Coleg Gwent Internal Audit Report 2012/13 Assets and Inventory. Assurance Rating:

Transcription

1 Coleg Gwent Internal Audit Report 2012/13 Assets and Inventory Assurance Rating:

2 Distribution List: Draft Report: Principal Vice Principal, (Finance, Estates and Information Services) Clerk to the Corporation Responsible Officer(s) Final report: Audit Committee Principal Vice Principal, (Finance, Estates and Information Services) Clerk to the Corporation Responsible Officer(s) Date of fieldwork: April 2013 Date of draft report: May 2013 Date of final report: June 2013 This report and the work connected therewith are subject to the Terms and Conditions of the contract dated 1 October 2012 between Coleg Gwent and Deloitte LLP. This document is confidential and prepared solely for your information. Therefore you should not, without our prior written consent, refer to or use our name or this document for any other purpose, disclose them or refer to them in any prospectus or other document, or make them available or communicate them to any other party. No other party is entitled to rely on our document for any purpose whatsoever and thus we accept no liability to any other party who is shown or gains access to this document. This report has been prepared on the basis of the limitations set out at Appendix D Deloitte LLP

3 Contents Page 1. EXECUTIVE SUMMARY Background Audit Objectives and Scope Key Findings Conclusion Restriction of Use Acknowledgement OBSERVATIONS AND RECOMMENDATIONS Acquisition of Assets: Asset Tags Medium Priority Disposals: Timely Removal of IT Assets Medium Priority IT Asset Register: Completeness of the Database Medium Priority Inventory: Completion of Inventory Records Medium Priority Reconciliations: Reconciliation to the General Ledger Low Priority... 8 APPENDIX A REPORTING DEFINITIONS... 9 APPENDIX B STAFF INTERVIEWED APPENDIX C TERMS OF REFERENCE APPENDIX D STATEMENT OF RESPONSIBILITY Deloitte LLP

4 1. Executive Summary 1.1 Background The internal audit assessed the adequacy and effectiveness of Coleg Gwent s (the College s) internal controls in operation regarding Assets and Inventory. The internal audit work was carried out by discussion with appropriate staff, reading of documents and testing, as necessary, to confirm the effectiveness of the controls in place. 1.2 Audit Objectives and Scope The internal audit assessed the adequacy and effectiveness of internal controls in operation. Weaknesses were brought to the attention of management and advice issued on how particular problems may be resolved and control improved to minimise future occurrence. The internal audit sought to provide reasonable assurance over the following areas: Clearly defined fixed assets and inventory policies and procedures including additions, disposals, impairments, transfers and maintenance of fixed assets have been established and communicated to all relevant members of staff; There is evidence that the College s policies and procedures in relation to inventory are followed; Fixed assets acquired are recorded accurately in the asset register in accordance with the fixed asset policy; The asset register includes enough information for each asset to be physically verified; Fixed asset disposals and transfers are identified and the asset register amended accordingly; The asset register accurately records depreciation charges; The asset register is reconciled to the general ledger on a regular basis; There are controls in place to secure the asset register against unauthorised access and data loss; The asset register is capable of recording asset segments; A fixed asset verification exercise is undertaken periodically; and Senior officers are responsible for ensuring appropriate maintenance and monitoring the effectiveness, cost efficiency and operational use of assets. As part of the internal audit we selected a sample of assets on the fixed asset register to confirm existence. We also selected a sample of assets and confirmed that they were included on the fixed asset register. 1.3 Key Findings The College s Financial Control Procedures set out the procedures in relation to assets and inventory. The Financial Control Procedures are communicated to staff via the College s intranet. At the time of the internal audit, we confirmed that they were in the process of being reviewed and updated by management. The Campus Resource Managers are responsible for overseeing the inventory at their campus. An inventory listing should be maintained for each applicable room on campus, with a designated technician allocated responsibility for verification on an annual basis. An inventory listing should be held in each room, with any additions/disposals/transfer being recorded and communicated to the Campus Resource Manager by the Technician. As part of the College s budget setting process, a capital budget is prepared by the Vice Principal (Finance, Estates & Information Services). The Principal then presents the budget to the Resources Committee for recommendation to the Corporation. Any capital expenditure proposal exceeding 5,000 must be supported by a Capital Expenditure Proposal Summary (CEP). For all capital expenditure proposals exceeding 100,000 the CEP must be supported by a business case. All capital expenditure proposals are issued by the Operations Accounting Assistant to the Director (Estates & Facilities), the Head of IT and the Campus Directors and are sequentially numbered and recorded in the CEP Register. Each CEP requires approval and asset acquisitions are allocated against the corresponding nominal code on the finance system Deloitte LLP 1

