General Ledger final - Oxfordmycouncil.oxford.gov.uk/Data/Audit and Governance... · General Ledger...

Oxford City Council

General Ledger

Internal Audit Final Report 09_10 1.7

Assurance rating this review Limited Assurance

Distribution List

Peter Sloman - Chief Executive

Penny Gardner / Sarah Fogden - Heads of Finance

Nigel Pursey – Interim Executive Director, Finance

Anna Winship – Chief Accountant

Performance Board

General Ledger

Final Internal Audit Report

2009/10

2

Contents

Background and Scope………………………………………………………………….. 3

Our Opinion & Assurance Statement…………………………………………………. 4

Executive Summary……………………………………………………………………… 5

Limitations and Responsibilities………………………………………………………. 7

Findings and Recommendations………………………………………………………. 8

Appendix 1. Terms of Reference………………………………………………………. 18

Appendix 2. Assurance Ratings………………………………………………………. 21

General Ledger


2009/10

3

Background and scope

Introduction

This review was undertaken as part of the 2009/10 Internal Audit Plan agreed by the Auditand Governance Committee.

This report has been prepared solely for Oxford City Council in accordance with the termsand conditions set out in our letter of engagement. We do not accept or assume any liabilityor duty of care for any other purpose or to any other party. This report should not be disclosedto any third party, quoted or referred to without our prior written consent.

Background

The Authority operates their General Ledger using the Agresso system. This system issupported by a number of feeder systems which are regularly interfaced. The system isoperated and monitored by the Financial Management Team which is responsible forstatutory duties such as the preparation, monitoring and reporting of revenue and capitalbudgets; the closedown of the accounts each financial year; the publication of the financialstatements and the completion of statutory returns and claims.

Approach and scope

Approach

Our work is designed to comply with Government Internal Audit Standards [GIAS] and theCIPFA Code.

Scope of our work

In accordance with our Terms of Reference (Appendix 1), agreed with the Chief Accountantwe undertook a limited scope audit of the General Ledger.

This limited scope audit involved a review of the design of the key controls together withdetailed testing to determine whether the controls are operating in practice.

Limitations of scope

The scope of our work was limited to those areas identified in the terms of reference.

Staff involved in this review

We would like to thank all client staff involved in this review for their co-operation andassistance.

Name of client staff

Anna Winship – Chief Accountant

Marie Molyneux – Corporate Management Accountant

Dave Swan – Technical Officer

General Ledger


2009/10

4

Our opinion and assurancestatement

Introduction

This report summarises the findings of our review of the General Ledger

Each of the issues identified has been categorised according to risk as follows:

Riskrating

Assessment rationale

Critical

Control weakness that could have a significant impact upon, not only thesystem, function or process objectives but also the achievement of theauthority’s objectives in relation to:

the efficient and effective use of resources;

the safeguarding of assets;

the preparation of reliable financial and operational information; and

compliance with laws and regulations.

High

Control weakness that has or is likely to have a significant impact upon theachievement of key system, function or process objectives.

This weakness, whilst high impact for the system, function or process doesnot have a significant impact on the achievement of the overall authorityobjectives.

Medium

Control weakness that:

has a low impact on the achievement of the key system, function orprocess objectives; and

has exposed the system, function or process to a key risk, however thelikelihood of this risk occurring is low.

Low

Control weakness that does not impact upon the achievement of key system,function or process objectives; however implementation of therecommendation would improve overall control.

General Ledger


2009/10

5

Executive Summary

Department:Finance

Audit Owner:

Anna Winship

Date of lastreview:

-

Overall Opinion:

Limited Assurance

There are some weaknesses in the design and / or operationof controls around journals, suspense accounts and fixedassets which could have a significant impact on theachievement of the General Ledger but should not have asignificant impact on the achievement of organisationalobjectives. However, there are discrete elements of the keysystem, function or process where we have not identified anysignificant weaknesses in the design and / or operation ofcontrols which could impair the achievement of the objectivesof the system, function or process. We are therefore able togive limited assurance over certain discrete aspects of thesystem, function or process.

Direction ofTravel

No previousreview has beenconducted byPwC. Workconducted by theprodecessorauditor identifiedno issues.

