INTERNAL AUDIT SERVICES Internal audit report of Derwent Entertainment Centre financial business and operating systems ADVISORY
Contents Executive summary...2 Internal audit findings...4 Summary of other internal audit findings...7 Follow up of prior period report...9 Appendix 1 Objective, scope and approach...14 Appendix 2 Classification of internal audit findings...15 Appendix 3 Detailed testing sample sizes...17 Inherent limitations Because of the inherent limitations of any internal control structure, it is possible that fraud, error or non-compliance with laws and regulations may occur and not be detected. Further, the internal control structure, within which the control procedures that have been subject to internal audit operate, has not been reviewed in its entirety and, therefore, no opinion or view is expressed as to its effectiveness of the greater internal control structure. An internal audit is not designed to detect all weaknesses in control procedures as it is not performed continuously throughout the period and the tests performed on the control procedures are on a sample basis. Any projection of the evaluation of control procedures to future periods is subject to the risk that the procedures may become inadequate because of changes in conditions, or that the degree of compliance with them may deteriorate. We believe that the statements made in this report are accurate, but no warranty of completeness, accuracy or reliability is given in relation to the statements and representations made by, and the information and documentation provided by s management and personnel. We have indicated within this report the sources of the information provided. We have not sought to independently verify those sources unless otherwise noted within the report. We are under no obligation in any circumstance to update this report, in either oral or written form, for events occurring after the report has been issued in final form unless specifically agreed with the. The internal audit findings expressed in this report have been formed on the above basis. Third party reliance This internal audit report has been prepared at the request of the s Alderman in connection with our engagement to perform internal audit services as detailed in the engagement contract, dated 17 December 2004. Other than our responsibility to the Alderman and Management of the, neither KPMG nor any member or employee of KPMG undertakes responsibility arising in any way from reliance placed by a third party, including but not limited to the organisation s external auditor, on this internal audit report. Any reliance placed is that party's sole responsibility. GCC06-DEC-FINAL-Council-R1406.doc
Executive summary Summary of objective and scope An internal audit of the Derwent Entertainment Centre (DEC) financial, business and operating systems was performed in. The overall objective of the internal audit was to consider the adequacy of, and compliance with, systems of internal control to ensure the financial activities of the DEC are being accurately accounted for and the associated assets / resources are being adequately protected, and progress achieved in respect to the implementation of prior recommendations. In addition to these objectives we have also considered issues associated with the efficiency and effectiveness of systems, to the extent that they came to our attention during the course of the engagement. The specific objectives, scope and approach of the internal audit, as detailed in Appendix 1 to this report, were derived from the Council s 2005/2006 Annual Internal Audit plan and were agreed with Council Management prior to the commencement of this project. The internal audit activity has been structured as far as practicable to compliment the external audit process being undertaken by the external auditor as well as incorporating coverage in respect of specific areas of focus. The focus of this project is the core financial transaction streams administered by Corporate Services together with specific consideration given to leases and licences. Linking to your strategic risk assessment The financial, business and operating systems processes subject to this internal audit project are associated with the following Council business risks: Inappropriate / inaccurate data in Corporate information systems; Misappropriation of organisational resources; Significant statutory non-compliance; and Non-compliance with Taxation requirements. Notwithstanding the above association, it is important to note that this does not indicate full coverage or satisfaction of the business risk as a business risk is managed through a number of business processes and control procedures. Key findings and recommendations The findings identified during the course of this internal audit have been classified in accordance with the rating table detailed in Appendix 2 to this report. The classification framework has been used to assist the DEC to prioritise internal audit findings, based on the effect that the control weakness identified may have on the process objective. The specific key findings arising from this internal audit are summarised in the table in the following section. The Summary of other internal audit findings section represents a high level summary of the other, or more minor findings identified during the course of our current review. A separate report of these items, inclusive of management responses has been prepared in conjunction with management and is available from management upon request. These findings and recommendations were discussed with DEC and GCC management responsible for the operations of the processes subject to consideration. Management have accepted the findings and have agreed action plans to address the recommendation. 2
