FINAL INTERNAL AUDIT REPORT. Steve Allen, Managing Director, Finance



Similar documents
FINAL INTERNAL AUDIT REPORT

FINAL INTERNAL AUDIT REPORT

Agency Temporary Worker Processes (IA /F v1) Tricia Riley, HR Director. Audit Conclusion: Audit Closed

Financial Controls over Payments to Contractors on Major Projects (IA F) Leon Daniels, Managing Director, Surface Transport

Business Continuity Arrangements for Management and Support Activities (IA /F) EXECUTIVE SUMMARY... 3 STATUS OF AGREED ACTIONS...

Transport for London. Minutes of the Audit and Assurance Committee

FINAL INTERNAL AUDIT REPORT

Voluntary Severance Process (IA /F) Tricia Riley, Director of Human Resources. Audit Conclusion: Audit Closed

INTERIM INTERNAL AUDIT REPORT

3.5 The findings from the review will be reported to the next meeting of the Audit and Assurance Committee.

Management of NEC3 Compensation Events (IA ) Andrew Wolstenholme, Chief Executive. Audit Conclusion: Adequately Controlled and Audit Closed

TRANSPORT FOR LONDON AUDIT COMMITTEE STRATEGIC RISK MANAGEMENT PROGRESS REPORT

Process Control Optimisation with SAP

HOWARD UNIVERSITY POLICY

Final. Internal Audit Report. Creditors System

Accounts Payable Automation

SAP Solution Brief SAP ERP SAP Invoice Management by OpenText. Take Control with Invoice Management Software

Automating the Order to Cash Process

Welcome to the topic on managing delivery issues with Goods Receipt POs.

Report of Don McLure, Corporate Director of Resources

Procure-to-Pay Solutions:

Supply Chain Shared Services (SCSS)

Aberdeen City Council. Performance Management Process. External Audit Report o: 2008/19

South Northamptonshire Council Contract Assurance: Leisure Contract

What s new in Sage Evolution Version 6.81

How To Audit Health And Care Professions Council Security Arrangements

Recommendations which have been implemented have been removed from this report. The original numbering of recommendations has been retained.

Vendor Invoicing Through Payment FI-AP /17/08 09/18/08. LaGOV. Version 1.0

Accounts Payable Outsourcing Audit April 2014

E-INVOICING A COMPANY-WIDE PROJECT?

SCHEDULE 16. Exit Plan. sets out the strategy to be followed on the termination (including Partial Termination) or expiry of this Agreement; and

Office of the City Auditor. Audit Report. AUDIT OF ACCOUNTS PAYABLE APPLICATION CONTROLS (Report No. A10-003) October 2, 2009.

Agreement for the provision of IT Management Services and IT Services

Efficiency Scrutiny Committee 16 th September 2014 IT - Scrutiny of the Service Review process and viability of options for change

ALSTOM Grid Private Community Powered by Amalto e-business Cloud

Commonwealth of Pennsylvania Governor's Office

PAYMENT FOR WORKS, GOODS AND SERVICES FINANCIAL PROCEDURE 11

S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma

PROCURE-TO-PAY TRANSFORMATION FOR CFOs. Achieving Control, Visibility & Cost Savings.

Get Invoice Processing That s Ready for the Digital Economy and Your IT Landscape

ABB s Supplier Qualification System Registration in Achilles Power & Tech Frequently Asked Questions (FAQs) June 2013

Information Commissioner's Office

Southern California AFP Luncheon

ConocoPhillips Supplier Qualification System (SQS) FAQ for Suppliers

1.0 Policy Statement / Intentions (FOIA - Open)

Performance Audit City s Payment Process

Procure-to-Pay Best Practices

Audit Report for South Lakeland District Council. People and Places Directorate Neighbourhood Services. Audit of Grounds Maintenance

Table of Contents. Transmittal Letter Executive Summary Background Objectives and Approach Issues Matrix...

Data Quality - A Review of the Audit Committee

Operational and Strategic Benefits in Automating Accounts Payable

CITY OF VAUGHAN EXTRACT FROM COUNCIL MEETING MINUTES OF FEBRUARY 17, 2015

Aberdeen City Council IT Asset Management

Best Practice exensys Asset Purchases

STL Microsoft Dynamics CRM Consulting and Support Services

SUPPLIER PAYMENT GUIDE

Steve Turpie, Chair of Audit Committee David Swales, Assistant Director of Finance

Jenny Obee, Head of Information Management Tel: Micailah Fleming, IT Director

London Borough of Sutton. Corporate Debt Recovery Policy

Update on Programme Management Controls & Risks

Manchester City Council

Information Commissioner's Office

Note: Your security settings may prohibit you from viewing or modifying the current list of marketing promotions.

