Internal audit – Summary of findings Audit... · We do not accept or assume any liability or duty...
Transcript of Internal audit – Summary of findings Audit... · We do not accept or assume any liability or duty...
Aberdeen City Council
Internal audit
Report to Audit and Risk Committee– 29 November 2011
Internal Audit
Aberdeen City Council
November 2011
Aberdeen City Council
Internal audit – Summary of findings
Report to Audit and Risk Committee29 November 2011
Summary of findings
Report to Audit and Risk Committee
Statement of responsibility
This report, which covers the key findings of our reviews between September and November, has been prepared solely for Aberdeen City Council (ACC) in accordance with the terms and conditions set
out in our engagement contract with ACC. We do not accept or assume any liability or duty of care for any other purpose or to any other party. This report should not be disclosed to any third party,
quoted or referred to without our prior written consent.
Contents
Section 1 – Introduction ..........................................................................................................................................................................................................................1
Section 2 – Business Continuity Planning...............................................................................................................................................................................................2
Section 3 – Financial Ledger ...................................................................................................................................................................................................................5
Section 4 – Children Requiring Additional Support for Learning Needs ................................................................................................................................................7
Section 5 – Commercial Estates ............................................................................................................................................................................................................10
Section 6 – Staff Recruitment and Induction Procedures .....................................................................................................................................................................12
Section 7 - Creditors ..............................................................................................................................................................................................................................14
Appendix A – Progress against 2011/12 plan as at November 2011 ......................................................................................................................................................16
Appendix B – Basis of our classifications ..............................................................................................................................................................................................18
Appendix C – Limitations and Responsibilities ....................................................................................................................................................................................19
Internal Audit Progress Report – November 2011
PwC
1
Background
1.01 The assurance you receive through the internal audit programme is a keycomponent of your overall governance framework, ultimately reflected inthe Statement on Corporate Governance presented in the annualfinancial statements. The purpose of this report is to highlight the keyfindings arising from the Internal Audit work completed since the 20September Audit and Risk Committee.
Internal Audit Activity
1.02 Our overall approach to internal audit is to deliver challenge and supportacross the continuum from value protection (where we primarily provideassurance by protecting the current position) to value enhancement(where we add value with forward looking reviews).
Completed reviews (reports with management commentsfinalised)
1.03 Since the last Audit and Risk Committee meeting we have finalised thefollowing reviews and agreed detailed action plans with management toaddress the recommendations made.
Business Continuity Planning (Housing & Environment) Financial Ledger (Corporate Governance); Children Requiring Additional Support for Learning Needs
(Education, Culture & Sport); Commercial Estates (Enterprise, Planning & Infrastructure);
Staff Recruitment and Induction Procedures (Social Care &Wellbeing );
Creditors (Corporate Governance)
1.04 Within the report we have set out in detail the higher priority findingsand recommendations and summarised the management action inrelation to those recommendations categorised as being of high andmedium priority.
Fieldwork complete (draft reports in progress)
1.05 In terms of current work in progress, we have completed our fieldwork inthe following areas and are in the process of finalising draft reports witha view to issuing these for management comment and response:
Contract Management/Procurement (Corporate Governance/SocialCare & Wellbeing Service)
Common Good Fund (Corporate Governance) Risk Management Arrangements (Corporate Governance) Capital and Repairs Project Management (Housing & Environment) Treasury Arrangements
1.06 In addtion, we have been liasing with the project manager for theCorporate Governance externalisation project to determine internalaudit input at key stages of the project between now and the end of theproject.
1.07 We plan to report the key findings from the above reports at theFebruary 2012 Audit and Risk Committee.
Section 1 – Introduction
Internal Audit Progress Report – November 2011 2
Report classification
High Risk
Number of Findings
Critical High Medium Low Advisory Total
- 1 5 1 - 7
Background
2.01 The Civil Contingencies Act 2004 requires local authorities to haveeffective Business Continuity Plans (BCPs) in place covering keyactivities. As a result the Council’s Corporate Management Team(CMT) has identified key service areas which require BCPs, and hasprioritised a number of these as being critical on the basis of thepotential impact of disruption to service provision should a disastersituation arise.