5 IT assets are purchased through the College s preferred supplier, Stone PC s (appointed for a three year term following a competitive tender process). Stone PC s holds a roll of asset tags and any new equipment purchased arrives at the College already tagged. For assets that are connected to the College s network, they are automatically detected and added to the IT asset database. Portable assets that are not connected to the network are added to the IT asset database manually by a member of IT staff. This is completed on an ongoing basis, although the majority of items are purchased as part of the College s rolling IT upgrade programme. Assets are recorded in the fixed asset register(far) with the following information: Asset ID; Item Description; Acquisition year/period; Category ID; Original Cost; Depreciation; Book Value; and Location. Testing confirmed that the FAR includes enough information for each asset to be physically verified. Disposals are completed at year end by the Director of Finance. Since August 2012 there has only been one disposal sent through to Finance. As it was fully depreciated, it has been taken off the FAR and archived in the fixed assets database. The Finance Manager and Procurement Manager are notified by the Campus Resource Manager of all assets to be disposed of, other than land and buildings, using the Disposal of Assets Form to enable the FAR to be maintained accurately. Disposal of Asset Forms must be authorised by the Campus Director and the Director of Finance and are then sent to the Procurement Department to determine whether they can be sold. Disposal of land and buildings with a capital cost in excess of 100,000 may only take place with the authorisation of the Corporation. Disposal of land and buildings with a capital cost of between 10,000 and 100,000 require the approval of the Resources Committee. Welsh Government consent may also be required if exchequer funds were involved in the acquisition of the asset. For IT transfers, the asset transfer form is completed, and replicated on the IT asset database. The item is moved and the form is sent to the Finance Department, where the FAR is updated. For IT disposals, the IT supplier, Stone PC s have to dispose of the equipment in an environmentally friendly way. Items requiring disposal (usually as part of the rolling IT upgrade plan) are moved to a secure storage location on campus until Stone PC s can remove them. In the fixed asset database, items are placed in a disposed of container. Stone PC s collect the items and send the College an itemised list of the items received. The IT Manager checks this list and removes the items from the database. The asset disposal form is then completed and sent to the Finance Department, and the FAR is updated. The FAR is held with the finance system, QLX, which is subject to the College s IT security controls. It was confirmed that QLX has defined user groups and officers with access to the FAR were deemed appropriate. A reconciliation is undertaken between the FAR and the general ledger on a monthly basis. The FAR is able to record depreciation charges and asset segments. A fixed asset verification exercise is due to be undertaken in May 2013 by the Operations Accounting Assistant. Assets from the FAR will be selected at random and physically verified. The College has a rolling programme of IT asset upgrades. We have identified four medium priority issues in relation to assets and inventory which we consider require management s attention and provide scope for improvements to be made. These concerned: Asset Tags - When assets are acquired, they are assigned a unique tag which contains an identifying number. This is then recorded against the asset in the FAR and then physically attached to the asset. Testing identified that for four out of 10 assets examined, there was no visible asset tag in place. We recommend that asset tags are re-issued where they are identified as missing on the assets. Asset tags should be placed in a visible location Deloitte LLP 2