AP Automation and SAP. An Industry Perspective and Lessons Learned in the SAP ERP market

Finding Nirvana in AP Automation and Outsourcing

Review of the Assurance and Approval Processes applicable to Investment Projects Progress Update

Worksoft Case Study 1

The Gestamp Supplier Risk Management (SRM) system. Supplier Frequently Asked Questions (FAQ)

MANAGING DIGITAL CONTINUITY

Annual EMR Compliance Report. National Grid Electricity Transmission plc

International Institute for Environment and Development. Job Description

Mike Ventrella, Vice President, Sales

2 Matters to report from internal audit work completed during the period

Basware R&D: Tutustu ja vaikuta Laskuautomaatio

Workshop Presentation PRO 08 Self Service Procurement Shopping Cart

Transcription:

FINAL INTERNAL AUDIT REPORT Procure to Pay (IA 13 126/F) Steve Allen, Managing Director, Finance Audit Conclusion: Audit Closed 19 June 2015 Issue categories Agreed actions Satisfactorily addressed Partially addressed No longer applicable Not addressed Priority 1 6 4 2 0 0 Priority 2 8 6 2 0 0 Priority 3 1 1 0 0 0

CONTENTS EXECUTIVE SUMMARY... 3 STATUS OF AGREED ACTIONS... 4 APPENDIX 1 DISTRIBUTION LIST... 16 Audit information Version 2 Draft versions issued 2 Draft report issued 4 June 2015 Audit Graham Tye Director of Internal Audit Clive Walker Page 2

EXECUTIVE SUMMARY Objective To provide assurance over the effectiveness of the TfL procure-to-pay process controls. Scope The audit focused on the control environment in relation to the following key risk areas: Registration of new suppliers; Maintenance and management of supplier details; Raising and processing of shopping carts, purchase orders, invoices, goods receipt notes and credit notes; Procure-to-pay SAP configuration and access controls; Payments to suppliers; Management reporting and monitoring of the above key risk areas; Procedural and guidance documents on the above key risk areas. Summary of findings Our Interim Audit Report dated 31 March entitled Procure-to-Pay identified two Priority 1, five Priority 2, and one Priority 3 issues resulting in 15 management actions. We have now carried out a follow up review of the agreed management actions and can confirm that 11 have been satisfactorily addressed. Four actions remain partially addressed. Two of these are now incorporated into the Vendor Invoice Management (VIM) project, and have an estimated completion date of 31 December 2015. Therefore, whilst we have closed this audit, the remaining actions have been added to Issue Track to ensure they are completed and will be followed up as they become due. Page 3

STATUS OF AGREED ACTIONS Priority 1 actions 1. The FSC, through liaison with IM, will enhance the SAP reporting functionality to more effectively identify duplicate vendors. Geoff Gibbs, Continuous Improvement Implemented The FSC, through liaison with SAP Support, has enhanced the SAP reporting functionality to more effectively identify duplicate vendors. 2. The FSC will complete:- Identifying, blocking purchases from, blocking payments to and removing inactive vendor records; Identifying and rationalizing active duplicate vendor records through, for example, investigating records with the same bank accounts Geoff Gibbs, Continuous Improvement 30 September Extended 31 October Extended again to The FSC has undertaken the following: Investigations revealed that the SAP report had not been working correctly since 2006. This was corrected in late 2013 via SAP Support. The number of inactive records has since been reduced by over 7,000 records. Page 4

or same post codes. 31/01/15 Over 9,000 vendor records were identified by the FSC and deleted. Dunn & Bradstreet were then hired to complete the rationalisation of duplicate vendor records. The records were then amended by the Central Supplier Registration. For example, a further 668 vendors were identified as duplicate, with 478 being registered more than once in different Vendor Account Groups. This was completed by the end of January 2015. 3. The Commercial Centre of Excellence (CCoE) will investigate whether the automated IMG control for checking for the existence of duplicate suppliers can be Graeme King, Procurement Operations Team CCoE has stated that turning on the IMG control will put the interface from Bravo to SAP at risk. There is no test environment available for Page 5

enabled. If appropriate, it will then be enabled. 30 September Bravo to SAP. Taking these factors into account CCoE concluded that turning on the IMG control is not appropriate. In mitigation, together with Bravo Solutions and the FSC, the CCoE has investigated how to eliminate the circumstances under which a duplicate account is automatically created in SAP if vendors select the incorrect options in the supplier portal. For example: o Review of the web forms used by the supplier registration to capture supplier details to remove unwanted fields (currently ask circa 100 questions, the responses to the majority of which are never used). o Changes to the remittance section of the web form that, if completed incorrectly by the supplier, creates multiple requests for the supplier in SAP. Page 6