Coverage of Key Plans
2.02 At the time of our review plans have been developed covering thefollowing key service areas as defined by the CMT:
Aberdeen Scientific Services Laboratory (Public Analystlaboratory)
Bereavement Services (including cemeteries and AberdeenCrematorium)
Facilities Management (covering the provision and maintenance ofall staff accommodation)
Homelessness Services (including temporary accommodation) ICT (provision of key computer systems, email and telephone
network) Payroll and HR Regional Communications Centre (Community Alarm service) and
Customer Contact Centre City Registrar Revenues and Benefits (including Council Tax and Housing Rents) Roads Maintenance (including winter road clearing) Social Care (including residential and day care centres, protection
of vulnerable groups and statutory responsibilities) Schools Trading Standards and Environmental Health Waste collection and disposal
Process for BCP Plan Development
2.03 The plans were developed using a standard process which involvedcarrying out a Business Impact Analysis. As part of this process, aBusiness Continuity Workbook was completed by staff within eachrelevant service area, and was reviewed by Grampian EmergencyPlanning Unit staff for completeness and to ensure that the key risksaffecting the service area had been considered.
Section 2 – Business Continuity Planning
Internal Audit Progress Report – November 2011 3
Responsibility for BCP
2.06 It is the responsibility of the Director of each of the Council’s Services toensure that BCPs within their Service are maintained up to date and aresubject to regular testing.
Approach and Scope
2.07 The overall objective of our review was to assess the status of theCouncil’s business continuity plans, considering the extent to which keysystems, facilities and resources have been subject to a business impactanalysis and appropriate continuity plans have been developed andtested.
Our review involved specific consideration of the following matters:
Development and implementation of a formal BCP project plan
Implementation of a BCP training and awareness programme Completion of Business Impact Analysis
BCPs are in place for critical processes
BCPs are subject to periodic review
Programme of periodic testing of BCPs is in place
Successful recovery of critical business processes has beendemonstrated in either a test or live situation
2.08 Our review involved discussion with key control and the identificationand evaluation of key controls. This review did not cover emergencyplanning arrangements, i.e. the processes necessary to deal withincidents or emergencies having a direct impact external to AberdeenCity Council. The role of GEPU with regard to Aberdeenshire andMoray councils was also not examined.
Summary of Findings
2.09 Our review identified that BCPs had been developed for all functionswhich CMT considers to be critical to the Council’s operations. TheseBCPs were verified as covering all of the key customer facing and
internal activities necessary for the Council to deliver its core services,and were developed using a standard process to ensure that they arecomplete and robust.
2.10 No critical recommendations were noted during our review. However,we did identify one high risk and a number of medium priority areas formanagement’s consideration to further enhance business continuityplanning arrangements. In particular, action plans have been agreedwith management in respect of the following recommendations.
Impact of Staff Relocations (high risk)
2.11 We reviewed the current BCPs to assess whether the information withinthe BCPs was accurate and up to date, recognising that a programme ofreview of the critical BCPs is currently being undertaken.
2.12 We noted that whilst many of the current BCPs are up to date or requireonly minor amendments, the programme of staff relocation from StNicholas House and Crown House to Marischal College (which is due tobe completed by early Autumn 2011) will have an impact upon manyBCPs.
2.13 Management should ensure that all BCPs are subject to updatefollowing completion of the current programme of staff relocations toensure that replacement arrangements have been made for anyaccommodation or storage of documentation at St Nicholas House,Crown House, or any other locations which will not be available goingforward. Particular care should be taken to consider the implicationswhere for example shared disaster recovery arrangements were madebetween service functions which previously operated from differentlocations but which however now find themselves in close proximitywithin the same building.
Officer’s response: Agreed. All BCPs will be updated by 31January 2012
Internal Audit Progress Report – November 2011 4
2.14 In addition, we have outlined 5 medium risks including:
Health and Safety and Payroll BCP plans should be reviewed; a consistent approach should be adopted for storing BCPs across
the Council; additional training for BCP lead officers due to changes in staffing
in certain areas; testing of BCPs should be undertaken per the agreed testing
timetable; and when reviewing BCP’s the critical business processes should be
reviewed to ensure still relevant and applicable.
