ARGYLL & BUTE COUNCIL Internal Audit Section INTERNAL AUDIT REPORT



Similar documents
Internal Control Deliverables. For. System Development Projects

ARGYLL AND BUTE COUNCIL SUPPORT SERVICES REVIEW HR & PAYROLL EXECUTIVE SUMMARY- 2 NOVEMBER 2011

Report 7 Appendix 1d Final Internal Audit Report Sundry Income and Debtors (inc. Fees and Charges) Greater London Authority February 2010

ELECTRONIC SIGNATURES AND ASSOCIATED LEGISLATION

Internal Audit Report

ARGYLL AND BUTE COUNCIL SUPPORT SERVICES REVIEW 15 DECEMBER 2011 SUMMARY REPORT

Newcastle University Information Security Procedures Version 3

INTERNAL AUDIT FINAL REPORT CNES FINANCE AND CORPORATE RESOURCES DEPARTMENT CLOUD IT SYSTEMS AND THE CRM SYSTEM OFFICIAL OFFICIAL

LONDON BOROUGH OF HARROW. Overview & Scrutiny Committee

Debit Card Procurement Protocol and Procedure. Procurement Card

Annual Report of Internal Audit 2012/13

Argyll and Bute Council. Information Management Strategy

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

COMMUNICATING ELECTRONICALLY WITH CUSTOMS

Recommendations which have been implemented have been removed from this report. The original numbering of recommendations has been retained.

The legal admissibility of information stored on electronic document management systems

Information & ICT Security Policy Framework

Banking Supervision Policy Statement No.18. Agent Banking Guideline

Minnesota State Colleges and Universities System Guideline Chapter 5 Administration

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Guidelines Related To Electronic Communication And Use Of Secure Central Information Management Unit Office of the Prime Minister

Information Security Policies. Version 6.1

Internal Audit Final Report Strategic Finance Accounts Receivable March 2014

PRACTICE NOTE 1013 ELECTRONIC COMMERCE - EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS

Automating the Order to Cash Process

CORPORATE TRAVEL & ENTERTAINMENT PAYMENT CARDS THE BENEFITS FOR TRAVEL MANAGERS

National Occupational Standards in Accounting

ISO27001 Controls and Objectives

10 Tips for Selecting the Best Digital Signature Solution

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

INFORMATION TECHNOLOGY SECURITY STANDARDS

A Rackspace White Paper Spring 2010

Records and Information Management. General Manager Corporate Services

How To Use A Corporate Credit Card

Information security controls. Briefing for clients on Experian information security controls

SRI LANKA AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY. Processing Electronic Card Payments

INTERNATIONAL AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS

Procurement of Goods, Services and Works Policy

Chapter 9. Learning Objectives. Define internal control. Objective 1. Internal Control and Cash

Controls should be appropriate to the scale of the assets at risk and the potential loss to the University.

Working Practices for Protecting Electronic Information

Scotland s Commissioner for Children and Young People Records Management Policy

Aberdeen City Council. Fleet Management Final Report

Independent Auditors Report to the Commissioner for Law Enforcement Data Security -

Third Party Security Requirements Policy

The Business Case for Automated Solutions from B2B Payment Providers

TREASURER S DIRECTIONS CASH MANAGEMENT TRANSACTION MANAGEMENT Section C3.3 : Corporate Credit Cards

Management of Accounts Receivable

Aberdeen City Council IT Asset Management

Audit, Risk Management and Compliance Committee Charter

USE OF BUSINESS CREDIT CARDS FOR PURCHASING

Programme Governance and Management Plan Version 2

Solutions to Student Self Assessment Questions

CLOUD-BASED BIM AND SMART ASSET MANAGEMENT: ADOPTING A SECURITY-MINDED APPROACH

AIB Visa Purchasing Card Application Form

APPENDIX 23 ATTACHMENT 1. City of Joondalup Review of Financial Management Systems and Procedures. March 2015

Interim Audit Report. Borough of Broxbourne Audit 2010/11

Formal response to the Consultation Paper: Monitoring and Regulation of Migration

Purchasing Card CARDHOLDER MANUAL

Code of Practice on Electronic Invoicing in the EU

INFORMATION TECHNOLOGY CONTROLS

Sage 200 v5.10 What s New At a Glance

Audit Committee, 20 March Internal Audit Report Partners Expenses. Executive summary and recommendations. Introduction

UNIVERSITY OF ST ANDREWS

LIMPOPO PROVINCIAL GOVERNMENT

Remote Access and Mobile Working Policy. Document Status. Security Classification. Level 4 - PUBLIC. Version 1.1. Approval. Review By June 2012

Information Security Policy. Chapter 13. Information Systems Acquisition Development and Maintenance Policy

The Use of Electronic signatures for Prescribing Chemotherapy and data entries on the Aria MedOncology system V3.0

Information Management and Security Policy

CPA Student Training Records

NHS Commissioning Board: Information governance policy

EAST AYRSHIRE COUNCIL CABINET 23 JUNE 2010 REVISED COMPETENCY FRAMEWORK. Report by Executive Director of Finance and Corporate Support