o o o Automatic population of fields on the web form with information from Dunn and Bradstreet (registered office, turnover, financial risk etc.) Automatic update of existing supplier information with information from Dunn and Bradstreet Ability for supplier to enter and maintain bank details Discussions are ongoing and outcomes will be fed into the Run Better Programme (RBP), subject to funding. However, the earliest that changes can be made in SAP is June 2015. The number of staff with the ability to approve new suppliers in SAP has been reduced from 243 to 55. 4. Taking into account the decision on how SAP Supplier Relationship Module (SRM) 4.0 will be replaced, Graeme King, Procurement Operations The Commercial Systems Transformation Programme (CSTP Page 7

Commercial management will identify how the search facility for suppliers on SAP SRM shopping carts can be enhanced. An appropriate change request will be submitted to IM to effect this change. Team 30 September - part of the RBP) has within its scope the SRM module. The programme will put forward recommendations for the replacement or upgrade of SRM after a period of requirements gathering from all stakeholders. The CSTP is not expected to complete until late 2015 or early 2016. The requirement to improve supplier searching has been provided to the programme and as such it is not appropriate to raise a change request to alter the existing functionality of SRM 4.0. 5. Users with procure to pay roles in SAP will be reviewed and all inappropriate access will be removed. Brian Davey, Head of Financial Services Centre Completed Partially addressed. SAP P2P roles have been reviewed at the FSC and inappropriate access removed. P2P high risks have been reduced from 2,590 across 171 users to 1,382 across 165. Complete the review of high risk P2P roles across the rest of TfL, outside of the FSC. 31 July 2015. Page 8

However, this has not been completed for the rest of TfL. This will be completed via the periodic meetings of the SAP Governance Review Council (GRC). The first meeting was held in December. 6. New roles will be developed and rolled out which will further reduce the risk of inappropriate access being given to staff. Brian Davey, Head of Financial Services Centre 30 September Partially addressed The ongoing review of roles had ceased following the departure of previous Head of FSC. This was performed via the SAP GRC, the last meeting being in May. A wider review of high risk SAP roles (HRS for example) has begun. We have been informed that as at 29 October the high risks roles in the FSC stood at 6,561. 3,087 are in Accounts Payable and 1,525 in Accounts Receivable. The target is to reduce to below 1,000. Complete the review of high risk SAP roles across the rest of TfL, outside of the FSC. 31 July 2015. However, this is yet to be completed Page 9

Priority 2 actions 7. 8. Commercial management will identify a planned course of action with a timetable to resolve the issues affecting the supplier registration process. The course of action will take into account the decision on how SAP SRM 4.0 will be replaced. A reminder has been sent to relevant staff to instruct them to check if suppliers are registered on SAP, before Graeme King, Procurement Operations Team 30 September Diane Wadsworth, Accounts Payable for the rest of TfL. The CSTP has within scope the existing supplier front end portal managed by Bravo Solutions. There is a clear requirement to improve the interface between suppliers and TfL by replacing the current portal. Commercial management has engaged with the FSC and RBP team to agree the scope and funding. The project is not expected to complete until June 2015 and so a number of minor changes to the existing portal and interface have been suggested to provide some low cost quick wins to address supplier registration issues (see response to action 3). Reminders have been sent to relevant staff to instruct them to check if suppliers are registered on Page 10

paying them through the unsupported invoice process. Implemented SAP, before paying them through the unsupported invoice process. 9. Management will implement a swipe card access system to control entry to the 1 st Floor, 14 Pier Walk. Brian Davey, Head of Financial Services Centre Access to the 1 st Floor, 14 Pier Walk is now controlled by a swipe card access system. Implemented 10. Commercial management will consider if the delivery address on a purchase order should be made a sensitive field which would require rerelease if amended. If this is considered appropriate, it will then be made a sensitive field. Graeme King, Procurement Operations Team 31 May Extended to 30 September Commercial management has concluded that the delivery address should be not made a sensitive field in the short term. SAP SRM 4.0 is now out of support (and extended support) and is only supported through best endeavours by SAP. Commercial management considers that the risk of fraud associated with the change to the delivery address is small compared to the risk of changing an out of support SAP module. Page 11

