
Item 6 – Appendix 6f

Final Internal Audit Report General Ledger Greater London Authority March 2009

This report has been prepared on the basis of the limitations set out on page 15.


This report and the work connected therewith are subject to the Terms and Conditions of the contract dated 20/06/2007 between Greater London Authority and Deloitte & Touche Public Sector Internal Audit Limited. The report is produced solely for the use of Greater London Authority. Its contents should not be quoted or referred to in whole or in part without our prior written consent except as required by law. Deloitte & Touche Public Sector Internal Audit Limited will accept no responsibility to any third party, as the report has not been prepared, and is not intended for any other purpose.

Internal Audit Report: General Ledger 2008/09

Audit Ref: 819

Executive Summary
Introduction and Background
This audit forms part of the 2008/09 Internal Audit Plan, which has been approved by the Mayor and the Audit Panel. The plan entails a review of the systems and controls operating over the Authority’s General Ledger system.


The General Ledger is the Authority’s main accounting system and operates via the Open Accounts financial accounting software. Open Accounts is an integrated financial system that also incorporates the Authority’s Purchase and Sales ledgers. The main users of the General Ledger are the staff within Financial Services, but read-only access to the live financial information is provided to staff across the Authority based on access rights via the e-Bis system; this system provides real-time desktop reporting for budget holders. The implementation of e-Bis improves budget holders’ access to financial information significantly and results in much improved financial management across the Authority.

Since our last review of this area during 2007/08, there have been no significant changes to the control environment and this area continues to provide consistent and efficient management and control over the perceived risks within this area.

Evidence was gathered through discussion with relevant staff members and samples of prime source documents were selected and tested to evaluate the effectiveness of the controls in operation. A summary of the findings is contained within the following paragraphs.


Policies and Procedures
5. The accounting policies and procedures for the Authority are set out in the Authority’s Financial Manual and Financial Regulations. The responsibilities within the Financial Services division have not changed since the time of the previous audit. The Financial Regulations of the Authority state that the ‘Executive Director of Finance and Performance’, now the Director of Resources, is the Chief Finance Officer; the main responsibilities include the administration of the Authority’s Financial Affairs, the supervision of accounting arrangements, as well as having overall responsibility to ensure that all financial systems of the Authority comply with relevant legislation, regulations and guidelines. There is a comprehensive Finance Manual available to all staff on the Intranet which is formed of 20 individual chapters which are updated and reviewed separately. The Financial Regulations were last reviewed and updated in March 2003. From the previous audit a review of the age and the date of the Finance Manual documents showed that many of them have not been reviewed for over five years. However, Audit was informed by the Chief Accountant that the Finance Manual and Regulations are currently under review in conjunction with the new administration transition. The Corporate Governance Group is in the process of reviewing the Financial Regulations and approval will be obtained in due course. No recommendations have been raised as a result of our work in this area.


Security Access
10. The System Finance Administrator is responsible for managing access to the Open Accounts System. A New User Access form is completed and given to Finance by the Line Manager. The start date and the cost codes for which the new user needs authorisation are included on the form. New users are input onto the system by the Senior Finance Officer. Audit review and testing found that there were inadequate controls regarding the removal of users. However, Audit was informed by the Senior Finance Manager that reconciliations between the e-Bis users list and leaver reports from HR will be performed on a monthly basis. Evidence has been obtained to show that this is being pursued, and will be implemented in the near future. Accounting control functions are delegated to individuals, and our review of the Finance Manual supported the delegation of responsibilities to assigned officers. Sample testing of system users, to ensure that permissions were only granted for their respective job role, confirmed that all users had only been granted access to the functions that allow them to carry out their roles. It was confirmed that passwords to access financial information and programmes are not required to be alphanumeric or to contain any upper case characters, although such requirements are recommended. One recommendation has been raised as a result of our work in this area.