6 Timely Removal of IT Assets - The College has a preferred supplier for IT equipment (Stone PC s). They periodically remove disposed assets from the College campuses. Once they have collected the assets, they send confirmation to the IT team, who verify the list and update the IT asset database to reflect that they have been removed from site. It was confirmed via discussions with the IT Helpdesk Supervisor that the list of disposed items received from the College s preferred supplier (Stone PC s) in April 2012 has yet to be verified and reflected on the IT asset database. It is recommended that management ensure the timely verification of the IT assets disposals list received from Stone PC s. In addition, items disposed of should be removed from the FAR in a timely manner. Completeness of IT Asset Database In September 2010, the College upgraded to version 8 of the IT asset database software, Audit Wizard. Following the upgrade, it was identified that the College were unable to migrate the data across from version 7 of the software. As such, all IT assets in the database needed to be manually transferred, requiring significant resources. From our testing of a sample of 10 assets to ensure that they had been transferred, it was identified that in one case, the asset was only recorded on the older version of database (version 7). It is recommended that an exercise is undertaken to provide assurance that all IT assets recorded on the old IT asset database have been transferred across to the new database. Completion of Inventory Records - From a sample of four inventory listings, it was identified that for the City of Newport Campus, the inventory was last reviewed in June For the Crosskeys Campus, there was no inventory listing in place; rather the Resource Manager maintains her own list of assets rather than inventory. It is recommended that checks are completed on the existence of inventory listings across campuses. Individuals responsible for maintaining the inventory should also be reminded of the process. In addition, we have raised one low priority recommendation which nevertheless needs to be addressed. 1.4 Conclusion Based on the work undertaken as detailed in the Audit Objective and Scope section, our overall assessment is that the classification of assurance that can be taken in respect of Assets and Inventory is Substantial Assurance. Management should be aware that our internal audit work was performed according to UK Government Internal Audit Standards (GIAS) which are different from audits performed in accordance with International Standards on Auditing (UK and Ireland) issued by the Auditing Practices Board. Similarly, the assurance classifications provided in our internal audit report are not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board. Our internal audit testing was performed on a judgemental sample basis and focussed on the key controls and mitigating risks. Internal audit testing is designed to assess the adequacy and effectiveness of key controls in operation at the time of an audit. Definitions of the assurance classifications and recommendation classifications used in this internal audit report are provided in Appendix A. 1.5 Restriction of Use We wish to draw to your attention that this report may only be used in accordance with our contract and may not be made available to third parties, except as may be required by law. 1.6 Acknowledgement We would like to thank the staff who participated in this internal audit for their assistance and co-operation Deloitte LLP 3

7 2. Observations and Recommendations 2.1 Acquisition of Assets: Asset Tags Medium Priority Recommendation Rationale Priority We recommend that asset tags are re-issued where they are identified as missing on the assets. Asset tags should be placed in a visible location. When assets are acquired, they are assigned a unique tag which contains an identifying number. This is then recorded against the asset in the FAR and then physically attached to the asset. Testing identified that for four out of 10 assets examined, there was no visible asset tag in place. There is an increased risk that assets may be misappropriated if they are not uniquely identifiable. Management Response Agreed. Would consider this to be low risk though as tagging an asset doesn t significantly lower the risk of it being misappropriated. Responsibility/ Deadline DoF/Operations Accounting Assistant - Immediate 2013 Deloitte LLP 4

8 2.2 Disposals: Timely Removal of IT Assets Medium Priority Recommendation Rationale Priority It is recommended that management ensure the timely verification of the IT assets disposals list received from Stone PC s. In addition, items disposed of should be removed from the FAR in a timely manner. The College has a preferred supplier for IT equipment (Stone PC s). They periodically remove disposed assets from the College s campuses. Once they have collected the assets, they send confirmation to the IT Team, who verify the list and update the IT asset database to reflect that they have been removed from site. It was confirmed via discussions with the IT Helpdesk Supervisor that the list of disposed items received from the College s preferred supplier (Stone PC s) in April 2012 has yet to be verified and reflected on the IT asset database. There is a risk that where the FAR is not updated in a timely manner, records are not maintained in an accurate and complete manner. Management Response Agreed The Helpdesk Supervisor will contact the college PCs supplier (Stone PC s) and request that the list of disposed equipment is sent to the Finance Department and a copy sent to the IT department enabling the FAR to be updated in a timely manner. Responsibility/ Deadline Helpdesk Supervisor - immediate 2013 Deloitte LLP 5

