Coleg Gwent Internal Audit Report 2012/13 Payroll and HR. Assurance Rating: Payroll

Transcription

1 Coleg Gwent Internal Audit Report 2012/13 Payroll and HR Assurance Rating: Payroll HR

2 Distribution List: Final Report Audit Committee Principal Vice Principal, (Finance, Estates and Information Services) Clerk to the Corporation Responsible Officer(s) Date of fieldwork: May and June 2013 Date of draft report: June 2013 Date of final report: June 2013 This report and the work connected therewith are subject to the Terms and Conditions of the contract dated 1 October 2012 between Coleg Gwent and Deloitte LLP. This document is confidential and prepared solely for your information. Therefore you should not, without our prior written consent, refer to or use our name or this document for any other purpose, disclose them or refer to them in any prospectus or other document, or make them available or communicate them to any other party. No other party is entitled to rely on our document for any purpose whatsoever and thus we accept no liability to any other party who is shown or gains access to this document. This report has been prepared on the basis of the limitations set out at Appendix D Deloitte LLP

3 Contents Page 1. EXECUTIVE SUMMARY Background Audit Objectives and Scope Key Findings Conclusion Restriction of Use Acknowledgement OBSERVATIONS AND RECOMMENDATIONS HR: Online Barred List Checks High Priority Payroll: Authorisation of Overtime/Additional Hours Medium Priority Payroll: Audit of Timesheets Medium Priority Payroll: Leavers Information Processing Date Low Priority Payroll: Review of Payroll Reports Low Priority HR: Update of Policy Documents Low Priority HR: Segregation of Duties Low Priority HR: Maintenance of Personnel Files Low Priority APPENDIX A REPORTING DEFINITIONS APPENDIX B STAFF INTERVIEWED APPENDIX C TERMS OF REFERENCE APPENDIX D STATEMENT OF RESPONSIBILITY Deloitte LLP

4 1. Executive Summary 1.1 Background Internal audit assessed the adequacy and effectiveness of Coleg Gwent s (the College s) internal controls in operation regarding Payroll and HR. The internal audit work was carried out by discussion with appropriate staff, reading of documents and testing, as necessary, to confirm the effectiveness of the controls in place. 1.2 Audit Objectives and Scope Internal audit assessed the adequacy and effectiveness of internal controls in operation. Weaknesses were brought to the attention of management and advice issued on how particular problems may be resolved and control improved to minimise future occurrence. This review sought to provide reasonable assurance over the following areas: Payroll and HR policies and procedures are in place, are up to date and have been communicated to all relevant members of staff; Roles and responsibilities for payroll and HR have been clearly defined; Segregation of duties are in place in relation to Payroll and HR; HR records and the payroll system are updated promptly for starters and leavers; Procedures are in place to ensure that the correct processes are followed for all starters and leavers (e.g. starters are only taken on following approval of a vacancy and appropriate pre-employment checks); Changes to payroll data (e.g. employee bank account details, addresses etc.) are submitted to payroll staff on a timely basis, processed accurately and are adequately controlled; Timesheets requiring authorisation (e.g. hourly paid teaching staff and some business support staff) are approved by an authorised member of staff on a timely basis and are processed accurately; Deductions and temporary changes (e.g. overtime payments) are approved by an authorised member of staff on a timely basis, and are processed accurately; Exception reports are prepared on a regular basis, there is evidence of their review and unusual variances are investigated; and Controls exist to ensure that the BACS payment run is an accurate reflection of data from the Payroll and HR systems. As part of our internal audit we will document the processes undertaken by the HR and payroll teams and seek to identify any areas of duplication of effort. 1.3 Key Findings Payroll The Payroll Department holds up to date policy documents which outline current payroll practices and procedures in place at the College. These include in-depth descriptions of the roles and responsibilities for each staff member associated with the process. Information relating to starters and leavers and amendments to current employee data is sent to the Payroll Department from the HR Department. Payroll payments are made via BACS transfer which is authorised by the Payroll Manager and the Finance Manager prior to processing. Following the BACS payment, the Director of Finance and/or the Vice Principal (Finance, Estates & Information Services) will review the payment and analyse an exception report which shows all employees with net pay exceeding 2,000 for the month Deloitte LLP 1

