Interim Audit Report. Borough of Broxbourne Audit 2010/11

Transcription

1 Interim Audit Report Borough of Broxbourne Audit 2010/11

2 The Audit Commission is an independent watchdog, driving economy, efficiency and effectiveness in local public services to deliver better outcomes for everyone. Our work across local government, health, housing, community safety and fire and rescue services means that we have a unique perspective. We promote value for money for taxpayers, auditing the 200 billion spent by 11,000 local public bodies. As a force for improvement, we work in partnership to assess local public services and make practical recommendations for promoting a better quality of life for local people.

3 Contents Introduction...2 Background...2 Audit approach...3 Main conclusions...3 Detailed report...4 Review of Information Technology Control Environment...4 Financial systems audit...7 Appendix 1 Action Plan...8 Audit Commission Interim Audit Report 1

4 Introduction 1 The Audit Commission s Code of Audit Practice requires that we give an opinion on the Council's annual financial statements. We plan and perform our work following International Standards on Auditing (ISAs), and to meet this requirement, have undertaken a pre-statement audit at the Council. 2 We undertake our pre-statement audit work to comply with ISA315 - understanding the entity. This requires the auditor to obtain an understanding of the entity and its environment, including its internal controls, so we can identify and assess the risks of material misstatement of the financial statements whether due to fraud or error, and can design and perform further audit procedures. 3 This report summarises the findings from our pre-statement audit. Background 4 Our pre-statement audit included: identifying the risk of material error in the financial statements at the audited body level; This included an assessment of external and internal factors, business risks, financial performance, internal control and any other risks, based on existing knowledge, discussion with Council staff, and review of agendas and minutes and other key documentation; identifying the risks of material error in the financial statements at the systems level; We have sought to understand and document all the significant financial systems that produce material entries in the financial statements. This includes procedures to initiate, record, process and report the transactions during the year, and to maintain accountability for the related assets and liabilities; Revised auditing standards (ISAs) have an increased focus and emphasis on understanding Information Technology arrangements and we have therefore carried out a review to understand the Council's Information Technology controls and environment. determining a testing strategy; Our testing strategy is the way we seek to obtain sufficient assurance on the entries in the financial statements, enabling us to form our opinion. It can consist of reliance on controls, on substantive testing of figures in the financial statements, or a combination of both. We have to ensure that our testing is sufficient to mitigate the risks of material error identified in the previous steps. pre-statement testing; Where our understanding of the system identified that we could get assurance from controls, we tested these controls on a sample basis. Audit Commission Interim Audit Report 2

5 5 Under ISA 240 we also have to consider and identify throughout our work if there is any risk of material fraud. Fraud encompasses both misappropriation of assets and intentional misstatements within the financial statements. Audit approach 6 The systems we identified as being significant for the financial statements are: general ledger; accounts receivable; accounts payable; treasury management/investments; NNDR; council tax; housing benefits; cash receipting; payroll; and fixed assets. 7 Wherever possible, we placed reliance on the work already performed by internal audit on these systems to avoid duplication of work and added burden on your staff. 8 Our work involved documenting the system to identify key controls that act to prevent or detect material error in the financial statements, and a walk through test to ensure the system was operating as documented. 9 We tested the key controls to ensure they had been operating effectively throughout the financial year. We test key controls in specific systems on a three year cyclical basis. Main conclusions 10 A new standard (ISA 265) has been introduced that requires us to communicate any significant deficiencies in internal control to 'those charged with governance' at the Council. 11 In general, we have gained the planned assurance from our prestatements testing and have not identified any additional risks to our audit opinion above the ones set out in our Audit Opinion Plan (January 2011). 12 We have however identified a number of weaknesses and we have set these out below. In particular, our review of the control environment for information technology (IT) identified a significant number of weaknesses. 13 We were able to rely on the work carried out by internal audit on the main financial systems and they were also able to inform our work on the IT control environment. 14 We would like to express our gratitude for the assistance that we received from all staff during our audit. Audit Commission Interim Audit Report 3

