Interim Audit Report. Borough of Broxbourne Audit 2010/11

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Interim Audit Report. Borough of Broxbourne Audit 2010/11"

Transcription

1 Interim Audit Report Borough of Broxbourne Audit 2010/11

2 The Audit Commission is an independent watchdog, driving economy, efficiency and effectiveness in local public services to deliver better outcomes for everyone. Our work across local government, health, housing, community safety and fire and rescue services means that we have a unique perspective. We promote value for money for taxpayers, auditing the 200 billion spent by 11,000 local public bodies. As a force for improvement, we work in partnership to assess local public services and make practical recommendations for promoting a better quality of life for local people.

3 Contents Introduction...2 Background...2 Audit approach...3 Main conclusions...3 Detailed report...4 Review of Information Technology Control Environment...4 Financial systems audit...7 Appendix 1 Action Plan...8 Audit Commission Interim Audit Report 1

4 Introduction 1 The Audit Commission s Code of Audit Practice requires that we give an opinion on the Council's annual financial statements. We plan and perform our work following International Standards on Auditing (ISAs), and to meet this requirement, have undertaken a pre-statement audit at the Council. 2 We undertake our pre-statement audit work to comply with ISA315 - understanding the entity. This requires the auditor to obtain an understanding of the entity and its environment, including its internal controls, so we can identify and assess the risks of material misstatement of the financial statements whether due to fraud or error, and can design and perform further audit procedures. 3 This report summarises the findings from our pre-statement audit. Background 4 Our pre-statement audit included: identifying the risk of material error in the financial statements at the audited body level; This included an assessment of external and internal factors, business risks, financial performance, internal control and any other risks, based on existing knowledge, discussion with Council staff, and review of agendas and minutes and other key documentation; identifying the risks of material error in the financial statements at the systems level; We have sought to understand and document all the significant financial systems that produce material entries in the financial statements. This includes procedures to initiate, record, process and report the transactions during the year, and to maintain accountability for the related assets and liabilities; Revised auditing standards (ISAs) have an increased focus and emphasis on understanding Information Technology arrangements and we have therefore carried out a review to understand the Council's Information Technology controls and environment. determining a testing strategy; Our testing strategy is the way we seek to obtain sufficient assurance on the entries in the financial statements, enabling us to form our opinion. It can consist of reliance on controls, on substantive testing of figures in the financial statements, or a combination of both. We have to ensure that our testing is sufficient to mitigate the risks of material error identified in the previous steps. pre-statement testing; Where our understanding of the system identified that we could get assurance from controls, we tested these controls on a sample basis. Audit Commission Interim Audit Report 2

5 5 Under ISA 240 we also have to consider and identify throughout our work if there is any risk of material fraud. Fraud encompasses both misappropriation of assets and intentional misstatements within the financial statements. Audit approach 6 The systems we identified as being significant for the financial statements are: general ledger; accounts receivable; accounts payable; treasury management/investments; NNDR; council tax; housing benefits; cash receipting; payroll; and fixed assets. 7 Wherever possible, we placed reliance on the work already performed by internal audit on these systems to avoid duplication of work and added burden on your staff. 8 Our work involved documenting the system to identify key controls that act to prevent or detect material error in the financial statements, and a walk through test to ensure the system was operating as documented. 9 We tested the key controls to ensure they had been operating effectively throughout the financial year. We test key controls in specific systems on a three year cyclical basis. Main conclusions 10 A new standard (ISA 265) has been introduced that requires us to communicate any significant deficiencies in internal control to 'those charged with governance' at the Council. 11 In general, we have gained the planned assurance from our prestatements testing and have not identified any additional risks to our audit opinion above the ones set out in our Audit Opinion Plan (January 2011). 12 We have however identified a number of weaknesses and we have set these out below. In particular, our review of the control environment for information technology (IT) identified a significant number of weaknesses. 13 We were able to rely on the work carried out by internal audit on the main financial systems and they were also able to inform our work on the IT control environment. 14 We would like to express our gratitude for the assistance that we received from all staff during our audit. Audit Commission Interim Audit Report 3

6 Detailed report Review of Information Technology Control Environment 15 The Information Technology (IT) element of internal control is an important part of the general control environment. The IT control environment underpins the whole control environment for financial and information systems and therefore impacts on all the subsidiary information systems which create the entries in the financial statements. Weaknesses identified in the general IT control environment may undermine the effectiveness of controls within the applications or subsidiary information systems that operate in that environment. 16 The auditor is required by ISA 315 to understand the key elements of the IT control environment and to consider any risks of material misstatement arising from any weaknesses. 17 A significant number of weaknesses were identified from our review suggesting that the overall IT environment needs strengthening. We were able to identify sufficient mitigating controls or to rely on other procedures to enable us to conclude that the overall risk of material error occurring in the financial statements as a result of weaknesses in the IT control environment is low. 18 We have set out the results of our review in more detail below. IT entity level controls 19 The management, structure and operating responsibilities of the IT department can affect how robust general IT controls are. 20 Deficiencies in this area could impact the validity and accuracy of financial reporting and disclosure of an entity. Insufficient controls over processing accuracy may result in inaccurate financial results and weaknesses could result in loss of integrity of the organisation s systems and data. 21 The Council's IT strategy is out of date as it covers the period The IT department are currently in a period of transition, following the recent departure of the Head of IT, for example we found that there is no formal organisational structure chart in place for the department. 22 Internal audit have the skills and experience to perform their role and have performed specific IT systems work during the year. They have not however reviewed the IT function itself. Audit Commission Interim Audit Report 4