5 Per discussion with the Director of Finance, the Finance Manager and the Payroll Manager, we identified that there is concern that timesheets completed and authorised at campus, especially the Newport and Ebbw Vale campuses, are not being completed accurately and are sometimes duplicated. In addition, there is concern that errors are not being identified by the authorisers (Heads of Schools and Campus Resource Managers). Whilst our sample testing did not identify any duplication, we have raised a recommendation to improve the controls in place. HR The HR Department has numerous policies in place which are all available on the College s intranet. Procedural documents for HR staff members also exist to give further guidance on more practical processes and systems within the HR Department. The HR Department is the first point of contact for starters and leavers. Information is subsequently sent to the Payroll Department for review. Personnel files are held with the HR Department at the Usk campus. Duplication of Effort Throughout the internal audit review, we have assessed whether any duplication of effort exists between the HR department and the Payroll department and therefore whether opportunities for improved efficiency and value for money exist. We found that the two departments perform distinct roles and did not identify any instances of duplication of effort. Processes for starters and leavers are divided between the two departments: the HR department inputs the information onto the system and the Payroll department subsequently reviews this information. Personnel files are held only in the HR department and as such, the only duplication of documents is starter/leaver forms which are initially completed by the HR department then a copy will get sent to the Payroll department to complete. Copies are considered necessary since the two departments are located at different campuses, however the College may wish to consider an electronic document workflow solution. Amendments to payroll data are either completed by the employee themselves on the HR portal or amended by the HR department. Depending on the amendment it is either checked by a member of the HR department or if it involves the employee s pay (such as changes to bank details), it will be sent to the Payroll department for processing and checking. Timesheets and BACS payment processes do not concern the HR department and as such we have identified no duplication of effort in these areas. We identified one high priority issue which should be brought to the attention of management and the Audit Committee: HR: Online Barred List Checks - We identified that it is the College s policy to perform a Barred List check on all new starters before they commence their role at the College. This is done online and is a preliminary safeguard before an enhanced DBS check is performed (formerly known as the CRB check). It informs the College of whether an individual has been barred from working with Children and Vulnerable Adults. From our sample of 21 new starters tested, a Barred List check was required to be performed for 19 individuals. This was carried out in all cases. However, in eight cases, the check had not been carried out until after the employee had assumed their new positions. It is recommended that new starters may not commence their job at the College until a Barred List check has been performed by the HR department to ensure no criminal records are held against the individual. HR staff members should be reminded that a Barred List check must be carried out against all new starters before they commence their job, not afterwards. We have identified two medium priority issues which we consider require management s attention and provide scope for improvements to be made. These concerned: Payroll: 2013 Deloitte LLP 2

6 Payroll: Authorisation of Overtime/Additional Hours - We identified that temporary changes to staff hours such as overtime, additional post hours and business support hours are to be authorised by the relevant line manager and subsequently reviewed and sent to the Payroll department by the Campus Resource Manager (CRM), Deputy Director or Director. We selected a sample of 20 temporary changes to ensure that they had been authorised appropriately and found that in all cases, forms had been reviewed by the CRM, Deputy Director or Director before being sent to the Payroll department. However, we identified one instance from our sample where the overtime had not been authorised by the line manager. During our time on site, two further cases of unsatisfactory authorisation were brought to our attention by management; one instance where the temporary change had not been authorised by the line manager and a further instance where the change had been authorised, but not by an appropriate member of staff. We consider it good practice that the CRM, Deputy Director or Director review the temporary changes, however, a line manager will have greater knowledge of the employee s day to day working programme and thus should authorise the claim. It is recommended that Campus Resource Managers (CRMs), Deputy Directors and Directors who review temporary changes to staff hours such as overtime, additional post hours and business support hours are reminded to ensure that all claims have been authorised by the relevant line manager before they authorise it and the information is sent to the Payroll department. Payroll: Audit of Timesheets - We identified that management are concerned that timesheets completed and authorised at campus, especially the Newport and Ebbw Vale campuses, are not being completed accurately and are sometimes duplicated. In addition, there is concern that errors are not being identified by the authorisers (Heads of Schools and Campus Resource Managers). An audit performed by RSM Tenon in the previous academic year picked up numerous timesheet errors, such as employees charging for time on bank holidays and duplications of hours. A regular audit would not only help to identify more of these inaccuracies but also encourage staff to take more care when completing timesheets and make authorisers more aware of potential errors that they should look out for. We have performed sample testing on timesheets that are authorised at campus level. No issues were identified, however duplication of timesheets would not be identified without review of all timesheets. Our testing did highlight, however, that due to system limitations, no record is kept of who authorised timesheets. It is important to be able to trace the authoriser for accountability in the case that inaccurate or fraudulent timesheets are approved and paid. We also identified that in one case out of 20 timesheets tested, the employee had not signed or dated their timesheet. Timesheets should be signed in order to confirm the employee s agreement that the timesheet is an accurate reflection of the hours worked. It is recommended that a regular audit of timesheets is carried out by the Payroll/Finance department. This could be performed each term or on a quarterly basis and would involve reviewing timesheets held at each campus to confirm their accuracy. Management may wish to consider using a data analytics tool to carry this out efficiently, for example a spreadsheet tool that sorts claims by employee/date/value to identify potential duplicate claims. We also recommend that management investigates whether it is possible to update the Payroll software so that it displays who authorised the timesheets. In addition, authorising staff should be reminded only to authorise timesheets that have been signed and dated by the employee. In addition we have raised five low priority recommendations concerning minor issues which nevertheless need to be addressed. Detailed findings are set out in the Observations and Recommendations section Deloitte LLP 3

