Essex County Council - Internal Audit Report 2007/08 -

Transcription

1 Essex County Council - Internal Audit Report 2007/08 - Corporate Credit Cards FINAL REPORT 1. Executive Summary Department: Corporate Resources Audit Sponsor: Bob Coomber Interim Executive Director of Finance Distribution List: Margaret Lee Head of Corporate Finance Date of last review: July 2005 Scope of the Review: Overall Opinion LIMITED ASSURANCE Direction of Travel The control environment has not changed since our prior audit. Number of Control Design issues identified Critical Major Best Number of Controls Operating in issues identified Critical Major Best The objectives of the audit were review the controls in place to mitigate the reputational, financial, fraud and governance risks identified within the Terms of Reference, and noted as unregistered risks below. Critical and Major Priority Findings and Recommendations It is concerning to note that the main findings from this review of the use of corporate credit cards reflect those of previous reviews (2003/04 and 2005/06). The value of corporate credit card transactions for the 12 month period November 2006 October 2007 (being the latest submission at the time of review) totalled 177, It was noted that corporate credit card expenditure is not, in all instances, subject to any documented independent scrutiny / authorisation, and a significant proportion of this expenditure is not adequately supported. With increased public right of access to this information, via the Freedom of Information Act and the publication of members allowances, this represents a major reputational risk to the authority in terms of the potential for adverse media coverage / impact on public opinion. We strongly recommended that a formally recorded independent scrutiny process is implemented for all expenditure. Whilst no misuse of Council resources has been evidenced, the lack of supporting documentation and detail of card expenditure means that it cannot be said that there is no inappropriate card expenditure. There has been much use of corporate cards exceeding the authority s guidelines for use and travel and subsistence policy. Some guidance needs to be reconsidered, mindful of what levels of expenditure would be deemed reasonable by the public, and all guidance reissued to cardholders. Card Use and Authorisation Procedures Documented Application Process Guidance Available Each of the areas for this review are shown as segment s of the wheel. The key to the colours on the wheel is as follows: No / Minor Design of Controls or Controls Operating in Practise Issues identified priority Design of Controls or Operating in Practise issues identified Major priority Controls Design or Controls Operating in Practise issues identified Critical priority Controls Design or Controls Operating in Practise issues identified 1

2 Auditor: Barry Hills Fieldwork Commenced: 12/11/2007 Risk Register Updates: The Audit Sponsor is responsible for updating all findings relating to registered risks and for ensuring that unregistered risks have been incorporated within the Councils risk registers. Draft Report Issued: 17/12/2007 Management Comments Received: 27/5/2008 Final Report: 3/6/2008 Issues raised and officers responsible for implementation Name Critical Major Best Total Agreed Monitoring officer Executive Director of Finance Unregistered Risks Reviewed Risk Ref Risk Risk already identified Risk managed N/A Reputational inappropriate use of corporate credit cards may result in adverse publicity. N/A Financial where original supporting evidence is not provided expenditure may be inappropriate/the Council may be unable to reclaim all relevant VAT. N/A Anti-fraud expenditure may be incurred by the Council that relates to goods and services that are not for the benefit of the authority. N/A Governance inappropriate guidance on the use of credit cards may lead to unintentional misuse of Council resources/ lack of appropriate challenge when claims are authorised may lead to unintentional misuse of Council resources. 2