7 Recommendation R1 Update the IT strategy. R2 Utilise the skills of Internal Audit to perform an assessment on the IT function and IT entity level controls on a regular cyclical basis to gain assurance over the control environment supporting the Council's financial systems. Access security controls 23 Access controls are the mechanisms that specify what users on a system can and cannot do and that only those users with the proper need and authority can access the system and associated data. 24 Weaknesses in access controls can lead to: unauthorised access to systems to change, delete or misappropriate data contained within business systems; increased likelihood of fraud or malicious activity and increased risk of error in financial reporting; and compromise of system authorisation rules and segregation of duties. Internal audit testing identified weak access controls in the iworld Council tax system as staff leaving did not have their access rights deleted in a timely manner, if at all. This raises a risk of inappropriate access. Internal Audit also identified risks regarding weak password parameters on the iworld system, and that too many users have administrator rights. We understand that most of internal audit's recommendations in relation to these weaknesses have now been implemented. Recommendation R3 Ensure that all of the remaining recommendations made by Internal Audit in relation to the iworld system are implemented. Data centre and network controls 25 A data centre is a facility used for housing and protecting the equipment and data necessary to support business operations. Many of the general IT controls needed to support the functioning of application controls operate within the data centre environment. 26 The corporate network at the Council provides the first access point to the organisations systems, hardware and data related organisational assets. Weaknesses in data centre and network controls can lead to; Insufficient controls over processing accuracy which may result in inaccurate financial results; and Loss of integrity, confidentiality and availability of the organisation s IT systems and data. Audit Commission Interim Audit Report 5

8 27 The Service Level Agreement (SLA) with CINTRA for the outsourcing of the Payroll system does not cover IT controls. The council needs assurance that there are controls operating in outsourced systems to ensure services are secure, accurate, available and support processing integrity. IT risks of outsourcing a key financial system should be identified and the mitigating controls and sources of assurance on those controls included in the SLA. 28 During our audit visit, the door to the data centre was found to be unlocked and the room unoccupied. In addition, there is no log of visitors to the data room. There is no electronic or video monitoring of the room. This obviously poses a risk to the physical security of the data centre. 29 Business continuity testing of the system has not been undertaken. However, there were nine instances of successful back-up recoveries having been performed during the last calendar year. 30 The deployment of the antivirus software to the Council's computers is controlled by an inventory list which IT acknowledges is out-of-date. As many as 155 of the machines on the list may no longer be in use and therefore IT are unable to confirm that all active computers are included on the listing and have received the latest anti virus updates and are therefore appropriately protected. Recommendation R4 Carry out an IT risk assessment for outsourced systems and ensure adequate assurance arrangements are in place to address any identified risks. R5 Ensure physical security of the data centre is maintained and consider making use of a visitor's log. R6 Ensure the inventory list of the computers in use is kept updated. The status of machines listed as 'unmanaged' should be investigated. Program change controls, new systems acquisition and development 31 The risk of introducing errors to financial systems and data is reduced by ensuring that changes to application and operating systems are appropriately authorised, tested, documented and implemented. 32 These controls are applicable when new systems are implemented and when existing systems are changed (eg the implementation of new releases of packaged software). 33 Weaknesses in these controls increase the risk of: poor understanding of the impact of program changes which could result in system errors due to inadequate testing; program errors not being detected before live use, resulting in for example security weaknesses, operational problems; increased risk of data errors; implementation of developments that may not be fit for purpose; and Audit Commission Interim Audit Report 6

9 unreliable financial systems leading to excessive down-time. We found there is no change control policy in place, and logs of changes are not kept. Whilst there have been no new systems implemented in 2010/11, change controls should be applied to updates to the existing systems Recommendation R7 Draw up and maintain a change control policy and keep detailed logs of all updates and changes made to the Council's systems. End user computing (EUC) 34 End user computing is the term applied to small scale office-system developments by user departments, e.g. spreadsheets developed by the finance department as part of the financial reporting process. An assessment of the general controls applied to end user computing is required to gain assurance that there will be no adverse impact on the financial statements. 35 The IT department do not have input in to the use of End-User Computing tools at the council. Whilst network & backup controls exist for these, there are no password controls, change controls, or risk assessments conducted on these. EUC covers a number of spreadsheets that are used to produce the accounts from the Trial Balance and the figures in the ledger. 36 The spreadsheets used to produce the accounts are sufficiently tested by our substantive audit procedures and therefore the audit opinion risk is relatively low. Financial systems audit Payroll system 37 We placed reliance on Internal Audit's testing of the key controls in the payroll system. Internal Audit's report raised a number of control issues and several recommendations were made which, if implemented, would improve the effectiveness of the controls and the efficiency of the payroll function. We agree with their findings and recommendations. Recommendation R8 Ensure the recommendations in Internal Audit's Payroll Report are implemented. Audit Commission Interim Audit Report 7

10 Appendix 1 Action Plan Recommendations Recommendation 1 Update the IT strategy. Acting head of computer services Priority 2 Date December 2011 The existing ICT strategy is for and is due for update. However in view of the management changes that took place in late 2010, this was not considered to be high priority; the strategy will be updated during Recommendation 2 Utilise the skills of Internal Audit to perform an assessment on the IT function and IT entity level controls on a regular cyclical basis to gain assurance over the control environment supporting the Council's financial systems. Internal audit manager Priority 2 Date By March 2012 The IT function and IT entity level controls are included in the IT audit plan for 2011/12. Recommendation 3 Ensure that all of the remaining recommendations made by Internal Audit in relation to the iworld system are implemented. Head of Revenues & Exchequer / System Controller Priority 1 Date n/a Complete Audit Commission Interim Audit Report 8