7 1.4 Conclusion Based on the work undertaken as detailed in the Audit Objective and Scope section, our overall assessment is that the classification of assurance that can be taken in respect of each area is: Payroll HR Management should be aware that our internal audit work was performed according to UK Government Internal Audit Standards (GIAS) which are different from audits performed in accordance with International Standards on Auditing (UK and Ireland) issued by the Auditing Practices Board. Similarly, the assurance classifications provided in our internal audit report are not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board. Our internal audit testing was performed on a judgemental sample basis and focussed on the key controls mitigating risks. Internal audit testing is designed to assess the adequacy and effectiveness of key controls in operation at the time of an audit. Definitions of the assurance classifications and recommendation classifications used in this internal audit report are provided in Appendix A. 1.5 Restriction of Use We wish to draw to your attention that this report may only be used in accordance with our contract and may not be made available to third parties, except as may be required by law. 1.6 Acknowledgement We would like to thank the staff who participated in this internal audit for their assistance and co-operation Deloitte LLP 4

8 2. Observations and Recommendations 2.1 HR: Online Barred List Checks High Priority Recommendation Rationale Priority It is recommended that new starters may not commence their job at the College until a Barred List check has been performed by the HR department to ensure no criminal records are held against the individual. HR staff members should be reminded that a Barred List check must be carried out against all new starters before they commence their job, not afterwards. We identified that it is the College s policy to perform a Barred List check on all new starters before they commence their role at the College. This is done online and is a preliminary safeguard before an enhanced DBS check is performed (formerly known as a CRB check). It informs the College of whether an individual has been barred from working with children or vulnerable adults. From our sample of 21 new starters tested, a Barred List check was required to be performed for 19 individuals. This was carried out in all cases. However, in eight cases, the check had not been carried out until after the employee had assumed their new positions although it may be that for lecturing staff they had not yet delivered any lectures. There is a risk that the College may employ new starters who commence their role involving caring for, supervising or being in sole charge of children or adults without prior clearance from the Disclosure and Barring Service that no criminal records are held against them. Management Response All salaried employees have a check against the On-line Barred list prior to commencement. Hourly paid staff are recruited directly by line managers who should comply with the Recruitment Staff Checklist issued by Human Resources. This states clearly that prior to an individual commencing employment that an on-line check must be carried out. The discrepancy in timing within the hourly paid staff group is a result of the nature of the recruitment, the process to manage the recruitment paperwork and the often urgent requirement to appoint. The check is carried out when recruitment paperwork is received in HR and any concern would be acted upon immediately. Managers and HR do work together when there is an immediate need by requesting an on-line check by telephone. The Barred list has only those who are prevented from working with Children and Vulnerable Adults as a result of a prosecution or event which has been deemed to make the person unsuitable for employment working with these groups. Any individual, who would be aware they are on the Barred List, would also know it is a criminal offence for them to apply or take up employment in Education. This is an additional check in recruitment. There are appointments where the start date for individual employment in this group of staff is earlier than their actual first working day with the College and the on-line check is done before they commence and in good time. The DBS is introducing an up-date service for employers and employees from this month, which will over time, remove the need to use the Barred List check altogether. We will remind line managers of this requirement through re-issuing of the Recruitment Check-list and instructions on risk assessment related to the new DBS arrangements. Responsibility/ Deadline VP(HR&OD) July Deloitte LLP 5