Number ofControl Designissuesidentified

0 Critical

3 High

4 Medium

2 Low

Number of ControlsOperating in Practiceissues identified

0 Critical

2 High

3 Medium

1 Low

Key Areas of Risk

Journals are not authorised and arefrequently not accompanied bysupporting documentation

Material Fixed Asset balances arenot reconciled to the GeneralLedger on a periodic basis

Opening balances for the 2009/10year have not been rolled forward

Suspense account balances arelarge and are not being clearedregularly

Other Considerations

Use of Resources-related

Financial reporting issues mayimpact on Use of Resourcesscores

Corporate Plan-related

None noted

VFM-related

None noted

Financial Reportingrelated

Accuracy of financialaccounts is hindered byhigh risk issues raised(see key areas of risk)

Scope of the Review

To ensure that adequate controls exist overaccess and amendments to the GeneralLedger and all transactions are accuratelyrecorded in a timely manner.

General Ledger


2009/10

6

Compliance Summary

Compliance Testing

0%

20%

40%

60%

80%

100%

120%

1 2 3 4 5 6 7 8

Test

%

Expected Compliance

Actual Compliance

Tests Performed:

1. Month end closedown performed on a timely basis2. Payroll, Academy and Spectrum interfaces

performed accurately and verified as checked3. New cost centres and codes accompanied by

authorised form4. ‘Performance Matters’ reports published on a

timely basis5. Journals provided with completed input form and

supporting documentation6. Accounts Payable and Receivable reconciliations

performed and reviewed with no exceptions noted7. New Agresso user request forms in place (raised in

minor issues report)8. Agresso users still employed by the Authority

General Ledger

FInal Internal Audit Report

2009/10

7

Limitations and responsibilities

Limitations inherent to the internal auditor’s work

We have undertaken a review of the General Ledger, subject to the following limitations.

Internal control

Internal control, no matter how well designed and operated, can provide only reasonable andnot absolute assurance regarding achievement of an organisation's objectives. The likelihoodof achievement is affected by limitations inherent in all internal control systems. These includethe possibility of poor judgement in decision-making, human error, control processes beingdeliberately circumvented by employees and others, management overriding controls and theoccurrence of unforeseeable circumstances.

Future periods

The assessment of controls relating to the General Ledger is that historic evaluation ofeffectiveness is not relevant to future periods due to the risk that:

the design of controls may become inadequate because of changes in operatingenvironment, law, regulation or other; or

the degree of compliance with policies and procedures may deteriorate.

Responsibilities of management and internal auditors

It is management’s responsibility to develop and maintain sound systems of risk management,internal control and governance and for the prevention and detection of irregularities andfraud. Internal audit work should not be seen as a substitute for management’sresponsibilities for the design and operation of these systems.

We shall endeavour to plan our work so that we have a reasonable expectation of detectingsignificant control weaknesses and, if detected, we shall carry out additional work directedtowards identification of consequent fraud or other irregularities. However, internal auditprocedures alone, even when carried out with due professional care, do not guarantee thatfraud will be detected.

Accordingly, our examinations as internal auditors should not be relied upon solely to disclosefraud, defalcations or other irregularities which may exist, unless we are requested to carryout a special investigation for such activities in a particular area.

General Ledger


2009/10

8

Findings and recommendationsRef Specific risk Control weakness found Risk

ratingRecommendations Management response Officer

responsible &implementationdate

Control Design

1 Periods may not beclosed down on atimely basis.

Late closure ofaccounts at year endincreases the risk ofcut off issues in thefinancial accounts.

There is no timetable inplace to outline thedeadline for closing downthe general ledger at monthend. Best practice wouldindicate that this should beperformed no later then 7days following the monthend.

In 3/3 months tested, theledger was closed after this7 day period. In 1 case(July 09) the period wasreopened over a monthafter closedown.

Medium

A timetable should be put in placeto outline key dates for the closedown of period ends. The ledgershould be closed down in line withthis timetable and should only bereopened in exceptionalcircumstances and to ensureaccuracy of management reporting.

Agreed

A timetable will be put inplace to indicate cut off datesfor close down. The monthwill only be reopened forsignificant journals (e.g. VATreturn) and will be performedby System Administratorsonly.

Anna Winshipand Dave Swan

With ImmediateEffect

General Ledger


2009/10

9

Ref Specific risk Control weakness found Riskrating

Recommendations Management response Officerresponsible &implementationdate

2 Excessive numbersof codes may in use.

Codes may be usedincorrectly or notidentified formanagementreporting.

The Council does notundergo a regular review ofcost centres and accountcodes to ensure theyremain valid and in use.

It was noted through reviewof the ledger that 21account codes have beenset up outside of the normalcoding structure. In additionit appears that a number ofcodes have duplicatenames and descriptions(e.g. creditors, windows,unidentified corporatesavings)

Low

The Authority should seek to reviewtheir chart of accounts on an annualbasis. All dormant and duplicatecodes should be removed.