3 2. Basis of our opinion and assurance statement Risk rating Critical Assessment rationale Major financial loss - Large increase on project budget/cost: (Greater of 1.0M of the total Budget or more than 15 to 30% of the departmental budget). Statutory intervention triggered. Impact the whole council. Cessation of core activities, Strategies not consistent with government s agenda, trends show service is degraded. Failure of major Projects elected Members & SMBs are required to intervene. Intense political and media scrutiny i.e. front-page headlines, TV. Possible criminal, or high profile, civil action against the Council, members or officers. Life threatening or multiple serious injuries or prolonged work place stress. Severe impact on morale & service performance. Mass strike actions etc High financial loss Significant increase on project budget/cost: (Greater of 0.5M of the total Budget or more than 6 to 15% of the departmental budget). Service budgets exceeded. Significant disruption of core activities. Key targets missed, some services compromised. Management action required to overcome med term difficulties. Major Scrutiny required by external agencies, Audit Commission etc. Unfavourable external media coverage. Noticeable impact on public opinion. Serious injuries or stressful experience requiring medical many workdays lost. Major impact on morale & performance of more than 100 staff. Best Medium financial loss - Small increase on project budget/cost: (Greater of 0.3M of the total Budget or more than 3 to 6% of the departmental budget). Handled within the team Significant short-term disruption of non-core activities. Standing Orders occasionally not complied with, or services do not fully meet needs. Service action will be required. Scrutiny required by internal committees or internal audit to prevent escalation. Probable limited unfavourable media coverage. Injuries or stress level requiring some medical treatment, potentially some workdays lost. Some impact on morale & performance of up to 100 staff. Minimal financial loss Minimal effect on project budget/cost: < 3% (Negligible effect on total Budget or <1% of departmental budget) Minor errors in systems/operations or processes requiring action or minor delay without impact on overall schedule. Handled within normal day to day routines. Internal Review, unlikely to have impact on the corporate image. Minor injuries or stress with no workdays lost or minimal medical treatment. No impact on staff morale. Level of assurance Full Substantial Limited No Description Full assurance there is a sound system of internal control designed to achieve the objectives of the system/process and manage the risks to achieving those objectives. Recommendations will normally only be Advice and Best Substantial assurance whilst there is basically a sound system of control, there are some areas of weakness, which may put the system/process objectives at risk. There are recommendations indicating weaknesses but these do not undermine the system s overall integrity. Any Critical recommendation will prevent this assessment, and any Major recommendations relating to part of the system would need to be mitigated by significant strengths elsewhere Limited assurance there are significant weaknesses in key areas in the systems of control, which put the system/process objectives at risk. There are Major recommendations indicating significant failings. Any Critical recommendations relating to part of the system would need to be mitigated by significant strengths elsewhere No assurance internal controls are generally weak leaving the system/process open to significant error or abuse. There are Critical recommendations indicating major failings Auditors Responsibilities It is management s responsibility to develop and maintain sound systems of risk management, internal control and governance and for the prevention and detection of irregularities and fraud. Internal audit work should not be seen as a substitute for management s responsibilities for the design and operation of these systems. We shall endeavour to plan our work so that we have a reasonable expectation of detecting significant control weaknesses and, if detected, we shall carry out additional work directed towards identification of consequent fraud or other irregularities. However, internal audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected. Accordingly, our examinations as internal auditors should not be relied upon solely to disclose fraud, defalcations or other irregularities which may exist, unless we are requested to carry out a special investigation for such activities in a particular area. 3

