ANNUAL REPORT ON INTERNAL AUDIT ACTIVITY 2006/07 REPORT AUTHOR SANDRA KING, AUDIT MANAGER, SOUTH NORFOLK COUNCIL

Transcription

1 BROADLAND COUNCIL ANNUAL REPORT ON INTERNAL AUDIT ACTIVITY 2006/07 REPORT AUTHOR SANDRA KING, AUDIT MANAGER, SOUTH NORFOLK COUNCIL Summary: This report has been prepared in accordance with the requirements of the Accounts and Audit Regulations 2003, the Accounts and Audit Regulations (Amendment) (England) 2006 and the CIPFA Code of Practice for Internal Audit in Local Government The report contains an opinion as to the adequacy and effectiveness of the Council s systems of internal control for 2006/07, comments on Internal Audit activity in 2006/07 delivered against the Annual Audit Plan and also provides performance information for the Internal Audit Service. Management Summaries for audit assignments finalised between November 2006 and March 2007 are included at Appendix 2 to the report and details of outstanding audit recommendations which have not been implemented within their original target dates, together with high priority recommendations relating to a 2006/07 audit, subject to final reporting after 31 March 2007, can be found in Appendices 3 and 4. 1 INTRODUCTION/BACKGROUND 1.1 The Internal Audit Service at Broadland Council is delivered by means of a partnership arrangement between Broadland, Breckland and South Norfolk Councils. All three Councils have signed an agreement, under which South Norfolk Council procures the services from an external contractor on behalf of all three. The contractor is currently Bentley Jennison Risk Management Ltd. This organisation has been operating in the role since 23 September 2005, when it became necessary to novate the contract after the original service provider went into administration. The current partnership outsourcing of audit assignments has been ongoing since 1 April The original contract was let for a period of 3 years and was subsequently extended for a further twelve months from 1 April 2006 to 31 March A decision was then taken at Broadland Cabinet on 4 December 2006 to continue to retain the external contractor for an additional six months from 1 April 2007, after which the contract would be re-tendered. (the original contract allowed for up to 2 years extension) 1.2 The Audit Manager of South Norfolk Council has continued to be responsible for managing the delivery of the Internal Audit Service at Broadland Council; acts in the capacity of Contract Manager and serves as the main point of contact with the external contractor. A total of days was spent providing audit management support on behalf of the Council during 2006/ There has been a change in management of the Internal Audit Service during 2006/07. The original post holder retired in mid June 2006 although he continued to manage the service on a part-time consultancy basis until the current Audit Manager joined the audit partnership on 2 October In April/May 2006, there were major problems with the external contractor regarding the resourcing of the Annual Audit Plan for 2006/07, culminating in an exchange of correspondence and meetings between the then Audit Manager and Bentley Jennison s nominated Client Partner and Client Manager. Resourcing issues, caused by staff sickness and turnover, were not fully resolved until the autumn, by which time, some slippage against planned reviews had occurred. This, in turn, has

