these quickly. In conclusion a resilient and responsive suspense activity has been developed which gets great results in terms of timely and accurate posting of income.

Areas for Improvement

Migrating the handling of cash transactions to Paypoint outlets and Post Offices diminishes the Council’s ability to recognise potential money laundering activity as it occurs. Post Office staff should be well versed in such matters, but it is less likely to be the case at Paypoint outlets. There is a £200 Paypoint transaction limit providing some safeguards, but the customer is able to make multiple payments during a single visit to the outlet enabling them easily pay larger bills. The Council’s anti-money laundering response becomes reactive to overpaid accounts where the processing of refunds needs to be given greater scrutiny. The specifics of this to be addressed as part of the Debtors and Revenues audit reviews.

Financial Services recognise that there is still more to do to minimise suspense items and intend to work with regular bulk payers to develop automated solutions where the number of transactions from an organisation make this worthwhile. Another aspect worth looking into is working with other services to see whether the documentation issued can be clearer to help customers identify the right information to provide with their payment.

Income reconciliation Substantial assurance


Going cashless, electronic banking and the increased automation this facilitates has

Appendix B

allowed key financial controls in the income and banking system to be streamlined and centralised removing duplication. Daily cash-up is by location rather than till, consisting of reconciling cheques for banking against the system total and the reconciliation of card payments is only done centrally, as confirmed by observation.

At the end of each day debtors and miscellaneous cash files are uploaded to the Total finance system and the total values entered onto a manual Daily Slam Up Control sheet. The following morning reports from Civica Icon are run to complete the rest of the control sheet ensuring the top and bottom sections balance. Again this has been confirmed by observation.

Each morning the Civica Icon suspense funds are reconciled to the corresponding Total general ledger codes, also confirming the spreadsheet suspense control record is in agreement. This is completed prior to importing the bank statement file received overnight for the previous day.

The Senior Accountancy Assistant (SAA) performs the monthly income bank reconciliation between Total general ledger, Icon cashbook and the bank statements. February 2015 reconciliation was successfully re-performed.


Importing the debtors and miscellaneous cash files to Total is a task performed each day that could be automated once the issue regarding numerical costing ledger codes has been resolved. There would need to be a daily task the following morning to correct any suspense postings, but the occasional delays in posting cash would be avoided and it is expected that Total will provide a more robust audit trail than the annotated printed cash file report currently in use.

The monthly bank reconciliation regime has not yet settled into a consistent format. The SAA has plans to make further improvements in conjunction with rationalising the bank accounts, using system reports as a base which she anticipates will make this key financial control simpler to perform without the level of adjustment that is currently needed.

END OF REPORT

Appendix B

Internal Audit Review

Council Tax Walkthrough Audit Review 2014/15

Introduction

As part of the 2014/15 Internal Audit Plan, a review has been undertaken of the control activities, policies and procedures currently in place over council tax administration at Allerdale Borough Council (ABC). The aim of this review is to provide management with assurance that the system is robust and operating as intended and provide recommendations for improvement to add value and improve the achievement of objectives, if appropriate. A guide to the assurance provided for each area within this report is provided in the attached Internal Audit Opinions document. Internal Audit would like to thank all staff involved during the course of the review for their help and assistance, in particular, the Revenues Manager (RM), the Senior Revenues Manager (SRO) and the Revenue Control Officer (RCO).

Main Billing Process Substantial Assurance

Overview of Assurance.

As part of the main billing process ABC obtain all appropriate information from Cumbria County Council, the Police authority and the Town/Parish Councils to assist in determining the Council Tax (CTAX) setting procedure culminating in a report being put before Council for agreement of the CTAX base in the timescale that complies with legislation.

The Academy system requires the billing parameters for Band D properties to be manually input into the system and the system then calculates the correct CTAX for all other bands as per the following formula, Band A 6/9th, Band B 7/9th, Band C 8/9th, Band E 11/9th, Band F 13/9th, band G 15/9th, and Band H 18/9th. The review established that there are good controls in place, prior to the CTAX bills being produced, to confirm that the correct details had been entered in to the system with regard to Band D properties and that the system had correctly calculated the CTAX for all other bands.

A sample of individual accounts are examined by the CTAX Section to establish that all details are correct, this includes the correct banding, correct calculation of any relevant discount, instalment dates and calculations, and percentage increases are in line with the Council Tax setting resolution. Copies of all accounts examined are retained and each account is dated and initialled by the officer reviewing it.

Once data has been confirmed as being accurate all appropriate records are directly transported to Cumbria Mailing Services, this includes DVD’s which are encrypted and password protected. A certificate of Compliance with the Data Protection Act 1998 is signed by Cumbria mailing and retained by ABC. Once the mailing process is complete the DVD’s are collected, transported to ABC and destroyed by the ITC Section.


Although the certificate of compliance with the Data Protection Act 1998 has fields for both parties to sign it could be improved be having separate field for those signing to print their names. This would provide clarity of who has signed if any issues arise with Data Protection.