Summary of internal audit findings Ref # Description of internal audit findings and recommendations Finding classification 1 Contractual agreements with hirers: During testing of contracts an instance was noted where the event agreement was only signed by the hirer, not the DEC event manager, an instance where public liability insurance certificate was not located at the time of the visit and an instance where the hirer did not have sufficient public liability cover. 2 Incorrect settlements/invoicing of hirers: During our review of settlements, an instance was noted where the hirer was charged on-costs twice and an instance where GST was included twice when on charging the cleaning costs. High Moderate Management has provided responses in respect to our recommendations and these are included in the balance of the report. On the assumption that the proposed actions are appropriately implemented we are satisfied that the responses adequately resolve our concerns. 3
Internal audit findings 1. Contractual agreements with hirers Rating of internal audit finding: High Finding(s) and impact The standard event contract has been modified to now include the separate cost agreement as a schedule to the contract. The schedule includes the rates inclusive of on costs and GST and specifies the estimated quantity and total cost. The contract is then signed by the DEC manager on behalf of the Council and the event promoter. Standard contracts are entered into with hirers of the DEC with specified clauses attached for specific hirers. A standard clause in the contract is public liability insurance covering the event. During testing the following issues were noted: An instance where the event agreement was only signed by the hirer (Rosetta High School), and not the DEC event manager; An instance where public liability insurance was requested by the DEC Manager however a copy of the cover could not be located at the time of the visit and as a result there is no evidence to confirm that the necessary insurance was held (Combined Primary Schools Concert Band); and An instance where the event contract required $20 million public liability insurance, however the event promoter only had US$3 million cover (Job #667). In the event of a dispute, between the hirer and Council, should the underlying contract not be evidenced as having been agreed by each party the contract may be deemed invalid and could possibly be considered non-binding. Failure to ensure that DEC hirers maintain appropriate insurance cover may expose the Council to potential claims or direct loss. This finding has been classified as High due to there being a threat of contractual non-compliance together with potential for the DEC/Council to incur significant financial loss due to lack of sufficient public liability insurance. Recommendation(s) It is recommended that evidence (eg. Certificate of currency) be obtained from the hirer confirming that appropriate public liability insurance is held. It is also recommend 4
that the officer be reminded of the requirement to ensure all contractual documentation be executed in full in order to ensure the terms of engagement are clearly understood and defensible, should a claim/dispute arise. Agreed Management action(s) Agreed. The DEC Manager will ensure that all event agreements and contracts are signed by the hirer and the requisite level of public liability insurance is obtained. Responsibility DEC Manager Target date 30/06/06 5
2. Incorrect settlements/invoicing of hirers Rating of internal audit finding: Moderate Finding(s) and impact The settlement process is undertaken after the final show of an event in order to provide the hirers sales / attendance figures. If costs were incurred during the organising and conducting of the event these are taken into account in order to settle the event. During our review of settlements, the following issues were noted: An instance where the hirer was charged labour related on-costs twice (job #667). The price for backstage labour and ushers in the contract included on-costs and oncosts were added as a separate line item on the invoice; and An instance where GST was charged twice on the cleaning expenses (job #52). The price on the invoice was inclusive of GST and then GST was added to the total of the invoice. Where contracted prices are not adhered to it increases the chance of overcharging / undercharging of hirers and disputes arising. While it is acknowledged that the financial impact of the above is low, this finding has been rated as Moderate as the above items represents a contractual non-compliance with an external party that may result in a claim and adverse reputational impacts. Recommendation(s) It is recommended that the spreadsheet used to calculate the final costs include the rate per the contract and that this rate be broken down to the base rate, on costs and GST. The three separate components can then be calculated in separate columns and the total of the on costs column will tie in with the on costs recovery per the invoice. Considerations should also be given to the introduction of an independent review (at least on major settlements) to ensure that the rates utilised in the spreadsheet agree to the contract. Agreed Management action(s) Agreed. The DEC has now developed a spreadsheet, which is broken down into base rate, on costs and GST for the recovery of costs to a hirer. An independent review will occur wherever possible. Responsibility DEC Manager Target date 30/06/06 6