Overall officer’s response to the report recommendations:Action agreed in respect of all recommendations, and allrecommendations will be implemented by February 2012.
Internal Audit Progress Report – November 2011 5
Report classification
Low Risk
Number of Findings
Critical High Medium Low Advisory Total
- - 1 3 4
Background
3.01 eFinancials is the Council’s corporate finance system and containsseparate modules for debtors, creditors and the general ledger. Thissystem is used by a number of local authorities and other public bodies.There are nine interfaces into the ledger which automatically transferdata from Council systems which carry out financial processing,including cash receipting, payroll and revenues.
3.02 Processing of journal adjustments are restricted to a limited number ofsenior Services and Financial Accounting staff.
3.03 The Principal Accountant, Corporate Accounting Team hasresponsibility for 40 control accounts. This team carries out monthlyreconciliations on the major control accounts relating to debtors,creditors, payroll and banking. Control Accounts relating to Education,Culture & Sport (EC&S) and Social Care & Wellbeing (SC&W) are theresponsibility of specific accountants. The remaining control accountsare the responsibility of five different accounting staff, which isallocated to work within the different Services.
Approach and Scope
3.04 The overall objective of the review was to review the controls in placeover the financial ledger, in particular the controls over entries to theledger (automatic interfaces and journal adjustments), performanceand approval of key control account reconciliations and month endreview procedures.
3.05 Computer Assisted Audit Techniques (CAATs) were used to target ourjournal testing. A set of 16 automated reports were produced coveringjournal activities over a 15 month period. The first 5 reportssummarised the journal data by period, posting user, document type,account code and cost centre.
3.06 Our review involved discussion with key personnel and review ofrelevant documentation. Bank reconciliations were not considered aspart of this review and only a sample of suspense accounts werereviewed.
Summary of Findings
3.07 We noted that appropriate automated checks were in place to ensurethe integrity of the transfer of data from systems interfacing witheFinancials. We reviewed a sample of control account reconciliationrecords and noted that all required reconciliations were carried out on atimely basis and that there were no unresolved discrepanciesremaining.
3.08 No critical or high recommendations were as part of this review.
Section 3 – Financial Ledger
Internal Audit Progress Report – November 2011 6
However, one medium risk recommendation was raised formanagement’s attention.Journal Adjustments (medium risk)
3.09 From a test of sixty journal transactions we noted the followingexceptions:
in eight cases the signature of the authoriser was illegible; the spreadsheets completed for block accruals or reversals are not
authorised by a party independent of the officer who created thespreadsheet prior to these being emailed to AccountingDevelopment for posting;
in two cases where journals had been posted by senior staff thesehad not been independently authorised; and
one journal voucher and supporting documentation could not belocated.
Officer’s response: Agreed. Process will be reviewed andcommunicated by end November 2011
3.10 Low risk recommendations included ensuring an appropriate audit trailwas in place to evidence review of key documents for example transferof data via automatic interfaces, and control account reviews.
Overall officer’s response: Action agreed in respect of allrecommendations, which will be implemented by 30th
November 2011.
Internal Audit Progress Report – November 2011 7
Report classification
Medium risk
Number of Findings
Critical High Medium Low Advisory Total
- - 3 - 2 5
Background
4.01 The Education (Additional Support for Learning) (Scotland) Act 2004and Education (Additional Support for Learning) (Scotland) 2009provide local authorities and other bodies with a common framework toaddress children’s learning needs by planning and co-ordinatingsupport to prevent, remove or alleviate barriers within the learningenvironment.
4.02 Per the Act a child or young person will have additional support needsif, “the child or young person is or is likely to be unable withoutprovision of additional support benefit from school education providedor to be provided for the child or young person”. Local authorities arerequired to make appropriate arrangements for identifying andsupporting children and young people with additional support needs.
4.03 ACC has a policy of “Inclusion” which aims to ensure that children andyoung people with additional support needs receive adequate andefficient provision as stated in the Education (Additional Support forLearning) (Scotland) Act 2004 and in line with The Education(Additional Support for Learning) (Scotland) Act 2009.