2 had an adverse impact on performance indicators for the Internal Audit Service and completing individual audit assignments by 31 March Moreover, the delayed delivery of planned audits in parallel with the letting of the new Internal Audit Services contract have caused significant work pressures for the current Audit Manager. 1.5 In the course of 2006/07, it has also been necessary to respond to a review of Internal Audit by External Audit. This piece of work is performed on a 3-yearly cycle and early feedback suggested that further realignment to CIPFA s Code of Practice for Internal Audit in Local Government in the United Kingdom ( the Code ) was required. The relevant work was undertaken in April 2007 and a report presented to the Senior Management Team on 14 May The work done in this area follows best practice advocated by the new Code, which was published in December Finally, the Accounts and Audit Regulations 2003 were revised in April 2006 by the Accounts and Audit (Amendment) (England) Regulations 2006 and one of the amended regulations (No.6) now requires bodies to review the effectiveness of their system of Internal Audit once a year and for the findings of the review to be considered by a committee of the body, or by the body as a whole, as part of the consideration of the system of internal control referred to in regulation 4. Detailed Guidance by CIPFA regarding a review of effectiveness has now been published (last updated at the end of January 2007) and this report will comment on work done in this direction to date. 2 OPINION OF THE AUDIT MANAGER ON THE OVERALL ADEQUACY OF THE INTERNAL CONTROL ENVIRONMENT AT BROADLAND COUNCIL 2.1 The overall standards of internal control are satisfactory, based upon the internal audit work undertaken in relation to the 2006/07 Annual Audit Plan, testing of key controls on fundamental financial systems that were not originally covered by planned systems review work in 2006/07, a recent review of the status of agreed actions implemented by management during the financial year, levels of assurance given by External Audit and the extent of audit recommendations rated as High priority which have yet to be put in place. Although it has been recognised that a number of agreed actions have yet to be progressed, there were no instances in which internal control problems reported previously, created significant risks for Council activities or services. 3 ISSUES RELEVANT TO THE STATEMENT ON INTERNAL CONTROL 3.1 In accordance with Regulation 4 of the Account and Audit Regulations 2003, the Council is responsible for ensuring that the financial management of the body is adequate and effective and that the body has a sound system of internal control which facilitates the effective exercise of that body s functions and which includes arrangements for the management of risk. To confirm compliance with this statutory duty, a Statement on Internal Control has to be published each year with the Council s financial statements and should focus on: Reviewing the accuracy of internal control arrangements; Recognising where arrangements need to be improved; and, Communicating to users and stakeholders what the Council plans to do to improve the arrangements and how the planned improvements in internal control should lead to better quality public services and best use of resources. 3.2 Amended Account and Audit Regulations issued in April 2006 also now require the findings of the review of the system of internal control to be considered by a committee of the relevant body, or by members of the body meeting as a whole.

3 3.3 To assist the process outlined in 3.1 and 3.2 above, Internal Audit has recently undertaken work to: Assess the current position prior to preparing the Statement on Internal Control, taking into account the findings of internal audit reviews conducted during 2006/07. Examine the operation of key controls for each of the main financial systems not subject to systems audit review in the course of the financial year. Revisit the status of high priority audit recommendations previously accepted by management in order to gauge the extent to which the internal control environment is being further developed by management to address the risks facing their services. 3.4 All key controls relating to the Council s nine main financial systems (i.e. Main Accounting System, Cash Receipting, Investments, Creditors, Debtors, Payroll, Housing Benefits, Council Tax and National Non Domestic Rates), as stated previously, have been evaluated either through coverage as part of the 2006/07 Audit Plan or through subsequent testing of material controls as part of the Internal Audit review for Statement on Internal Control purposes, as mentioned in 3.3. Work undertaken has indicated some deficiencies within key controls as follows: Main Accounting System / General Ledger There has been some deviation from the authorisation of journal input sheets which needs to addressed. Debtors Segregation of duties has not always been observed to ensure that an officer cannot raise a debtor s invoice and subsequently receive the respective payment. This observation has been based on a review and comparison of the current access list for the debtors module of the new Civica system to the access list for the Radius cash receipting system, whereby we found that 4 Payments Section Finance staff had the ability to both raised invoices and receive payment for them on the system. The debtors control account has not been reconciled monthly to the general ledger since November 2006, following the implementation of the new Civica system and technical/training difficulties which have occurred subsequently. Creditors The creditors control account has similarly not been reconciled on a monthly basis to the general ledger since November 2006 due to issues relating to the new Civica system, although Internal Audit has been informed of management s intention for reconciliation to re-commence as soon as possible, i.e. from April 2007 onwards. The issues highlighted should also feature in the Statement on Internal Control for 2006/ It is similarly important to note that four High priority recommendations have been made in the final report on Ordering, Creditor Payments, Corporate Credit Cards, Insurances, Car Loans and Leased Cars, which was issued after 31 March Appendix 4 to this report contains details of the relevant recommendations put forward. The Statement on Internal Control for 2006/07 should likewise reflect the control weaknesses arising here.