9 2.2 Payroll: Authorisation of Overtime/Additional Hours Medium Priority Recommendation Rationale Priority It is recommended that Campus Resource Managers (CRMs), Deputy Directors and Directors who review temporary changes to staff hours such as overtime, additional post hours and business support hours are reminded to ensure that all claims have been authorised by the relevant line manager before they authorise it and the information is sent to the Payroll department. We identified that temporary changes to staff hours such as overtime, additional post hours and business support hours are to be authorised by the relevant line manager and subsequently reviewed and sent to the Payroll department by the Campus Resource Manager (CRM), Deputy Director or Director. We selected a sample of 20 temporary changes to ensure that they had been authorised appropriately and found that in all cases, forms had been reviewed by the CRM, Deputy Director or Director before being sent to the Payroll department. However, we identified one instance from our sample where the overtime had not been authorised by the line manager. During our time on site, two further cases of unsatisfactory authorisation were brought to our attention by management; one instance where the temporary change had not been authorised by the line manager and a further instance where the change had been authorised, but not by an appropriate member of staff. We consider it good practice that the CRM, Deputy Director or Director review the temporary changes, however, a line manager will have greater knowledge of the employee s day to day working programme and thus should authorise the claim. There is a risk that the College may pay employees for temporary changes to their hours such as overtime, additional post hours and business support hours which have not been authorised and as a result, may be inaccurate or fraudulent. Management Response Campus Management will be reminded to ensure that all claims are correctly authorised and sent to the Payroll department Responsibility/ Deadline Finance Manager July Deloitte LLP 6

10 2.3 Payroll: Audit of Timesheets Medium Priority Recommendation Rationale Priority It is recommended that a regular audit of timesheets is carried out by the Payroll/Finance department. This could be performed each term or on a quarterly basis and would involve reviewing timesheets held at each campus to confirm their accuracy. Management may wish to consider using a data analytical tool to carry this out efficiently, for example a spreadsheet tool that sorts claims by employee/date/value to identify potential duplicate claims. We also recommend that management investigates whether it is possible to update the Payroll software so that it displays who authorised the timesheets. In addition, authorising staff should be reminded only to authorise timesheets that have been signed and dated by the employee. We identified that management are concerned that timesheets completed and authorised at campus, especially the Newport and Ebbw Vale campuses, are not being completed accurately and are sometimes duplicated. In addition, there is concern that errors are not being identified by the authorisers (Heads of Schools and Campus Resource Managers). An audit performed by RSM Tenon in the previous academic year picked up numerous timesheet errors, such as employees charging for time on bank holidays and duplications of hours. A regular audit would not only help to identify more of these inaccuracies but also encourage staff to take more care when completing timesheets and make authorisers more aware of potential errors that they should look out for. We have performed sample testing on timesheets that are authorised at campus. No issues were identified however duplication of timesheets would not be identified without review of all timesheets. Our testing did highlight, however, that due to system limitations, no record is kept of who authorised timesheets. It is important to be able to trace the authoriser for accountability in the case that inaccurate or fraudulent timesheets are approved and paid. We also identified that in one case out of 20 timesheets tested, the employee had not signed or dated their timesheet. Timesheets should be signed in order to confirm the employee s agreement that the timesheet is an accurate reflection of the hours worked. There is a risk that the College are paying employees for incorrect hours worked. In addition, there is a risk that if inaccuracies occur, the College may not be able to hold staff accountable, since the system does not record who authorises timesheets. Management Response Timesheet audits will be carried out termly with effect from the start of the 2013/14 academic year The Payroll software will be reviewed to determine whether it can display who authorises timesheets Authorising staff will be reminded to only authorise timesheets that have been signed and dated by the employee Responsibility/ Deadline Payroll Manager - December 2013 Payroll Manager - September 2013 Finance Manager - July Deloitte LLP 7