4.04 A staged intervention process is in place within ACC to identify andmeet the learning support needs of children and young people. Supportis initially provided in house by classroom teachers and additionallearning support centres within schools. However, if the support needsof the child or young person are more complex, then there is provisionfor support to be provided out with the school via external agencies andspecialist learning centres.
Approach and Scope
4.05 As part of this review we specifically considered the following sub-processes and related control objectives:
Planning of provision for Additional Support Needs
Policy developed regarding means of addressing each category ofneed and priorities for funding identified.
Forecast of numbers of ASN children calculated over short, mediumand long term.
Section 4 – Children Requiring Additional Supportfor Learning Needs
Internal Audit Progress Report – November 2011 8
Assessment of Referrals for Assistance
Assessments carried out in accordance with policies and withoutundue delay.
Wishes of parents taken into consideration during assessmentprocess.
Priority given within budgetary constraints to supporting childrenwith the most urgent needs.
Effectiveness of inter-disciplinary working
Appropriate inter-disciplinary working with key internal andexternal stakeholders, for example, social care and wellbeing andalso NHS and voluntary sector on availability of specialist skills.
Costed options developed for inter-disciplinary working, includingimplications for ACC schools estate.
Measures in place to monitor the effectiveness of support provisionby partner provider.
4.06 Our audit approach involved obtaining an understanding of theprocesses in place through discussions with key personnel, evaluatingcontrols in place and testing the operating effectiveness of key control.
4.07 The scope of this review did not involve addressing the overall schoolsestates strategy or schools zoning policy, other than where these impactupon the accessibility to education for children with additional supportneeds.
Summary of Findings
4.08 From our review we noted that the staged intervention model adoptedby ACC is an adequate framework for meeting the additional supportneeds of children as it allows for prompt identification and assessmentof pupil needs.
4.09 The Learning Strategy outlines how the Council will enhance learningopportunities for children, young people and adults in the short term(1-2 years), medium term (3-5 years) and long term (5-10 years). Thestrategy includes ACC’s priorities for children and young people withASN.
4.10 Whilst no critical or high risk findings were noted we identified anumber of areas where existing controls could be enhanced. We haveagreed an action plan with management in respect of the medium riskfindings and these are summarised below.
Staff Procedure Manual
4.11 In delivering the Learning Strategy, ACC staff follow the proceduresdocumented within the Additional Support for Learning ProcedureManual. From a review of this document we noted that the key sectionshave been updated to reflect current legislation however staff aredirected towards the Scottish Government’s Code of Practice(Supporting Children’s Learning) as the main reference source.
4.12 As part of the planned review of the Inclusion Strategy, a decision willbe made by management about updating the remaining sections of theAdditional Support for Learning Procedure Manual or cross referring tothe Scottish Government’s Code of Practice
Assessment of Referrals for Assistance
4.13 A detailed record of the discussions of the Admission Panel inconsidering referrals and reaching a decision is not maintained,however the result of the process regarding award of support, orotherwise is recorded in a spreadsheet maintained for each base.
4.14 Management will issue the guidelines covering referrals prior tocommencing the next scheduled process in November 2011, and updatethe document as and when required to reflect changed circumstances.In addition, management should as a means of enhancing transparency,maintain records of the key discussion points from the AdmissionPanel.
Internal Audit Progress Report – November 2011 9
Financial Arrangements
4.15 Management are currently working through the impact of the budgetreductions which came into effect at the commencement of the newacademic year in August 2011. As part of ongoing management,performance data such as pupil achievements, attendance, and otherfactors will be analysed to determine the impact of the reduced budgetprovision. In addition, a review of the Inclusion Strategy will considerthe consequences of the reduced budget and whether the needs ofchildren with the highest need for support are being met.
4.16 Management may wish to consider further measures designed to assessand address the risks involved with the reduced budget provision foradditional learning support with periodic reports on the mattersubmitted to the Education, Culture and Sport Committee.
Overall officer’s response: Action agreed in respect of allrecommendations, which will be implemented by April 2012.