This is considered a minor issue and has been discussed with the RM who has amended the certificate as discussed therefore there is no requirement for a recommendation.

New Properties Substantial Assurance


CTAX receive monthly correspondence from the Council’s Building Control section with regard to new properties and improvements to current properties. The information for each property is recorded on a control spreadsheet and a Revenues Building

Appendix B

Commencement form is issued to a visiting officer, who uses the form to record progress following site visits. The spreadsheet is updated from the information recorded by the visiting officer. On completion of the work a skeleton property is set up on Academy and once a week a report is obtained and forwarded to the Valuation Office (VO) for banding purposes.

On a weekly basis a report is obtained from the VO site of all new and amended bandings and these are fed into the Academy system with reports printed off and reconciled to agree the correct number of properties in each banding.

The review established that there are good controls in place for the identification of new properties, improvements to current properties and the implementation of new and changed bandings into the Academy system.


The review identified that although the Revenues Building Commencement form is being used to record building progress following site visits it is not being signed off properly by revenues staff on completion of the work to confirm that all amendments and/or additions have been made in Academy in order that correct bills are raised as appropriate.

This issue has been discussed with the RM who has confirmed that he will issue instructions for the form to be completed and signed off correctly.

New occupants Comprehensive Assurance


Following the receipt of information with respect to new occupants all the relevant details are entered into the Academy system on a daily basis and the system is updated instantly. At the end of each day the process for a new bill run is implemented, bills produced and despatched. Integrity checks are undertaken and any amendments carried out prior to the despatch of bills.

Details of the change to one property were selected and the account reviewed to confirm all the appropriate details had been amended.

Testing as part of this review confirmed that the system for recording details of new occupants and the production of bills is as prescribed.


None

Refunds Comprehensive Assurance


If a refund is due following the change in a discount, exemption or liability the details are recorded in to the Academy system by an officer with the correct access level and then the refund has to be authorised by either the RM or the SRO. The system prevents the authorisation of a change being performed by the same officer who originated the refund and as part of the review this control was demonstrated by the SRO who attempted to authorise a refund she had generated and the system prevented her from doing so.

Once a week reports are run to create all the refunds in Academy and to identify any errors and/or warnings, which are reviewed and amended as required. Once complete a Payments Production Report (read only) is run and reconciled with the Refunds Report and if agreed the report is run in the live system environment. The details of the total amounts are forwarded to the Finance section who agree them with the BACS file and cheque total (if appropriate) and process the payments. All refunds are posted to individual accounts. One refund from the report was selected and traced to the individual account which confirmed that it had been posted correctly.

Testing as part of this review confirmed that the system for initiating, paying and posting of refunds to individual accounts was as expected.

Appendix B


None

Collection and Ledger Reconciliation Comprehensive Assurance


Each evening there is a procedure automatically run in Academy to interface and post CTAX payments to individual accounts. As part of this review I ascertained the total of the amounts posted to individual accounts on the 23 February and reconciled this to the total recorded through the cash receipting system. In addition, one individual payment was selected and traced through to the CTAX account. Both totals reconciled and the individual payment was posted to the correct account for the right amount.

The procedure for initiating direct debit payments was confirmed and the production of the various reports for direct debits due on the 1 March 2015 was reviewed. As part of the review the total amount due was reconciled with the amount recorded through the cash receipting system and one payment was selected and the amount confirmed as being posted to the correct account.

The Revenues and Benefits Performance Team provide the Finance Section with a spreadsheet, on a monthly basis, of all totals in Academy and these figures are fully reconciled with those within the general ledger. As part of the review the total figures for the different areas examined have been reconciled to the figures obtained from the general ledger.

Testing performed confirmed that the procedure for posting all payments to individual accounts and the reconciliation of Academy totals to the general ledger totals was as prescribed.


None

END OF REPORT

Appendix B

Internal Audit Report Debtors 2014/15 – Walkthrough

Introduction

As part of the 2014/15 Internal Audit Plan, a review has been undertaken of the controls and procedures in place in respect of the Debtors system at Allerdale Borough Council (ABC) which now incorporates trade waste income. The aim of this review is to provide management with assurance that the system is robust and operating as intended and provide recommendations for improvement to add value and improve the achievement of objectives. Most observations for this audit review have taken place after 31 March 2015. After this date Financial Services have implemented paperless processes archiving reports electronically and scanning relevant documents for attachment to transactions, making further progress to smarter ways of working. Four of the six agreed actions from the last audit review have not yet been implemented, however the bank automation project has taken precedence during 2014/15 as well as the debt recovery project aligning financial and legal processes so this is understandable. These remain relevant to improving the efficiency of the system and continue to be followed up as part of agreed action monitoring for reporting to the Audit Committee. A guide to the assurance provided for each area is included at the end of this report. Internal Audit would like to thank all staff involved during the course of the review for their help and assistance, in particular, the Debtors Clerk.