4 3. Detailed Findings Recommendations and Action Plan Risk / Process Control Effectiveness Authorisation of card expenditure 3.1 A high proportion of credit card expenditure authorised (42% between June August 2007) is not in accordance with ECC guidance. Each cardholder's credit card statement expenditure should be recorded on a Credit Card Transaction Log which is authorised by a Line Manager / Leader of the Council. From a sample of 31 authorised Credit Card Transaction Logs covering the three month sample period (June, July and August), 25 (80%) of the transaction logs included expenditure which was either: not in accordance with ECC corporate credit card guidelines / conditions of use; not in accordance with the HR policy on travel and subsistence allowances / members allowances guidance; or not supported by invoice / receipt / other supporting documentation. NOTE: The Leader of the Council self authorises the Credit Card Transaction Logs recording his own expenditure. Please also refer to point 4.7 below. Risk: Financial and Reputational Where authorisation of corporate credit card expenditure is completed without effective scrutiny, misuse or inappropriate use of the card may not be detected. ECC may: fail to be able to reclaim all relevant VAT; be exposed to fraudulent activities (i.e. where original receipts / supporting documentation is not available, the cardholder may be able to claim the same expenditure from another party / make duplicate claims or make claims relating to personal expenditure); be subject to negative publicity should it be known that inappropriate expenditure is being authorised. The authorisation of expenditure recorded on Credit Card Transaction Logs must be effective and independent. Transactions should only be allowed, and authorised, which are permitted by the ECC corporate card guidelines / conditions, meet with the HR policy on travel and subsistence allowances / members allowances guidance and are supported by invoice, receipt or other documentation. Where a Credit Card Transaction Log relates to expenditure by the Chief Executive / Leader of the Council, the transaction log should be subject to review. Agreed: Yes Major Action to be taken: Guidance for the completion of credit cards logs to be re-issued so that all are aware of the need to conform to guidance and conditions of use. Pending the revision of Members allowances interim guidance to be issued in relation to appropriate expenditure. Officers travel and subsistence guidance to be reviewed and re-issued Leader s office to ensure that monthly log is created and completed giving details of expenditure supported by receipts. implementation: No Responsible Officer: Monitoring officer, Exec Director of Finance and Head of Leader s Office Target Date:

5 Risk / Process Control Effectiveness Unsupported card expenditure 3.2 A high number of transactions (32% for the period June August 2007) were not supported by documentation. During June, July and August in the current year, a total of 211 transactions were completed using corporate credit cards. Of these, at the time of audit field work, authorised Credit Card Transaction Logs covering 25 transactions had not been forwarded to the Purchase to Pay Team for processing. Of the remaining 186 tested transactions, 59 (32%) were not supported by invoice, receipt or other documentation. Risk: Financial and Reputational Where receipts (supporting documentation) for corporate credit card expenditure are not provided to ECC by the cardholder, scrutiny of expenditure cannot be effective, and misuse or inappropriate use of the card may not be detected. Whilst the cardholder statements issued by Barclays provide details of the establishment providing goods / services, and the category of spend, details of actual expenditure cannot be known, and it cannot be demonstrated that details provided on the Credit Card Transaction Log are accurate. Consequently, it also cannot be determined if expenditure complies with conditions imposed by ECC (either for corporate card use or in relation to travel and subsistence allowances), and it would not always be possible to detect inappropriate expenditure (e.g. where a receipt not provided is used to obtain reimbursement elsewhere, or expenditure is for the cardholder's personal use). Without the provision of receipts officers / members may suffer a personal tax / NI liability since the HM Revenue and Customs may deem it that there has been a personal benefit. Where receipts for corporate card expenditure are not provided, the authority is unable to recover VAT due (see also ref. 4.6 below). Each transaction made using an ECC corporate card must be supported by the relative invoice, receipt or other documentation. The receipts must accompany Credit Card Transaction Logs submitted for authorisation and subsequent processing. NOTE: This is in accordance with the Company Barclaycard - Guidelines for Officers / Members, the HR policy on travel and subsistence allowances and the Members Handbook. Where the authoriser, is unable, due to the lack of supporting evidence, to positively establish that expenditure is wholly for the benefit of the authority and policy has been complied with, the cardholder must be considered personally liable, and reimbursement sought. Agreed: Yes Major Action to be taken: Guidance for the completion of credit cards logs to be re-issued so that all are aware of the need to conform to guidance and conditions of use. Particular attention to be drawn for the need to supply receipts in all cases and the consequences of failing to do so reiterated. Leader s office to ensure that monthly log is created and completed giving details of expenditure supported by receipts. implementation: No Responsible Officer: Monitoring officer, Exec Director of Finance and Head of Leader s Office Target Date:

6 Risk / Process Control Effectiveness Card Applications 3.3 ECC application forms for all three corporate credit cards issued within the last 12 months had not been completed. From a review of ECC corporate card applications held, it was established that, for the three cards issued in the last 12 months, no ECC application form has been completed. The Barclaycard additional cardholder application only has been completed. By extending the review to all ECC corporate card applications held, it was found that application forms are held for 7 cardholders from a total of 11. Four of the 7 ECC application forms held contained errors / omissions (i.e. not signed by applicant or not approved by line manager). Risk: Governance Where an ECC corporate card application has not been completed a card may be issued where the required use is not in accordance with the Council's specific guidelines for issue. This may subsequently result in the card not being used in accordance with permitted expenditure, i.e. normal payment / procurement processes are appropriate, including reimbursement of travel and subsistence. Any officer or member wishing to apply for a corporate card must complete an ECC 'Application for Provision of a Corporate Credit Card', detailing the reason (business case) for which the card is being requested and including the cardholder's signature agreeing to the conditions of use of the card. Applications must be authorised by Line Manager / Leader of the Council. Where an application is made by the Leader of the Council / Chief Executive, the request should be authorised in accordance with the established protocol. Agreed: Yes Action to be taken:] Ensure that cards are issues in accordance with the requirements and that authorities are secured before use. Review circumstances in which cards are issued Establish protocol for the issue of cards to Leader/Chief Executive implementation: No Responsible Officer: Executive Director of Finance NOTE: The requirement within the ECC corporate card application for a specific business case to be made for issue of the card, and line management approval, is designed to ensure cards are only issued when justified and avoid inappropriate applications. Target Date: 30 September

7 Risk / Process Control Effectiveness Issue of Guidelines Six of the 12 corporate credit cards assignees have not signed the Company Barclaycard Guidelines. Upon issue of a corporate card, officers and members are required to read and sign a copy of the document 'Company Barclaycard - Guidelines for Officers / Members' confirming that they will comply with the guidelines and those detailed within the HR Policy Framework (section PF05.1 and PF05.2) / Members Handbook. No signed copy of the 'Guidelines for Officers' is held for 5 cardholders from the 11 corporate cards issued to officers, and no signed copy of the Guidelines for Members is held for the corporate card issued to a Member. Risk: Governance and Reputational If officers or members have either not been issued with, or evidence is not held to demonstrate that they have received a copy of the corporate card 'Guidelines for Officers / Members': Inappropriate use of the card outside of the permitted expenditure detailed in the guidelines may be through ignorance rather than intent. As a result: the authority is not in a position to take action against non-compliance; and potential exists that Officers / Members will be exposed to challenge over inappropriate expenditure. The document 'Company Barclaycard - Guidelines for Officers / Members' should be issued to all new officers / members upon approved application for a corporate card, and a signed copy obtained, confirming that the guidelines, and those within the HR Policy Framework / Members Handbook, will be complied with. The document 'Company Barclaycard - Guidelines for Officers / Members' should also be issued to the five cardholders in respect of existing corporate cards held, and to the Leader of the Council in respect of his existing corporate card. Signed copies should be obtained, confirming that the guidelines, and those within the HR Policy Framework / Members Handbook, will be complied with. Agreed: Yes Action to be taken: Ensure that the guidelines are signed implementation: No Responsible Officer: Executive Director of Finance Target Date: 30 September