4 3.6 Audit work to support the preparation of the Statement on Internal Control for 2006/07 has additionally considered the quality of Assurance Statements at the Council, which CIPFA s Financial Advisory Network has advised should be submitted by Directors and Managers (e.g. Heads of Services) in relation to the areas under their control. Although this approach was recommended following audit work to assist the preparation of the Statement on Internal Control for 2005/06, management subsequently rejected this recommendation, although it was agreed that the Head of Finance would prepare a draft Assurance Statement for consideration by Strategic Management Team. Recent audit follow up has since confirmed that the 3 Directors at Broadland Council have returned Annual Assurance Statements for 2006/07. However, this delegation to Directors does not comply fully with best practice advocated by CIPFA and Internal Audit is therefore restating its recommendation to seek ongoing Assurance Statements from the Heads of Service. In consequence, this situation should also be acknowledged when formulating the Statement on Internal Control for 2006/ Finally, the Council s overall response to the Audit Commission s Annual Audit and Inspection Letter, published in March 2007, for the period 2005/06 needs to be taken into account for the purposes of the Statement on Internal Control for 2006/07. The letter has focused on 5 key points requiring action by the Council, namely: Continue to take forward action plans resulting from Knowing Your Communities self assessments; Take steps to address variable housing performance. Continue to monitor the Council s financial standing to ensure the Council maintains a sound financial position. Continue to take forward and develop value for money initiatives. Strengthen the Council s counter fraud framework and risk management arrangements. 4 AUDIT WORK UNDERTAKEN IN 2006/ The table below shows in summary the audit coverage that was planned compared with that which has been delivered, whilst a more detailed overview is attached at Appendix 1 to the report, itemising the current status of individual audit assignments. Description Days planned for 2006/07 Days delivered % of planned work delivered Systems audit % Computer audit % Total % Extra work There has been some deviation from the planned audit requirements approved by the Overview and Scrutiny Committee on 29 August 2006, primarily in the area of computer audit whereby 2 reviews were withdrawn following discussions with the Head of Finance, involving job budgets totalling 15 days. One audit that was dropped, namely the Business Continuity, Disaster Recovery, Telecommunications and Physical Security review, is now to be performed as part of the Audit Plan for 2007/08. With regards to systems audit work, there had also been an intention to carry out Performance Indicator quality checks as part of the 2006/07 planned audit coverage but this requirement became obsolete when the Council adopted the new TEN system.

5 4.3 As can be seen in the table at 4.1 on the previous page and at Appendix 1 to the report, a piece of ad hoc work was also undertaken during 2006/07, amounting to 0.5 days. This was requested by the Director of Finance after a potential credit card fraud was reported to the Council by a member of the public. The matter was being investigated but the complainant then failed to co-operate with audit enquiries, which precluded any further progress being made in this matter. 4.4 Attached at Appendix 2 to this report are copies of the abridged Management Summaries of audit reports, which have been finalised since the last Audit Progress Report was presented to the Overview and Scrutiny Committee on 21 November PERFORMANCE OF THE INTERNAL AUDIT SERVICE 5.1 In addition to ensuring delivery of specific work in the Annual Audit Plan, the internal audit contract provides for the service to be measured against the following indicators, as tabulated below. Description of indicator Target Achievement 2005/06 Achievement 2006/07 Work completed compared with 100% 97.5% 91.2% that in the Audit Plan Average delay in issuing draft 10 working 6.6 working days 27.5 working days audit reports days Average delay in issuing final 15 working 19.6 working 24.3 working days audit reports days days Average delay between 25 working 26.2 working 51.8 working days completion of work and issue of final report days days Percentage of audit recommendations accepted 90% 92.5% 90.1% 5.2 It is evident from the above table that reporting targets have not been met in 2006/07 and when comparing with the previous financial year, the timescales involved have actually significantly lengthened, particularly between completion of audit fieldwork and draft reporting stages. Indeed, the turnaround timescales reported to the Overview and Scrutiny Committee on 21 November 2006 have considerably worsened in the second half of the financial year, given that previously it was noted draft reports averaged 19.2 working days to produce, and to progress from draft to final report took an average of 20 working days, equating to an overall average of 39.2 working days to prepare a final audit report upon completion of the requisite audit fieldwork. 5.3 Poor performance has occurred for a number of reasons, some of which rest with the contactor, others falling outside the latter s control. For example, there was a misunderstanding on the part of the contractor linked to working protocols that resulted in 34 days elapsing, before one particular draft report was converted into a final report. Other delays have arisen as a consequence of staffing issues experienced by the contractor, in terms of staff turnover and sickness cover, mentioned previously in 1.4 of the report. Added to this, the Senior Auditor who undertakes the majority of audits at Broadland Council is now engaged on a part-time basis, 3 days per week and this can adversely impact on the speedy turnaround of fieldwork and reports. There have been occasions too, where the Audit Manager has requested additional work after being dissatisfied with preliminary draft reports and the nature of work performed up to that point. Conversely, there have been