11 2.4 Payroll: Leavers Information Processing Date Low Priority Recommendation Rationale Priority It is recommended that Payroll staff members are reminded to record the date that leavers information is processed, usually with a stamp. Payroll staff members should also ensure that the full date is recorded, not just the month and year. We identified that Payroll staff members stamp leavers termination forms with the date that the information is processed. From our sample of nine leavers tested, three were stamped by the Payroll department with the full date. However, three were only stamped with the month and year that the information was processed, and a further three were not stamped at all, meaning no date was recorded. There is a risk that leavers information may not be processed in a timely manner, or if an issue of timeliness arises, it may not be possible to identify wherein the process the issue lies. Management Response Payroll staff will be reminded to correctly record the full date when processing leavers information Responsibility/ Deadline Payroll Manager July Deloitte LLP 8

12 2.5 Payroll: Review of Payroll Reports Low Priority Recommendation Rationale Priority It is recommended that management information reports run showing payroll data for the year to date are signed and dated by the preparer and reviewer. We identified that management information payroll reports are prepared by the Payroll Manager and reviewed by the Finance Manager. The reports compare the current month s payroll with that of previous months in the academic year and are sorted by deduction type, such as overtime. We reviewed a sample of three of these monthly reports and found that they had been prepared, but not signed and dated by the reviewer. There is a risk that no evidence exists to confirm that these reports have been reviewed independently and on a timely basis. Management Response There is evidence of review of the payroll management information reports by the annotations on the Finance Managers copy of the report, however to ensure complete transparency, the reports will be signed by the Payroll Manager as the preparer and the Finance Manager as the reviewer. Responsibility/ Deadline Payroll Manager/Finance Manager July Deloitte LLP 9

13 2.6 HR: Update of Policy Documents Low Priority Recommendation Rationale Priority It is recommended that the HR department ensure that all policy documents under its control are updated on a regular basis, in line with each policy s next review date. We identified that the HR department holds numerous policy documents which are updated at various times throughout the year. We selected a sample of five policy documents to ensure that they were up to date: 1. Adoption/Maternity Leave Booklet; 2. Anti-Fraud Policy; 3. Equal Opportunity Policy; 4. Whistle Blowing Policy; and 5. Health, Safety and Wellbeing Policy. We found that three of the five were up to date, however, the Whistle Blowing Policy was last reviewed in November 2009 and was due for next review in Autumn 2012, and the Health, Safety and Wellbeing Policy was last reviewed in September 2011 and was due for review in September As such, these policies have exceeded their review date. There is a risk that procedures documented do not reflect current practice and that management may not be able to hold staff accountable for any non-compliance. Management Response Reviews are undertaken in line with statutory changes, HR&OD objectives and the Corporation Policy Review cycle. All these policies have been reviewed although their review dates may not have been recorded. The review dates for each HR policy will be identified. A spread sheet will be created specifying the review dates and will act as a tracking document. A nominated HR Advisor will be responsible for ensuring that policies are reviewed at the appropriate time. Responsibility/ Deadline VP(HR&OD) August Deloitte LLP 10

14 2.7 HR: Segregation of Duties Low Priority Recommendation Rationale Priority It is recommended that the HR department ensure that independent HR staff members input and review amendments to College staff data. HR staff members should also sign and date the amendments audit report to confirm who completed the review. For similar audit reports created for new starter information, HR staff members should ensure that they sign and date reports once they have been checked. We identified that certain amendments to College staff data, such as additional hours or a change in post, are input onto the system by members of the HR department. Subsequently, an audit report is run showing all amendments requested which is agreed to the system as a way of reviewing the amendments that have been input. From our time on site and discussions with HR staff members, we found that this review may be performed by the same person who input the data. We reviewed the amendment reports from September 2012 to April 2013 and found that they were not signed or dated by the member of HR staff that reviewed the amendments; therefore, we were not able to gain assurance that a separate member of HR staff was inputting and reviewing the amendments. We note that amendments that affect payroll data are sent to the Payroll department for review (such as change in bank details etc.) and these amendments are therefore subject to additional review. We also reviewed similar reports for new starter information from September 2012 to April 2013, and found that in one of eight cases, the report was signed by the reviewer but was not dated. There is a risk that errors and inaccuracies to amendments may not be identified by the reviewer if they are the same person who originally input the amendment. There is also a risk that review may not take place on a timely basis. Management Response HR Administrators will input data into the HR system and sign/date the appropriate documentation. HR Advisors will sign/date audit reports. Responsibility/ Deadline VP(HR&OD) Data entered into the system for July 2013 payroll onwards Deloitte LLP 11