8 Risk / Process Control Design Content of Guidance 3.5 Existing guidance on permitted hospitality is considered vague. The Members Handbook includes guidance addressed to members on travelling expenses, subsistence and hospitality. Apart from the requirement for member visits to be authorised by the Leader of the Council / Cabinet Member for Finance and Resources when for foreign travel or in excess of 500 ( 1000 for more than one councillor), the handbook provides no instruction on scrutiny and authorisation of travel, subsistence and hospitality claimed / expenses incurred, either for members or the Leader of the Council. Whereas guidance on travel and subsistence expenses / claims is fairly specific, regarding hospitality, guidance is less specific, advising "Councillors should only provide hospitality and claim it back in exceptional circumstances. If providing hospitality is deemed necessary then arrangements are best put in place in advance, including agreeing arrangements for meeting the cost". Risk: Governance and Reputational Without documented requirements for the independent scrutiny and authorisation of travel, subsistence and hospitality claimed / expenses incurred by both members and the Leader of the Council, and guidance as to what is reasonable, inappropriate or unjustified claims could be made and expenditure incurred without challenge. This could potentially leave the Council exposed in the event of requests for details of members allowances under regulation 15 of the Local Authorities (Members Allowances) (England) Regulations 2003, or a request for details of hospitality provided under the Freedom of Information Act. The Members Handbook should include guidance on the scrutiny and authorisation of expenditure incurred / travel and subsistence allowances claimed, both for members and the Leader of the Council. A protocol needs to be established and documented relating to the responsibility for the review of expenditure / claims by the Leader of the Council. More specific guidance should be provided defining for which events it is suitable to provide hospitality and what level of expenditure is considered reasonable. Agreed: Yes Action to be taken: Pending the revision of Members allowances interim guidance to be issued in relation to appropriate expenditure. Guidance to include the scrutiny and authorisation of expenditure incurred/travel and subsistence allowances claimed for Members and the Leader of the Council Guidance on the provision of hospitality to be issued. implementation: No Responsible Officer: Executive Director of Finance/Monitoring Officer/Head of Governance and Member Services Target Date: 30 June

9 Risk / Process Control Design Procedural guidance for corporate card application / issue 3.6 Procedural guidance for corporate card application / issue contains omissions. The Financial Operations Cashiers Team Processes/Procedures Company Barclaycard document contains omissions compared to the procedures that had been instigated by the Purchase to Pay Team in response to original review of corporate credit cards by Internal Audit in 2003/04. The procedures do not provide for: The completion of the ECC 'Application for Provision of a Corporate Credit Card' by the prospective cardholder, including line manager approval and agreement to conditions of use. The issue of the ECC document 'Company Barclaycard - Guidelines for Members / Officers' to new cardholders, against their signature, undertaking to comply with the guidelines and those in the Members Handbook / HR Corporate Policy Framework section PF05.1 and PF05.2 (as appropriate). Risk: Governance Through the lack of up to date, accurate procedure notes relating to the corporate credit card application process, the correct procedures have not been applied to the three cards issued during the last 12 months (please refer to point 3.3. above). As a result of this, there has been the potential for the inappropriate issue of cards (where the anticipated expenditure detailed in the request may not have corresponded with permitted expenditure within the conditions of use). Whilst, for the three new cardholders not having been advised of important conditions and guidelines for the use of the cards, there has also been the potential for inappropriate use of cards (where actual expenditure may not have corresponded with permitted expenditure within the guidelines / conditions of use). The Financial Operations Cashiers Team Processes/Procedures Company Barclaycard document should be updated to include: The completion of the ECC 'Application for Provision of a Corporate Credit Card' by the prospective cardholder, including line manager approval and agreement to conditions of use. The issue of the ECC document 'Company Barclaycard - Guidelines for Members / Officers' to new cardholders, against their signature, undertaking to comply with the guidelines and those in the Members Handbook / HR Corporate Policy Framework section PF05.1 and PF05.2 (as appropriate). Any increase / decrease of a card credit limit must be requested in writing. The issue of documented guidance to card expenditure authorisers detailing their responsibilities. Agreed Yes Action to be taken: Amend document in accordance with recommendations implementation: No Responsible Officer: Executive Director for Finance Target Date: Additionally it is not clearly stated that any increase / decrease of a card credit limit must be requested in writing. There is no procedure noted for advising card application authorisers of the subsequent responsibilities of card expenditure authorisation. 9