6 incidents, where the Audit Manager has been responsible for delays, being unable to process draft reports within preset timescales due to other work pressures. Changing work priorities have furthermore led to some stop/starting of audits, and, an inability to access certain client officers has also meant that the outcomes of some reviews could not be discussed in a timely manner leading to the prompt turnaround of the final audit report. 6 IMPLEMENTATION OF AUDIT RECOMMENDATIONS ACCEPTED BY OFFICERS 6.1 It is important to ensure that audit recommendations accepted by officers are actually implemented, if the internal control environment is to benefit from further enhancements. To support members with the task of reviewing the implementation of agreed actions, the current position regarding those recommendations rated as high priority are listed in the table below. Number of recommendations due for 44 implementation by 31 March 2007 Number actually implemented The 6 recommendations that have not been implemented within the deadline first set are itemised at Appendix 3 to the report. 7 REVIEW OF THE EFFECTIVENESS OF INTERNAL AUDIT 7.1 This is a new reporting requirement, as mentioned earlier in the report at paragraph 1.6. The Council or a Committee of the Council are responsible for reviewing the system of Internal Audit currently in place. CIPFA has issued some guidance on conducting such a review but stipulates that the Head of Internal Audit must not be allowed to influence the direction or extent of the review. It is however feasible for the Head of Internal Audit to carry out a self-assessment, the outcomes of which can then be considered by the independently appointed review team. 7.2 The following information is therefore provided to assist an independent review of systems of Internal Audit cover: In the latter part of 2006/07, External Audit carried out a review of Internal Audit and concluded that Internal Audit is compliant with the CIPFA Code of Practice for Internal Audit in Local Government in the United Kingdom, However, a number of areas have been identified for further improvement. As a consequence of the above, Internal Audit working practices have been substantially realigned to the CIPFA Code of Practice for Internal Audit in Local Government in the United Kingdom, 2006 to facilitate greater comparison and clarity. This resulted in the presentation of new Terms of Reference, a Code of Ethics and Audit Strategy to Management Team on 14 May This course of action has effectively ensured that Internal Audit at Broadland Council is now adopting the proper practices set out in the Accounts and Audit Regulations. In addition to the above, in January 2007, the external audit contractor published a Client Briefing mapping Bentley Jennison s risk based internal audit methodology against the CIPFA Code of Practice. Good feedback has been received from the Section 151 Officer at Broadland Council during 2006/07, confirming that Internal Audit Service delivery has met required standards (i.e. providing reliable assurance on internal control). There have been no adverse comments received from External Audit regarding Internal Audit work linked to International Auditing Standards, involving the

7 flowcharting of the Main Accounting System, Creditors and Debtors systems, and the testing of key controls for these systems, which suggests that External Audit have been able to place reliance on the work of Internal Audit. There has been regular reporting throughout the financial year to the Overview and Scrutiny Committee and Cabinet regarding Internal Audit activity, the retendering of the Internal Audit Services contract and the implications for the Council of the Accounts and Audit (Amendment)(England) Regulations In addition, there have been regular monthly meetings with the Section 151 Officer regarding progress against the Annual Audit Plan as well as periodic consultation on the refinement of the new Internal Audit Services Specification, which has necessitated a complete reassessment of working practices. Evidence to support the review of the system of Internal Audit includes the production of: The Annual Report and Opinion of the Head of Internal Audit; Audit Progress Reports; Reports on individual audit assignments which detail significant findings and recommendations to overcome internal control weaknesses identified; Strategic and Annual Audit Plans; and, Key performance indicators on audit inputs and outputs. 7.3 Since January 2007, considerable audit resources have been invested in developing the new Internal Audit Services contract and a number of new quality assurance requirements have been defined to further enhance service delivery. 8 RECOMMENDATIONS (1) To receive and note the Annual Report of the Audit Manager. (2) To note that the overall standards of internal control were satisfactory during 2006/07. (3) To note that the satisfactory opinion on internal control and any issues raised are taken into account when the Statement on Internal Control for 2006/07 is presented to the Final Accounts Committee. (4) To note that initial feedback on the effectiveness of Internal Audit indicates enhancements are being made to service delivery and that closer adherence to the Code of Practice for Internal Audit in Local Government in the United Kingdom is currently ongoing. Appendices: Appendix 1 Audit work delivered compared with the Annual Audit Plan for 2006/07 Appendix 2 Abridged Management Summaries of Audit Reports (where finalised) Appendix 3 Identification of Outstanding Recommendations arising from 2006/07 Audit Reviews Appendix 4 High Priority Recommendations applying to Final Audit Reports issued after 31 March 2007