An Introduction to Continuous Controls Monitoring

Spread Betting Guide V1.1

Albany epay. Intelli gent Payments Management

HKUST CA. Certification Practice Statement

Delivering e-procurement Local e-gov National e-procurement Project Overarching Guide to e-procurement for Schools

Manual 074 Electronic Records and Electronic Signatures 1. Purpose

Process Control Optimisation with SAP

Accounts Payable Automation

Policy Document Control Page

Transcription:

ARGYLL & BUTE COUNCIL Internal Audit Section INTERNAL AUDIT REPORT CUSTOMER DEPARTMENT AUDIT DESCRIPTION AUDIT TITLE CUSTOMER SERVICES SYSTEM BASED AUDIT REVIEW OF ELECTRONIC SIGNATURES AND AUTHORISATION METHODS AUDIT DATE SEPTEMBER 2015 2015/2016

1. BACKGROUND A corporate policy review of the use Electronic Signatures within the organisation has been planned as part of the 2015/16 Internal Audit programme. An electronic signature is the electronic equivalent of a written signature. Electronic signature means data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication. Electronic signatures come in many forms, including: Typewritten Scanned An electronic representation of a handwritten signature A unique representation of characters A digital representation of characteristics, for example, fingerprint, retina A signature created by cryptographic means Electronic signatures can be divided into three groups: Simple electronic signatures - these include scanned signatures and tick box plus declarations. Advanced electronic signatures - can identify the user, is unique to them, is under the sole control of the user and is attached to a document in a way that it becomes invalidated if the contents are changed. Qualified electronic signatures - an advanced electronic signature with a digital certificate encrypted by a secure signature creation device e.g. smart card. Electronic signatures are only as secure as the business processes and technology used to create them. High value or more important transactions need better quality electronic signatures - signatures used for these transactions need to be more securely linked to the owner in order to provide the level of assurance needed and to ensure trust in the underlying system. Better quality electronic signatures can offer: Authentication linking the originator to the information Integrity allowing any changes to the information provided to be detected more easily Non-repudiation ensuring satisfaction (in a legal sense) about where the electronic signature has come from Page 1

Trust is the basis of business and commerce and can be enhanced by the use of electronic signatures. Some types of electronic signatures can: prove the origin of the message show whether a message has been altered ensure messages remain confidential The use of and interest in the use of electronic signatures across the Council is growing and can aid the efficiency and effectiveness of services. The Electronic Commerce Act 2000 provides for a number of offences of electronic fraud, for example the fraudulent use of electronic signatures, signature creation devices and electronic certificates. In many cases for internal processes an actual signature is unnecessary, an alternative method of automated authorisation is often more effective and efficient. 2. AUDIT SCOPE AND OBJECTIVES The main objective of the audit was to: Review any current processes, policies and protocols relating to the use of electronic signatures. Review existing internal use of manual and electronic signatures across key areas of the Council. Assess implications, associated costs/ savings and the security of information for future development in the use of electronic signatures. The use of electronic signatures to make agreements with third parties is not covered by this audit. 3. RISKS CONSIDERED Failure to utilise available technologies leading to cumbersome practice resulting in inefficiencies. Potential internal control weaknesses leading to increased incidence of fraud and irregularities. Page 2

4. FINDINGS The following findings were generated by the review. General Many of the functions undertaken by service departments have naturally migrated to a form of electronic authorisation via their specific management information systems (MIS). Where services specifically use a MIS it was evident that manual signing processes have become redundant and have been replaced by electronic authorisations. Assurance can be taken from previous internal audit reports and from sample testing of some of the systems that appropriate access, segregation of duties and authorisation controls are in place. The Council systems that assurance is taken from include Oracle, Tranman, PECOS and CareFirst. Policy Finding 1 There is currently no protocol on the use of electronic signatures and automated authorisation within Argyll and Bute Council. Recommendation 1 The development of a protocol should be considered which gives cognisance to the undernoted factors: Provide clear guidance on the acceptable use of electronic signatures, e-mailed authorisation and automated approvals. Risk exposure in respect of fraud, error or misuse of the various types of electronic signatures and automated authorisation. Reference any legal or regulatory requirement or implications in using electronic signatures. Page 3

Processes Finding 2 It was evidenced that there is use of Electronic Signatures for authorisation in the form of a picture of the authoriser s handwritten signature; some services are using a control point of acceptance only if sent via the authorisers email account. The possible control failures associated with this type of signature include: Extraction of signatures to be used for unauthorised purposes. Records can be changed after the signature has been attached. No audit trail is easily identified. These include return to work, self-certification documentation, PRD s and some limited use in other areas including invoice batches. Finding 3 A number of cross service themes were identified relating to manual authorisation processes which were deemed to be timeconsuming and cumbersome. These relate to the requirement to manually sign agreement documents such as user acceptance forms and other IT forms, advert authorisations, cheque or payment requests and manual invoice batching. Finding 4 There is evidence of documents such as travel request authorisations and IT forms being printed from the system, signed by the authoriser and scanned back onto the system to be e-mailed onto the correct department for processing, this practise is time consuming and resource intensive. Workflows and automated authorisations to replace these cumbersome processes can be created within SharePoint (a Microsoft application) which is currently in use across some departments within the Council. As well as having the capacity for workflows which contain audit trails, SharePoint can be used as a document management system. It can utilise version control and automated document retention management, which will aid compliance with the demands of the keeper of records. In some instances the levels and number of authorisations required within processes could be overly restrictive or at too high a level, for example Heads of Service required to sign where 3 rd tier manager would suffice. Page 4