9 2.3 IT Asset Register: Completeness of the Database Medium Priority Recommendation Rationale Priority It is recommended that an exercise is undertaken to provide assurance that all IT assets recorded on the old IT asset database have been transferred across to the new database. In September 2010, the College upgraded to version 8 of the IT asset database software, Audit Wizard. Following the upgrade, it was identified that the College were unable to migrate the data across from version 7 of the software. As such, all IT assets in the database needed to be manually transferred, requiring significant resources. From our testing of a sample of 10 assets to ensure that they had been transferred, it was identified that in one case, the asset was only recorded on the older version of database (version 7). There is a risk that the IT asset database may be incomplete and not up to date. Management Response Agreed The IT Department will ensure that all IT assets are transferred to the new version. This has already been identified by the Helpdesk Supervisor and the Campus IT technicians have been tasked with making sure all IT assets are on the new version. Responsibility/ Deadline Helpdesk Supervisor/It Technicians July Deloitte LLP 6

10 2.4 Inventory: Completion of Inventory Records Medium Priority Recommendation Rationale Priority It is recommended that checks are completed on the existence of inventory listings across campuses. Individuals responsible for maintaining the inventory should also be reminded of the process. From a sample of four inventory listings (which cover low value items not held on the FAR such as tables, chairs and white boards), it was identified that for the City of Newport Campus, the inventory was last reviewed in June For the Crosskeys Campus, there was no inventory in place; rather the Resource Manager maintains her own list of assets rather than inventory. There is a risk that where inventory listings are not maintained and reviewed on a regular basis that items are misappropriated, causing financial loss to the College and possible difficulties with day to day operations. Management Response The Fixed Assets and Inventories Financial Control Procedures are currently under review. Once approved, the new Financial Control Procedures will address this issue. Responsibility/ Deadline DoF/VP(F,E&IS) July Deloitte LLP 7

11 2.5 Reconciliations: Reconciliation to the General Ledger Low Priority Recommendation Rationale Priority It is recommended that the reconciliations between the FAR and the general ledger are signed and dated by the completing officer and are subject to independent review by a second officer. The Operations Accountant Assistant completes a reconciliation between the general ledger and the FAR on a monthly basis. Examination of the reconciliations to the general ledger identified that they are not signed and dated by the completing officer or reviewed by a second independent officer. We were therefore unable to determine whether they had been completed in a timely manner. There is a risk that reconciliations are not completed in a timely manner, subjected to an independent review and that variances are not identified and rectified. Management Response Agreed. This procedure will be incorporated into the month end review procedures, where all balance sheets reconciliations are signed by the preparer and counter-signed by the reviewer. Responsibility/ Deadline Finance Manager/ Operations Accounting Assistant - Immediate 2013 Deloitte LLP 8

12 Appendix A Reporting Definitions Audit Assurance We have four categories by which we classify internal audit assurance over the systems we examine: Full, Substantial, Limited or None which are defined as follows: Assurance Level Evaluation and Testing Conclusion The controls tested are being consistently applied. There is a sound system of internal control designed to achieve the system objectives. There is evidence that the level of non-compliance with some of the controls may put some of the system objectives at risk. While there is a basically sound system of internal control, there are weaknesses, which put some of the system objectives at risk. The level of non-compliance puts the system objectives at risk. Weaknesses in the system of internal controls are such as to put the system objectives at risk. Significant non-compliance with basic controls leaves the system open to error or abuse. Control is generally weak leaving the system open to significant error or abuse. The assurance gradings provided here are not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board and as such the grading of Full Assurance does not imply that there are no risks to the stated control objectives. Grading of Recommendations In order to assist management in using our reports, we categorise our recommendations according to their level of priority as follows: Priority Level Definition Recommendations which are fundamental to the system and upon which the organisation should take immediate action; Recommendations which, although not fundamental to the system, provide scope for improvements to be made; and Recommendations concerning issues which are considered to be of a minor nature, but which nevertheless need to be addressed Deloitte LLP 9