Invoice and credit note processing Comprehensive assurance


Four distinct processes are used in the debtors system (sundry debtor, periodical, trade waste and service processed) and a sample invoice and credit note from each was selected for testing. The supporting records retained and transactional data held in the debtors Ledger for the sample transactions reflected the process observed with the Debtors Clerk confirming consistency of application throughout the 2014/15 financial year. Batch controls are used to confirm the accuracy and completeness of data input. See the specific section below regarding trade waste invoicing.

The processing timescale for invoice requests could not be confirmed as dates of receipt were not recorded, however the sample of credit notes were processed within 5 working days.


Agreed action one from the 2013/14 review to streamline the processing of recurring invoices for periodical charges is progressing and an extension for implementation agreed to 31 August 2015. It was acknowledged in last year’s report that this may require a long term strategy involving other services to achieve.

Trade waste invoice processing Substantial assurance


Trade waste invoices are processed quarterly in arrears by uploading a file exported from the Mayrise application. The export files are verified by the Senior Accountancy Assistant (SAA) against a control spreadsheet verified by the trade waste team. Any discrepancies identified are referred back to them for resolution before the invoices are processed.

The export file for quarter four 2014/15 invoices was created on 15 April 2015, but could not be processed due to 94 discrepancies which were resolved, allowing the file upload to take place on 1 June 2015. As the file held invoice and payment due dates relative to the 15 April production date these had to be amended to reflect the revised timing. The SAA took great care to ensure she identified and amended the correct elements of the text file data, testing a small sample. Invoices and credit notes for ad hoc services and variations

Appendix B

to standard contracts are input individually by the Debtors Clerk as described above. A solution to automate this is being looked into. A clear audit trail of the discrepancies and amendments has been maintained by Financial Services through to verification that correct values have been invoiced.

Roughly two thirds of trade waste invoices are sent by email and the SAA advised that system records enable them to verify that the number emailed and printed to be sent by post agrees to the number produced.


The number of discrepancies had not been experienced in previous quarters and the reason for them is not yet understood. The experience with quarter four 2014/15 invoices highlights that when things do not go as expected, significant additional work is created across the trade waste and finance teams, hence the change in assurance evaluation for billing compared to the Trade Waste Project Assurance Report from 2013/14 covering the migration to Total. A reliable invoicing process will be fundamental for plans to move to direct debit payments to be realised.

The incorrect invoice details were uploaded into the Total debtors ledger and each invoice transaction was manually corrected by the Debtors Clerk, which was a lengthy process contributing to the invoices finally being ready for dispatch on 3 June 2015. A productive meeting was held with the Mayrise software supplier on 17 June 2015 when a number of system functions were identified that users had not previously been aware of. These will assist in several areas and actions were agreed by the attendees to manage things better at the next quarter and identify the cause should the same problem recur.

The delay in processing the quarter four invoices has had a clear impact on the Council’s cash flow to the tune of £186,000 (assuming payment within credit terms). It also makes budget monitoring harder as timing differences need to be taken into account. This will also have a knock on effect for the quarter one 2015/16 billing, which will be delayed to avoid issuing invoices to customers too quickly in succession.

Payment Comprehensive assurance


All payments are posted initially to the Civica Icon cash receipting system and a cash file uploaded to the debtors ledger at the end of each day by the SAA. The Debtors Update Report produced as part of this is reviewed by the Debtors Clerk the following morning who allocates any payments manually that the system was unable to match to an invoice.

Payments without a valid customer reference are posted initially to the Debtors suspense account. This is well managed with transfers to the correct account and invoice being made promptly.

Payments for the sample invoices were all allocated promptly to the appropriate invoice including two which were initially posted to the general ledger suspense funds before being corrected the same day.

Debt recovery Substantial assurance


Weekly debtor recovery runs are undertaken picking up overdue invoices. In February a new stage was added to the process that had previously been performed by Legal Services. After the reminder letter and referral to the originating department, a Letter Before Action is produced before referral to Legal Services after a further week if the debt remains unpaid, all at weekly intervals. The Debtors Clerk is meticulous in her approach, annotating the recovery listing with exceptions, ensuring correspondence is not issued if customers have disputed the invoice or have advised of other reasons for delayed payment. In these cases the recovery activity is temporarily suspended until the following week. From 1 April 2015 the listings are exported to excel to provide an electronic version of the previous manual system.

Appendix B

Legal costs and annual premises licence invoices are not progressed through the sundry debtors recovery process. The former because they are covered by the separate legal debt recovery process and the latter because the relevant legislation requires the licence to be suspended. These are permanently suspended from the recovery activity when they first appear on the recovery list.