Completeness and Accuracy of Records
14. The Authority has a comprehensive Chart of Accounts for the financial systems, and this is maintained by the Senior Finance Officer. Amendments to codes, the introduction of new codes and deletion of old codes are controlled and co-ordinated strictly by the Financial Systems team and are only permitted once an authorisation form has been completed and authorisation granted by an officer with the delegated authority. It was confirmed that only the Senior Finance Manager and Officer and a few others with delegated authority are able to set up and perform code maintenance on the system. New codes, code amendments and code deletions require the completion of a standard Code Control form; a sample of new codes that were created in the past year was selected, and it was verified that these were supported by a completed Code Control form and had all been authorised by a delegated officer. The Chart of Accounts was also reviewed, and this was found to be clearly structured, with codes being split into the different directorates of the Authority. It was evidenced that this document was readily available to all staff on the Authority’s Intranet, and that it was an up-to-date document. Audit was informed by the Senior Finance Officer that the Chart of Accounts is updated and published on the Intranet on a monthly basis. However, Audit could not evidence the timeliness of this procedure and review found that there had not been an August and October version. The system was checked to ascertain whether invalid codes may be inputted on the system, with results proving that invalid codes were stopped at source. It was verified that the General Ledger provides sufficient analysis of the transactions, with the coding structure adequately reflecting the organisational structure, and breaks down the activities of the Authority. Cost centres were found to be appropriate and accurately reflected the activities; a Project Ledger and project codes for the analysis of the Authority’s programmed activities also existed, allowing clear explanations of costing. Audit testing confirmed that e-Bis users cannot input invalid codes, as codes can only be selected from a drop-down menu according to the codes to which they have been given authorisation. Therefore, incorrect codes can be selected but not invalid codes. However, in the event that codes have been selected wrongly, these will be flagged by the system and will be reviewed and amended by the relevant officer in the Finance Team. One recommendation has been raised as a result of our work in this area.

Suspense Accounts
20. The Suspense Accounts exist to temporarily hold items that are unknown, or incorrectly coded, until they can be posted to the correct account. Suspense accounts are reviewed on an approximately monthly basis and are kept reasonably clear. During the audit, a review of the two main suspense accounts determined that they are reviewed and cleared on a monthly basis. The two main suspense accounts are the General Items and Receipts suspense accounts. General Items may for example consist of Credit Card expense queries, and it is maintained and reviewed by the Finance Officer and the Chief Accountant. The Receipts suspense account is maintained by the Exchequer Team Leader and the Senior Finance Officer. Audit was informed that this account is rarely used, and when items need to be posted to the account, queries are investigated promptly. Audit review confirmed that the majority of items are cleared in approximately 30 days. On the occasion that this was not the case, it was due to Finance awaiting further information on the query. No recommendations have been raised as a result of our work in this area.


Reliability and Integrity of Transactions and Records
22. Adequate controls help to ensure that all transactions recorded in feeder systems are transferred completely and accurately to the main accounting system. The General Ledger system applies validity tests on input data to ensure that coding is correct. A standard journal containing incorrect coding was inputted to the system to test the effectiveness of this control, and it was found that the invalid code was flagged up and effectively prevented from being entered onto the system. Audit testing revealed that data and journal information can be submitted twice. However, Audit was informed by the Principal Accountant and the Team Members that compensating controls are in place in the form of manual checks to ensure that information is not resubmitted. These manual checks include the reconciliation process and the review stage when processing journals, whereby duplication of information and journals will be identified. No issues were identified in this respect. No recommendations have been raised as a result of our work in this area.


Journals and Manual Adjustments
24. Journals are input via the uploading of spreadsheets, with the system forcing an audit process to be followed before the journal is posted to the accounts. A sample of 15 journal entries was reviewed, from three different journal types. These were General Ledger Journals, Project Journals and Cash Journals. Budget journals will be tested during the Budgetary Control audit during 2008/09. Audit testing found that hard copies with supporting documentation for three of the 15 journals could not be found. In addition, three of the 12 journals from the Cash journal samples did not have a signature evidencing that a review had taken place and authorisation given, so it was not possible to establish whether the journal had been input before or after authorisation was received. For all of the sample entries, it was found that the initiator was clearly identified on the journal input form and in most cases, where relevant, journal entries can be traced back to supporting documentation to confirm that transactions were legitimate. Throughout the audit trail for journals, reasoning for the transfer could not be evidenced. In addition, audit review found that there were no documented procedures for the processing of Journals. Procedures will ensure that different journal types are processed (where applicable) in a consistent manner, for example by setting out when supporting documentation should be retained on file, which documents need authorising and by whom, when information can be input and processed, and that authorisation sheets contain a brief explanation behind the transfer. Two recommendations have been raised as a result of our work in this area.


Bank Reconciliations
29. Bank reconciliations are performed on a monthly basis, with supporting documentation being kept on file. The bank reconciliations take the form of reconciling the bank balance to the General Ledger, taking into account any unreconciled items. Bank reconciliations are prepared by the Senior Finance Officer, certified by the Senior Finance Manager and reviewed and signed by either the Chief Accountant or the Head of Financial Services. Audit review confirmed that reconciliations are performed on a monthly basis, and only identified the October reconciliation as not being completed in a timely manner. As at the 3rd December, this was still to be reviewed and certified as accurate. This was discussed with the Senior Finance Officer, and it was confirmed that the system was still to be closed down for the period, which was planned for approximately five days later, and variances needed to be fully investigated. This was considered to be reasonable, and therefore no further recommendation has been raised. No recommendations have been raised as a result of our work in this area.