10 Risk / Process Control Effectiveness Completion of Credit Card Transaction Logs 3.7 Credit Card Transaction Logs do not always provide sufficient details as to how expenditure relates to ECC business. The Credit Card Transaction Logs reviewed during testing frequently lacked precise details of the nature and purpose of expenditure, making it difficult to determine how the expenditure related to ECC business. This applies both to officers and members expenditure. Risk: Reputational The authority may be required to make available details of corporate card expenditure following requests under the Freedom of Information Act, or in respect of requests for details of members allowances in accordance with The Local Authorities (Members Allowances)(England) Regulations The inability to provide sufficient detail would leave the authority exposed to speculation as to inappropriate use of public funds The details of expenditure specified in Credit Card Transaction Logs should be sufficiently detailed to clearly identify the nature and purpose of the payment, including events being attended and the names of those for whom the expenditure is incurred if not the cardholder. This guidance should be incorporated into the Company Barclaycard Guidelines for Officers / Members and reissued to all cardholders. Agreed: Yes Action to be taken: Amend and re-issue guidance implementation: [ No Responsible Officer: Executive Director for Finance Target Date: 30 June

11 4. Advice and Best Matters Arising Advice / Comment Risk Rating Responsible Officer Risk / Process Control Design Corporate card application details record 4.1 Cashiers maintain a spreadsheet record of corporate card / cardholder details which is password protected both for reading and writing to the document. Relevant details are included for current cards issued, including the total of card limits and the account limit. The completion of an ECC corporate card application form, receipt of the Guidelines for Officers / Members and dates of card / PIN issue are not recorded. It was noted that temporary card limit increases for three current cards were recorded as 'comments' against the card limit cell on the spreadsheet. For one of these the expiry date of the increased limit was recorded, without the amount. For a further card, current corporate card statement sheets demonstrated a higher limit than that recorded in the spreadsheet. Control Design Content of Guidelines 4.2 The 'Company Barclaycard - Guidelines for Officers / Members' advises that card expenditure and statements will be scrutinised by finance staff, who will raise any issues of non-compliance with guidelines and policy with the card user. This is inappropriate given that expenditure should already have been authorised, at a level of seniority higher than finance staff processing card expenditure. To be effective, the spreadsheet record of corporate card / cardholder details should be maintained up to date, and limits periodically compared to the details notified on corporate card summary statements. The details recorded on the spreadsheet could be usefully increased to demonstrate which cardholders have completed an internal ECC corporate card application form (including date and authorisation), which have received a copy of the ECC Guidelines for Officers / Members for use of the card, and dates of card / PIN issue. The 'Company Barclaycard - Guidelines for Officers / Members' should be revised to demonstrate the responsibility for scrutiny of card expenditure for compliance with guidelines and policy rests at the point of authorisation of the Credit Card Transaction Log. An escalation process at a suitably senior level should be agreed and documented for use if it is subsequently obvious to finance staff processing payments that the authorisation control has been ineffective (i.e. non-compliance not identified). Control Design Content of Guidance 4.3 The HR Policy Framework includes guidance for officers on travelling expenses, subsistence and hospitality. Whereas guidance on travel and subsistence expenses / claims is fairly specific, hospitality guidance is less specific, advising "It will be for the authorising officer to decide on what hospitality is reasonable. This may include a modest expenditure for alcohol where appropriate". More specific guidance should be provided within the HR Policy Framework defining for which events it is suitable to provide hospitality and what level of expenditure is considered reasonable. 11

