General Ledger final - Oxfordmycouncil.oxford.gov.uk/Data/Audit and Governance... · General Ledger...
Transcript of General Ledger final - Oxfordmycouncil.oxford.gov.uk/Data/Audit and Governance... · General Ledger...
Oxford City Council
General Ledger
Internal Audit Final Report 09_10 1.7
Assurance rating this review Limited Assurance
Distribution List
Peter Sloman - Chief Executive
Penny Gardner / Sarah Fogden - Heads of Finance
Nigel Pursey – Interim Executive Director, Finance
Anna Winship – Chief Accountant
Performance Board
General Ledger
Final Internal Audit Report
2009/10
2
Contents
Background and Scope………………………………………………………………….. 3
Our Opinion & Assurance Statement…………………………………………………. 4
Executive Summary……………………………………………………………………… 5
Limitations and Responsibilities………………………………………………………. 7
Findings and Recommendations………………………………………………………. 8
Appendix 1. Terms of Reference………………………………………………………. 18
Appendix 2. Assurance Ratings………………………………………………………. 21
General Ledger
Final Internal Audit Report
2009/10
3
Background and scope
Introduction
This review was undertaken as part of the 2009/10 Internal Audit Plan agreed by the Auditand Governance Committee.
This report has been prepared solely for Oxford City Council in accordance with the termsand conditions set out in our letter of engagement. We do not accept or assume any liabilityor duty of care for any other purpose or to any other party. This report should not be disclosedto any third party, quoted or referred to without our prior written consent.
Background
The Authority operates their General Ledger using the Agresso system. This system issupported by a number of feeder systems which are regularly interfaced. The system isoperated and monitored by the Financial Management Team which is responsible forstatutory duties such as the preparation, monitoring and reporting of revenue and capitalbudgets; the closedown of the accounts each financial year; the publication of the financialstatements and the completion of statutory returns and claims.
Approach and scope
Approach
Our work is designed to comply with Government Internal Audit Standards [GIAS] and theCIPFA Code.
Scope of our work
In accordance with our Terms of Reference (Appendix 1), agreed with the Chief Accountantwe undertook a limited scope audit of the General Ledger.
This limited scope audit involved a review of the design of the key controls together withdetailed testing to determine whether the controls are operating in practice.
Limitations of scope
The scope of our work was limited to those areas identified in the terms of reference.
Staff involved in this review
We would like to thank all client staff involved in this review for their co-operation andassistance.
Name of client staff
Anna Winship – Chief Accountant
Marie Molyneux – Corporate Management Accountant
Dave Swan – Technical Officer
General Ledger
Final Internal Audit Report
2009/10
4
Our opinion and assurancestatement
Introduction
This report summarises the findings of our review of the General Ledger
Each of the issues identified has been categorised according to risk as follows:
Riskrating
Assessment rationale
Critical
Control weakness that could have a significant impact upon, not only thesystem, function or process objectives but also the achievement of theauthority’s objectives in relation to:
the efficient and effective use of resources;
the safeguarding of assets;
the preparation of reliable financial and operational information; and
compliance with laws and regulations.
High
Control weakness that has or is likely to have a significant impact upon theachievement of key system, function or process objectives.
This weakness, whilst high impact for the system, function or process doesnot have a significant impact on the achievement of the overall authorityobjectives.
Medium
Control weakness that:
has a low impact on the achievement of the key system, function orprocess objectives; and
has exposed the system, function or process to a key risk, however thelikelihood of this risk occurring is low.
Low
Control weakness that does not impact upon the achievement of key system,function or process objectives; however implementation of therecommendation would improve overall control.
General Ledger
Final Internal Audit Report
2009/10
5
Executive Summary
Department:Finance
Audit Owner:
Anna Winship
Date of lastreview:
-
Overall Opinion:
Limited Assurance
There are some weaknesses in the design and / or operationof controls around journals, suspense accounts and fixedassets which could have a significant impact on theachievement of the General Ledger but should not have asignificant impact on the achievement of organisationalobjectives. However, there are discrete elements of the keysystem, function or process where we have not identified anysignificant weaknesses in the design and / or operation ofcontrols which could impair the achievement of the objectivesof the system, function or process. We are therefore able togive limited assurance over certain discrete aspects of thesystem, function or process.