11 Recommendation 4 Carry out an IT risk assessment for outsourced systems and ensure adequate assurance arrangements are in place to address any identified risks. Acting Head of Computer Services Priority 2 Date September 2011 Agreed. An IT risk assessment will be carried out. Recommendation 5 Ensure physical security of the data centre is maintained and consider making use of a visitor's log. Acting Head of Computer Services Priority 1 Date n/a Complete. All IT staff have been reminded that the data centre should remain locked at all times when unoccupied. The Council investigated the cost of implementing an electronic locking system that identifies and logs access using individual pin codes or similar, but has concluded that this is not worthwhile. The small size of the Council's data centre and regularity of access by only a small number of people makes a paper based visitor log of little use, while slowing down our response to issues. Recommendation 6 Ensure the inventory list of the computers in use is kept updated. The status of machines listed as "unmanaged" should be investigated. Acting Head of Computer Services Priority 1 Date September 2011 This issue was being addressed, but had not been given a high priority. The priority has now been raised to ensure the recommendation is implemented. Recommendation 7 Draw up and maintain a change control policy and keep detailed logs of all updates and changes made to the Council's systems. Acting Head of Computer Services Priority 1 Date n/a Complete. The ICT section have implemented the change control part of the ICT Helpdesk system. Audit Commission Interim Audit Report 9

12 Recommendation 8 Ensure the recommendations in Internal Audit's Payroll Report are implemented. Priority Date As set out in the internal audit report (primarily Head of Personnel & Payroll) As defined in internal audit report As agreed in internal audit report A follow up audit will be undertaken during 2011/12. Recommendations that remain outstanding past the agreed implementation dates will be reported to the Borough Management Team and the Audit Committee. Audit Commission Interim Audit Report 10

13 If you require a copy of this document in an alternative format or in a language other than English, please call: Audit Commission Design and production by the Audit Commission Publishing Team. Image copyright Audit Commission. The Statement of Responsibilities of Auditors and Audited Bodies issued by the Audit Commission explains the respective responsibilities of auditors and of the audited body. Reports prepared by appointed auditors are addressed to non-executive directors, members or officers. They are prepared for the sole use of the audited body. Auditors accept no responsibility to: any director/member or officer in their individual capacity; or any third party. Audit Commission 1st Floor Millbank Tower Millbank London SW1P 4HQ Telephone: Fax: Textphone (minicom): June 2011

Annual Audit Letter. Basildon and Thurrock University Hospitals NHS Foundation Trust Audit 2009/10 August 2010

Annual Audit Letter. Basildon and Thurrock University Hospitals NHS Foundation Trust Audit 2009/10 August 2010 Annual Audit Letter Basildon and Thurrock University Hospitals NHS Foundation Trust Audit 2009/10 August 2010 Contents Key messages 3 Financial statements and statement on internal control 5 Securing economy,

More information

Data Quality. Carlisle City Council Audit 2008-2009 January 2009

Data Quality. Carlisle City Council Audit 2008-2009 January 2009 Data Quality Carlisle City Council Audit 2008-2009 January 2009 Contents Introduction 3 Detailed findings 5 Appendix 1 Action Plan 9 Status of our reports The Statement of Responsibilities of Auditors

More information

IT Assurance - Business Continuity and Disaster Recovery

IT Assurance - Business Continuity and Disaster Recovery Audit Summary Report October 2006 PAPER D IT Assurance - Business Continuity and Disaster Recovery Audit 2006/2007 Paper D - 1 External audit is an essential element in the process of accountability for

More information

Data Quality Spot Checks. Thanet District Council Audit 2008/09 October 2009

Data Quality Spot Checks. Thanet District Council Audit 2008/09 October 2009 Data Quality Spot Checks Thanet District Council Audit 2008/09 October 2009 Contents Overview 3 Detailed findings 5 Main conclusion 7 Appendix 1 Approach 8 Appendix 2 Action Plan 9 Status of our reports

More information

Review of Data Quality. Guildford Borough Council Audit 2008/09 January 2009

Review of Data Quality. Guildford Borough Council Audit 2008/09 January 2009 Review of Data Quality Guildford Borough Council Audit 2008/09 January 2009 Contents Introduction 3 Main conclusions 4 Audit approach 6 Management arrangements 7 Analytical review 10 Data Quality spot

More information

Audit Summary Report. Date. Last saved: 10/01/2008 14:26:00. Data Quality. Manchester City Council. Audit 2007/08

Audit Summary Report. Date. Last saved: 10/01/2008 14:26:00. Data Quality. Manchester City Council. Audit 2007/08 Audit Summary Report Date Last saved: 10/01/2008 14:26:00 Data Quality Audit 2007/08 - Audit Commission descriptor to be inserted by Publishing- Document Control Author Filename Yogita Das Formal Data

More information

Service Children s Education

Service Children s Education Service Children s Education Data Handling and Security Information Security Audit Issued January 2009 2009 - An Agency of the Ministry of Defence Information Security Audit 2 Information handling and

More information

NHS Dorset Clinical Commissioning Group. Internal Audit Annual Report 2014/15. May 2015

NHS Dorset Clinical Commissioning Group. Internal Audit Annual Report 2014/15. May 2015 Internal Audit Annual Report 2014/15 May 2015 Internal Audit Annual Report INTRODUCTION This is the 2014/15 Annual Report by TIAA on the internal control environment at Dorset Clinical Commissioning Group.

