Internal Audit Report Credit Cards (C4/69, C4/70)

Transcription

1 INFORMATION REPORT Audit Committee 20 October 2011 Governance and Compliance Internal Audit Report Credit Cards (C4/69, C4/70) As part of the 2011 Internal Audit Plan an audit was undertaken on the Credit Cards from 18 August to 22 August The aim of the audit was to; Review, assess and obtain an understanding of the Credit Card processes, systems and controls. Assess the level of risk pertaining to those processes, systems and controls Provide recommendations relating to the findings of the audit to improve the effectiveness of the processes, systems, controls and risk management of the Credit Card function The audit engagement was performed with the cooperation and support of the key stakeholders and users of Credit Cards An overview of the audit is detailed in the Executive Summary section of the Internal Audit Report as shown in Appendix 1 of this report. A full copy of the Internal Audit Report is available on request to the Internal Auditor. Jim Brydson Internal Auditor Tanya Hook Acting Manager, Governance and Policy John Moyle Director, Governance and Compliance File Reference: C4/70 Page 1 of 7

2 Appendix 1 Internal Audit Report Business Unit Name / Activity: Credit Card Audit Reference: CTTG 007 Audit Date: August 2011 Version: FINAL File Reference: C4/70 Page 2 of 7

3 Contents Page Audit Timetable 3 Executive Summary 4-6 Objective and Scope of Work 4 Summary of Findings & Recommendations 5-6 Priority Rating 6 Introduction 7 Background 7 Objectives and Scope Work 7-8 Objectives 7 Scope of Work 7 Approach 7 Reporting 8 Summary Issues 9-10 Audit Findings Appendix 1 Internal Audit Plan and Follow Up Review 16 Appendix 2 CTTG Risk Assessment Criteria File Reference: C4/70 Page 3 of 7

4 Audit Timetable Scoping Meeting: N/A Audit Scope Issued: N/A Audit Commenced: 18 August 2011 Draft Report Issued: 6 September 2011 Final Report Issued: 29 September 2011 File Reference: C4/70 Page 4 of 7

5 Executive Summary A review of the Credit Card process was conducted as part of the 2011 Internal Audit Plan. The Executive summary provides a concise overview of the outcomes and issues arising from the audit to senior management For more details of the findings and recommendations please refer to the body of the report. Objective and Scope of Work The Objectives of the review were to: Gain an understanding of the processes and systems associated with Credit Card use. Assess the effectiveness of the related processes, systems and controls Determine risks associated with department goals and objectives, processes and systems Identify and evaluate the key controls relating to the risks Test the key controls over the major risks by undertaking a: o o Walkthrough of the process Review of supporting documentation (where applicable) Determine action plans and improve the effectiveness of the controls, systems and processes (where applicable) The scope of the review included the following: Internal Controls - Policies, procedures, etc Risk Management Functions & Processes relating to Credit Cards and Credit Card holders File Reference: C4/70 Page 5 of 7

6 Summary of Findings and Recommendations Findings from this audit engagement are based on issues identified prior to the Internal Auditor undertaking NAB Flexi purchase training in late July 2011 No Testing of random samples of transactions were undertaken as part of this engagement As a result of the review of the Credit Card processes, systems and controls, a number of Opportunities for Improvement [OI] were identified. Number of Deficiencies Raised (CPAR) Number of Opportunities for Improvement Raised (OI) 4 The Priority Rating is based on the level of risk relevant to the issue and impact to Council Number of Deficiencies (CPAR) Number of Opportunities for Improvement (OI) Priority Rating Extreme High Medium Low 2 2 Consequently, the following areas that have been identified as having a concerning level of risk exposure that is attributable to Credit Card processes and controls. Internal Controls o Use of Credit Cards to purchase works or services o Credit Card procedure does not reflect all key conditions for the use of Credit Cards Asset Registers Registration of goods into Asset registers after being purchased on a Credit Card Individual Findings Ref Description of Finding Priority Implementation Timeframe CTTG007/01 During the audit it was established that Credit Cards are being used to purchase goods / services / works relevant to the users credit level. However; 1) Where Credit Cards are used to purchase works or a service, there are no controls in place that directs the user to ensure that the supplier / service provider or their Sub Contractor(s) has: Public Liability Professional Indemnity High Proof of OHS Policy and Procedures Workers Registration or Workers Compensation Insurance 2) There are no controls in place that prevents Credit Card holders using this File Reference: C4/70 Page 6 of 7

7 CTTG007/02 CTTG007/03 CTTG007/04 medium for acquiring Consultation services During the Audit it was established that there are no controls / guidelines which direct Credit Card holders as to the types of purchases that can be made. At the time of the audit it was established that a Credit Card was used to acquire computer equipment (IPad). Although approval was obtained from the Manger, KIS to obtain the equipment, it is considered: That any purchase of computer equipment should be undertaken by KIS and not performed by individual Credit card holders. That Credit Cards is not the correct medium to purchase this type of equipment. At the time of the audit, it is unclear who actully undertook Credit Card training as there is no training record available within People and Oganisational Development (POD). Credit Card holders are effectively undertaking a purchasing function and therefore,effective training / controls / guidelines need to be defined for the Credit Card holder as to the types of purchases that can be made. During the audit it was established that there is no level of control that ensures purchases of equipment are placed onto the Asset Register. Medium Medium High All findings have been discussed and agreed with management Priority Rating The priority rating has been based on the CTTG Risk Assessment Criteria (Refer Appendix 2), which is embodied in the Risk Management Framework procedure Priority Rating Extreme High Medium Low Level of Rating Attention, time and resources are generally required immediately Attention required. Minimum requirement should be included in the following years budget and program Requires monitoring. Systems in place to manage and minimise risk Standard operating procedures in place to manage risk. File Reference: C4/70 Page 7 of 7