Direction ofTravel
No previousreview has beenconducted byPwC. Workconducted by theprodecessorauditor identifiedno issues.
Number ofControl Designissuesidentified
0 Critical
3 High
4 Medium
2 Low
Number of ControlsOperating in Practiceissues identified
0 Critical
2 High
3 Medium
1 Low
Key Areas of Risk
Journals are not authorised and arefrequently not accompanied bysupporting documentation
Material Fixed Asset balances arenot reconciled to the GeneralLedger on a periodic basis
Opening balances for the 2009/10year have not been rolled forward
Suspense account balances arelarge and are not being clearedregularly
Other Considerations
Use of Resources-related
Financial reporting issues mayimpact on Use of Resourcesscores
Corporate Plan-related
None noted
VFM-related
None noted
Financial Reportingrelated
Accuracy of financialaccounts is hindered byhigh risk issues raised(see key areas of risk)
Scope of the Review
To ensure that adequate controls exist overaccess and amendments to the GeneralLedger and all transactions are accuratelyrecorded in a timely manner.
General Ledger
Final Internal Audit Report
2009/10
6
Compliance Summary
Compliance Testing
0%
20%
40%
60%
80%
100%
120%
1 2 3 4 5 6 7 8
Test
%
Expected Compliance
Actual Compliance
Tests Performed:
1. Month end closedown performed on a timely basis2. Payroll, Academy and Spectrum interfaces
performed accurately and verified as checked3. New cost centres and codes accompanied by
authorised form4. ‘Performance Matters’ reports published on a
timely basis5. Journals provided with completed input form and
supporting documentation6. Accounts Payable and Receivable reconciliations
performed and reviewed with no exceptions noted7. New Agresso user request forms in place (raised in
minor issues report)8. Agresso users still employed by the Authority
General Ledger
FInal Internal Audit Report
2009/10
7
Limitations and responsibilities
Limitations inherent to the internal auditor’s work
We have undertaken a review of the General Ledger, subject to the following limitations.
Internal control
Internal control, no matter how well designed and operated, can provide only reasonable andnot absolute assurance regarding achievement of an organisation's objectives. The likelihoodof achievement is affected by limitations inherent in all internal control systems. These includethe possibility of poor judgement in decision-making, human error, control processes beingdeliberately circumvented by employees and others, management overriding controls and theoccurrence of unforeseeable circumstances.
Future periods
The assessment of controls relating to the General Ledger is that historic evaluation ofeffectiveness is not relevant to future periods due to the risk that:
the design of controls may become inadequate because of changes in operatingenvironment, law, regulation or other; or
the degree of compliance with policies and procedures may deteriorate.
Responsibilities of management and internal auditors
It is management’s responsibility to develop and maintain sound systems of risk management,internal control and governance and for the prevention and detection of irregularities andfraud. Internal audit work should not be seen as a substitute for management’sresponsibilities for the design and operation of these systems.
We shall endeavour to plan our work so that we have a reasonable expectation of detectingsignificant control weaknesses and, if detected, we shall carry out additional work directedtowards identification of consequent fraud or other irregularities. However, internal auditprocedures alone, even when carried out with due professional care, do not guarantee thatfraud will be detected.
Accordingly, our examinations as internal auditors should not be relied upon solely to disclosefraud, defalcations or other irregularities which may exist, unless we are requested to carryout a special investigation for such activities in a particular area.
General Ledger
Final Internal Audit Report
2009/10
8
Findings and recommendationsRef Specific risk Control weakness found Risk
ratingRecommendations Management response Officer
responsible &implementationdate
Control Design
1 Periods may not beclosed down on atimely basis.
Late closure ofaccounts at year endincreases the risk ofcut off issues in thefinancial accounts.