Summary of other internal audit findings In this section we have provided a high level summary of the nature of the other, or more minor findings identified during the course of our current visit. These items, in broad terms, relate to the non-compliance by Council officers with secondary level control processes or procedures, and as such are not considered to have a significant impact on the effectiveness of the Council s control structure, accordingly we have only reported them in a summary form in this report. Minor issues were identified in the following areas: Ref Description of internal audit findings and recommendations # 3 Superannuation overpayment: During our review of payroll, an instance was noted where an employee was having 12.5% superannuation paid to the employee s superannuation fund, however per the employees letter of offer, the employee superannuation should have been paid at 9%. 4 Contract rate incorrectly applied for full time employee: During our review of payroll, an instance was noted where a full time employee was not getting paid at the contractual rate for one year of employment with the DEC. 5 Review of payroll documentation: During our review of payroll, an instance was noted where the EFT payment authorisation form was not evidenced as authorised by the DEC Manager, an instance where an employees timesheet was not signed by the employee and an instance was noted where an employee s timesheet was not signed by the employee s manager/supervisor. 6 Timeliness of review of monthly reconciliations: During our review of monthly reconciliations, it was noted that the monthly reconciliations for March and April had been prepared, however were not reviewed until the end of May. 7 Minor expenditure job costing: While conducting our review of petty cash vouchers, an instance was noted where minor expenditure was made for a hirer and this was noted on the minor expenditure voucher, however when entered into MYOB it was not allocated to the relevant job number. 8 Collecting of hirer deposits: During testing three instances were noted where deposits were not received as required by the event agreements with hirers. 9 Cash receipting variance analysis and verifications of cash balancing: Two instances were noted where cashier reconciliation control procedures were not complied with. Finding classification Low Low Low Low Low Low Low 7
Ref # Description of internal audit findings and recommendations 10 Inappropriate costing of transactions: A number of instances were identified where miscellaneous transactions had been inappropriately costed within the trial balance. In order to improve the integrity of DEC financial reporting it is recommended that such transactions be costed to a general ledger code that better reflects the nature of the item/cost. Finding classification Low KPMG have discussed these issues with management and are satisfied with the management responses provided and subsequent actions proposed by management in relation to these minor findings. KPMG will continue to monitor the organisation s ongoing compliance with the identified issues at future reviews. Should the full details of these minor issues and proposed management actions be required, the Management Report is available upon request from the General Manager. 8
Follow up of prior period report As noted in the current year Internal Audit Plan, we have allocated time during this visit to perform follow-up procedures in respect to the issues noted in our previous Key Financial System audit reports. The following comments are made in respect to the status of implementation of our previous recommendations. April 2005 3.1 Overtime rates incorrectly calculated for casuals Reported issue Proposed management action Current status DEC casual staff are paid under the Entertainment and Broadcasting Industry Live Theatre and Concert Award 1998 (the Award). While the Award specifies double time, in the case of an employee engaged by the hour, as being twice the hourly casual rate, it was noted casual staff are currently being paid overtime at a rate of 1.92 times the hourly casual rate. The amount of underpayment calculated during this period has been calculated by the DEC Finance Officer to be $2,174. The following steps are now being undertaken: The DEC will pay all amounts owing to those casual staff we still employ, To ensure this does not happen again, the DEC will ensure the GCC payroll officer checks the DEC payroll on a quarterly basis and will check such items as award payments, Superannuation and leave entitlements. All casual staff, that are still employed by the DEC, were payed all monies owing to them. The rate at which casual employees are paid for double time has now been corrected. The GCC payroll officer also checks payments made to employees on a quarterly basis. 9
4.1 Leave entitlement accrual rules Reported issue Proposed management action Current status Internal Audit s scrutiny of the employee leave entitlement accrual rules configured within the DEC s MYOB accounting system revealed the following: In order to accommodate the payment of leave loading for permanent part time employees, MYOB has been setup to use two annual leave entitlement codes for each permanent part-time employee. One of these is used to record the annual leave taken while the other one is used for the purposes of calculating the leave loading applicable to the annual leave taken. While the above codes have been established, it was noted that MYOB has been incorrectly setup to accrue annual leave entitlement on the leave loading component of annual leave taken by permanent part time staff. As a result, a manual adjustment to the annual leave entitlement is required each time a permanent part-time employee takes annual leave, and It was also noted the Venue Manager leave entitlement was accruing at 4 weeks per year when her entitlement is for 5 weeks per year. An adjustment has been made to the DEC MYOB system which has rectified this issue. A separate leave entitlement code has been established for the Venue Manager s leave entitlements Adjustment has been made to the DEC MYOB which has rectified the issue and all leave loading now corrected. Venue Manager leave entitlement now accruing at the correct rate. 10