Implementation of three agreed actions from the last audit review relating to improvements in the debt recovery area is being aligned with progress on the Debt Recovery Project. This entails redesigning the entire process resulting in changing roles and responsibilities across the finance and legal teams in conjunction with the Financial Services and Governance restructures. The selection of the Civica Legal application will enable Total Enhanced Recovery to be utilised allowing far more flexibility in recovery progression and process design including built in intervention in recovery progression based on specified criteria. This is currently at testing stage and it is considered that implementation of interim arrangements to complete the agreed actions would not have been cost effective. In the meantime there remains a high level of manual intervention in this particular process. As an example on 11 March 2015 the Debtors Clerk processed a recovery hold on 34 invoices because the customer pays by instalments. This must be repeated each week until the full invoice amount has been paid.

As part of the paperless initiative the scanned image of the invoice or credit note requisition is attached to the corresponding transaction. The way these appear does not allow the Debtors Clerk to distinguish between requisition documents and notes she has added to record reasons for intervention in the normal debt recovery progression, without viewing the note on every transaction appearing on the weekly recovery list processed after 1 April 2015. An alternative method is currently being tested.

Whilst the Licensing team have access to view the status of licence invoice transactions on a case by case basis they rely on a periodic meeting, usually monthly, with the Debtors Clerk, to discuss action to be taken on the outstanding debts. A spreadsheet listing all outstanding licence invoices collated by the Debtors Clerk is used as a basis for this procedure which has not changed since the last review. The spreadsheet is used to cross reference the invoice with the licence reference used by the service. It was agreed during this review that in future this reference will be input at invoice processing stage in the Alternative invoice reference field which will allow users to search for the invoice transaction using the licence reference alone. This should help with implementation of agreed action five from the 2013/14 audit review relating to improving the timeliness of notification of these debts to the service and reviewing the need for the spreadsheet record. The Senior Land Charges and Licensing Officer advised that the meetings are not frequent enough for them to comply with the legislation to suspend unpaid licences. Weekly notification of debts as they become overdue in line with normal recovery progression would improve this.

Ledger reconciliation and Write offs Comprehensive assurance


The Period End Reconciliation for March 2015 was reviewed and all supporting records confirmed as present. It had been performed by the Debtors Clerk and countersigned by the Interim Accountant providing independent oversight.

Complete records of write offs have been retained for each quarter. Quarter two trade waste and quarter three accounts receivable were selected and the recommendation, authorisation, continuity of records and processing of transactions was consistently and accurately recorded following a sample of four different reasons for write off.

END OF REPORT

Appendix B

Internal Audit Review Payroll Walkthrough Audit Review 2014/15

Introduction

As part of the 2014/15 Internal Audit Plan, a review has been undertaken of the control activities, policies and procedures currently in place over payroll administration at Allerdale Borough Council (ABC). The aim of this review is to provide management with assurance that the system is robust and operating as intended and provide recommendations for improvement to add value and improve the achievement of objectives. A guide to the assurance provided for each area within this report is provided in the attached Internal Audit Opinions document. Internal Audit would like to thank all staff involved during the course of the review for their help and assistance, in particular, the Senior Accountancy Assistant (SAA). Within their 2014/15 workplan Grant Thornton will be undertaking specialised IT assurance work to satisfy them that the SAGE payroll system is functioning as they would expect for materiality purposes. This review has also provided the opportunity to validate and evaluate elements of the three lines of defence in place to manage the key operational risks to the Payroll service. The Payroll service risks have been discussed during the organisation wide assurance mapping exercise and the mitigating actions in place detailed as part of the risk assessment. In addition to this, discussions were led by Internal Audit to establish the three lines of defence in place for the day to day operations within the Payroll service. The overall assurance profile for Financial Services will be presented upon completion of the statutory system reviews. This is the first payroll walkthrough review on the new SAGE system, the team are committed to driving forward further improvements and efficiencies and Internal Audit will support these improvements through further advice and guidance.

Amendments to payroll standing data Limited Assurance

Overview of Assurance.

A single starter, leaver and mover was tested for accuracy, integrity of information and completeness over the process for employees, starting, leaving and changing position through the SAGE Payroll system. The three employees tested did result in the information being accurate within the payroll system although it is in some cases unclear from the forms used who has taken what action and where responsibility lies between the Payroll Team and Human Resources (HR).

Due to the implementation of the new payroll system a full organisation establishment list to full payrun reconciliation was completed for the December 2014 payrun. This proved difficult as at the time of testing an ‘all inclusive’ establishment list could not be provided. The benefit of this test is to provide assurance that the area of the business managing the people resources and distribution and deployment of these corresponds to the financial output from the organisation in terms of who we are paying a salary to. The anomalies identified between the records included name changes, bank account name differentials, casual employees and one payee on the payrun BACS submission with no name, which has since been rectified by the Payroll Team.


The SAGE Payroll system is managed by a number of users within the HR and Payroll services. During the input of the new starter there were steps completed in the process observed which were unclear and ambiguous, further training should be provided to ensure all users with access to the payroll system are fully competent to carry out their designated roles. The need for payroll data integrity is paramount and the necessity for users to have full awareness of the impact of all actions taken within the system is heightened by the fact the system regularly requests users to update the system when a system update is released.