The number of Commercial users who can modify purchase orders has been reduced to mitigate the risk in the meantime. The requirements for additional checks have been given to the CSTP and will be addressed as part of that programme. 11. 12. Commercial management will investigate if it is appropriate to ensure all purchase orders have a tolerance limit of 0.1 per cent for value changes, above which they will require re-release. If this is considered appropriate, the value limit will then be implemented. Commercial management will consider if changes to various other fields, eg material group or outline agreement, need to be approved via re-release to minimise the risk of errors. (Changes might only be Graeme King, Procurement Operations Team 31 May Graeme King, Procurement Operations Team Agreement was reached at the Procurement User Group that this change was appropriate following engagement with stakeholders in BCV Limited and SSL Limited. The change will be made on the 12 November following a period of testing. With SAP SRM 4.0 out of support, the requirements for additional checks have been given to the CSTP and will be addressed as part of that programme. Page 12

directed for re-release for large orders above a certain value.) If it is deemed appropriate to change release strategies in such a way, this will be implemented. 31 May 13. Management will identify a planned course of action, with a timetable, to address informing managers of multiple tasks which have to be completed for work flowed items. Brian Davey, Head of Financial Services Centre 30 September Partially addressed. As part of RBP, the FSC is looking to introduce Optical Character Recognition as part of the Vendor Invoice Management (VIM) project and as part of this project workflows will be revisited in its entirety. Current estimation of delivery of this project is December 2015. Complete the VIM project and revisit workflows as part of RBP. 31 December 2015. 14. A request to reduce the timescales for workflow escalation to two days for the initial recipient, and then three days for any escalated requests, for payments to suppliers will be submitted to the Finance Leadership Brian Davey, Head of Financial Services Centre 30 June Partially addressed. Work on this has started but not been completed. A SAP Change Request has been completed and input into SAP which will reduce the workflow timescales Agree the reduction in workflow escalation and implications for the VIM project with the FLT and revise the SAP Change Request, if necessary. Communicate agreed Page 13

Team (FLT). This will be part of a piece of work on Supplier Chain Finance. Actual payment will not be made early unless the supplier is prepared to offer a discount. If management deem this to be appropriate, a change request will be submitted to IM to change the workflows. Extended to 30 September down to three days for the initial recipient rather than the intended two. The escalation period is to be three days as intended. However, whilst this was approved at the Procurement User Group and the Finance User Group, it was not agreed with the FLT. Further testing of workflows is being undertaken to demonstrate the impact of such a change to ensure an informed FLT decision. Any change will also now need to be aligned with the VIM project. workflow change to the business and then activate change in SAP. 31 December 2015 Priority 3 actions 15. Commercial management will identify an appropriate, secure planned course of action with a timetable, to reduce the cost of transmission of purchase orders. Graeme King, Procurement Operations Team 30 The cost of transmission of purchase orders will be addressed as part of CSTP by enabling suppliers to view orders online. However, it is recognised that upgrading or replacing the SRM module will require the SRM data to Page 14

This course of action will take into account the decision on how SAP SRM 4.0 will be replaced. September be of a high quality. Addressing the transmission details for active suppliers is not reliant on making changes to the SRM module and is therefore low risk. Accordingly, the following plan is ongoing. For TfL Corporate and Transport Trading the default method of transmission was changed to E Mail from FAX. The default output destination of active suppliers used by Surface Transport is now being altered to email from print. Since May all purchase order destinations have been checked for all Company codes and suppliers with no email address corrected. Page 15

APPENDIX 1 Distribution list This report was sent to Steve Allen, Managing Director, Finance, by Clive Walker, Director of Internal Audit, and copied to: Andrew Quincey Brian Davey Andrew Pollins Patrick Doig Steve Townsend Paul Boulton Diane Wadsworth David Young Mike Lycett Philip Hewson Kevin Smith Sarah Atkins Graeme King Najam Israr Kathy McMahon Geoff Gibbs Wayne Fitzgerald Carol Lynton Nigel Blore Andrea Clarke Howard Carter Karl Havers Director of Commercial Head of FSC Interim Chief Finance Officer Director of Finance, Surface Transport Chief Information Officer Transforming IM Service Design Authority Accounts Payable, FSC Head of Commercial Services Head of Commercial Centre of Excellence Head of Commercial ICT Head of Commercial Surface Commercial Director, Rail and Underground Technology, Process and Reporting Commercial Centre of Excellence Financial Operations and Performance, FSC IM SAP Functional Operations Continuous Improvement Senior Quality, Assurance and Risk Analyst as Corporate Services Key Risk Representative Head of Group Insurance Director of TfL Legal General Counsel EY Page 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information