Year-end Procedures

The annual accounts are closed down at the Year-end, and all balances are brought forward into the new financial year. The Financial Services team is responsible for circulating guidance on the closure of accounts at the year-end to all relevant parties. A Closedown Timetable is also planned to be completed and distributed to staff for the current financial year by January/February 2009. It details the roles and responsibilities of staff members, and the dates by when tasks should be completed. Audit was further informed by the Chief Accountant that a Closedown workshop has been made available to staff, to ensure that the process, roles and responsibilities, and key dates are known and understood. Thirty members of staff have attended the workshop since February 2008. No recommendations have been raised as a result of our work in this area.

Audit Opinion
Substantial Assurance

Evaluation Opinion: While there is a basically sound system there are weaknesses, which may put some of the system objectives at risk.

Testing Opinion: There is evidence that the level of non-compliance with some of the controls may put some of the system objectives at risk.


Observations and Recommendations
In order to assist management in using our reports:

a) We categorise our opinions according to our assessment of the controls in place and the level of compliance with these controls.

Full Assurance: There is a sound system of control designed to achieve the system objectives and the controls are being consistently applied.

Substantial Assurance: While there is a basically sound system, there are areas of weakness which put some of the system objectives at risk, and/or there is evidence that the level of non-compliance with some of the controls may put some of the system objectives at risk.

Limited Assurance: Weaknesses in the system of controls are such as to put the system objectives at risk, and/or the level of non-compliance puts the system objectives at risk.

No Assurance: Control is generally weak, leaving the system open to significant error or abuse, and/or significant non-compliance with basic controls leaves the system open to error or abuse.

b) We categorise our recommendations according to their level of priority.

Priority 1: Major issues for the attention of senior management.

Priority 2: Other recommendations for local management action.

Priority 3: Minor matters.


Security Access
1. Alphanumeric Passwords
Recommendation
Passwords used to log into the e-Bis and Open Accounts system should be alphanumeric and contain upper case, in addition to being over six characters long.

(Priority 3)
Rationale

User access to Financial information and records should be highly secure. Compulsory password settings to include letters as well as numbers, and upper case, will ensure that access to the e-Bis and Open Accounts systems remains secure. Audit review found that passwords were not required to be alphanumeric or contain upper case characters. Passwords with no preconditions expose the system and the Authority to unauthorised user access.

Management response: Head of Technology Group
Under consideration. The format of passwords is determined by the financial software provider and is outside the control of the Authority. We have contacted the provider to determine whether this can be done and at what cost. However, as the Authority is currently considering changing providers, it may not prove to be cost effective to pursue this recommendation in relation to the current financial system.


Completeness and Accuracy of Records
2. Timely update of the Chart of Accounts
Recommendation
The Chart of Accounts should be updated and published on the Intranet every month in a timely manner.

(Priority 3)
Rationale

Timely review and updating of the Chart of Accounts will ensure that members of staff are using the correct codes. This will in turn reduce the time spent trying to investigate and correct the codes. Audit review found that there were no August and October versions of the Chart of Accounts. In addition, it is not possible to determine the timeliness of the updated document as the date recorded on the document only states the month and year. During the audit it was found that November’s version had been completed on the 3rd December. There is a risk that codes will not be updated and made known to staff in a timely manner. Wrongly input codes will distort the monthly reconciliation balances.

Management response: Senior Finance Officer
Agreed. This has already been implemented.


Journal Entries and Manual Adjustments
3. Segregation of duties for journals
Recommendation
A different officer should be responsible for the preparation/input and the authorisation/review process for each journal. All journals should be retained on file with relevant supporting documentation.

(Priority 2)

Rationale
Ensuring that there is a different officer responsible for the different stages of the processing of journals will result in adequate segregation of duties. Audit testing found that three of the twelve journals tested could not be evidenced as having been input or authorised/reviewed by different officers. It has been noted that the journals in question were all Treasury journals. Furthermore, hard copies with the supporting documentation for three of the fifteen journals tested could not be found. Without adequate segregation of duties there is risk to the Authority that fraudulent activity may go undetected.

Management response: Chief Accountant
Agreed. A reminder will be issued to staff involved in the raising and authorisation of Treasury journals. Deadline: March 2009.


4. Processing Journals Procedures
Recommendation
Guidance procedures on the input, recording, review and authorisation stages of processing journals should be documented and communicated to staff. The procedures should include that a brief reasoning for the journal transfer be included on the authorisation sheet.