There is no timetable inplace to outline thedeadline for closing downthe general ledger at monthend. Best practice wouldindicate that this should beperformed no later then 7days following the monthend.
In 3/3 months tested, theledger was closed after this7 day period. In 1 case(July 09) the period wasreopened over a monthafter closedown.
Medium
A timetable should be put in placeto outline key dates for the closedown of period ends. The ledgershould be closed down in line withthis timetable and should only bereopened in exceptionalcircumstances and to ensureaccuracy of management reporting.
Agreed
A timetable will be put inplace to indicate cut off datesfor close down. The monthwill only be reopened forsignificant journals (e.g. VATreturn) and will be performedby System Administratorsonly.
Anna Winshipand Dave Swan
With ImmediateEffect
General Ledger
Final Internal Audit Report
2009/10
9
Ref Specific risk Control weakness found Riskrating
Recommendations Management response Officerresponsible &implementationdate
2 Excessive numbersof codes may in use.
Codes may be usedincorrectly or notidentified formanagementreporting.
The Council does notundergo a regular review ofcost centres and accountcodes to ensure theyremain valid and in use.
It was noted through reviewof the ledger that 21account codes have beenset up outside of the normalcoding structure. In additionit appears that a number ofcodes have duplicatenames and descriptions(e.g. creditors, windows,unidentified corporatesavings)
Low
The Authority should seek to reviewtheir chart of accounts on an annualbasis. All dormant and duplicatecodes should be removed.
Agreed
This process was performeda number of years ago butwill be introduced on anannual basis going forward.
AnnaWinship/DaveSwan
31st
March2010
3 Inadequatemanagementinformation canresult in potentialissues not beingidentified and actedupon in a timelymanner.
Whilst the Authorityproduces detailedManagement Accounts ona monthly basis, other keymanagement reports arenot produced.
Medium
The Authority should considerdistributing a managementinformation 'pack' on a monthlybasis. This could include reportsshowing:
Significant balances onsuspense accounts;
Individually significant journaltransactions
Agreed
The production of reportsindicating significant journalsand suspense accounts willhelp to mitigate against anumber of risks identifiedduring the General Ledgerreview. These will be passedto Heads of Finance forreview.
Anna Winshipand Dave Swan
1st
December2009
General Ledger
Final Internal Audit Report
2009/10
10
Ref Specific risk Control weakness found Riskrating
Recommendations Management response Officerresponsible &implementationdate
4 Transactions areposted to the ledgerwithout adequatejustification orauthorisation.
Journals aregenerally acceptedto be moresusceptible to fraudas they are oftenbased on accountingestimates.
There is no process inplace for authorisingjournals. The Council hasintroduced a method of‘parking’ larger journalsbefore they are processedbut it is not possible toevidence this on Agresso.
High
Best practice would indicate that alljournals should be authorisedbefore being processed onAgresso.
The Council should investigate thefunctionality of Agresso to includean automated workflow for journaltransactions.
Partially Agreed
It is not deemed efficient toauthorise all journals where alarge majority of transactionsare reversed out after periodend. That said, theimplementation of a review ofall significant journals (seeissue ‘#3) will mitigateagainst the risk of materialmisstatement due to journalcalculations.
Further consideration will begiven to the journal workflowwithin Agresso.
Anna Winshipand Dave Swan
1st
December2009
5 Fixed Assetbalances may bematerially misstated.
Reconciliations betweenthe General Ledger and theFixed Asset Register areonly performed at year end.The Council hasencountered significantissues with thecompleteness of FixedAsset data in theclosedown of prior yearaccounts.
High
Periodic reconciliations should beperformed between the Fixed AssetRegister and General Ledger. Allreconciling items should be clearedon a timely basis.
Agreed
A fundamental review ofFixed Assets is underway.Going forwards the FixedAsset Register will bereconciled to the GeneralLedger on a monthly basis.