12 Matters Arising Advice / Comment Risk Rating Responsible Officer Risk / Process Control Effectiveness Prompt receipt of Credit Card Transaction Logs / Processing of corporate card transactions 4.4 At the time of undertaking audit fieldwork, in November: One officer's July corporate card statement transactions had not been processed (the Credit Card Transaction Log had been authorised on 22 August, however, Purchase to Pay staff were still trying to resolve discrepancies). Two officer's and the Leader of the Council's August corporate card statement transactions had not been processed (the Credit Card Transaction Logs for the two officers had not been received, whilst the transaction log for the Leader of the Council was received on 29 August, however, Purchase to Pay staff were still trying to resolve discrepancies). One officer's September Credit Card Transaction Log had not been received by Purchase to Pay staff. Control Design Credit Card Transaction Log authorisation process 4.5 The Credit Card Transaction Log for use with officer s corporate card expenditure includes provision for authorisation by the cardholder s line manager, whereas the Credit Card Transaction Log for use with member s corporate card expenditure includes provision only for the cardholder s signature. Neither document provides any guidance on authorisation procedures. In accordance with the 'Company Barclaycard - Guidelines for Members / Officers', following receipt of corporate credit card statements by cardholders, Credit Card Transaction Logs should be completed, expenditure authorised, and statements, transaction logs and receipts forwarded to the Purchase to Pay Team within two weeks. Since overall corporate card expenditure each month is cleared by direct debit, the ability to process card expenditure promptly assists the Council's bank reconciliation procedures. The delays identified by Internal Audit negatively impact on the bank reconciliations. Finance staff currently scrutinise Credit Card Transaction Logs received (as noted at ref. 4.2) and during testing printed exchanges were seen where finance staff were chasing for receipt of missing receipts / other issues. This should not be necessary and is inefficient. The Credit Card Transaction Log for use by members should include provision for independent authorisation of expenditure. To improve effectiveness of the authorisation control, it is suggested that Credit Card Transaction Logs be revised to include (for both officers and members), for each payment recorded, check boxes for use by the authoriser to demonstrate that payments are supported, in accordance with ECC corporate card guidelines / condition, and in accordance with the HR Policy Framework / the Members Handbook. Control Effectiveness VAT recovery 4.6 For the sample of corporate card transactions tested, which included all transactions completed by each cardholder recorded on corporate card statements issued in June, July and August of the current year, it was found that 16 of the invoices / receipts provided were not valid for the recovery of VAT. Considering these invoices together with those instances where no receipt or invoice has been provided, it is estimated that ECC has been unable to recover in the region of 300 during the three month period through a lack of VAT invoices. Correct authorisation procedures and use of the check boxes should be included in documented guidance issued to card expenditure authorisers detailing their responsibilities (see ref. 3.6 also). Valid VAT invoices or receipts must be provided for all applicable expenditure in order that ECC may recover all VAT input tax due. This figure is a prudent estimate since the descriptions of the relative transactions per Credit Card Transaction Logs are not sufficiently detailed to determine whether it would be possible to recover VAT on some hospitality expenditure. 12

13 Matters Arising Advice / Comment Risk Rating Responsible Officer Risk / Process Control Effectiveness Use for official business and in accordance with terms and conditions 4.7 The sample of corporate card transactions examined included all transactions recorded on corporate card statements issued in June, July and August for the current year. From186 transactions tested: 54 did not comply with the ECC terms and conditions for use of corporate cards (permitted expenditure is stated as hotel accommodation, travel and hospitality where normal payment / procurement processes are not possible; non-compliance frequently related to UK subsistence and local travel, which should be borne by the cardholder officer / member and reimbursement claimed); 24 did not comply with ECC rules for travel and subsistence as detailed within the HR Policy Framework and the Members Handbook (noncompliance related to breaching of maximum amounts payable); and For the seven cardholders who have completed an ECC application form, including a business case justifying use of the card, 39 transactions did not correspond with the business case submitted. All expenditure made using corporate cards should be for official use / approved purposes, in accordance with the conditions of use stated in the ECC 'Application for Provision of a Corporate Credit Card', the 'Company Barclaycard - Guidelines for Officers / Members, HR policy on travel and subsistence and the Members Handbook. Where correct card application procedures have been applied, and an ECC application form held, use of the corporate card should correspond with that stated in the business case. Non-compliant corporate card expenditure should not be authorised without challenge. The audit findings support the recommendation at ref. 3.5 concerning effectiveness of corporate card expenditure authorisation The revision of Credit Card Transaction Logs as recommended at ref. 3.5 should have the effect of reducing noncompliance. 13