Agreed

This process was performeda number of years ago butwill be introduced on anannual basis going forward.

AnnaWinship/DaveSwan

31st

March2010

3 Inadequatemanagementinformation canresult in potentialissues not beingidentified and actedupon in a timelymanner.

Whilst the Authorityproduces detailedManagement Accounts ona monthly basis, other keymanagement reports arenot produced.

Medium

The Authority should considerdistributing a managementinformation 'pack' on a monthlybasis. This could include reportsshowing:

Significant balances onsuspense accounts;

Individually significant journaltransactions

Agreed

The production of reportsindicating significant journalsand suspense accounts willhelp to mitigate against anumber of risks identifiedduring the General Ledgerreview. These will be passedto Heads of Finance forreview.


1st

December2009

General Ledger


2009/10

10



4 Transactions areposted to the ledgerwithout adequatejustification orauthorisation.

Journals aregenerally acceptedto be moresusceptible to fraudas they are oftenbased on accountingestimates.

There is no process inplace for authorisingjournals. The Council hasintroduced a method of‘parking’ larger journalsbefore they are processedbut it is not possible toevidence this on Agresso.

High

Best practice would indicate that alljournals should be authorisedbefore being processed onAgresso.

The Council should investigate thefunctionality of Agresso to includean automated workflow for journaltransactions.

Partially Agreed

It is not deemed efficient toauthorise all journals where alarge majority of transactionsare reversed out after periodend. That said, theimplementation of a review ofall significant journals (seeissue ‘#3) will mitigateagainst the risk of materialmisstatement due to journalcalculations.

Further consideration will begiven to the journal workflowwithin Agresso.


1st

December2009

5 Fixed Assetbalances may bematerially misstated.

Reconciliations betweenthe General Ledger and theFixed Asset Register areonly performed at year end.The Council hasencountered significantissues with thecompleteness of FixedAsset data in theclosedown of prior yearaccounts.

High

Periodic reconciliations should beperformed between the Fixed AssetRegister and General Ledger. Allreconciling items should be clearedon a timely basis.

Agreed

A fundamental review ofFixed Assets is underway.Going forwards the FixedAsset Register will bereconciled to the GeneralLedger on a monthly basis.

Anna Winship

31st

December2009

General Ledger


2009/10

11



6 Close down issueswill not be identifiedbefore year endleading to anincreased risk ofaudit issues.

The Council does notcurrently perform a trialclose down before yearend.

We are aware that theCouncil is planning toscope plans for a trial closedown in the comingmonths.

High

A trial close down should beperformed ahead of the newcalendar year. This should involvereconciliation of balance sheetcodes to ensure completeness ofinformation and target testing oftransactions to supportingdocumentation. Review ofinformation for inclusion in thefinancial accounts should beconsidered.

Agreed

A trial close down is beingplanned for December 2009.

Anna Winship

31st

December2009

7 Access may not beremoved on a timelybasis leading toincreased risk ofmisappropriation ofCouncil systems.

Monthly leavers reports aresent from payroll toAgresso administrators.This ensures that allleavers are removed fromthe system.

There is no process inplace for removingtemporary agency staff.

Medium

A process should be put in place toensure that system administratorsare able to remove temporaryagency staff access rights whenthey have left.

This may involve a regular listingbeing sent from the agency contractmanager or a periodic review of allusers.

Agreed

A regular report will berequested from responsibleofficer to detail all temporaryagency staff who have leftthe Authority.

We will liaise with ICT toascertain whether a processfor informing departments ofagency staff leavers can bedevised.

Dave Swan

31st

December2009

General Ledger


2009/10

12



8 If users are removedwithout transferringtheir subscriptions,the Council maymiss key paymentdeadlines.

Retention of userson Agressoincreases the risk ofunauthorisedaccess.

Officers are able to set upsubscriptions on Agresso toallow ongoing periodicpayments to be madethroughout the year.

It was brought to auditsattention that if an officersubsequently leaves theAuthority and theirusername is parked, thesubscription payments arecancelled. These users aretherefore kept live onAgresso.

Low

A listing of all users who have setup subscriptions should begenerated and compared to leaverslists provided from payroll. Linemanagers of leavers with thisaccess should be contacted and anew responsible officer identified.Subscriptions should be moved tothe new individual and the leaverparked on Agresso.

Agreed

Mitigating controls are inplace to ensure that leaverswho have subscriptionresponsibilities cannot haveaccess to Agressofunctionalities. A call will belogged with Agresso toestablish whether a solutioncan be put in place.