Internal Audit Progress Report – November 2011 10
Report classification
Medium risk
Number of Findings
Critical High Medium Low Advisory Total
- 5 - - 5
Background
5.01 Aberdeen City Council (ACC) maintains a portfolio of 457 commercialproperties, which generate annual rental income of approximately £8.1million. The portfolio covers industrial, office and retail shop units andfarm land. As approved by the Finance and Resources Committee, theAsset Management and Operations team (AMOT) are currentlyundertaking detailed reviews of the commercial property portfolio as abasis for establishing individual strategies for each property grouping.The Estateman system, which has been used for recording andmonitoring commercial property activities, is currently being replacedwith a new database called Uniform, with the transition expected to becompleted by the end of September 2011. This database is expected todeliver additional benefits including ease of navigating between screensand improved facilities for checking that specific tasks have been carriedout by staff.
5.02 Overall, a key objective of the Council is to maximise income from itscommercial property portfolio. The commercial property portfolioconsists of properties varying in age from 15 to 100 years old.Maintenance and repair work to date has been minimal and carried outto ensure that properties are wind and water tight.
Approach and scope
5.03 The overall objective was to to review the current usage of itscommercial estate and consideration of options to upgrade, change ordevelop to meet local business requirements and ensure that incomepotential from the estate is realised where possible. As part of thisreview we specifically considered the following sub-processes andrelated control objectives:
Commercial Estates Strategy
Ensure appropriate overarching commercial estates strategyimplemented regarding
Information gathered on local business requirements and propertymarket movements
Commercial property portfolio reviewed and assets
Options Appraisal Process
Properties for potential upgrade, development, disposal or changeof use identified
Proposed investments or disposals subjected to formal optionsappraisal process
Options selected to maximise income potential
Section 5 – Commercial Estates
Internal Audit Progress Report – November 2011 11
Realisation of Income Potential
Vacant assets identified and marketed for all suitable uses Rent reviews carried out in line with lease terms and ACC financial
objectives Action taken to pursue overdue rental payments
Recording and monitoring of commercial estates activities
Consider the effectiveness of ACC’s arrangements to ensureeffective transfer of information from the Estateman system toUniform.
5.04 Our audit approach involved obtaining an understanding of the overallmanagement of the ACC commercial property portfolio throughdiscussions with key personnel, review of systems documentation andwalkthrough tests where appropriate.
Summary of findings
5.05 We identified good practices in managing vacant properties including
advertising on the Council’s web site and monitoring the number of
voids through management review of monthly reports. The effectiveness
of management action in minimising rental income foregone is
demonstrated by a reduction in the number of voids from 24 properties
in April 2011 to 16 as at 30 June 2011. This improvement generated
additional income of £167,500.
5.06 Our review highlighted 5 medium risk recommendations relating to:
determining the nature, extent and value of improvement workrequired to modernise and improve the quality of properties;
undertaking option appraisal for the main income generatingproperty groups;
maintaining a risk register to cover risks, control measures,proposed action and critical success factors;
formalising arrangements around rent reviews; and preparing a programme to complete the transition to the Uniform
system.
Overall officer’s response: Action agreed in respect of allrecommendations, which will be implemented by 30 June2012.
Internal Audit Progress Report – November 2011 12
Report classification
High risk
Number of Findings
Critical High Medium Low Advisory Total
- 1 1 - 1 3
Background
6.01 Aberdeen City Council’s (ACC) Corporate Recruitment and Inductionprocedures set out the detailed policies and procedures which applywhen recruiting, selecting and inducting new ACC employees. Thesepolicies and procedures are readily accessible to all council staff as theyare contained within ACC’s intranet (zone).
6.02 ACC’s standard corporate procedures apply when recruiting andinducting new employees within the social care and wellbeing service.The Corporate Recruitment and Resourcing team1 is responsible forensuring that recruitment procedures are followed and documentaryevidence relating to the recruitment, selection and induction of staff areretained in a new start’s personnel file. The Recruitment andResourcing team currently compromises of three HR Co-ordinators(two permanent and one relief staff), four assistant HR Co-ordinators
1The Corporate Recruitment and Resourcing team is part of the HR Shared Service
Centre based at AECC.
(three permanent and one relief staff) and two Support Assistants (onepermanent and one relief staff).