6 Detailed report Review of Information Technology Control Environment 15 The Information Technology (IT) element of internal control is an important part of the general control environment. The IT control environment underpins the whole control environment for financial and information systems and therefore impacts on all the subsidiary information systems which create the entries in the financial statements. Weaknesses identified in the general IT control environment may undermine the effectiveness of controls within the applications or subsidiary information systems that operate in that environment. 16 The auditor is required by ISA 315 to understand the key elements of the IT control environment and to consider any risks of material misstatement arising from any weaknesses. 17 A significant number of weaknesses were identified from our review suggesting that the overall IT environment needs strengthening. We were able to identify sufficient mitigating controls or to rely on other procedures to enable us to conclude that the overall risk of material error occurring in the financial statements as a result of weaknesses in the IT control environment is low. 18 We have set out the results of our review in more detail below. IT entity level controls 19 The management, structure and operating responsibilities of the IT department can affect how robust general IT controls are. 20 Deficiencies in this area could impact the validity and accuracy of financial reporting and disclosure of an entity. Insufficient controls over processing accuracy may result in inaccurate financial results and weaknesses could result in loss of integrity of the organisation s systems and data. 21 The Council's IT strategy is out of date as it covers the period The IT department are currently in a period of transition, following the recent departure of the Head of IT, for example we found that there is no formal organisational structure chart in place for the department. 22 Internal audit have the skills and experience to perform their role and have performed specific IT systems work during the year. They have not however reviewed the IT function itself. Audit Commission Interim Audit Report 4

7 Recommendation R1 Update the IT strategy. R2 Utilise the skills of Internal Audit to perform an assessment on the IT function and IT entity level controls on a regular cyclical basis to gain assurance over the control environment supporting the Council's financial systems. Access security controls 23 Access controls are the mechanisms that specify what users on a system can and cannot do and that only those users with the proper need and authority can access the system and associated data. 24 Weaknesses in access controls can lead to: unauthorised access to systems to change, delete or misappropriate data contained within business systems; increased likelihood of fraud or malicious activity and increased risk of error in financial reporting; and compromise of system authorisation rules and segregation of duties. Internal audit testing identified weak access controls in the iworld Council tax system as staff leaving did not have their access rights deleted in a timely manner, if at all. This raises a risk of inappropriate access. Internal Audit also identified risks regarding weak password parameters on the iworld system, and that too many users have administrator rights. We understand that most of internal audit's recommendations in relation to these weaknesses have now been implemented. Recommendation R3 Ensure that all of the remaining recommendations made by Internal Audit in relation to the iworld system are implemented. Data centre and network controls 25 A data centre is a facility used for housing and protecting the equipment and data necessary to support business operations. Many of the general IT controls needed to support the functioning of application controls operate within the data centre environment. 26 The corporate network at the Council provides the first access point to the organisations systems, hardware and data related organisational assets. Weaknesses in data centre and network controls can lead to; Insufficient controls over processing accuracy which may result in inaccurate financial results; and Loss of integrity, confidentiality and availability of the organisation s IT systems and data. Audit Commission Interim Audit Report 5

8 27 The Service Level Agreement (SLA) with CINTRA for the outsourcing of the Payroll system does not cover IT controls. The council needs assurance that there are controls operating in outsourced systems to ensure services are secure, accurate, available and support processing integrity. IT risks of outsourcing a key financial system should be identified and the mitigating controls and sources of assurance on those controls included in the SLA. 28 During our audit visit, the door to the data centre was found to be unlocked and the room unoccupied. In addition, there is no log of visitors to the data room. There is no electronic or video monitoring of the room. This obviously poses a risk to the physical security of the data centre. 29 Business continuity testing of the system has not been undertaken. However, there were nine instances of successful back-up recoveries having been performed during the last calendar year. 30 The deployment of the antivirus software to the Council's computers is controlled by an inventory list which IT acknowledges is out-of-date. As many as 155 of the machines on the list may no longer be in use and therefore IT are unable to confirm that all active computers are included on the listing and have received the latest anti virus updates and are therefore appropriately protected. Recommendation R4 Carry out an IT risk assessment for outsourced systems and ensure adequate assurance arrangements are in place to address any identified risks. R5 Ensure physical security of the data centre is maintained and consider making use of a visitor's log. R6 Ensure the inventory list of the computers in use is kept updated. The status of machines listed as 'unmanaged' should be investigated. Program change controls, new systems acquisition and development 31 The risk of introducing errors to financial systems and data is reduced by ensuring that changes to application and operating systems are appropriately authorised, tested, documented and implemented. 32 These controls are applicable when new systems are implemented and when existing systems are changed (eg the implementation of new releases of packaged software). 33 Weaknesses in these controls increase the risk of: poor understanding of the impact of program changes which could result in system errors due to inadequate testing; program errors not being detected before live use, resulting in for example security weaknesses, operational problems; increased risk of data errors; implementation of developments that may not be fit for purpose; and Audit Commission Interim Audit Report 6