Anna Winship
31st
December2009
General Ledger
Final Internal Audit Report
2009/10
11
Ref Specific risk Control weakness found Riskrating
Recommendations Management response Officerresponsible &implementationdate
6 Close down issueswill not be identifiedbefore year endleading to anincreased risk ofaudit issues.
The Council does notcurrently perform a trialclose down before yearend.
We are aware that theCouncil is planning toscope plans for a trial closedown in the comingmonths.
High
A trial close down should beperformed ahead of the newcalendar year. This should involvereconciliation of balance sheetcodes to ensure completeness ofinformation and target testing oftransactions to supportingdocumentation. Review ofinformation for inclusion in thefinancial accounts should beconsidered.
Agreed
A trial close down is beingplanned for December 2009.
Anna Winship
31st
December2009
7 Access may not beremoved on a timelybasis leading toincreased risk ofmisappropriation ofCouncil systems.
Monthly leavers reports aresent from payroll toAgresso administrators.This ensures that allleavers are removed fromthe system.
There is no process inplace for removingtemporary agency staff.
Medium
A process should be put in place toensure that system administratorsare able to remove temporaryagency staff access rights whenthey have left.
This may involve a regular listingbeing sent from the agency contractmanager or a periodic review of allusers.
Agreed
A regular report will berequested from responsibleofficer to detail all temporaryagency staff who have leftthe Authority.
We will liaise with ICT toascertain whether a processfor informing departments ofagency staff leavers can bedevised.
Dave Swan
31st
December2009
General Ledger
Final Internal Audit Report
2009/10
12
Ref Specific risk Control weakness found Riskrating
Recommendations Management response Officerresponsible &implementationdate
8 If users are removedwithout transferringtheir subscriptions,the Council maymiss key paymentdeadlines.
Retention of userson Agressoincreases the risk ofunauthorisedaccess.
Officers are able to set upsubscriptions on Agresso toallow ongoing periodicpayments to be madethroughout the year.
It was brought to auditsattention that if an officersubsequently leaves theAuthority and theirusername is parked, thesubscription payments arecancelled. These users aretherefore kept live onAgresso.
Low
A listing of all users who have setup subscriptions should begenerated and compared to leaverslists provided from payroll. Linemanagers of leavers with thisaccess should be contacted and anew responsible officer identified.Subscriptions should be moved tothe new individual and the leaverparked on Agresso.
Agreed
Mitigating controls are inplace to ensure that leaverswho have subscriptionresponsibilities cannot haveaccess to Agressofunctionalities. A call will belogged with Agresso toestablish whether a solutioncan be put in place.
Dave Swan
31st
December2009
General Ledger
Final Internal Audit Report
2009/10
13
Ref Specific risk Control weakness found Riskrating
Recommendations Management response Officerresponsible &implementationdate
9 Increased risk ofdata loss orinstability.
The Council outsourcedtheir IT functions in 2009/10and consequently allresponsibilities for back upsof the ledger have beenpassed to the CountyCouncil.
No notification is sent to theAgresso systemadministrator to confirmthat backups have occurredor more importantly whenerrors have arisen.
It was commented that anissue with backup of theledger occurred inDecember 2008. Thesystem administrator wasnot made aware of thisinstance until errors werenoted by end users.
Medium
Notification should be requestedfrom the County Council to ensurethat backups have been performedcorrectly. All failures should benotified to the system administratoras a matter or urgency.
Agreed
Exception reports will beprovided to the systemadministrators should a backup fail. Reporting byexception is deemedsufficient.
Dave Swan
31st
October2009
General Ledger
Final Internal Audit Report
2009/10
14
Ref Specific risk Control weakness found Riskrating
Recommendations Management response Officerresponsible &implementationdate
Operating Effectiveness
10 Procedure notesmay not reflectcurrent workingpractices thusincreasing the risk oferror and omission.
The Council upgraded theirversion of Agresso to v5.5in March 2009.
Although key procedurenotes have been amendedto reflect the new system,this has not beenperformed for allprocedures notes in place.
Medium
All procedure notes should bereviewed to ensure they reflectAgresso v5.5. Going forward,procedure notes should bereviewed on an annual basis toreflect changes in workingpractices.