(Priority 2)

Rationale
Procedure notes for processing journals will ensure that there is consistency in how they are done between the different types of journals, and that they are appropriately authorised. Audit review and testing found that there were no specific procedure notes with regards to processing journals, which therefore resulted in a lack of consistency. For example, cash journals are the only journals to complete an authorisation sheet. Lack of guidance on the processing of journals may result in inconsistencies in procedures amongst the different types of journals. This may result in a number of things, including inadequate segregation of duties, authorisation not being provided, lack of supporting documentation, lack of reasoning for the transfers.

Management response: Chief Accountant
Agreed. Implementation: March 2009 – Reminder will be issued to all staff involved in the journals process; and April 2009 – Procedures will be documented and circulated to staff.


Appendix 1 – Audit Framework
Audit Objectives
The audit is designed to ensure that management has implemented adequate and effective controls within the Authority’s General Ledger system, to ensure the sound administration of the Authority’s finances.

Audit Approach and Methodology
The audit approach was developed with reference to an assessment of the risks and management controls operating within each area of the scope. The following procedures were adopted:
- identification of the role and objectives of each area;
- identification of risks within the systems, and controls in existence to allow the control objectives to be achieved; and
- evaluation and testing of controls within the systems.

From these procedures we have identified weaknesses in the systems of control, produced specific proposals to improve the control environment and have drawn an overall conclusion on the design and operation of the system.

Areas Covered
Audit work was undertaken to cover controls in the following areas, to ensure that:
- Clearly defined policy and procedures are being maintained to support effective processing within the general ledger system, and that roles and responsibilities have been clearly defined and communicated;
- All data held within the General Ledger system is secure and access is properly controlled and restricted to only authorised officers. In addition, that access rights for all users are reviewed frequently to reflect changes in responsibility and starters and leavers (as appropriate);
- Effective controls have been established to confirm the completeness and accuracy of the general ledger coding structure;
- Effective controls exist for the timely review and update of suspense accounts in accordance with approved procedures;
- All data entry to the general ledger system is checked for completeness and accuracy and has been authorised in accordance with the approved procedures prior to input, and interfaces with feeder systems are subject to sufficient control;
- Journal entries and manual adjustments are complete, valid, supported by adequate supporting documentary evidence and appropriately authorised in accordance with the approved procedures;
- Effective controls have been established to confirm the completeness and accuracy of the bank reconciliation process in a timely manner; and
- Effective controls have been established to confirm that year-end closure of the general ledger accounts is complete, accurate and timely.


Appendix 2 - Staff Interviewed
We would like to thank all staff that provided assistance during the course of this audit, and in particular:
- The Chief Accountant (Frances Nguene)
- The Senior Finance Manager (Meriton Krasniqi)
- The Senior Finance Officer (Karen Collymore)
- The Management Accountant (Andrew Reeve)
- The Treasury Manager (Martin Boyle)
- The Exchequer Team Leader (Shawn Marriott)
- The Finance Officer (Anthony Alleyne)
- Senior Human Resources Manager (Patrick Alleyne)


Statement of Responsibility
We take responsibility for this report which is prepared on the basis of the limitations set out below. The matters raised in this report are only those which came to our attention during the course of our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist or all improvements that might be made. Recommendations for improvements should be assessed by you for their full impact before they are implemented. The performance of internal audit work is not and should not be taken as a substitute for management’s responsibilities for the application of sound management practices. We emphasise that the responsibility for a sound system of internal controls and the prevention and detection of fraud and other irregularities rests with management and work performed by internal audit should not be relied upon to identify all strengths and weaknesses in internal controls, nor relied upon to identify all circumstances of fraud or irregularity. Auditors, in conducting their work, are required to have regard to the possibility of fraud or irregularities. Even sound systems of internal control can only provide reasonable and not absolute assurance and may not be proof against collusive fraud. Internal audit procedures are designed to focus on areas as identified by management as being of greatest risk and significance and as such we rely on management to provide us full access to their accounting records and transactions for the purposes of our audit work and to ensure the authenticity of these documents. Effective and timely implementation of our recommendations by management is important for the maintenance of a reliable internal control system. The assurance level awarded in our internal audit report is not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board.

Deloitte & Touche Public Sector Internal Audit Limited St Albans March 2009
In this document Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms and their respective subsidiaries and affiliates. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte”, “Deloitte Touche Tohmatsu”, or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein. In the UK, Deloitte & Touche LLP is the member firm of Deloitte Touche Tohmatsu and services are provided by Deloitte & Touche LLP and its subsidiaries. Deloitte & Touche LLP is authorised and regulated by the Financial Services Authority. ©2009 Deloitte & Touche Public Sector Internal Audit Limited. All rights reserved. Deloitte & Touche Public Sector Internal Audit Limited is registered in England and Wales with registered number 4585162. Registered office: Hill House, 1 Little New Street, London EC4A 3TR.