Appendix B

The number of users with access to SAGE is limited due to the software being designed for small businesses where multi user access is unusual. SAGE version updates cannot be completed centrally, but must be applied individually to each user’s workstation. Users are therefore kept to a minimum to reduce the likelihood of a future version conflict which can corrupt the database. For Internal Audit to view the system a virtual environment was created with strict guidance from the ICT service as to the risks to data integrity arising from accepting changes or updates within the system.

Currently the SAA Payroll is the system administrator of the SAGE Payroll system and has access to all operational and system administration functions of the system. This arrangement reduces the assurance of separation of duties between HR and Payroll when making changes to standing data. The update link from the SAGE HR to SAGE Payroll system is not currently functioning which is creating duplication and repetition of tasks. The update from SAGE Payroll to SAGE HR is completed monthly, however a report detailing the update content does not exist. Further work needs to be completed to agree the useful fields in SAGE for both HR and Payroll to ensure useful management information for both teams is maintained.

Internal Audit are in the process of providing some advice and guidance to the teams involved to assist them define a process that will maximise the assurances available in respect of the data integrity and to assist in the distribution of responsibility so the right people are doing the right tasks in the most efficient way.

Agreed actions


Improve the Payroll Notification Form so each action is clear who has completed it and why/what they are signing for to confirm where accountability and responsibility lies.

Associated Risks

Roles and responsibilities are not clear Duplication of process steps – checking other steps have been completed Steps are missed or assumed complete Assurance around the process is unclear

Response

Agreed and process will also considered to ensure maximum efficiency.


SAA Payroll and HR Advisor 15 June 2015


An establishment list should exist detailing who resides in what post for all areas of the business and how much this costs.

Associated Risks

Operational resource information is inaccurate Decisions are based on inaccurate information Information and risks around casual workers employed are not managed effectively

Response

Improvements in finance already in place with the introduction of Total salary budget modelling. A meeting is planned between the HR advisors to improve the information in the establishment list.


HR Advisor 15 June 2015

Payroll Payrun Limited Assurance


Observations were completed of the pay run process for January 2015 including the submission of statutory deductions and the monthly independent reconciliation,

Appendix B

appropriate assurances were in place for the payrun process. It must be acknowledged that the payroll has remained on time regardless of the change of operating system to SAGE from 1st April 2014 and employees will have noticed little difference other than they now benefit from an electronic payslip.

There is a methodical approach to the payrun process and reports are run to compare previous payrun outputs to current months expected output and two Payroll officers scrutinise the report to detail why differences have occurred to confirm there are valid reasons. There is no longer a requirement to manually submit end of month payments and reports to Her Majesty’s Revenues and Customs as there is a facility within the SAGE payroll system for this to be uploaded automatically. This improvement has reduced the time spent on this monthly task and the Payroll Team find this function excellent.

A monthly reconciliation of the SAGE output to the General ledger (GL) is now completed independently of officers directly involved with the payroll processes. An observation was completed and although this was the first time the officer had completed it, she had excellent procedure notes to follow which made the task straight forward. At the suggestion of Internal Audit the appropriate bank statement detailing the payrun values is now also included in the reconciliation process to enhance the assurance over the system. This was suggested as a source of additional assurance due to the need for a manual transfer of information to the Total GL rather than an interface between the GL and the SAGE Payroll system.


The authorising officer for the monthly payroll scrutinises the BACS Pay transfer report and confirms the total agrees with the BACS submission report by signing and dating the report. The authorising officer also questions any exceptional values and people who leave, but this is specific to each authoriser’s differing approach and is not a prescribed control.

The monthly transfer of information to the GL from SAGE Payroll is a completely manual process which only one officer in Financial Services has the knowledge to complete. This process requires the output from SAGE payroll to be transformed via spreadsheet analysis to create a report format that can be received accurately by Total GL. This approach took some time to devise and the SAA explained it was the only option after there were issues experienced directly after go live with the GL update for payroll. This is not ideal, integration between the systems would be more efficient, effective and reduce the scope for human error.

The report detailing the differences between current and previous months pay is produced manually and this is annotated under dual control using the electronic payslip information as a reference, the comments are saved for the respective month. December 2014 was reviewed, each field with an increase was noted, this was for the majority of the workforce due to the statutory pay increase and would have been time consuming. The SAA Payroll signed, ticked and dated the report to confirm this assurance over the acknowledgement of all differences. Agreeing parameters for these exceptions reports would allow more assurance to be obtained from reviewing in more detail the high value/high change transactions.

Agreed actions


A clear picture of the management oversight actions taken when authorising the monthly payroll should be provided to strengthen the second line of defence.