Dave Swan

31st

December2009

General Ledger


2009/10

13



9 Increased risk ofdata loss orinstability.

The Council outsourcedtheir IT functions in 2009/10and consequently allresponsibilities for back upsof the ledger have beenpassed to the CountyCouncil.

No notification is sent to theAgresso systemadministrator to confirmthat backups have occurredor more importantly whenerrors have arisen.

It was commented that anissue with backup of theledger occurred inDecember 2008. Thesystem administrator wasnot made aware of thisinstance until errors werenoted by end users.

Medium

Notification should be requestedfrom the County Council to ensurethat backups have been performedcorrectly. All failures should benotified to the system administratoras a matter or urgency.

Agreed

Exception reports will beprovided to the systemadministrators should a backup fail. Reporting byexception is deemedsufficient.

Dave Swan

31st

October2009

General Ledger


2009/10

14



Operating Effectiveness

10 Procedure notesmay not reflectcurrent workingpractices thusincreasing the risk oferror and omission.

The Council upgraded theirversion of Agresso to v5.5in March 2009.

Although key procedurenotes have been amendedto reflect the new system,this has not beenperformed for allprocedures notes in place.

Medium

All procedure notes should bereviewed to ensure they reflectAgresso v5.5. Going forward,procedure notes should bereviewed on an annual basis toreflect changes in workingpractices.

Agreed

All procedure notes will bereviewed to ensure that theyare in line with the currentversion of Agresso. This willbe performed in the order ofrisk and importance. Areview date will be detailedon all documents.

Dave Swann

31st

March2010

11 Codes and costcentres may be setup inappropriately orin error.Managementaccounts may notidentify all codes forreporting.

All new codes and costcentres are accompaniedby a set up form. In 6/25new entries tested, formshad not been signed by theresponsible officers. Thesewere all in relation to capitalcost centres. An additional3 forms had not beensigned by financialmanagement to indicatethat the code had been setup in Agresso

Medium

All new codes and cost centreforms should be signed byresponsible officers before set upon Agresso.

Agreed

Checks will be performed toensure that appropriateauthorisation has beenobtained.

Dave Swann


General Ledger


2009/10

15



12 Performance data isnot published forpublic use on atimely basis.Statutory deadlinesmay not be met.

At the time of audit(October 2009), thePerformance Mattersinformation had not beenproduced for August 2009:

Low

Performance statistics should bepublished in line with the settimetable.

Agreed

Performance Board wasscheduled later in the monthand therefore reports weredelayed. Timetables shouldbe updated to reflect anyrearrangements.

Penny Gardner& SarahFogden


13 The balance sheetmay be inaccurateor incomplete.

At the time of audit, theopening balances for2009/10 had not beenrolled forward.

Medium

Opening balances should be rolledforward as a matter or urgency.This process should be formallyreviewed and documentationretained to evidence the process.

The Authority should investigate thepossibility of using a 'trigger' systemwhich will automatically roll forwardOpening Balances.

Agreed

Opening balances weredelayed due to thepreparation of the finalaccounts. This will beperformed as a matter ofurgency.

Anna Winship

31st

October2009

General Ledger


2009/10

16



14 Transactions areposted to the ledgerwithout adequatejustification orauthorisation.

All journals should beaccompanied by an inputform, supportingdocumentation and aledger print to evidence theinput. The following issueswere noted during testing of25 journal transactions:

5/25 journals could notbe provided for audit;

Of the 20 journalsavailable for testing, 9were not accompaniedby a journal form

7/20 journals did notcontain both supportingdocumentation and aledger print asstipulated byprocedures

High

The Authority should ensure thatjournals are only made upon receiptof appropriate supportingdocumentation as stipulated byguidance.

Agreed

Supporting documentation isstill being reviewed for thisissue which is agreed inprinciple.

Some of the transactionsselected for testing were ‘re-postings’ processed to movetransactions between codes.Going forward the budgetholder will provideauthorisation of thesemovements.

Anna Winship


General Ledger


2009/10

17



15 Balances may bemisstated.

The Councils suspenseaccounts have not beencleared during 2009/10. Atthe time of audit, thebalances on the suspenseaccounts were as follows:

Agresso suspenseaccount: £600k

Cash suspenseaccount £100k

High

Suspense accounts should bereviewed on a periodic basis. Allitems should be cleared wherepossible or written off if a correctioncannot be established.