More information

Against the odds Re-engaging young people in education, employment and training

Against the odds Re-engaging young people in education, employment and training Against the odds Re-engaging young people in education, employment and training Technical paper Creating a predictive model of the characteristics of young people NEET July 2010 The Audit Commission is

More information

Newcastle University Information Security Procedures Version 3

Newcastle University Information Security Procedures Version 3 Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations

More information

Report 7 Appendix 1d Final Internal Audit Report Sundry Income and Debtors (inc. Fees and Charges) Greater London Authority February 2010

Report 7 Appendix 1d Final Internal Audit Report Sundry Income and Debtors (inc. Fees and Charges) Greater London Authority February 2010 Report 7 Appendix 1d Final Internal Audit Report Sundry Income and Debtors (inc. Fees and Charges) Greater London Authority February 2010 This report has been prepared on the basis of the limitations set

More information

Data Quality Report. February 2008. Data Quality Report. Croydon London Borough Council. Audit 2007/08

Data Quality Report. February 2008. Data Quality Report. Croydon London Borough Council. Audit 2007/08 Data Quality Report February 2008 Data Quality Report Audit 2007/08 External audit is an essential element in the process of accountability for public money and makes an important contribution to the stewardship

More information

Improving data quality in the NHS Executive summary

Improving data quality in the NHS Executive summary Improving data quality in the NHS Executive summary Health 2010 The Audit Commission is an independent watchdog, driving economy, efficiency and effectiveness in local public services to deliver better

More information

Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained

Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained Performing Audit Procedures in Response to Assessed Risks 1781 AU Section 318 Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained (Supersedes SAS No. 55.)

More information

KANSAS CITY, MISSOURI RESPONSES TO THE FISCAL YEAR 2013 AUDIT MANAGEMENT LETTER

KANSAS CITY, MISSOURI RESPONSES TO THE FISCAL YEAR 2013 AUDIT MANAGEMENT LETTER KANSAS CITY, MISSOURI RESPONSES TO THE FISCAL YEAR 2013 AUDIT MANAGEMENT LETTER Material Weaknesses (0) No material weaknesses were reported for FY 2013. Significant Deficiencies (1) Grant Receivable Accounting

More information

Fundamentals Level Skills Module, Paper F8 (INT)

Fundamentals Level Skills Module, Paper F8 (INT) Answers Fundamentals Level Skills Module, Paper F8 (INT) Audit and Assurance (International) June 2014 Answers 1 (a) Trombone Co s payroll system deficiencies, controls and test of controls Deficiencies

More information

Internal Audit Monitoring Report. Audit Report status Assurance. Payroll Final Limited

Internal Audit Monitoring Report. Audit Report status Assurance. Payroll Final Limited Appendix 1 Internal Audit Monitoring Report Audit Report status Assurance Payroll Final Limited The Payroll system was reviewed to seek assurance that processes and procedures are operating effectively

More information

Dacorum Borough Council Final Internal Audit Report

Dacorum Borough Council Final Internal Audit Report Dacorum Borough Council Final Internal Audit Report ICT Change Management Distribution list: Chris Gordon Group Manager Neil Telkman - Information, Security and Standards Officer Gary Osler ICT Service

More information

Improving information to support decision making: standards for better quality data

Improving information to support decision making: standards for better quality data Public sector November 2007 Improving information to support decision making: standards for better quality data A framework to support improvement in data quality in the public sector Improving information

More information

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014 Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document

More information

Dacorum Borough Council Final Internal Audit Report. IT Business Continuity and Disaster Recovery

Dacorum Borough Council Final Internal Audit Report. IT Business Continuity and Disaster Recovery Dacorum Borough Council Final Internal Audit Report IT Business Continuity and Disaster Recovery Distribution list: Chris Gordon Group Manager Performance, Policy and Projects John Worts ICT Team Leader

More information

Internal Control Systems

Internal Control Systems D. INTERNAL CONTROL 1. Internal Control Systems 2. The Use of Internal Control Systems by Auditors 3. Transaction Cycles 4. Tests of Control 5. The Evaluation of Internal Control Component 6. Communication

More information

REVIEW OF THE FIREWALL ARRANGEMENTS

REVIEW OF THE FIREWALL ARRANGEMENTS WEST DORSET DISTRICT COUNCIL REVIEW OF THE FIREWALL ARRANGEMENTS Report issued: December 2007 The matters raised in this report are only those, which came to the attention of the auditor during the course

More information

BARRAMUNDI L IMITED RISK MANAGEMENT POLICY

BARRAMUNDI L IMITED RISK MANAGEMENT POLICY BARRAMUNDI L IMITED RISK MANAGEMENT POLICY Last updated: 25 August 2014 THE OBJECTIVES OF RISK MANAGEMENT Risk management is the systematic process of managing an organisation's risk exposures to achieve

More information

Aberdeen City Council IT Security (Network and perimeter)

Aberdeen City Council IT Security (Network and perimeter) Aberdeen City Council IT Security (Network and perimeter) Internal Audit Report 2014/2015 for Aberdeen City Council August 2014 Internal Audit KPIs Target Dates Actual Dates Red/Amber/Green Commentary