Associated Risks

Assurances are based on fact rather than assumption Level of assurance is defined Second line of defence is weak

Response

Build this into exception report

Appendix B


Interim Accountant and SAA Payroll 30 June 2015

4 – High Priority

Procedures for the creation of the month end output file to be uploaded to GL should be created and the knowledge shared.

Associated Risks

The output from the SAGE Payroll system is not entered into the Total General Ledger in an accurate timely manner The information in the GL relating to staffing costs is inaccurate or incomplete Accurate budget forecasting activities cannot take place

Response

Will approach Copeland for their approach and document the procedure, request total 1st/2nd June to see options for upload.


SAA Technical and Accountancy Assistant 30 June 2015


Parameters should be agreed for payroll exception reporting at an appropriate level that will improve the quality of assurance gained from confirming that payroll exceptions and changes made above the agreed thresholds are valid and accurate.

Associated Risks

Inefficient use of resources Quality of assurance is not maximised

Response

Exception reporting will be developed and inform the authorisation process to give clear management oversight.


Interim Accountant 30 June 2015

Hourly and Overtime Pay Substantial Assurance


The SAGE Payroll system does not allow for the calculation of overtime and hourly pay to be created in the system, therefore this has to be recorded in a spreadsheet separately and then the totals for each employee are entered into SAGE manually.

One hourly paid claim and two overtime claims were tested to confirm the process and accuracy of output, minor errors were in relation to miscalculation of half an hours pay and a minor discrepancy due to a change in an increment adjustment which had already been partially adjusted by the payroll team.


The iclaims system for mileage provides an electronic solution for claims, this reduced the need for manual processes and double keying. An electronic solution for processing overtime and hourly pay would reduce the time spent on this area and place responsibility with the authorising officers for accuracy and completeness.

The Payroll Team need to be confident that all claims received are appropriately authorised to confirm the payment is valid, whether this be by email submission by the authoriser or a manual form with the original signature. Due to the changes in management and responsibilities resulting from restructure and ongoing change, the Certificates of Financial Authority in place for the approval and authorisation of payments of this kind should be reviewed. Updating this key process would assist to improve the assurance that those authorising this expenditure have the authority to do so.

Agreed actions

Appendix B

6 – Low Priority

Revisit the manual process for hourly paid and overtime claims and consider other processing options to improve efficiency and accuracy.

Associated Risks

Claims paid are not appropriately authorised Payments are inaccurate Payments made are not for hours worked Payments are not processed by payroll deadline in the event of staff absence Process is time consuming

Response

Hourly pay has reduced since the Carnegie has transferred to the trust, the team will start scanning these documents and revisit the process to ensure maximum efficiency.

Responsible Officer Due Date SAA Payroll 30 May 2015

Travel and Subsistence Claims Substantial Assurance


A claim from the months April, October and November 2015 were tested to confirm the assurance in place over the process. All information was considered to be accurate and complete.

Manual forms are currently completed with the signature authorisation process still in place, all forms tested were completed by the employee as expected. The Council’s ICT team created a program called iclaims to allow one point input of claims of this nature with the intention that this would remove the need for manual forms and reduce duplication, however this has not yet been rolled out for officers and members to use.

The Payroll Team input the information into the iclaims facility based on the information on the manual forms received. The iclaims is a program specifically written to accurately calculate mileage and record information for each employee with an electronic interface so this information is allocated to the appropriate payroll record in SAGE. For the sample tested all payslip information was accurate when compared to the manual documentation.


Drivers declaration forms were not in place for the sample tested, there has recently been an intranet notification by the Health and Safety Advisor to remind users of the need to submit these by 30 April 2015 and those outstanding will be followed up in an individual basis. The purpose of this declaration form is to obtain assurance from each individual driver that they have the required insurance and licence to carry out on the road work activities, without these there is a risk they would not be insured in the event of an accident.

The full benefits of the iclaims system will not be realised until this is rolled out to users and members to input their own claims at source. When there is a corporate decision taken to roll this out Internal Audit will be happy to assist the team with any control, assurance and risk mitigation evaluations.

Risk and Service Continuity Limited Assurance


Risk management and assessment activities have taken place as part of the Integrated Assurance framework providing results and actions from the assurance mapping exercise. The Payroll service would be considered a priority service particularly if a business continuity scenario arose close to the monthly payrun date. Officers within the payroll service are not aware of specific operational plans for payroll, however in the case of an event occurring they could default to paying the previous month’s payrun as a contingency plan.

Appendix B

Due to the SAGE Payroll system not conforming to the organisations back up cycle and the reliance on a Payroll officer to manually back up the system on a daily basis there is an increased risk that some payroll data would be lost should a data restoration action arise.


Clarity around business continuity requirements for the Payroll service need to be communicated and agreed. Deputies for key back up tasks should be identified to ensure the system can be operated and backed up in confidence in the absence of the SAGE Payroll System Administrator.