8 Appendix 1 AUDIT WORK DELIVERED COMPARED WITH THE ANNUAL AUDIT PLAN FOR 2006/07 Project description Days planned Days delivered Status PLANNED WORK - SYSTEMS AUDIT Work to support Statement on Internal Control Completed. Final Report issued 19 June 2006 Performance Indicator quality control checks 5 0 Deleted from the Audit Plan by agreement with the Head of Finance Council Offices, Concessionary Fares, Postages and IT Contract Management Follow Up Completed. Final Report issued 16 October 2006 Waste Management** Completed. Final Report issued 7 March 2007 Payroll and Personnel Services Completed. Final Report issued 24 October 2006 Housing Advice, Common Housing Register and Homelessness Completed. Final Report issued 11 October 2006 Community Safety, Performance Management and Grants to External Bodies Completed. Final Report issued 9 November 2006 Housing Benefit and Council Tax Benefit** Completed. Final Report issued 8 May 2007 Ordering, Creditor Payments, Corporate Credit Cards, Insurances, Car Loans and Leased Cars** Completed. Final Report issued 8 May 2007 Council Tax and National Non Domestic Rates** Completed. Final Report issued 14 February 2007 Compliance with International Auditing Work completed 02 April 2007 Standards Broads Authority All work completed by 27 February 2007 TOTAL SYSTEMS AUDIT PLANNED WORK - COMPUTER AUDIT Computer Audit Follow Up on 2004/05 and 2005/06 reviews 4 4 Follow Up completed in May and October 2006 Information Security Management** Completed. Final Report Business Continuity, Disaster Recovery, Telecommunications and Physical Security issued 22 March Audit deleted. Agreement to undertake the work as part of the Audit Plan for 2007/08. Broads Authority Disaster Recovery 5 0 Audit withdrawn at request of the Head of Finance TOTAL COMPUTER AUDIT EXTRA WORK Investigation of potential credit card fraud 0.5 Unable to progress as complainant failed to respond to further communications from the Internal Auditors. TOTAL EXTRA WORK 0.5 GRAND WORK TOTAL **Abridged Management Summaries attached for information at Appendix 2.

9 Appendix 2 (1) Audit review of Waste Management Report No. BRD/07/04 issued 7 March 2007 Management Summary (abridged) Audit Opinion Refuse and Street Cleansing Internal Audit considers the processes in place within the day to day systems for monitoring these contracts and controlling expenditure and any income due to be sound. Supporting evidence and internal audit testing indicate that the controls are operating effectively. Testing also indicates that the processes in operation for tendering and contracting present and future refuse and street cleaning contracts have been performed in compliance with the Council s official rules and regulations. Internal Audit would also advise the Council to make every effort to ensure that contracts are signed prior to commencement of services. This is to protect the Council s position should there be issues with service delivery at an early stage, and enforcement of contract terms and conditions would present the best way forward to resolve any problem(s). Recycling Internal Audit believes the Council s systems in place to control the collection and disposal of recycled waste are suitable. The obtaining of more specific evidence of the amount of glass collected would enhance control but the possibility of the glass collection service becoming cross-border should allow a more definitive checking process. Abandoned Cars Whilst the systems adopted for dealing with reports of abandoned cards are sound, there is a need to adequately document them from the point of view of providing a continuity of service should key staff become absent. There is also a need to establish whether income (albeit small) is due from the County Council is respect of recovery of vehicle recovery charges. Cesspools/Septic Tanks Internal Audit believes that the contract renewal and monitoring processes adopted are sound and are being operated effectively. Previous Recommendations Of 21 recommendations made in the previous report, one had not been agreed. Of the remaining 20, one had not been addressed due to staff sickness but the others had been actioned either directly or in new systems being put in place that address them automatically. Recommendations The number of recommendations generated by the review is detailed below. Priority rating Number of recommendations High 0 Medium 5 Low 0 As can be seen from the table, there were no High priority recommendations put forward.