15 2.8 HR: Maintenance of Personnel Files Low Priority Recommendation Rationale Priority It is recommended that maintenance of College employee personnel files is improved in the following four ways: Any outstanding information which prevents personnel files from being complete, such as signed contracts and medical forms, should be requested from the employee on a regular and timely basis; New starter information should be processed by the HR department in a timely manner; Supporting documentation which shows whether a leaving employee has received the opportunity to complete an exit interview form should always be attached to the personnel file; and HR staff members should be reminded to record the date that new starter information is input onto the system. We identified that, when new starters join, their personnel file is held in a 'pending' drawer until their signed contract, medical form and two references have been received. We tested a sample of files in the 'pending' drawer to see when the new starter was last chased for the information, and found that none had yet been chased for information. The sample included starters who commenced their role in September 2012 so we would expect the information to have been requested by the time of the internal audit (May 2013). We investigated the time taken for new starter information to be processed by the HR department and found that the average number of days taken between the employee s start date and the date that their information was processed by HR was 18 days. We consider that the information should be input onto the system in fewer days where possible. We also identified that, from a sample of nine leavers tested, there were two cases where an exit interview form would have been expected to have been sent to the leaver, however, no evidence of this was attached to the personnel file. Exit interviews are seen by existing employees as a sign of positive culture and can be a valuable source of information beyond learning the reasons why employees are leaving. In addition, we found that in two cases out of 21 new starters tested, no date was recorded for when the new starter information had been processed by the HR department. This is important to ensure that new starter information is processed in a timely manner. There is a risk that personnel files may be incomplete or inaccurate and may not hold details necessary for a satisfactory audit trail. There is also a risk that a failure to hold independent exit interviews will lead to the College missing out on key information which can help to improve practices. Management Response A reminder will be issued to HR staff that outstanding documentation must be chased on a regular basis. Each month there is a period of 6-7 days when data cannot be entered into the HR System due to payroll processing. Taking into consideration resources and the aforementioned availability of the time frame that data can be entered into the HR system, every effort will be made to ensure data is processed in a timely manner. A spread sheet will be implemented to record the issuing and return of exit interview forms. A reminder will be issued to those HR staff who input data that forms must be signed/dated. Responsibility/ Deadline VP(HR&OD) August Deloitte LLP 12

16 Appendix A Reporting Definitions Audit Assurance We have four categories by which we classify internal audit assurance over the systems we examine: Full, Substantial, Limited or None which are defined as follows: Assurance Level Evaluation and Testing Conclusion The controls tested are being consistently applied. There is a sound system of internal control designed to achieve the system objectives. There is evidence that the level of non-compliance with some of the controls may put some of the system objectives at risk. While there is a basically sound system of internal control, there are weaknesses, which put some of the system objectives at risk. The level of non-compliance puts the system objectives at risk. Weaknesses in the system of internal controls are such as to put the system objectives at risk. Significant non-compliance with basic controls leaves the system open to error or abuse. Control is generally weak leaving the system open to significant error or abuse. The assurance gradings provided here are not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board and as such the grading of Full Assurance does not imply that there are no risks to the stated control objectives. Grading of Recommendations In order to assist management in using our reports, we categorise our recommendations according to their level of priority as follows: Priority Level Definition Recommendations which are fundamental to the system and upon which the organisation should take immediate action; Recommendations which, although not fundamental to the system, provide scope for improvements to be made; and Recommendations concerning issues which are considered to be of a minor nature, but which nevertheless need to be addressed Deloitte LLP 13

17 Appendix B Staff Interviewed Mark Williams Mike Showler Gary Burridge Karen Dirkse Val Jones Sue Naish Victoria Hughes Alison Owens Radha Babu Fiona Rawlins Jacqueline Winton-Evans Director of Finance Finance Manager Payroll Manager Payroll Officer HR Advisor HR Advisor HR Administrative Assistant HR Administrative Assistant Administrative Assistant - Learning & Development Deputy Director (Pontypool) Campus Resource Manager (Pontypool) 2013 Deloitte LLP 14