More information

FMCF certification checklist 2014-15 (incorporating the detailed procedures) 2014-15 certification period. Updated May 2015

FMCF certification checklist 2014-15 (incorporating the detailed procedures) 2014-15 certification period. Updated May 2015 FMCF certification checklist 2014-15 (incorporating the detailed procedures) 2014-15 certification period Updated May 2015 The Secretary Department of Treasury and Finance 1 Treasury Place Melbourne Victoria

More information

Annual Report of Internal Audit 2012/13

Annual Report of Internal Audit 2012/13 Open Decision Item 4 Audit & Governance Committee 19 th June 2013 Annual Report of Internal Audit 2012/13 SYNOPSIS To report on Internal Audit s opinion of the overall adequacy and effectiveness of the

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Review of Capital Expenditure. Sedgefield Borough Council Audit 2007/08 September 2008

Review of Capital Expenditure. Sedgefield Borough Council Audit 2007/08 September 2008 Review of Capital Expenditure Sedgefield Borough Council Audit 2007/08 September 2008 Contents Summary report 3 Appendix 1 Action plan 10 Status of our reports The Statement of Responsibilities of Auditors

More information

Performance Detailed Report. May 2008. Review of Performance Management. Norwich City Council. Audit 2007/08

Performance Detailed Report. May 2008. Review of Performance Management. Norwich City Council. Audit 2007/08 Performance Detailed Report May 2008 Review of Performance Management Audit 2007/08 External audit is an essential element in the process of accountability for public money and makes an important contribution

More information

KPMG LLP Suite 12000 1801 K Street, NW Washington, DC 20006 Independent Auditors Report on Internal Control Over Financial Reporting and on Compliance and Other Matters Based on an Audit of Financial Statements

More information

Audit Quality Thematic Review

Audit Quality Thematic Review Thematic Review Professional discipline Financial Reporting Council December 2014 Audit Quality Thematic Review The audit of loan loss provisions and related IT controls in banks and building societies

More information

Statement of responsibilities of auditors and audited small bodies

Statement of responsibilities of auditors and audited small bodies Statement of responsibilities of auditors and audited small bodies The Audit Commission is a public corporation set up in 1983 to protect the public purse. The Commission appoints auditors to councils,

More information

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation ICT SECURITY POLICY Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation Responsibility Assistant Principal, Learner Services Jannette

More information

Practice Note. 23Revised. October 2009 AUDITING COMPLEX FINANCIAL INSTRUMENTS INTERIM GUIDANCE

Practice Note. 23Revised. October 2009 AUDITING COMPLEX FINANCIAL INSTRUMENTS INTERIM GUIDANCE October 2009 Practice Note 23Revised AUDITING COMPLEX FINANCIAL INSTRUMENTS INTERIM GUIDANCE The Auditing Practices Board (APB), which is part of the Financial Reporting Council (FRC), prepares for use

More information

Network Security Policy

Network Security Policy IGMT/15/036 Network Security Policy Date Approved: 24/02/15 Approved by: HSB Date of review: 20/02/16 Policy Ref: TSM.POL-07-12-0100 Issue: 2 Division/Department: Nottinghamshire Health Informatics Service

More information

CONTROL AND COMPLIANCE AUDITS

CONTROL AND COMPLIANCE AUDITS V I C T O R I A Auditor-General of Victoria CONTROL AND COMPLIANCE AUDITS Payroll management and Administration of the goods and services tax March 2003 Ordered to be printed by Authority. Government Printer

More information

Mike Casey Director of IT

Mike Casey Director of IT Network Security Developed in response to: Contributes to HCC Core Standard number: Type: Policy Register No: 09037 Status: Public IG Toolkit, Best Practice C7c Consulted With Post/Committee/Group Date

More information

Audit Summary Report. March 2007. Data Quality. Croydon London Borough Council

Audit Summary Report. March 2007. Data Quality. Croydon London Borough Council Audit Summary Report March 2007 Data Quality Audit 2006/2007 External audit is an essential element in the process of accountability for public money and makes an important contribution to the stewardship

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy

More information

Appendix 1C. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA PAYROLL CONTROL FRAMEWORK

Appendix 1C. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA PAYROLL CONTROL FRAMEWORK Appendix 1C DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA PAYROLL CONTROL FRAMEWORK DISTRIBUTION LIST Audit Team Prakash Gohil, Audit Manager Karen Walker, Risk and Assurance

More information

The Audit Findings for London Borough of Richmond upon Thames

The Audit Findings for London Borough of Richmond upon Thames The Audit Findings for London Borough of Richmond upon Thames. Year ended 31 March 2013 September 2013 Page 13 Paul Grady Director T 020 7728 2681 E paul.d.grady@uk.gt.com Sarah Ironmonger Manager T 07880

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information

INTERNAL AUDIT SERVICES Glenorchy City Council Internal audit report of Derwent Entertainment Centre financial business and operating systems

INTERNAL AUDIT SERVICES Glenorchy City Council Internal audit report of Derwent Entertainment Centre financial business and operating systems INTERNAL AUDIT SERVICES Internal audit report of Derwent Entertainment Centre financial business and operating systems ADVISORY Contents Executive summary...2 Internal audit findings...4 Summary of other