9 unreliable financial systems leading to excessive down-time. We found there is no change control policy in place, and logs of changes are not kept. Whilst there have been no new systems implemented in 2010/11, change controls should be applied to updates to the existing systems Recommendation R7 Draw up and maintain a change control policy and keep detailed logs of all updates and changes made to the Council's systems. End user computing (EUC) 34 End user computing is the term applied to small scale office-system developments by user departments, e.g. spreadsheets developed by the finance department as part of the financial reporting process. An assessment of the general controls applied to end user computing is required to gain assurance that there will be no adverse impact on the financial statements. 35 The IT department do not have input in to the use of End-User Computing tools at the council. Whilst network & backup controls exist for these, there are no password controls, change controls, or risk assessments conducted on these. EUC covers a number of spreadsheets that are used to produce the accounts from the Trial Balance and the figures in the ledger. 36 The spreadsheets used to produce the accounts are sufficiently tested by our substantive audit procedures and therefore the audit opinion risk is relatively low. Financial systems audit Payroll system 37 We placed reliance on Internal Audit's testing of the key controls in the payroll system. Internal Audit's report raised a number of control issues and several recommendations were made which, if implemented, would improve the effectiveness of the controls and the efficiency of the payroll function. We agree with their findings and recommendations. Recommendation R8 Ensure the recommendations in Internal Audit's Payroll Report are implemented. Audit Commission Interim Audit Report 7

10 Appendix 1 Action Plan Recommendations Recommendation 1 Update the IT strategy. Acting head of computer services Priority 2 Date December 2011 The existing ICT strategy is for and is due for update. However in view of the management changes that took place in late 2010, this was not considered to be high priority; the strategy will be updated during Recommendation 2 Utilise the skills of Internal Audit to perform an assessment on the IT function and IT entity level controls on a regular cyclical basis to gain assurance over the control environment supporting the Council's financial systems. Internal audit manager Priority 2 Date By March 2012 The IT function and IT entity level controls are included in the IT audit plan for 2011/12. Recommendation 3 Ensure that all of the remaining recommendations made by Internal Audit in relation to the iworld system are implemented. Head of Revenues & Exchequer / System Controller Priority 1 Date n/a Complete Audit Commission Interim Audit Report 8

11 Recommendation 4 Carry out an IT risk assessment for outsourced systems and ensure adequate assurance arrangements are in place to address any identified risks. Acting Head of Computer Services Priority 2 Date September 2011 Agreed. An IT risk assessment will be carried out. Recommendation 5 Ensure physical security of the data centre is maintained and consider making use of a visitor's log. Acting Head of Computer Services Priority 1 Date n/a Complete. All IT staff have been reminded that the data centre should remain locked at all times when unoccupied. The Council investigated the cost of implementing an electronic locking system that identifies and logs access using individual pin codes or similar, but has concluded that this is not worthwhile. The small size of the Council's data centre and regularity of access by only a small number of people makes a paper based visitor log of little use, while slowing down our response to issues. Recommendation 6 Ensure the inventory list of the computers in use is kept updated. The status of machines listed as "unmanaged" should be investigated. Acting Head of Computer Services Priority 1 Date September 2011 This issue was being addressed, but had not been given a high priority. The priority has now been raised to ensure the recommendation is implemented. Recommendation 7 Draw up and maintain a change control policy and keep detailed logs of all updates and changes made to the Council's systems. Acting Head of Computer Services Priority 1 Date n/a Complete. The ICT section have implemented the change control part of the ICT Helpdesk system. Audit Commission Interim Audit Report 9

12 Recommendation 8 Ensure the recommendations in Internal Audit's Payroll Report are implemented. Priority Date As set out in the internal audit report (primarily Head of Personnel & Payroll) As defined in internal audit report As agreed in internal audit report A follow up audit will be undertaken during 2011/12. Recommendations that remain outstanding past the agreed implementation dates will be reported to the Borough Management Team and the Audit Committee. Audit Commission Interim Audit Report 10

13 If you require a copy of this document in an alternative format or in a language other than English, please call: Audit Commission Design and production by the Audit Commission Publishing Team. Image copyright Audit Commission. The Statement of Responsibilities of Auditors and Audited Bodies issued by the Audit Commission explains the respective responsibilities of auditors and of the audited body. Reports prepared by appointed auditors are addressed to non-executive directors, members or officers. They are prepared for the sole use of the audited body. Auditors accept no responsibility to: any director/member or officer in their individual capacity; or any third party. Audit Commission 1st Floor Millbank Tower Millbank London SW1P 4HQ Telephone: Fax: Textphone (minicom): June 2011