4.2 Terms of employment for permanent part time administration staff Reported issue Proposed management action Current status The letter of employment for the Booking Officer states that the pay rate for this employee would be set at Level 4 of the above Award, with an additional over the award payment of $2 to reflect the additional duties performed by this officer. However, this employee has a permanent/part time position, and as such receives 20% less than the award rate. This reduction in the award rate is not explicitly documented in the employee s letter of employment. Agreed. Documentation has been corrected and processes have been put in place to eliminate such discrepancies in the future. The employee documentation has been corrected and the GCC payroll officer now checks payments made to employees on a quarterly basis. 4.3 Superannuation guarantee scheme Reported issue Proposed management action Current status The superannuation guarantee scheme requires employers to contribute a minimum super contribution of 9% for employees who earn over $1,350 per quarter. It was noted, for the December quarter, that two DEC employees earned more than $1,350, however the employer super contribution was only approximately 7%. The DEC will undertake a review of employer superannuation contributions to ensure compliance with the superannuation guarantee scheme. The DEC Finance Officer will forward a copy of all superannuation payments to be made on a monthly and quarterly basis to the GCC payroll officer to ensure compliance. DEC Manager now undertakes a review of employer superannuation contributions and this is also checked by the GCC payroll officer on a quarterly basis. While no further instances were noted in the current visit, attention is drawn to the overpayments raised in point 3 of the current report. 11
4.4 Interest receipt recorded as GST inclusive Reported issue Proposed management action Current status Interest is received on the operating and trust bank accounts. On 1 July 2004, $555.59 interest was received on the operating account and coded to miscellaneous income as GST inclusive. As there is no GST on interest revenue this has resulted in incorrect GST being reported to the Australian Taxation Office. A GST adjustment will be performed in the next BAS and a journal performed to correct costing. In addition, a new account has been set up to reflect this income stream. A separate account has been set up to reflect this income stream and the account is coded to default to GST input taxed. No further instances noted this visit. 4.5 Minor expenditure vouchers Reported issue Proposed management action Current status Minor expenditure vouchers used for minor expenditure do not require the recipient to evidence they have received the money. Agreed Management action(s) All recipients of minor expenditure funds will sign vouchers as evidence they have received the funds in full. Petty cash vouchers used for minor expenditure now require the recipient to evidence they have received the money. While conducting our testing of minor expenditure vouchers, two instances were noted where the minor expenditure vouchers were not signed by the recipient to acknowledge that monies were received. Your recommendation is noted, and the DEC Finance Officer will create a separate account for interest payments and merchandise variances. Responsibility DEC Manager Target date 30/06/06 12
September 2004 3.1 Currency of Ticketmaster 7 contract Reported issue Proposed management action Current status Currently the DEC use the Ticketmaster7 ticketing system. This arrangement was previously governed by a contract with Ticketmaster7 that expired in July 2002. While the DEC continue to use this system, we understand that the terms of this use are now governed by a new Ticketmaster7 contract, which has not yet been signed by the DEC. It is our understanding that the DEC is currently undertaking a cost/benefit analysis to determine if using another ticketing system would be more cost effective than signing another 5 year contract with Ticketmaster7. Responsible Officer: Venue Manager In September 2004, the DEC responded that they were currently reviewing the financial terms of the Ticketmaster7 contract with a view to purchasing a new ticketing system altogether. In the previous visit, the contract for the supply of a ticketing system was going out to tender. Only one tender was received from the tender process undertaken in 2005. Ticketmaster7 was the successful tender and a 5-year contract was signed between the Derwent Entertainment Centre and Ticketmaster7 in May 2005. 13
Appendix 1 Objective, scope and approach In accordance with the 2005/2006 Annual Internal Audit Plan of Glenorchy City Council as approved by Council, an internal audit of financial business and operating systems is to be performed. The internal audit activity has been structured as far as practicable to compliment the external audit process being undertaken by the external auditor as well as incorporating coverage in respect of specific areas of focus. The focus of this project is the Derwent Entertainment Centres (DEC) financial, business and operating systems. Objective The overall objective of the internal audit was to consider the effectiveness of key controls as identified with Management and compliance with current policies and procedures relating to DEC financial, business and operating systems, and to identify any improvement opportunities. Purchasing, payments and payables; Payroll and personnel; and General ledger integrity; Approach The internal audit of the DEC financial, business and operating systems is to be performed using the following approach: Planning and project administration; Discussions/interviews with relevant key staff; Update our understanding and documentation in respect of systems subject to consideration; and Undertake detailed testing where necessary. The internal audit was to update our understanding and documentation of the key financial, business and operating systems and controls within the identified processes and undertake compliance testing. Scope The internal audit of DEC financial, business and operating systems covered the following: Revenue, receipts and receivables; Contracting; 14