More information

FINAL. Internal Audit Report. Data Centre Operations and Security

FINAL. Internal Audit Report. Data Centre Operations and Security FINAL Internal Audit Report Data Centre Operations and Security Document Details: Reference: Report nos from monitoring spreadsheet/2013.14 Senior Manager, Internal Audit & Assurance: ext. 6567 Engagement

More information

TRANSPORT FOR LONDON AUDIT COMMITTEE

TRANSPORT FOR LONDON AUDIT COMMITTEE AGENDA ITEM 6 TRANSPORT FOR LONDON AUDIT COMMITTEE SUBJECT: DATA QUALITY REVIEW 2007/08 DATE: 25 NOVEMBER 2008 1 PURPOSE AND DECISION REQUIRED 1.1 As part of its assessments of TfL, the Audit Commission

More information

Informing the audit risk assessment Enquiries to those charged with governance Calderdale Council. Year ended 31 March 2013

Informing the audit risk assessment Enquiries to those charged with governance Calderdale Council. Year ended 31 March 2013 Informing the audit risk assessment Enquiries to those charged with governance Calderdale Council This version of the report is a draft. Its contents and subject matter remain under review and its contents

More information

Performance Detailed Report. Date. Last saved: 12/10/2007 13:18:00. Property asset management. Bristol City Council. Audit 2006/07

Performance Detailed Report. Date. Last saved: 12/10/2007 13:18:00. Property asset management. Bristol City Council. Audit 2006/07 Performance Detailed Report Date Last saved: 12/10/2007 13:18:00 Property asset management Audit 2006/07 - Audit Commission descriptor to be inserted by Publishing- Document Control Author Filename Bob

More information

The Annual Audit Letter for West Mercia Police and Crime Commissioner and Chief Constable

The Annual Audit Letter for West Mercia Police and Crime Commissioner and Chief Constable The Annual Audit Letter for West Mercia Police and Crime Commissioner and Chief Constable Year ended 31 March 2015 October 2015 John Gregory Director and Engagement Lead T +44 (0)121 232 5333 E john.gregory@uk.gt.com

More information

HSCIC Audit of Data Sharing Activities:

HSCIC Audit of Data Sharing Activities: Directorate / Programme Data Dissemination Services Project Data Sharing Audits Status Approved Director Terry Hill Version 1.0 Owner Rob Shaw Version issue date 26/10/2015 HSCIC Audit of Data Sharing

More information

Special Considerations Audits of Group Financial Statements (Including the Work of Component Auditors)

Special Considerations Audits of Group Financial Statements (Including the Work of Component Auditors) HKSA 600 Issued September 2009; revised July 2010, May 2013, June 2014*, February 2015 Effective for audits of financial statements for periods beginning on or after 15 December 2009 Hong Kong Standard

More information

Grasmere Primary School Asset Management Policy

Grasmere Primary School Asset Management Policy Grasmere Primary School Asset Management Policy 1. INTRODUCTION: 1.1.1 The Governing Body of Grasmere Primary School is responsible for the proper management and security of the school premises and the

More information

Practice Note. 25(Revised) February 2011 ATTENDANCE AT STOCKTAKING

Practice Note. 25(Revised) February 2011 ATTENDANCE AT STOCKTAKING February 2011 Practice Note 25(Revised) ATTENDANCE AT STOCKTAKING The Auditing Practices Board (APB), which is part of the Financial Reporting Council (FRC), prepares for use within the United Kingdom

More information

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified Author(s) Responsible Committee / Officers Issue Date Review Date Intended Audience Impact Assessed CCG Committee

More information

ULH-IM&T-ISP06. Information Governance Board

ULH-IM&T-ISP06. Information Governance Board Network Security Policy Policy number: Version: 2.0 New or Replacement: Approved by: ULH-IM&T-ISP06 Replacement Date approved: 30 th April 2007 Name of author: Name of Executive Sponsor: Name of responsible

More information

At its meeting in March 2012, the Committee approved the Internal Audit Plan for 2012-13.

At its meeting in March 2012, the Committee approved the Internal Audit Plan for 2012-13. Audit Committee 28 Internal audit report ICT Security Executive summary and recommendations Introduction Mazars has undertaken a review of ICT Security controls, in accordance with the internal audit plan

More information

Substantive Tests of Transactions and Balances

Substantive Tests of Transactions and Balances 10 CHAPTER Substantive Tests of Transactions and Balances LEARNING OBJECTIVES After studying this chapter you should be able to: 1 2 identify and distinguish between tests of controls and substantive tests

More information

Business Internet Banking security user guide

Business Internet Banking security user guide Business Internet Banking security user guide You must read this user guide before using Business Internet Banking. It is a very important document as it sets out security obligations you must comply with.

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Communicating Internal Control Related Matters Identified in an Audit

Communicating Internal Control Related Matters Identified in an Audit Communicating Internal Control 1843 AU Section 325 Communicating Internal Control Related Matters Identified in an Audit (Supersedes SAS No. 112.) Source: SAS No. 115. Effective for audits of financial

More information

Internal Control Guide & Resources

Internal Control Guide & Resources Internal Control Guide & Resources Section 5- Internal Control Activities & Best Practices Managers must establish internal control activities that support the five internal control components discussed

More information

Appendix 1c. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF INTERNET- BASED NETWORK SECURITY

Appendix 1c. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF INTERNET- BASED NETWORK SECURITY Appendix 1c DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF INTERNET- BASED NETWORK SECURITY DISTRIBUTION LIST Audit Team David Esling, Head of Audit Assurance, Risk