Approach and Scope
6.03 Our review considered the process from the point the initial vacancy isapproved to induction, including the selection process, pre-employmentchecks and initial training and briefing. As part of this review wespecifically considered the following sub-processes and related controlobjectives:
Vacancy advertising Authorisation obtained to fill vacant post. Posts advertised promptly and in suitable media once approved. Closing date for applications set within 3 weeks of advertisement
date except in case of hard to fill posts which are left open ended.
Selection Process Reasons for interview selection clearly recorded and supportable
based on application details. Reasons for selection or rejection of candidate(s) at interview
clearly recorded and supportable based on details recorded andconsider appropriate balance of experience regarding recruitmentdecisions.
No offers made until satisfactory completion of pre employmentchecks (including Disclosure, right to work in UK, qualifications andreferences).
Appropriate procedures in place for ensuring compliance with new‘protection of vulnerable groups’ legislation.
Section 6 – Staff Recruitment and InductionProcedures
Internal Audit Progress Report – November 2011 13
Review the effectiveness of arrangements over Robert GordonUniversity recruitment route.
Selection Process
Arrangements made prior to start regarding basic administrativearrangements.
Initial briefing given including introduction to supervisor andcolleagues, explanation of key responsibilities, and administrativearrangements.
Management maintain contact with new employee over first fewweeks to determine any additional training and guidance requiredand to provide feedback on initial performance.
Summary of Findings
6.04 One high risk finding was identified during our review. All findingshave been agreed by management and an action plan agreed.
Compliance with procedures on recruitment of foreignnationals (High Risk)
6.05 From our review we have identified issues which indicate that CorporateRecruitment and Resourcing staff may not be correctly complying withthe procedures for eligibility checks to be carried out in recruitingforeign nationals - both European Economic Area (EEA) and non EEAnationals.
6.06 For example during our testing of a sample of 20 employee personnelfiles (of which 5 related to foreign nationals) we noted that althoughdocumentation to confirm an employee’s right to live and work in theUK (work permit) had been obtained and retained when employing nonEEA nationals the work permit retained in one instance was not valid asit did not cover the employees period of employment. The employee inquestion commenced employment in February 2011 however the copyof the work permit held on file had expired in January 2011 and was
therefore not valid for employment commencing February 2011onwards.
6.07 In another instance during our sample testing we noted that theAccession State Worker Registration Scheme Certificate2 which hadbeen retained when employing a foreign national from within the EEAwas not valid (for employment with ACC) as it was issued in reference toAberdeenshire Council. We understand that Corporate Recruitment andResourcing staff have not been formally trained in procedures to befollowed and checks to be carried out in recruitment of foreign nationalshowever general guidance notes (on employing foreign nationals) areavailable on the council’s intranet.
Officer’s response: Special briefings were held in October 2011 for staff
within the HR Service Centre to clarify legislations and requirements in relation
to recruitment of foreign nationals. Furthermore additional controls for
identifying employee work permits due for renewal have also been put in place
as a result of recent payroll audit which was carried out in August 2011.
6.08 In addition, one medium recommendation was raised in relation to:
Ensuring that documentary evidence is retained to supportrecruitment, selection and induction of social work staff inaccordance with ACC procedures.
Overall officer’s response: Action agreed in respect of allrecommendations, which will be implemented by start ofDecember 2011. .
2This document is issued by the UK Home Office to EEA nationals seeking employment
in the UK. It authorises the person to work for an employer specified in the certificate.
Internal Audit Progress Report – November 2011 14
Section 7 - Creditors
Report classification
Low risk
Number of Findings
Critical High Medium Low Advisory Total
- - 1 1 - 2
Background
7.01 The national e-procurement system, PECOS, is used for ordering andreceipting goods and services by all ACC services. Supplier invoices areprocessed and paid centrally by the accounts payable section, which isbased at the Aberdeen Exhibition and Conference Centre (AECC). TheInfosmart system is used to enable payment of supplier invoices andretain documentary evidence to support payments made. Infosmart alsorecords the date invoices are received and applies automated checks toensure proper authorisation prior to payment.
7.02 To ensure that all goods and services are ordered through PECOS asrequired, the accounts payable section complete a monthly reportproviding details of individuals not using PECOS, which is sent to eachService directorate.