10 Latest Information on the Implementation of Agreed Recommendations It is too early to undertake any audit follow up in respect of the agreed actions arising from this review given that the audit report was only finalised in March 2007 and the timetable for the implementation of the agreed recommendations relates to the period April to August 2007.

11 Appendix 2 (2) Audit review of Information Security Management Report No. BRD/07/09 issued 22 March 2007 Management Summary (abridged) Audit Opinion The audit has identified a substantial number of recommendations, many of which are rated as Low priority (see table on next page). However, a number of other recommendations are rated as either Medium or High, and it is apparent that there are a couple of instances where previous recommendations have yet to be implemented, despite their agreed action date having elapsed. However, we have also identified a number of effective management controls in place which mitigate some of the risk to data integrity and reduce the likelihood of the systems failing. These include: An effective performance management framework between the Council and Digica, with performance targets continuously being achieved and in many instances being exceeded; Effective ICT asset management arrangements are in place; The Council have implemented an Electronic Access Policy, which all permanent members of staff have to complete prior to gaining access to Council systems and information; Physical security arrangements for the main server room provide a high-level of protection; Effective Change Management controls are in place; Desktop screensavers are password protected in accordance with good practice; and Software asset registers are in place, licensing thresholds complied with, and staff are prevented from loading software onto their PCs. Recommendations The number of recommendations made is shown below. Priority rating Number of recommendations High 1 Medium 9 Low 11

12 The recommendation rated as High was: The Council, in collaboration with Digica, should configure the Windows Active Directory Audit Policy to expected good practice guidelines. These are as follows: Audit Account logon events = Success, Failure Audit Account Management = Success, Failure Audit logon events = Success, Failure Audit policy change = Success, Failure Audit privilege use = Success, Failure Audit system events = Success, Failure Latest Information on the Implementation of Agreed Recommendations A total of 11 of the 21 agreed actions were due for implementation and recent audit follow up has confirmed that 8 have been cleared within the target dates set by management. However, 3 recommendations (1 Medium priority and 2 Low priority) remain outstanding, although developmental work is currently ongoing. It is now intended to revisit the Council s Electronic Access policy and update it, where appropriate, by September From July 2007, it is envisaged that Digica will produce regular reports listing all network accounts not accessed during the previous three months and any accounts identified, will then be queried with management to establish whether the accounts are still required. Moreover, all line managers will be reminded to notify both Digica and the Human Resources Department when temporary or contract staff leave the Council s employ. Finally, the IT security policy and links to the setting/restricting of user access rights will be subject to further development in the next few months. The outstanding agreed actions noted above have also been recorded in full at Appendix 3 to the report.

13 Appendix 2 (3) Audit review of Housing Benefit and Council Tax Benefit Report No. BRD/07/10 issued 8 May 2007 Management Summary (abridged) Audit Opinion We found that controls were generally operating satisfactorily although there are some issues that were noted which would strengthen existing controls, in particular: A formalised process for the collection of overpayments Evidence of review on creditor reconciliations (incorporating benefits) Revision of the fraud training file to provide a formal training log Visiting staff to be regularly reminded of the need to take security precautions when seeing claimants out in the patch More formal reporting of fraud activity to elected members Greater publicity of prosecutions made for benefit fraud Recommendations The number of recommendations made is shown below. Priority rating Number of recommendations High 0 Medium 4 Low 3 There were no High priority recommendations arising from this report. Latest Information on the Implementation of Agreed Recommendations Internal Audit can confirm that the 2 recommendations with early implementation dates have been appropriately dealt with. The other 5 recommendations have target dates ranging from June to December 2007.

