West Highland College. Internal Audit 2014/15 Annual Report August 2015

Transcription

1 Internal Audit 2014/15 Annual Report August 2015

2 TABLE OF CONTENTS Section Page 1. Introduction 3 2. Executive Summary Audit Findings Benchmarking Key Performance Indicators 13 Appendices A. Grading Structure 14 2

3 1 INTRODUCTION The provision of Internal Audit Services is covered by the Financial Memorandum issued by the Scottish Funding Council ("SFC"). The Financial Memorandum sets out that the internal auditors are required to produce an Annual Report on the internal audit activities addressed to the Board of Management and the Principal. The Financial Memorandum also sets out that the Annual Report should be considered by the Audit Committee prior to the Audit Committee producing its annual report to the Board of Management. This Annual Report has been drawn up in accordance with the Financial Memorandum. A copy of this report requires to be submitted to the Scottish Funding Council. 3

4 2 EXECUTIVE SUMMARY Opinion Overall Opinion We are satisfied that sufficient internal audit work has been undertaken to allow us to draw a conclusion as to the adequacy and effectiveness of the College s risk management, control and governance processes. In our opinion did have adequate and effective risk management and governance to manage its achievement of the College s objectives at the time of our audit work however we have noted a number of weak conclusions in relation to internal control for certain of the audits. Further details are provided in Section 3 of this report. In our opinion, the College has proper arrangements to promote and secure value for money, subject to the recommendations made in our reports. Our fieldwork was carried out between February and June 2015 and we have not undertaken any further internal audit assignments at the time of this report. The overall findings and conclusion of each report are highlighted in Section 3. As can be seen from the summary in Section 3 all areas included in the Operational Plan for 2014/15 are complete. In forming our opinion above, we have carried out the following work: a review and appraisal of financial and other controls operated by the College; a review of the established policies and procedures adopted by the College; an assessment of whether or not the internal controls are reliable as a basis for producing the financial accounts; a review of accounting and other information provided to management for decision making; compliance and substantive audit testing where appropriate; a review of the College's procedures in place to promote and secure value for money. The analysis of performance indicators for the internal audit work carried out in the year is included at section 5. 4

5 2 EXECUTIVE SUMMARY Basis of Opinion As the Head of Internal Audit at we are required to provide the Board of Management and the Principal with an opinion on the adequacy and effectiveness of the College s risk management, control and governance processes. In giving our opinion it should be noted that assurance can never be absolute. The most that we can provide to the Board of Management is reasonable assurance that there are no major weaknesses in the College s risk management, control and governance processes. In assessing the level of assurance given, we have taken into account: All audits undertaken during the year ended 31 July 2015; Any follow-up action taken in respect of audits from previous periods; Any significant recommendations not accepted by management and the consequent risks; The effects of any significant changes in the College s objectives or systems; Matters arising from previous reports to the Board of Management; Any limitations which may have been placed on the scope of internal audit; The extent to which resource constraints may impinge on the head of Internal Audit s ability to meet the full audit needs of the College; What proportion of the College s audit need has been covered to date; The outcomes of our quality assurance processes. 5

6 3 AUDIT FINDINGS Summary of Work Undertaken The following table summarises the audit work undertaken in 2014/15. The grading structure used in our reports can be found in Appendix A. Area Planned Days Actual Days Status Overall Conclusion High Priority Recommendations Medium Priority Recommendations Low Priority Recommendations Purchasing & Payments 2 2 Complete Weak Payroll 2 2 Complete Weak Sub Contracting & Outsourcing 3 3 Complete Weak Complaints Handling 2 2 Complete Strong Data Protection 2 2 Complete Weak Internal Communications 2 2 Complete Substantial Energy Costs & Control Mechanisms 1 1 Complete Substantial IT Systems 2 2 Complete Weak Follow Up Review (Partially implemented or outstanding recommendations) 2 2 Complete Substantial Audit Management 2 2 Complete N/A N/A N/A N/A Total