More information

Information Security

Information Security Information Security A staff guide to the University's Information Systems Security Policy Issued by the IT Security Group on behalf of the University. Information Systems Security Guidelines for Staff

More information

An Approach to Records Management Audit

An Approach to Records Management Audit An Approach to Records Management Audit DOCUMENT CONTROL Reference Number Version 1.0 Amendments Document objectives: Guidance to help establish Records Management audits Date of Issue 7 May 2007 INTRODUCTION

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 3.0 Ratified By Date Ratified April 2013 Author(s) Responsible Committee / Officers Issue Date January 2014 Review Date Intended Audience Impact

More information

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs) Version 3.2 Ratified By Date Ratified November 2014 Author(s) Responsible Committee / Officers Issue Date November 2014 Review Date

More information

SOUTH NORTHAMPTONSHIRE COUNCIL 10/11 REMOTE WORKING FINAL REPORT MARCH 2011

SOUTH NORTHAMPTONSHIRE COUNCIL 10/11 REMOTE WORKING FINAL REPORT MARCH 2011 SOUTH NORTHAMPTONSHIRE COUNCIL 10/11 REMOTE WORKING FINAL REPORT MARCH 2011 This report and the work connected therewith are subject to the Terms and Conditions of the contract dated 18/06/07 between South

More information

Version 1.0. Ratified By

Version 1.0. Ratified By ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY Version 1.0 Ratified By Date Ratified 5 th March 2013 Author(s) Responsible Committee / Officers Issue Date 5 th March 2013 Review Date Intended Audience

More information

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS 11-1 CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS INTRODUCTION The State Board of Accounts, in accordance with State statutes and the Statements on Auditing Standards Numbers 78

More information

The Council for Medical Schemes Accreditation Standards for Third Party Administrators of Medical Schemes

The Council for Medical Schemes Accreditation Standards for Third Party Administrators of Medical Schemes The Council for Medical Schemes Accreditation Standards for Third Party Administrators of Medical Schemes Standards and Measurement Criteria Version 4 Contents SECTION 1: INTRODUCTION... 1 1. Executive

More information

TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE

TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE GENERAL STATEMENT TONBRIDGE & MALLING BOROUGH COUNCIL INTERNET & EMAIL POLICY AND CODE 1.1 The Council recognises the increasing importance of the Internet and email, offering opportunities for improving

More information

Policy Document. Communications and Operation Management Policy

Policy Document. Communications and Operation Management Policy Policy Document Communications and Operation Management Policy [23/08/2011] Page 1 of 11 Document Control Organisation Redditch Borough Council Title Communications and Operation Management Policy Author

More information

Rotherham CCG Network Security Policy V2.0

Rotherham CCG Network Security Policy V2.0 Title: Rotherham CCG Network Security Policy V2.0 Reference No: Owner: Author: Andrew Clayton - Head of IT Robin Carlisle Deputy - Chief Officer D Stowe ICT Security Manager First Issued On: 17 th October

More information

IT OUTSOURCING SECURITY

IT OUTSOURCING SECURITY IT OUTSOURCING SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Performance, Risk and Business Continuity Management Policy

DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Performance, Risk and Business Continuity Management Policy Not Protectively Marked Item 6 Appendix B DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Management Policy The Dorset & Wiltshire Fire and Rescue Authority () is the combined fire and rescue authority for

More information

Kenmore State High School Student Laptop Charter

Kenmore State High School Student Laptop Charter Kenmore State High School Student Laptop Charter 2 Contents Student Laptop Charter... 4 Loan equipment... 4 Equipment ownership... 5 Fee for provision of laptop... 5 Laptop care... 6 Data security... 6

More information

2007-08 Data Quality Review

2007-08 Data Quality Review INFRASTRUCTURE, GOVERNMENT AND HEALTHCARE 007-08 Data Quality Review London Borough of Hounslow 11 January 008 AUDIT Content The contacts at KPMG in connection with this report are: Neil Thomas Engagement

More information

PART 10 COMPUTER SYSTEMS

PART 10 COMPUTER SYSTEMS PART 10 COMPUTER SYSTEMS 10-1 PART 10 COMPUTER SYSTEMS The following is a general outline of steps to follow when contemplating the purchase of data processing hardware and/or software. The State Board

More information

auditing in a computer-based

auditing in a computer-based auditing in a computer-based RELEVANT TO cat paper 8 and ACCA QUALIFICATION PAPERs f8 The accounting systems of many companies, large and small, are computer-based; questions in all ACCA audit papers reflect

More information

INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 520 ANALYTICAL PROCEDURES CONTENTS

INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 520 ANALYTICAL PROCEDURES CONTENTS INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 520 ANALYTICAL PROCEDURES CONTENTS Paragraph Introduction... 1-3-4 Nature and Purpose of Analytical Procedures... 4-7 Analytical Procedures as Risk Assessment

More information

Fundamentals Level Skills Module, Paper F8. Section A

Fundamentals Level Skills Module, Paper F8. Section A Answers Fundamentals Level Skills Module, Paper F8 Audit and Assurance June 2015 Answers Section A Question Answer See Note 1 D 1 2 C 2 3 A 3 4 D 4 5 C 5 6 B 6 7 C 7 8 B 8 9 A 9 10 A 10 11 B 11 12 D 12

More information

Aberdeen City Council IT Asset Management

Aberdeen City Council IT Asset Management Aberdeen City Council IT Asset Management Internal Audit Report 2014/2015 for Aberdeen City Council January 2015 Terms or reference agreed 4 weeks prior to fieldwork Target Dates per agreed Actual Dates

More information

Small businesses: What you need to know about cyber security

Small businesses: What you need to know about cyber security Small businesses: What you need to know about cyber security March 2015 Contents page What you need to know about cyber security... 3 Why you need to know about cyber security... 4 Getting the basics right...