Appendix 2 Classification of internal audit findings The following framework for internal audit ratings has been developed and agreed with Council Management for prioritising internal audit findings according to their relative significance depending on their impact to the process. The individual internal audit findings contained in this report have been discussed and rated with Management. Rating Definition Examples of business impact Extreme Issue represents a control weakness, which could cause or Potential financial impact of > 10% of rates revenue within one year. is causing severe disruption of the process or severe adverse Detrimental impact on operations or functions. effect on the ability to achieve process objectives. Sustained, serious reputation impacts. High Issue represents a control weakness, which could have or is having major adverse effect on the ability to achieve process objectives. Financial viability of the organisation becomes an issue. Decrease in the public s confidence. Serious decline in service/product delivery, value and/or quality recognised by ratepayers / customers. Contractual non-compliance or breach of legislation or regulation with litigation or prosecution and/or penalty. Life threatening. Potential financial impact of between 5% and 10% of rates revenue within one year. Major impact on operations or functions. Serious diminution in reputation. Probable decrease in the public s confidence. Major decline in service/product delivery, value and/or quality recognised by ratepayers / customers. Contractual non-compliance or breach of legislation or regulation with probable litigation or prosecution and/or penalty. Extensive injuries. 15
Rating Definition Examples of business impact Moderate Low Issue represents a control weakness, which could have or is having moderate adverse effect on the ability to achieve process objectives. Issue represents a minor control weakness, with minimal but reportable impact on the ability to achieve process objectives. Potential financial impact of between 1% and 5% of rates revenue within one year. Moderate impact on operations or functions. Reputation will be affected in the short-term. Possible decrease in the public s confidence. Moderate decline in service/product delivery, value and/or quality recognised by ratepayers / customers. Contractual non-compliance or breach of legislation or regulation with threat of litigation or prosecution and/or penalty. Medical treatment required. Potential financial impact of < 1% of rates revenue within one year. Minor impact on internal business only. Minor potential impact on reputation. Should not decrease the public s confidence. Minimal decline in service/product delivery, value and/or quality recognised by ratepayers / customers. Contractual non-compliance or breach of legislation or regulation with unlikely litigation or prosecution and/or penalty. First aid treatment. 16
Appendix 3 Detailed testing sample sizes We perform tests of the operating effectiveness of controls only on those controls that we have determined are suitably designed to prevent, or detect and correct, a significant error or omission. The purpose of testing the operating effectiveness of controls is to obtain evidence that a control has been operating effectively, as designed, at relevant times during the period subject to scrutiny. Tests of operating effectiveness are concerned with: How controls were applied; The consistency with which they were applied during the period; and By whom they were applied. In some situations, a similarly designed control operates at the same time over many different components of a class of transactions, account balance or process. In these situations we use our judgement to select the extent of testing in terms of both the frequency of testing (such as number of days, weeks or months to test) and the number of similar operations to test at each point in time (such as number of locations or different accounts effected). the audit procedure itself is relevant to the specific risk; therefore, the nature of the audit procedure is the most important consideration. Subject to the above considerations the level of detailed testing performed on identified controls is determined with reference to the frequency of the relevant control activity as follow: Frequency of control activity Quarterly Monthly 2 Weekly 5 Daily 15 More than daily 30 Minimum sample size (per annum) 2 (include the period-end) Dependent on the nature of the control and associated process, the samples selected may be stratified such that higher risk transactions/activities within the overall population are selected in conjunction with a random sample of low level transactions. Extent includes the quantity of a specific procedure to be performed, for example, a sample size or the number of observations of a control activity. The extent of procedure is determined after considering the materiality, the assessed risk, and the degree of assurance we plan to obtain. In particular, we ordinarily increase the extent of procedures as the risk of associated with the relevant process increase. However, increasing the extent of an audit procedure is effective only if 17