18 Appendix C Terms of Reference Audit: Payroll and HR Commencement: 28 May 2013 Budget: 8 days Auditor: Naomi Surridge Key contact Mark Williams - Director of Finance Agreed with: Mark Williams - Director of Finance Report distribution: Draft Report: Principal Vice Principal, (Finance, Estates and Information Services) Clerk to the Corporation Responsible Officer(s) Final report: Audit Committee Principal Vice Principal, (Finance, Estates and Information Services) Clerk to the Corporation Responsible Officer(s) Introduction This internal audit forms part of the delivery of the approved internal audit plan for 2012/13. Objectives The internal audit will assess the adequacy and effectiveness of internal controls in operation. Weaknesses and unnecessary controls will then be brought to the attention of management and advice issued on how particular problems may be resolved and controlled. The review will seek to provide reasonable assurance over the following areas: Payroll and HR policies and procedures are in place, are up to date and have been communicated to all relevant members of staff; Roles and responsibilities for payroll and HR have been clearly defined; Segregation of duties are in place in relation to Payroll and HR; HR records and the payroll system are updated promptly for starters and leavers; Procedures are in place to ensure that the correct processes are followed for all starters and leavers (e.g. starters are only taken on following approval of a vacancy and appropriate pre-employment checks); Changes to payroll data (e.g. employee bank account details, addresses etc.) are submitted to payroll staff on a timely basis, processed accurately and are adequately controlled; Timesheets requiring authorisation (e.g. hourly paid teaching staff and some business support staff) are approved by an authorised member of staff on a timely basis and are processed accurately; Deductions and temporary changes (e.g. overtime payments) are approved by an authorised member of staff on a timely basis, and are processed accurately; Exception reports are prepared on a regular basis, there is evidence of their review and unusual variances are investigated; and Controls exist to ensure that the BACS payment run is an accurate reflection of data from the Payroll and HR systems Deloitte LLP 15

19 As part of our internal audit we will document the processes undertaken by the HR and payroll teams and seek to identify any areas of duplication of effort. Methodology The internal audit work will be carried out by discussion with appropriate staff, reading of documents and testing, as necessary, to confirm the effectiveness of the controls in place. The internal audit shall be carried out with due awareness of the risks of fraud and corruption in the processes under examination however it cannot be relied on to identify all fraud and corruption risks. When the internal audit work has been completed, the findings and any recommendations made will be discussed at a pre-arranged exit meeting. Reporting A draft report will be issued within 15 working days from the exit meeting to which the auditee will be asked to formally respond. A final report will be issued when all responses have been received and any outstanding issues addressed Deloitte LLP 16

20 Appendix D Statement of Responsibility We take responsibility for this report which is prepared on the basis of the limitations set out below. The matters raised in this report are only those which came to our attention during the course of our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist or all improvements that might be made. Recommendations for improvements should be assessed by you for their full impact before they are implemented. The performance of internal audit work is not and should not be taken as a substitute for management s responsibilities for the application of sound management practices. We emphasise that the responsibility for a sound system of internal controls and the prevention and detection of fraud and other irregularities rests with management and work performed by internal audit should not be relied upon to identify all strengths and weaknesses in internal controls, nor relied upon to identify all circumstances of fraud or irregularity. Auditors, in conducting their work, are required to have regards to the possibility of fraud or irregularities. Even sound systems of internal control can only provide reasonable and not absolute assurance and may not be proof against collusive fraud. Internal audit procedures are designed to focus on areas as identified by management as being of greatest risk and significance and as such we rely on management to provide us full access to their accounting records and transactions for the purposes of our audit work and to ensure the authenticity of these documents. Effective and timely implementation of our recommendations by management is important for the maintenance of a reliable internal control system. Deloitte LLP Cardiff June 2013 In this document references to Deloitte are references to Deloitte LLP. Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Deloitte LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu Limited ( DTTL ), a UK private company limited by guarantee, whose member firms are legally separate and independent entities. Please see for a detailed description of the legal structure of DTTL and its member firms. Member of Deloitte Touche Tohmatsu Limited Deloitte LLP 17