Agreed
All procedure notes will bereviewed to ensure that theyare in line with the currentversion of Agresso. This willbe performed in the order ofrisk and importance. Areview date will be detailedon all documents.
Dave Swann
31st
March2010
11 Codes and costcentres may be setup inappropriately orin error.Managementaccounts may notidentify all codes forreporting.
All new codes and costcentres are accompaniedby a set up form. In 6/25new entries tested, formshad not been signed by theresponsible officers. Thesewere all in relation to capitalcost centres. An additional3 forms had not beensigned by financialmanagement to indicatethat the code had been setup in Agresso
Medium
All new codes and cost centreforms should be signed byresponsible officers before set upon Agresso.
Agreed
Checks will be performed toensure that appropriateauthorisation has beenobtained.
Dave Swann
With ImmediateEffect
General Ledger
Final Internal Audit Report
2009/10
15
Ref Specific risk Control weakness found Riskrating
Recommendations Management response Officerresponsible &implementationdate
12 Performance data isnot published forpublic use on atimely basis.Statutory deadlinesmay not be met.
At the time of audit(October 2009), thePerformance Mattersinformation had not beenproduced for August 2009:
Low
Performance statistics should bepublished in line with the settimetable.
Agreed
Performance Board wasscheduled later in the monthand therefore reports weredelayed. Timetables shouldbe updated to reflect anyrearrangements.
Penny Gardner& SarahFogden
With ImmediateEffect
13 The balance sheetmay be inaccurateor incomplete.
At the time of audit, theopening balances for2009/10 had not beenrolled forward.
Medium
Opening balances should be rolledforward as a matter or urgency.This process should be formallyreviewed and documentationretained to evidence the process.
The Authority should investigate thepossibility of using a 'trigger' systemwhich will automatically roll forwardOpening Balances.
Agreed
Opening balances weredelayed due to thepreparation of the finalaccounts. This will beperformed as a matter ofurgency.
Anna Winship
31st
October2009
General Ledger
Final Internal Audit Report
2009/10
16
Ref Specific risk Control weakness found Riskrating
Recommendations Management response Officerresponsible &implementationdate
14 Transactions areposted to the ledgerwithout adequatejustification orauthorisation.
All journals should beaccompanied by an inputform, supportingdocumentation and aledger print to evidence theinput. The following issueswere noted during testing of25 journal transactions:
5/25 journals could notbe provided for audit;
Of the 20 journalsavailable for testing, 9were not accompaniedby a journal form
7/20 journals did notcontain both supportingdocumentation and aledger print asstipulated byprocedures
High
The Authority should ensure thatjournals are only made upon receiptof appropriate supportingdocumentation as stipulated byguidance.
Agreed
Supporting documentation isstill being reviewed for thisissue which is agreed inprinciple.
Some of the transactionsselected for testing were ‘re-postings’ processed to movetransactions between codes.Going forward the budgetholder will provideauthorisation of thesemovements.
Anna Winship
With ImmediateEffect
General Ledger
Final Internal Audit Report
2009/10
17
Ref Specific risk Control weakness found Riskrating
Recommendations Management response Officerresponsible &implementationdate
15 Balances may bemisstated.
The Councils suspenseaccounts have not beencleared during 2009/10. Atthe time of audit, thebalances on the suspenseaccounts were as follows:
Agresso suspenseaccount: £600k
Cash suspenseaccount £100k
High
Suspense accounts should bereviewed on a periodic basis. Allitems should be cleared wherepossible or written off if a correctioncannot be established.
Agreed
The main Agresso suspenseaccount has since beencleared and will be reviewedon a periodic basis. Officerswere aware of one large itemthat was held on suspense.This had been identified butclearing the account was notprioritised.
Efforts will be made to clearthe cash suspense accountbefore the implementation ofthe Councils new cashsystem.
We do not believe that this ahigh risk issue.