14 Appendix 2 (4) Audit review of Ordering, Creditor Payments, Corporate Credit Cards, Insurances, Car Loans and Leased Cars Report No. BRD/07/11 issued 8 May 2007 Management Summary (abridged) Audit Opinion Ordering There is a need to improve the link between the ordering and payment systems to allow for better tracking of a transaction from inception to payment. There is no requirement in the present creditor payment system for order numbers to be recorded and, as such, it is not always possible to confirm that orders, deliveries and invoices have been matched. It is understood that the new electronic ordering system will require finance department input at an early stage and will include order numbers throughout which should provide for a more complete audit trail. There is a need for the Central Services department to ensure that there is a clear segregation of duties between preparing and authorising of orders and the authorising of invoices. Creditor Payments Based on Internal Audit testing, the creditor payment system is generally operating well. There is a need, however, for payments staff to verify that goods received boxes are completed in every case and that officers are authorising within their agreed financial limits. Corporate Credit Cards The systems employed for controlling corporate credit cards are satisfactory. Internal Audit, however, consider the number of credit cards to be excessive, particularly as a number of them remain unused in the Finance safe. In addition, there should be a separation of duties between corporate credit card holders and the officer assigned to check and reconcile the Council s credit card statements. Insurances The re-tendering of the insurance service has given greater assurance that the Council is achieving best value for money. The systems for monitoring and updating insurances and for dealing with claims remain well controlled. Car Loans/Leases Systems employed for controlling the allocation and repayment of car loans and contract hire leases remain satisfactory. Previous Recommendations Previously agreed recommendations made in January 2005 have been addressed.

15 Recommendations The number of recommendations made is shown below: Priority rating Number of recommendations High 4 Medium 8 Low 0 The following high priority recommendations arising from this audit have been made: Official orders should be signed by a requisitioning officer and a different authorising officer to demonstrate appropriate segregation of duties Separation of duties is required between the raising of orders, receipt of goods and the authorising of corresponding invoices for payment within the Central Services Department. Invoices should only be authorised by officers within their designated financial limits The need for the large number of corporate credit cards, currently located in the Finance safe, should be reviewed and the number reduced particularly where there is no evidence that they have been used. Latest Information on the Implementation of Agreed Recommendations The additional control features generated by the 11 audit recommendations receiving management endorsement, are due to be implemented by the end of June Internal Audit will therefore be reviewing the position in August 2007 to ascertain the extent to which the agreed actions have been progressed.

16 Appendix 2 (5) Audit review of Council Tax and National Non Domestic Rates (NNDR) Report No. BRD/07/13 issued 14 February 2007 Management Summary (abridged) Audit Opinion We found that controls were, for the most part, found to be operating satisfactorily, although some issues were noted which require management attention, in particular: There is still no clear segregation of duties with regard to maintaining billing records and collection / recovery responsibilities for both Council Tax and NNDR. This issue was raised in previous Audit Report No. BRD/05/08 but was not accepted by management, and we have confirmed that this situation remains unchanged, given that management continue to accept the risks associated with this internal control weakness. There is no reconciliation of composite properties between the Council Tax and NNDR lists and, similarly, relief granted is not reconciled to the total approved. A greater level of evidencing of some of the annual debit processes should be initiated. Implementation of management checks on some areas where authorisation processes are weak, such as suspense transfers, needs to be introduced. Periodic review of reports of transfers between accounts should be undertaken by management. Recommendations The number of recommendations made is shown below: Priority rating Number of recommendations High 0 Medium 6 Low 0 There were no High priority recommendations arising from this report. Latest Information on the Implementation of Agreed Recommendations Of the 5 recommendations accepted by management (the one to be rejected concerned the existence of documented procedures covering the setting up and maintenance of Council Tax/NNDR records, where it was felt that up-to-date guidance of the key processes was already been maintained), we have established that 4 agreed actions have been carried out, but in the case of the remaining recommendation, the intention to agree composite properties in the Council Tax list to the NNDR list in order to avoid anomalies between the two systems has had to be rescheduled to the end of September Furthermore, this outstanding recommendation is covered in more detail in Appendix 3 to the report.