Approach and Scope
7.03 Our review involved obtaining an understanding of the creditors’payment process through discussions with key personnel, review ofsystems documentation and walkthrough tests where appropriate. Aspart of this review we specifically considered the following sub-processes and related control objectives:
Creditors’ payment process
Ensure appropriate procedures are implemented with regard to
ordering goods.
Ensure appropriate procedures implemented with regard to
receipt of invoices and goods and services from suppliers.
Consider the effectiveness of the controls within PECOS to
ensure that payments are only made to bona fide suppliers for
goods and services rendered.
Ensure there are appropriate controls implemented in order
that ACC complies with required payment terms.
Improvements to Creditors established via the Vendormanagement Workshop
Ensure that improved procedures have been implemented and
are operating effectively.
Summary of Findings
7.04 Following our review, we identified that the design of controls in placewas adequate and that controls were operating effectively. No critical orhigh risk recommendations were identified; however, one medium riskrecommendation was raised for management’s attention:
Improvement to the Creditor Process
7.05 The vendor management workshop identified a number ofimprovements that were required to improve ACC’s current creditorpayment process. One of these improvements related to the:
i) CPU validating new suppliers by checking Companies House details
and the proposed supplier’s bank account details.
Internal Audit Progress Report – November 2011 15
7.06 At the time of review, the CPU had not yet implemented a process tovalidate new suppliers. The CPU are working towards implementing thearrangements agreed for validating new suppliers and are establishing ademinimis spend level for which the process should be applied. Insetting the deminimis level, consideration will be given to the number ofrequests from Services to establish new suppliers, estimated spend andtime required to validate each potential vendors details. This processwill be in place by the end of the financial year..
Officer’s response: Action agreed in respect of allrecommendations, which will be implemented by 31 March2012.
Internal Audit Progress Report – November 2011 16
Corporate
Governance
Audit Title Proposed
timing
Terms of
reference
agreed
Draft
Report
Issued
Management
Response
Received
Report
Finalised
Report to Audit
and Risk
Committee
Corporate Governance
Operational Contract management/ Procurement Jun-11 November 2011
Health and Safety Sep-11 February 2011
Performance Management Nov-11 February 2011
Common Good Fund - Best Value Jun-11 November 2011
Risk Management Dec-11 February2012
Finance Housing Benefits Dec 11 March 2012
Pensions Payments May-11 September 2011
Treasury Aug-11
February 2012
Creditors ( payables ) Jul-11 November 2011
Payroll Apr-11 September 2011
Financial Ledger Aug-11 November 2011
Debt Management Dec 11
March 2012
Fraud Governance Jan 11
March 2012
Other finance: Follow up - - - - Ongoing
Core Assurance -
IT
Information Management - data centre Oct-11
February 2012
New hardware / Software Procurement Mar-12
June 2012
IT Control Environment Oct-11
February 2012
Implementation
of Business Plan
Overall Governance and Management of PBB Aug-11
November 2011
Corporate Programme Office Oct 11
February 2012
Implementation of Effective Project Management Sep-11
February 2012
Financial Planning, Budgeting and Monitoring Dec 11
March 2012
Appendix A – Progress against 2011/12 plan as atNovember 2011
Internal Audit Progress Report – November 2011 17
Audit Title Proposed
timing
Terms of
reference
agreed
Draft
Report
Issued
Management
Response
Received
Report
Finalised
Report to Audit
and Risk
Committee
Education, Sport and Culture
Sport Aberdeen Feb-12
June 2012
Human Resource Management Dec 11
March 2012
Establishing Arts and Heritage Trust Nov 11
February 2012
Children with Additional Support Needs Jun-11 November 2011
Enterprise Planning and Infrastructure
AECC/ Hotel Development - Project Management Oct 2011
February 2012
Commercial Estates Jun-11 November 2011
Car parking Apr-11 September 2011
Estates Management (Council Occupied Property) Mar 2012
June 2012
Roads Maintenance (including winter planning) Apr-11 September 2011
Housing and Environment
Regeneration - Strategy and Focus Nov 11
March 2012
Housing rents (implementation) Dec 11
March 2012
Property Maintenance and Repairs Jan-12
June 2012
Capital and Repairs Project Management Jan-12
June 2012
Business Continuity Planning Jun-11 November 2011
Trading Accounts May-11 September 2011
Social Care and Wellbeing
Staff Recruitment and Induction Procedures Jun-11 November 2011
Procurement/Contract Award Jun-11
November 2011
Management of sensitive information Feb-12
June 2012
Internal Audit Progress Report – November 2011 18
IndividualFinding rating
Assessment rationale
Critical A finding that could have a:
Critical impact on operational performance; or
Critical monetary or financial statement impact; or
Critical breach in laws and regulations that could result in material fines or consequences; or
Critical impact on the reputation or brand of the organisation which could threaten its future viability.