Recommendation 2 All services to undertake a review to assess scope for reducing the use of wet and electronic signatures and replace with automated authorisations contained within systems and workflows for example use of SharePoint forms and workflows. Where automated alternatives to signatures cannot be found, the use of either the authoriser s emailed approval or secure digital signatures with tamper seals and built in audit trails should be investigated, dependent on the levels of security required. The use of electronic signatures in picture format should no longer be used. Services should include a review of the levels of authorisation alongside risk exposure. Finding 5 Treasury Management services within Strategic Finance are involved in daily banking activities which includes bank transfers and payments. These can be high value transactions and whilst current arrangements have appropriate internal controls, the process does include the use of wet signatures for authorisation. Recommendation 3 Creation of an automated work-flow process within SharePoint, Internal Audit can provide consultancy support. Finding 6 Services have, via a combination of in-house reviews and the use of specific MIS, naturally migrated to electronic authorisation replacing former paper or manual based processes. Examples of systems based authorisations are evident within Debtors, Civica (Document Management & Cash Receipting), Oracle (General Ledger & Creditors), Uniform (Planning and Regulatory Services), PECOS (Purchasing), SEEMIS (Education), Tranman (Roads and Amenity Services) and CareFirst (Integrated Care). Costs and Savings Finding 7 During the review many services expressed the desire to take forward developments specific to their area, however a lack of detailed knowledge and available resource was offered as a reason for not progressing. Page 5

Recommendation 4 Management should ensure that staff have the opportunity at team meetings to suggest areas which could be improved and these should be discussed and solutions sought and developed through consultation with other relevant departments. Finding 8 It is not possible at present to quantify in monetary terms, the benefits, of moving to more automated processes, however expected benefits would include: Process improvements, enhancing efficiency and effectiveness. Savings in postage, printing and paper costs Reduction in lost and delayed paperwork Reduced possibility of fraud Reductions in time spent preparing and authorising Benchmarking Finding 9 A survey of other councils had limited response. One council replied that the risks involved in electronic signatures are too high and they therefore do not use them, another stated they use their e-mail system as a form of authorisation and one is using e-mail for some authorisations but mainly moving towards automated in system authorisation. 5. CONCLUSION Many of the functions undertaken by service departments have naturally migrated to a form of electronic authorisation via their specific management information systems (MIS). However, there is evidence of manual work processes which require wet signatures. A review should be carried out to ensure that services are maximising the use of automated authorisation and electronic signature practises. Thanks are due to staff and management for their co-operation and assistance during the Audit and the preparation of the report and action plan. Page 6

APPENDIX 1 ACTION PLAN Recommendations Agreed Action Responsible person agreed implementation date 1. Protocol A protocol should be developed to ensure practices are in line with the financial and security regulations. 2. Review of Authorisation methods All services to undertake a review to assess scope for reducing the use of wet and electronic signatures and replace with automated authorisations contained within systems and workflows for example use of SharePoint forms and workflows. The use of electronic signatures in picture format should no longer be used. Services should include a review of the levels of authorisation alongside risk exposure. A short life cross departmental working group will be formed to formulate a protocol to take to SMT for agreement and addressing all the areas covered in the report. Including development of a consistent approach for invoice batch authorisation and other cross departmental processes. SMT to delegate to all Heads of Service for implementation of review. Actions resulting from the review should be identified and tracked. Exec Director, Customer Services 31 March 2016 Exec Director, Customer Services 31 March 2016 Page 1

3. Treasury workflows The process workflows should be automated to ensure security and tighter control of these high value processes. 4. Process Development Management should ensure that staff have the opportunity at team meetings to suggest areas which could be improved and these should be discussed and solutions sought and developed through consultation with other relevant departments. The Strategic Finance SharePoint site will be developed to incorporate suitable solutions. A standing item will be recommended for team meetings via SMT to Heads of Service and below. Finance Manager, Corporate Support 31 March 2016 Exec Director, Customer Services 31 March 2016 Page 2

Contact Details Name Address Viv Barker & Mhairi Weldon Whitegates, Lochgilphead, Argyll, PA31 8SY Telephone 01546 604759 and 01546 604294 Email vivienne.barker@argyll-bute.gov.uk and mhairi.weldon@argyll-bute.gov.uk www.argyll-bute.gov.uk Argyll & Bute Realising our potential together

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information