17 Appendix 3 Review of Agreed Audit Recommendations not yet fully implemented although target dates have been reached Report details Statement of Internal Control for 2005/06 Report ref. BRD/07/01 Priority Rating of Recommendation Medium Recommendation The need for Heads of Service to adhere to the current arrangements for review and update of the existing risk register should be re-enforced. Current Status A series of officer and member risk management seminars were held in March/April 2006 facilitated by Zurich Municipal. All corporate risks identified during the Zurich seminars have been entered and scored on a corporate model which was agreed by Cabinet on 9 October Each service has its own model (held on the TEN performance & risk management system) which will include risks identified during a series of meetings with the Head of Policy and Senior Policy Officer (Performance Management) last Autumn / Winter. The majority of these have been scored, but there are a number of gaps. The risk elements are integrated into the service plans. This model of risk management is thought likely to overcome the problems identified in engaging with Heads of Service.

18 Council Offices, Concessionary Fares, IT Contract etc Report ref. BRD/07/03 IT Security Report ref. BRD/07/09 Medium Medium Cashiers procedure documents should be updated to adequately reflect the changes in the system necessitated by the allocation of free passes from 1/4/2006. The Council should revisit its Electronic Access Policy, ensuring it contains statements concerning: - defining information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing; The Facilities Manager left in March Revised procedure notes (reflecting the new organizational structure created on the departure of the Facilities Manager) are currently being drafted. New target date: July 2007 The Electronic Access Policy is still under development and a revised completion date of September 2007 is now anticipated. - a statement of management intent, supporting the goals and principles of information security in line with business strategy and objectives; - a framework for setting control objectives and controls, including the structure of risk assessment and management; - a brief explanation of the security policies, principles, standards and compliance requirements of particular importance - for example, compliance with legislative,

19 regulatory and contractual requirements; security education, training and awareness; business continuity management; consequences of policy violations; - a definition of general and specific responsibilities for IS management, including reporting information security incidents; - Reference to supporting documentation, for example, application security policies or procedures. - The policy should be subject to planned review (i.e. every 12 months) to ensure it remains effective. The policy should require all staff to agree that they will comply with the policy, and this agreement should be obtained in writing - for new and established staff. It is noted that audit report BRD 06/12 Remote Access, Mobile Computing and the Local Area Network also highlighted this requirement, with an agreed implementation date of 30/11/06.

20 IT Security Report ref. BRD/07/09 IT Security Report ref. BRD/07/09 Low Low The Council should request Digica produce a regular report listing all network accounts not accessed during the previous three months. Any accounts listed should be followed up directly with line management to confirm if the account is still required. In addition, all line managers should be reminded of the need to notify both Digica and the HR department when temporary or contract staff leave Council employment. The Council should review controls applied to setting user access rights at the applicationlevel. Settings should be compared against recommended good practice for each application. Regardless of the application, there should be a formal authorisation process for assigning enhanced privileges, detailing the following controls: - identification of those staff with privileged access rights and the reason why this access level is needed; Not yet actioned. To be introduced from July Still under development. - the need to restrict privileged access to a need-to-use and on an event-by-event basis;

21 Council Tax and National Non Domestic Rates Report ref. BRD/07/13 Medium staff with authority to grant privileged access. The need to use a separate user ID for privileged access. Composite properties in the Council Tax list should be agreed to the NNDR list to avoid anomalies between the systems. Work planned to be completed by

22 Appendix 4 High Priority Recommendations applying to Final Audit Reports issued after 31 March 2007 Report details Ordering, Creditor Payments, Corporate Credit Cards, Insurances, Car Loans and Leased Cars Report ref. BRD/07/11 Ordering, Creditor Payments, Corporate Credit Cards, Insurances, Car Loans and Leased Cars Report ref. BRD/07/11 Ordering, Creditor Payments, Corporate Credit Cards, Insurances, Car Loans and Leased Cars Report ref. BRD/07/11 Ordering, Creditor Payments, Corporate Credit Cards, Insurances, Car Loans and Leased Cars Report ref. BRD/07/11 Recommendation Official orders should be signed by a requisitioning officer and a different authorising officer to demonstrate appropriate segregation of duties. Separation of duties is required between the raising of orders, receipt of goods and the authorising of corresponding invoices for payment within the Central Services Department. Invoices should only be authorised by officers within their designated financial limits. The extent of corporate credit cards currently in use should be reviewed and the number reduced particularly where there is evidence that they have never been used.