High A finding that could have a:
Significant impact on operational performance; or
Significant monetary or financial statement impact; or
Significant breach in laws and regulations resulting in significant fines and consequences; or
Significant impact on the reputation or brand of the organisation.
Medium A finding that could have a:
Moderate impact on operational performance; or
Moderate monetary or financial statement impact; or
Moderate breach in laws and regulations resulting in fines and consequences; or
Moderate impact on the reputation or brand of the organisation.
Low A finding that could have a:
Minor impact on the organisation’s operational performance; or
Minor monetary or financial statement impact; or
Minor breach in laws and regulations with limited consequences; or
Minor impact on the reputation of the organisation.
Advisory A finding that does not have a risk impact but has been raised to highlight areas of inefficiencies or good practice.
Appendix B – Basis of our classifications
Internal Audit Progress Report – November 2011 19
Limitations inherent to the internal auditor’s work
Our report is presented, subject to the limitations outlined below.
Internal control
Internal control, no matter how well designed and operated, can provide only reasonable and not absolute assurance regarding achievement of an organisation'sobjectives. The likelihood of achievement is affected by limitations inherent in all internal control systems. These include the possibility of poor judgment indecision-making, human error, control processes being deliberately circumvented by employees and others, management overriding controls and the occurrenceof unforeseeable circumstances.
Future periods
Our assessment of controls relating is as set out in the individual reports. Historic evaluation of effectiveness is not relevant to future periods due to the risk that:
the design of controls may become inadequate because of changes in operating environment, law, regulation or other; or the degree of compliance with policies and procedures may deteriorate.
Responsibilities of management and internal auditors
It is management’s responsibility to develop and maintain sound systems of risk management, internal control and governance and for the prevention anddetection of irregularities and fraud. Internal audit work should not be seen as a substitute for management’s responsibilities for the design and operation of thesesystems.
We endeavour to plan our work so that we have a reasonable expectation of detecting significant control weaknesses and, if detected, we shall carry out additionalwork directed towards identification of consequent fraud or other irregularities. However, internal audit procedures alone, even when carried out with dueprofessional care, do not guarantee that fraud will be detected. Accordingly, our examinations as internal auditors should not be relied upon solely to disclosefraud, defalcations or other irregularities which may exist.
Appendix C – Limitations and Responsibilities
© 2011 PricewaterhouseCoopers LLP. All rights reserved. “PricewaterhouseCoopers” refers to the
PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) or, as the context requires,
other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and
independent legal entity.
This report is protected under the copyright laws of the United Kingdom and other countries. It contains
information that is proprietary and confidential to PricewaterhouseCoopers LLP, and shall not be disclosed
outside the recipient's company or duplicated, used or disclosed in whole or in part by the recipient for any
purpose other than to evaluate this report. Any other use or disclosure in whole or in part of this information
without the express written permission of PricewaterhouseCoopers LLP is prohibited.
In the event that, pursuant to a request which the Council has received under the Freedom of Information
(Scotland) Act 2002 (as the same may be amended or re-enacted from time to time) or any subordinate legislation
made there under (the "Legislation"), the Council is required to disclose any information contained in this report,
it will notify PwC promptly and will consult with PwC prior to disclosing such information. The Council agrees to
pay due regard to any representations which PwC may make in connection with such disclosure and to apply any
relevant exemptions which may exist under the Legislation to such information. If, following consultation with
PwC, the Council discloses any such information, it shall ensure that any disclaimer which PwC has included or
may subsequently wish to include in the information is reproduced in full in any copies disclosed.