7 3 AUDIT FINDINGS High Priority Recommendations The following high priority recommendations were raised in the year: Area Finding Recommendation Management Response Purchasing & Payments The College have no formal documented procedures in place for processing changes in supplier details. There is a risk that changes to details are not coming from the legitimate source. We recommend that the College develop clear written procedures for changes to supplier bank details to ensure there is a consistent approach taken towards change requests from suppliers. The College will prepare and adopt a procedure for this. Purchasing & Payments During our testing we found that the Library Office has access to the College s credit card details. Our findings indicated that purchases were being made by the Library Officer using credit card details that are saved on the College s Amazon account. The transactions are not being authorised by the credit card holder. We recommend that the College introduce a process which ensures credit cards are only used by the holder and purchases are being authorised by Management and the Director of Finance. We also recommend that the College change the login details for Amazon immediately and that credit card details are not saved to any accounts where anyone other than the credit card holder has access. The College will update their procedures and ensure that all staff comply with this procedure. Payroll The College have no controls in place to check amendments made to payroll by the Finance Administrator. There is a risk that unauthorised changes could be made in the payroll system. We recommend the Director of Finance carries out a monthly payroll review of amendments, net pay comparison and starters and leavers to ensure they are correct. A spreadsheet has been setup to monitor changes to payroll and this will be signed off by HR. Subcontracting & Outsourcing The College are currently breaching their financial regulations as they are required to go out to tender for choice of suppliers over 5,000 which is not currently happening for subcontracted and outsourced services. The College do not have any contracts in place for outsourced and subcontracted services. Services such as cleaning, maintenance and networking are provided and invoiced monthly. There is a risk that the College are not obtaining the best value for money as the arrangements have not been put out to competitive tender and the College also have no control over the company increasing costs on services or changing the terms. We recommend the College follow their Financial Regulations and tender for services over 5,000 to ensure they are receiving best value for money. The College should have contracts in place for all subcontracted and outsourced services. The College is in the process of re-structuring support staff and intend to create a part-time procurement officer role to manage this process. 7

8 3 AUDIT FINDINGS Area Finding Recommendation Management Response Subcontracting & Outsourcing Currently there are no formal procedures or guidance for the management of subcontracted and outsourced services. We recommend the College implement a policy and procedures to provide efficient guidance and management for outsourced and subcontracted services. They should ensure they are in line with financial and tendering policies as well as outlining responsibilities for managing theses services and service contracts. This should also provide guidance for ensuring the proper checks have been carried out before employing the service provider. Other examples of procedures we would expect to see are monitoring the performance of service providers, business continuity procedures for loss of the service and ensuring reporting of the service is being provided to management. The College is in the process of preparing a register of subcontractors with the assistance of APUC. Follow Up - Catering Original Finding No assessment is made of the gross margin of products sold in the catering department. The college would benefit from having this information, particularly on high volume items in order to provide a tool for setting prices as well as adding or removing items from the menu. Pricing is set by the catering department, there is no input from the Finance Department. Original Recommendation We recommend that the finance department work in conjunction with the catering department to calculate the gross margin on high volume products. Original Management Response A process of costing products sold in the café will shortly be introduced alongside changes to the location of the café kitchen area making direct cost and margins easier to measure and report. Finding from our 2014/15 Follow Up No further action has been taken by the College with regards to calculating gross margin on high volume products. We reiterate our original recommendation. The College have re-positioned and re-configured their commercial kitchen and an independent catering contractor has been employed to create/monitor margins. 8

9 3 AUDIT FINDINGS Area Finding Recommendation Management Response Follow Up Catering Original Finding The cash income from the catering department is banked every Friday by the Finance & Payroll Administrator. The College is not currently sufficiently segregating duties around cash income. Original Recommendation We recommend that the College make arrangements for another member of staff to take the cash to the bank. This would be documented as part of the Catering procedures. The College should also review controls around the counting and posting of cash income to the nominal ledger. Original Management Response The College will review its cash management policies as part of its operating procedures and accepts there is an element of weakness in its current operation. Finding from our 2014/15 Follow Up No further action has been taken by the College with regard to another member of staff taking the cash to the bank. We reiterate our original recommendation. The College will review this situation and assign an independent person to take the cash to the bank. IT Systems The College currently use Sophos anti-virus, however it was noted during sample testing one of the class laptops tested did not have Sophos anti-virus installed leaving it vulnerable to security threats. It was also explained that there are machines with the older outdated version of McAfee installed, these machines are updated as they are discovered. There is a risk that infected machines are connecting to the network due to the outdated anti-virus software. We recommend the College ensure all devices connecting to the network have up to date anti-virus installed. Accept: Sophos is not on every device, MS Endpoint is on laptops. We require to undertake an audit o all devices in context of inventory management. 9