Internal Audit have worked with representatives from Payroll and HR to create a schedule of tasks where action needs to be taken to identify who does what and to improve the accountability and responsibility for processes, this should also highlight where the main lack of deputies lie. They have agreed this as an improved way forward and will all take time to complete their areas, this should improve confidence and ownership for all involved in the people and Payroll processing.

Agreed actions


Business continuity requirements for the payroll service needs to be established and communicated particularly due to the systems back up regime operating outside the organisations back up protocol.

Associated Risks

Assumptions are made based on back up best practice Back up is missed due to human error or lack of deputies

Response

Nominated deputy SAA Technical


SAA Payroll 31 May 2015

8 – High Priority

To drive efficiency and improvement the who does what, when and why payroll and HR schedule of tasks should be completed in full and agreed by management. A joint communication workshop involving all concerned to share accountability and responsibility for all tasks is fundamental to improve assurances over the people and payroll processing.

Associated Risks

Repetition of tasks and additional ‘checking’ due to lack of awareness of what steps in a process have been taken and by whom Ownership and responsibility of tasks is not agreed Tasks are completed by officers who have not received the necessary training The integrity of the system data is flawed Departmental independencies are not understood or managed

Response

Both Finance and HR teams are keen to develop this and agree the most efficient processes together.


Senior Accountancy Assistant Payroll 15 June 2015 Senior Accountancy Assistant Systems HR Advisor

END OF REPORT

Appendix B

Internal Audit Final Report Treasury Management 2014/15

Introduction

As part of the 2014/15 Internal Audit Plan, a review has been undertaken of the control activities, systems and processes currently in place for the Treasury Management at Allerdale Borough Council (ABC). The aim of this review is to provide management with assurance that the system is robust and operating as intended and provide recommendations for improvement to add value and improve the achievement of objectives. A guide to the assurance provided for each area within this report is provided in the attached Internal Audit Opinions document. Internal Audit would like to thank all staff involved during the course of the review for their help and assistance, in particular, the Senior Accountancy Assistant (SAA).

Treasury Management Records and Reconciliation Substantial Assurance


It is evident from the information reviewed that there are continuous improvements to record management in the Treasury Service. Documentation is now scanned and filed electronically and the introduction of a new Daily Investment Checklist provides an excellent snap shot of the treasury position on the given date to inform both dealers and authorisers of counterparty balances and actions. The process for daily cash flow management is now more streamlined due the availability of daily electronic bank statements, information is easy to access and in real time, allowing more informed projections and pre-set warnings where counterparty limits are reached.

The controls around the completion of the reconciliation for both principal investment and interest were reviewed, a sample of transactions from the treasury management transaction summary for 2014/15 were selected to verify on the respective bank statement, cash processing interface system and the Total General Ledger. The reconciliation is completed by an officer who no longer has the permissions to deal in treasury transactions but is an emergency authoriser, these records are in good order. Bank statements are now saved into the Financial Services shared area daily for both disbursements and income, this allows for efficient independent reconciliation and all transactions recorded by the treasury service for February 2015 were successfully referenced to the Total General Ledger.


To further improve record management and fully benefit from the efficiencies of reducing paper and smarter ways of working there should be clear guidance for the finance assistants as to what manual records need to be retained post scanning. There should be careful consideration of what assurances can be gained from retaining information, in particular internal processing documents in both electronic and paper format.

A follow up of the agreed actions from 2013/14 identified the need for the Treasury Management consultancy agreement to be detailed on the organisations contract register, this register is currently a work in progress and although the contract is detailed, the whole of contract life costs have not been detailed. Contracts are being looked at in depth by the contracts group and addressed on a priority basis, based on contract cost and the operational need to review.

Treasury Management Transactions Comprehensive Assurance


An observation of the process and controls for treasury management investments were completed on a day where four investments to different counterparties took place. The documents differ for internal investments to the Councils bankers Barclays (treated as internal transfers) and investments to external counterparties, although the two step

Appendix B

independent process for payment creation and authorisation is in place for both. The observation was successful and all information was accessible electronically along with the corresponding counterparty confirmation and bank statement.

Due to the functionality of the Barclays system, payment templates are created and stored for regular investment payments, the processing officer confirmed that the creation of any new templates requires two officers to complete the process. This functionality reduces the margin of error and effort when processing payment information, the investment value and date is all that is required when inputting an investment. This system is really quick and straight forward, the process is more structured and by design the easy to follow template provides additional assurance that those processing payments occasionally can do so quickly and efficiently.

Two returning investments were also reviewed to provide assurance over the repayment process, this was found to be accurate and timely.

Risk Management and Business Continuity

Limited Assurance for Business Continuity, Substantial for risk management


The officers responsible for Treasury Management have taken part in the assurance mapping exercise during 2015. This information has been used to build a picture of the assurances in place through all three lines of defence in the Treasury Service. The Officers in post have a high level of knowledge and experience in this area and this is clearly visible through the output and organisation of the service. Risks were discussed and evaluated during this process and thorough responses were provided. A training session for members and officers (including internal audit) was provided by the treasury consultants Sector, this was informative and useful from a governance perspective to highlight the impact of economic and financial market risks on treasury decisions.