13 Appendix B Staff Interviewed Mark Williams Mike Showler Theresa Thompson Paul Philips Brian Farr Will Silcox Mark Chicken Rosie Williams Director of Finance Finance Manager Operations Accounting Assistant Campus Resource Manager Consultant Systems Administrator IT support/helpdesk Supervisor Secretary to the Directorate 2013 Deloitte LLP 10

14 Appendix C Terms of Reference Internal Audit: Assets and Inventory Commencement: 17 April 2013 Budget: 4 days Auditor: Alison Heather Key contacts: Mark Williams - Director of Finance Agreed with: Mark Williams - Director of Finance Report distribution: Draft Report: Principal Vice Principal, (Finance, Estates and Information Services) Clerk to the Corporation Responsible Officer(s) Final report: Audit Committee Principal Vice Principal, (Finance, Estates and Information Services) Clerk to the Corporation Responsible Officer(s) Introduction This internal audit forms part of the delivery of the approved internal audit plan for 2012/13. Objectives The internal audit will assess the adequacy and effectiveness of internal controls in operation. Weaknesses and unnecessary controls will then be brought to the attention of management and advice issued on how particular problems may be resolved and controlled. The internal audit will seek to provide reasonable assurance over the following areas: Clearly defined fixed assets and inventory policies and procedures including additions, disposals, impairments, transfers and maintenance of fixed assets have been established and communicated to all relevant members of staff; There is evidence that the College s policies and procedures in relation to inventory are followed; Fixed assets acquired are recorded accurately in the asset register in accordance with the fixed asset policy; The asset register includes enough information for each asset to be physically verified; Fixed asset disposals and transfers are identified and the asset register amended accordingly; The asset register accurately records depreciation charges; The asset register is reconciled to the general ledger on a regular basis; There are controls in place to secure the asset register against unauthorised access and data loss; The asset register is capable of recording asset segments; A fixed asset verification exercise is undertaken periodically; and Senior officers are responsible for ensuring appropriate maintenance and monitoring the effectiveness, cost efficiency and operational use of assets. As part of the internal audit we will select a sample of assets on the fixed asset register to confirm existence. We will also select a sample of assets and confirm that they are included on the fixed asset register Deloitte LLP 11

15 Methodology The internal audit work will be carried out by discussion with appropriate staff, reading of documents and testing, as necessary, to confirm the effectiveness of the controls in place. The internal audit shall be carried out with due awareness of the risks of fraud and corruption in the processes under examination however it cannot be relied on to identify all fraud and corruption risks. When the internal audit work has been completed, the findings and any recommendations made will be discussed at a pre-arranged exit meeting. Reporting A draft report will be issued within 15 working days from the exit meeting to which the auditee will be asked to formally respond. A final report will be issued when all responses have been received and any outstanding issues addressed Deloitte LLP 12

16 Appendix D Statement of Responsibility We take responsibility for this report which is prepared on the basis of the limitations set out below. The matters raised in this report are only those which came to our attention during the course of our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist or all improvements that might be made. Recommendations for improvements should be assessed by you for their full impact before they are implemented. The performance of internal audit work is not and should not be taken as a substitute for management s responsibilities for the application of sound management practices. We emphasise that the responsibility for a sound system of internal controls and the prevention and detection of fraud and other irregularities rests with management and work performed by internal audit should not be relied upon to identify all strengths and weaknesses in internal controls, nor relied upon to identify all circumstances of fraud or irregularity. Auditors, in conducting their work, are required to have regards to the possibility of fraud or irregularities. Even sound systems of internal control can only provide reasonable and not absolute assurance and may not be proof against collusive fraud. Internal audit procedures are designed to focus on areas as identified by management as being of greatest risk and significance and as such we rely on management to provide us full access to their accounting records and transactions for the purposes of our audit work and to ensure the authenticity of these documents. Effective and timely implementation of our recommendations by management is important for the maintenance of a reliable internal control system. Deloitte LLP Cardiff June 2013 In this document references to Deloitte are references to Deloitte LLP. Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Deloitte LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu Limited ( DTTL ), a UK private company limited by guarantee, whose member firms are legally separate and independent entities. Please see for a detailed description of the legal structure of DTTL and its member firms. Member of Deloitte Touche Tohmatsu Limited Deloitte LLP 13