Anna Winship
30th
November2009
General Ledger
Final Internal Audit Report
2009/10
18
Appendix 1 - Terms ofReference
Objectives and deliverables
Objectives
To ensure that adequate controls exist over access and amendments to the General Ledgerand all transactions are accurately recorded in a timely manner.
Deliverables
Our deliverable will be a report detailing our findings with regard to our assessment of thedesign and effectiveness of controls in place over the General Ledger system.
Scope and approach
Our work will focus on identifying the guidance, procedures and controls in place to mitigatekey risks through:
Documenting the underlying guidance, policy and processes in place and identifying
key controls;
Considering whether the policies and procedures in place are fit for purpose; and
Testing key controls.
The key points that we will focus on are:
All Financial transactions of the organisation are input to the ledger in a complete,
accurate and timely fashion;
All financial information and output from the general ledger system is accurate, timely
and appropriate to need; and
The system is protected against unauthorised access/ processing and is secure
against loss or damage of data.
We will discuss our findings with the Chief Accountant or nominated representative to developrecommendations and action plans. A draft report will be issued to the Head of Finance andany other relevant officers for review and to document management responses.
Limitation of Scope
The scope of our work will be limited to those areas identified above.
General Ledger
Final Internal Audit Report
2009/10
19
Stakeholders and responsibilities
Role Contacts Responsibilities
Chief Accountant Anna Winship Review draft terms of reference
Review and meet to discuss issuesarising and develop managementresponses and action plan
Review draft report.
Implement agreed recommendationsand ensure ongoing compliance.
Heads of Finance
Interim ExecutiveFinance Director
Penny Gardner
Sarah Fogden
Nigel Pursey
Receive agreed terms of reference
Receive draft and final reports.
Chief Executive Peter Sloman Receive final report
Performance Board Receive final report
Our Team and Timetables
Our team
Chief Internal Auditor Chris Dickens
Audit Manager Katherine Bennett
Auditor Katherine Bennett
Timetable
Steps Date
TOR approval September 2009
Fieldwork commencement 5th
October 2009 (T)
Fieldwork completed T + 2 weeks
Draft report of findings issued T + 4 weeks
Receipt of Management response T + 6 weeks
Final report of findings issued T + 7 weeks
General Ledger
Final Internal Audit Report
2009/10
20
Budget
Our budget for this assignment is 5 days. If the number of days required to perform thisreview increases above the number of days budgeted, we will bring this to managementattention.
Terms of Reference Approval
These Terms of Reference have been reviewed and approved:
...........................................................................................................
Anna WinshipSignature (Chief Accountant)
...........................................................................................................
Chris DickensSignature (Chief Internal Auditor)
General Ledger
FInal Internal Audit Report
2009/10
21
Appendix 2 - Assurance ratings
Level ofassurance
Description
High No control weaknesses were identified; or
Our work found some low impact control weaknesses which, if addressed wouldimprove overall control. However, these weaknesses do not affect key controls andare unlikely to impair the achievement of the objectives of the system. Therefore wecan conclude that the key controls have been adequately designed and areoperating effectively to deliver the objectives of the system, function or process.
Moderate There are some weaknesses in the design and/or operation of controls which couldimpair the achievement of the objectives of the system, function or process.However, either their impact would be less than significant or they are unlikely tooccur.
Limited There are some weaknesses in the design and / or operation of controls which couldhave a significant impact on the achievement of key system, function or processobjectives but should not have a significant impact on the achievement oforganisational objectives. However, there are discrete elements of the key system,function or process where we have not identified any significant weaknesses in thedesign and / or operation of controls which could impair the achievement of theobjectives of the system, function or process. We are therefore able to give limitedassurance over certain discrete aspects of the system, function or process.
No There are weaknesses in the design and/or operation of controls which [inaggregate] could have a significant impact on the achievement of key system,function or process objectives and may put at risk the achievement of organisationobjectives.
General Ledger
Final Internal Audit Report
2009/10
22
©2009 PricewaterhouseCoopers LLP. All rights reserved. 'PricewaterhouseCoopers' refers to
PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) or, as the context
requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a
separate and independent legal entity.