More information

Internal Audit Annual Report 2011/12

Internal Audit Annual Report 2011/12 1 Introduction 1.1 In accordance with the Code of Practice for Internal Audit in Local Government in the United Kingdom, the Internal Audit Annual Report 2011/12 for Cheshire East contains the following:

More information

INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES

INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES SD 0880/10 INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES Laid before Tynwald 16 November 2010 Coming into operation 1 October 2010 The Supervisor, after consulting

More information

Fundamentals Level Skills Module, F8 (IRL)

Fundamentals Level Skills Module, F8 (IRL) Answers Fundamentals Level Skills Module, F8 (IRL) Audit and Assurance (Irish) June 2008 Answers 1 (a) Prior year internal control questionnaires Obtain the audit file from last year s audit. Ensure that

More information

Scottish Sports Council Group and Lottery Fund

Scottish Sports Council Group and Lottery Fund Scottish Sports Council Group and Lottery Fund Annual Audit Report 2012-13 September 2013 2 2013 Grant Thornton UK LLP. All rights reserved Scottish Sports Council Group and Lottery Fund 2012-13 Annual

More information

Modifications to the Opinion in the Independent Auditor s Report

Modifications to the Opinion in the Independent Auditor s Report HKSA 705 Issued September 2009, revised July 2010, June 2014* Effective for audits of financial statements for periods beginning on or after 15 December 2009 Hong Kong Standard on Auditing 705 Modifications

More information

The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act*

The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act* The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act* July 2004 *connectedthinking The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act Introduction

More information

Audit of IT Asset Management Report

Audit of IT Asset Management Report Audit of IT Asset Management Report Recommended by the Departmental Audit Committee for approval by the President on Approved by the President on September 4, 2012 e-doc : 3854899 1 Table of Contents EXECUTIVE

More information

Policy Document. IT Infrastructure Security Policy

Policy Document. IT Infrastructure Security Policy Policy Document IT Infrastructure Security Policy [23/08/2011] Page 1 of 10 Document Control Organisation Redditch Borough Council Title IT Infrastructure Security Policy Author Mark Hanwell Filename IT

More information

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One Information Security and Challenges

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One Information Security and Challenges Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One Information Security and Challenges Agenda Overview of Information Security Management Information

More information

Auditing Standard ASA 600 Special Considerations Audits of a Group Financial Report (Including the Work of Component Auditors)

Auditing Standard ASA 600 Special Considerations Audits of a Group Financial Report (Including the Work of Component Auditors) ASA 600 (October 2009) Auditing Standard ASA 600 Special Considerations Audits of a Group Financial Report (Including the Work of Component Auditors) Issued by the Auditing and Assurance Standards Board

More information

Aberdeen City Council

Aberdeen City Council Aberdeen City Council Internal Audit Report Final Contract management arrangements within Social Care & Wellbeing 2013/2014 for Aberdeen City Council January 2014 Internal Audit KPI Targets Target Dates

More information

IT REVIEW OF THE DISASTER RECOVERY ARRANGEMENTS

IT REVIEW OF THE DISASTER RECOVERY ARRANGEMENTS NOTTINGHAM CITY HOMES IT REVIEW OF THE DISASTER RECOVERY ARRANGEMENTS Report issued: February 2011 Audit Plan: The matters raised in this report are only those that came to the attention of the auditor

More information

3.6 - REPORT BY THE CHAIRMAN OF THE BOARD OF DIRECTORS ON CORPORATE GOVERNANCE, RISK MANAGEMENT AND INTERNAL CONTROLS

3.6 - REPORT BY THE CHAIRMAN OF THE BOARD OF DIRECTORS ON CORPORATE GOVERNANCE, RISK MANAGEMENT AND INTERNAL CONTROLS RISK FACTORS Report by the Chairman of the Board of Directors on corporate governance, risk management and internal controls Property damage and operating loss insurance Property damage/operating loss

More information

RISK MANAGEMENT MATRIX FOR ACADEMIES. Contents. Introduction. Mission/objectives. Law and regulation. Governance and management.

RISK MANAGEMENT MATRIX FOR ACADEMIES. Contents. Introduction. Mission/objectives. Law and regulation. Governance and management. RISK MANAGEMENT MATRIX FOR ACADEMIES Contents A B C D E F G H K J Introduction Mission/objectives Law and regulation Governance and management External factors Operational factors Human resources Environmental

More information

Appendix 1e DIRECTORATE OF AUDIT, RISK AND ASSURANCE INTERNAL AUDIT SERVICE TO THE GLA

Appendix 1e DIRECTORATE OF AUDIT, RISK AND ASSURANCE INTERNAL AUDIT SERVICE TO THE GLA Appendix 1e DIRECTORATE OF AUDIT, RISK AND ASSURANCE INTERNAL AUDIT SERVICE TO THE GLA REVIEW OF PAYROLL February 2012 DISTRIBUTION LIST Audit Team Karen Welsh, Auditor Prakash Gohil, Audit Manager Distribution

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information