10 3 AUDIT FINDINGS Area Finding Recommendation Management Response IT Systems The web protection in place at the College is inadequate. The guest UHI wireless network currently does not filter any websites so we were able to access offensive and explicit websites. It was also noted we were able to by-pass the web filter on the corporate networks to access offensive and explicit images as well as gambling sites and proxy avoidance sites, which could put the College's reputation at stake. It was also noted that the College do not block dangerous file types from being downloaded from websites, this combined with users having local administrative rights to machines creates a high security risk and a lack of control over the network. We recommend the College ensure all networks are filtered by an adequate web filtering solution which will block access to offensive/explicit websites and images as well as proxy avoidance sites and all other categories they wish to block. We would also recommend the College block the downloading of dangerous files types to further safeguard the network. Accept but this is UHI s domain of control. UHI Update awaited. IT Systems The College do not have disaster recovery and business continuity plans in place for IT systems. In the event of a disaster there is no formal documented plan which has been tested to ensure recovery of business critical systems and data. We recommend the College carry out a business impact analysis to determine what areas and services are required to ensure business continues. There should be ranking of systems to determine the degree of importance and consequence of that system being unavailable for a period of time. This will lead to establishing recovery time and recovery point order for systems to ensure that business resumption plans are established to correctly reflect business criticality and that recovery takes place in the correct sequence after a disaster. From this the College can create formal disaster recovery and business continuity plans for departments and the overall College functionality. The plans should be reviewed and tested at least once a year with results and lessons learned documented to ensure the plan is as relevant as possible. All data on network drives is backed up by UHI both in Inverness and Perth server facilities; the college s multicentre structure protects the College to some degree from local IT systems failure; if the failure is within the UHI-wide network, the College is not protected. UHI s disaster recovery and business continuity policy applies, the College has a business continuity and disaster recovery policy but requires to annually test this within an IT systems context. 10

11 3 AUDIT FINDINGS Area Finding Recommendation Management Response IT Systems It was noted that the College file server is currently running very low on storage space. We were also informed that there were issues with duplication of data which is unnecessarily adding to the storage space. There is a risk that low server space will bring service to a stop and could also tempt users to save data to local devices/areas that aren t being backed up. It was explained that UHI had plans for implementing Sharepoint as a document management system but this was put on hold along with the Shared Services project. It would be of great benefit to introduce a document management system and process to help provide more efficient data management. We highly recommend the College replace or upgrade the server as soon as possible. It would also be beneficial to implement a record management policy and procedures to ensure there is standardisation across the College campuses when saving data to the network. File server space is being monitored and storage space has been restored to normal levels. UHI have plans to progress Sharepoint as a document management system. Data Protection The College's Data Protection Policy names the Director of Finance & Corporate Services as the Data Controller for the College. However in discussion it was noted that the Director was not aware of this duty and only the role of the Freedom of Information Officer which is currently being fulfilled. We also note there is no documented procedure or job description for the role of Data Controller. We recommend that the College ensure the selected Data Controller has full awareness of the tasks involved in the role such as the management and implementation of the Data Protection and Records Management & Archiving policies. The College should implement formal documented procedures for all roles involved in Data Protection. There is an ongoing review of support staff responsibilities and this will be resolved as part of this. 11

12 4 BENCHMARKING We include for your reference comparative benchmarking data of the number and ranking of recommendations made for audits of a similar nature in the year ended 31 July Area High Medium Low Total Purchasing & Payments Average number of recommendations in similar audits Recommendations at Payroll Average number of recommendations in similar audits Recommendations at IT Systems Average number of recommendations in similar audits Recommendations at Complaints Handling Average number of recommendations in similar audits Recommendations at Summary Average number of recommendations in similar audits Recommendations at As highlighted above, has an overall higher number of recommendations in comparison with the colleges it has been benchmarked against. Benchmarking information was not available for the other audits undertaken as these were bespoke to. 12

13 5 KEY PERFORMANCE INDICATORS Analysis of Performance Indicators Performance Indicator Target Actual Internal audit days completed in line with agreed timetable and days allocation 100% 100% Draft scopes provided no later than 10 working days before the internal audit start date and final scopes no later than 5 days before each start date 100% 100% Draft reports issued within 10 working days of exit meeting 100% 56% Note 1 Management provide responses to draft reports within 15 days of receipt of draft reports 100% 0% Note 2 Final reports issued within 5 days of receipt of management responses 100% 100% Recommendations accepted by management 100% 100% Draft annual internal audit report to be provided by 31 August each year 100% 100% Attendance at audit committee meetings by a senior member of staff 100% 100% Suitably experienced staff used on all assignments 100% 100% Note 1: 5 of the 9 reports were issued within 10 working days. The remaining 4 reports were issued within 15 working days. Note 2: This was due to staff restructuring. 13

14 APPENDIX A GRADING STRUCTURE For each area of review we assign a grading in accordance with the following classification: Assurance Classification Strong Substantial Weak No Controls satisfactory, no major weaknesses found, some minor recommendations identified Controls largely satisfactory although some weaknesses identified, recommendations for improvement made Controls unsatisfactory and major systems weaknesses identified that require to be addressed immediately No or very limited controls in place leaving the system open to significant error or abuse, recommendations made require to be implemented immediately For each recommendation we make we assign a grading either as High, Medium or Low priority depending upon the degree of risk assessed as outlined below: Grading Risk Classification High High Risk Major weakness that we consider needs to be brought to the attention of the Audit Committee and addressed by senior management of the College as a matter of urgency Medium Medium Risk Significant issue or weakness which should be addressed by the College as soon as possible Low Low Risk Minor issue or weakness reported where management may wish to consider our recommendation 14