Agreed

The main Agresso suspenseaccount has since beencleared and will be reviewedon a periodic basis. Officerswere aware of one large itemthat was held on suspense.This had been identified butclearing the account was notprioritised.

Efforts will be made to clearthe cash suspense accountbefore the implementation ofthe Councils new cashsystem.

We do not believe that this ahigh risk issue.

Anna Winship

30th

November2009

General Ledger


2009/10

18

Appendix 1 - Terms ofReference

Objectives and deliverables

Objectives

To ensure that adequate controls exist over access and amendments to the General Ledgerand all transactions are accurately recorded in a timely manner.

Deliverables

Our deliverable will be a report detailing our findings with regard to our assessment of thedesign and effectiveness of controls in place over the General Ledger system.

Scope and approach

Our work will focus on identifying the guidance, procedures and controls in place to mitigatekey risks through:

Documenting the underlying guidance, policy and processes in place and identifying

key controls;

Considering whether the policies and procedures in place are fit for purpose; and

Testing key controls.

The key points that we will focus on are:

All Financial transactions of the organisation are input to the ledger in a complete,

accurate and timely fashion;

All financial information and output from the general ledger system is accurate, timely

and appropriate to need; and

The system is protected against unauthorised access/ processing and is secure

against loss or damage of data.

We will discuss our findings with the Chief Accountant or nominated representative to developrecommendations and action plans. A draft report will be issued to the Head of Finance andany other relevant officers for review and to document management responses.

Limitation of Scope

The scope of our work will be limited to those areas identified above.

General Ledger


2009/10

19

Stakeholders and responsibilities

Role Contacts Responsibilities

Chief Accountant Anna Winship Review draft terms of reference

Review and meet to discuss issuesarising and develop managementresponses and action plan

Review draft report.

Implement agreed recommendationsand ensure ongoing compliance.

Heads of Finance

Interim ExecutiveFinance Director

Penny Gardner

Sarah Fogden

Nigel Pursey

Receive agreed terms of reference

Receive draft and final reports.

Chief Executive Peter Sloman Receive final report

Performance Board Receive final report

Our Team and Timetables

Our team

Chief Internal Auditor Chris Dickens

Audit Manager Katherine Bennett

Auditor Katherine Bennett

Timetable

Steps Date

TOR approval September 2009

Fieldwork commencement 5th

October 2009 (T)

Fieldwork completed T + 2 weeks

Draft report of findings issued T + 4 weeks

Receipt of Management response T + 6 weeks

Final report of findings issued T + 7 weeks

General Ledger


2009/10

20

Budget

Our budget for this assignment is 5 days. If the number of days required to perform thisreview increases above the number of days budgeted, we will bring this to managementattention.

Terms of Reference Approval

These Terms of Reference have been reviewed and approved:

...........................................................................................................

Anna WinshipSignature (Chief Accountant)

...........................................................................................................

Chris DickensSignature (Chief Internal Auditor)

General Ledger

FInal Internal Audit Report

2009/10

21

Appendix 2 - Assurance ratings

Level ofassurance

Description

High No control weaknesses were identified; or

Our work found some low impact control weaknesses which, if addressed wouldimprove overall control. However, these weaknesses do not affect key controls andare unlikely to impair the achievement of the objectives of the system. Therefore wecan conclude that the key controls have been adequately designed and areoperating effectively to deliver the objectives of the system, function or process.

Moderate There are some weaknesses in the design and/or operation of controls which couldimpair the achievement of the objectives of the system, function or process.However, either their impact would be less than significant or they are unlikely tooccur.

Limited There are some weaknesses in the design and / or operation of controls which couldhave a significant impact on the achievement of key system, function or processobjectives but should not have a significant impact on the achievement oforganisational objectives. However, there are discrete elements of the key system,function or process where we have not identified any significant weaknesses in thedesign and / or operation of controls which could impair the achievement of theobjectives of the system, function or process. We are therefore able to give limitedassurance over certain discrete aspects of the system, function or process.

No There are weaknesses in the design and/or operation of controls which [inaggregate] could have a significant impact on the achievement of key system,function or process objectives and may put at risk the achievement of organisationobjectives.

General Ledger


2009/10

22

©2009 PricewaterhouseCoopers LLP. All rights reserved. 'PricewaterhouseCoopers' refers to

PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) or, as the context

requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a

separate and independent legal entity.

General Ledger final - Oxfordmycouncil.oxford.gov.uk/Data/Audit and Governance... · General Ledger...

Documents

Transcript of General Ledger final - Oxfordmycouncil.oxford.gov.uk/Data/Audit and Governance... · General Ledger...