Although the organisation lacks a corporate business continuity plan, some services have considered their own operations and have informal plans to ensure service continuity. The Relationship Manager at Barclays confirmed that in the event of our ICT systems and Barclays secure card readers being inaccessible there are arrangements in place to allow treasury business to continue. It would be possible to make investments with both Barclays; by telephone banking and other external counterparties; by attending the branch and completing the documentation required for a same day transfer. After speaking to the business relationship manager at Barclays they verbally confirmed that the authorisation of such transactions would only be permitted in line with the specified bank mandate.


Assurance over the management of the key treasury risk identified during the assurance mapping exercise would be greater enhanced through the formalisation of roles and responsibilities particularly where officers do not have a job description as a minimum. The Financial Services restructure is in progress which will hopefully improve accountability and responsibility in the future.

In the absence of a functional relocation site at present, details of how the Treasury Management function could be promptly and securely operational should be documented. The new arrangements agreed with Barclays should be documented for assurance and clarity for those managing these plans in the event of a business continuity scenario. To complete treasury transactions basic counterparty account information would need to be provided to Barclays to make a same day payment, at present these are held on the network files and on an informal basis in the key Treasury Officers memory. The same applies should the team need to request repayment of any investments from the respective counterparties. Information needed to complete treasury transactions should be identified and held securely to support business continuity plans.

The use of templates for treasury management transactions is now standard practise for day to day treasury investments, account information for regular counterparties is set in the Barclays system and is rarely altered. It was explained that in the event of the business

Appendix B

continuity scenario an investment could be sent to any bank account and sort code providing the bank mandate transaction authorisation was fulfilled. Barclays would complete a signature verification and telephone confirmation with their Allerdale contact prior to sending the same day payment. The likelihood of this scenario occurring is low however due to the potential financial impact it would best practice to ensure the financial controls are equally robust for both manual and electronic treasury payments. A recommendation has been raised to reduce this risk.

Agreed Action

1 – High Priority

The bank mandate should be updated to ensure in the event of processing a same day manual transaction, payments are only made where two authorising signatories are present in branch.

Associated Risks

Treasury investments are not secure

Unnecessary risks and opportunities are presented

Business continuity arrangements are not controlled

Treasury management transactions are not completed in line with agreed policy and procedure.

Response


Senior Accountancy Assistant 31 July 2015

END OF REPORT

Appendix B

The following paragraphs are included at the end of each Internal Audit Report: In line with the Public Sector Internal Auditing Standards Internal Audit will monitor all current and future agreed actions. Actions will be recorded in the Covalent performance management system or its successor system. This will allow officers to directly update their progress and give managers the opportunity to monitor these actions. Implementation dates are agreed before the Final report is issued, amendments to these dates must be agreed with Internal Audit prior to changes being made within Covalent. The assigned actions will appear on users’ Covalent homepage. Updates and details of implementation can be completed by the officers assigned to the actions at any time. The record of the agreed actions updates within Covalent will be used to provide information required by the Senior Management Team and Audit Committee.

Agreed actions are graded according to the level of importance and severity of the issues identified. This grading falls into the following three categories:

High – There is a control vulnerability that could result in failure to achieve corporate objectives, reputational damage, lead to material loss, exposure to serious fraud or failure to meet legal or statutory requirements. This includes material non-compliance with the Constitution, Financial Regulations or Council policies and procedures. Managers should address high priority recommendations urgently to rectify the situation.

Medium – The system or procedure lacks adequate control that could result in failure to achieve operational objectives, non-material loss, or non-compliance with departmental operational or financial procedures. This would also include minor non-compliance with Financial Regulations. Although not fundamental to system integrity these risks should be addressed promptly as the next priority.

Low – To implement this would be good practice to improve or enhance the system and the achievement of objectives. Several low risks in combination may give rise to concern.

This information is available separately in the Internal Audit area of the intranet document store and can be provided with audit reports for information.

Guide to the assurance evaluations

Comprehensive There is a sound system of controls designed to meet objectives, manage risks and controls are consistently applied in all the areas reviewed.

Substantial There is a good system of controls and risks are managed. However, there are opportunities for improvement in the design or consistency of application that will assist in the achievement of objectives identified as being at risk in the areas reviewed.

Limited Key controls exist to help achieve objectives and manage principle risks. However, there are opportunities for improvement in the overall control environment which would enhance the design and application of controls, thereby assisting the achievement of objectives identified as being at risk in the areas reviewed.

Minimal The absence of basic key controls or the inconsistent application of key controls is so severe that the audit area is open to abuse or error. Risks to objectives are not being managed.

Internal Audit Assurance Bank Automation Project 2014/15 ... b.pdf · possible and contacting relevant departments for assistance as needed. Examination of the control spreadsheets

Documents