AUDIT AND GOVERNANCE COMMITTEE

27th September, 2006 AGENDA ITEM 12

Subject: Report by: INTERNAL AUDIT REPORTS AUDIT AND PERFORMANCE MANAGER

Enquiries contact: Ray Joy (01245 606424) Email ray.joy@chelmsford.gov.uk

Purpose This report: details any item which should be brought to Members' attention; lists the audits which have been completed together with their main objectives and high risk recommendations lists the audits, together with their main objectives, which are in progress; and identifies those auditees who have not responded to internal audit reports within the agreed timescales. Recommendation 1. It is recommended that the report be noted.

Corporate Implications Legal: Financial: Personnel: Risk Management: Equalities and Diversity: Health and Safety: IT: Other: Consultees: The Council is required by law to maintain an effective Internal Audit function There are no finance implications not provided for within existing budgets No additional staffing requirements are envisaged The Internal Audit function contributes to the effectiveness of the Councils risk management arrangements None None None None Deputy Chief Executive Director of Financial Services Legal and Democratic Manager

Policies and Strategies The report takes into account the following policies and strategies of the Council: Fraud and Corruption Policy Statement

Corporate Priorities The report relates to the following corporate priority/priorities [tick the relevant box] Social Inclusion Excellent Customer Services Regeneration Value for Money Environment

1 1.1

Text of Report Seven reports have been issued since the last report to this Committee on 29th June, 2006. These are listed in Appendix 1. In addition, eight planned audits and five unplanned audits, excluding the special investigation referred to in 1.3 below, are in progress. These are listed in Appendix 2. One Special Investigation, which is not listed, may result in disciplinary action. Officers from the Audit team continue to monitor the response times of the auditees.

1.2

1.3

1.4

List of Appendices (1) List of Audits Completed since the previous report with their main objectives and high risk recommendations List of Audits Currently In Progress with their main objectives and position to-date.

(2)

Background Papers Nil

APPENDIX 1 Audits Completed Since The Previous Report As at 11th September 2006 Main Financial Audits Debtors Audit Year 2005/06 Main Objectives of Audit

Main Auditee
Director of Financial Services

PKF requirement All chargeable services provided and goods despatched are identified and billed at the correct amounts Periodic income sources are identified and billed All income due is invoiced and correctly recorded Credit control and debt recovery processes are adequate Credit notes and refunds are valid and are properly authorised Write off of uncollectable debt is properly authorised Amounts due are properly recorded There is adequate segregation in the invoicing and receipting functions Follow up the implementation of the previous audits recommendations High Risk Recommendations A separate audit is undertaken in order to review the controls operated within the Scuba system at the Parks Depot. Another officer is trained in the debtors procedures operated within Parking Services An officer, who does not have the ability to write off debts verifies a sample of write offs actioned on the system to ensure that: an authorised request was received; and the total amount of write offs authorised agrees to the total actually written off. To facilitate the sample checks, each month (or defined period), the Control Section staff pass reports of write offs actioned directly to the senior member of staff delegated to undertake sample checks; and Report to show write offs actioned to be run even in those months (or defined period) where authorisation for write offs has not been sought. A second officer is trained to undertake reconciliations between the debtors system and the General Ledger. .

APPENDIX 1 Audits Completed Since The Previous Report As at 11th September 2006 Main Financial Audits Debtors (Continued) Audit Year 2005/06 Main Objectives of Audit High Risk Recommendations (Continued) The spreadsheet containing the reconciliations: is set up so that the comments (detailing the reasons for the discrepancies) are displayed; and is printed off each month and signed and dated by both the person undertaking the reconciliation and the person reviewing it. The printed copies to be retained. The Resignation Check List is amended as follows: A line is added under the section to be completed by the employee and employing service as follows: Notify the relevant services that access to computer systems is no longer required. Please see list of systems on the reverse of this form and place a tick against the relevant one or add systems if not specified; and

Main Auditee

Computer systems are listed on the reverse of the checklist with space for other The issues surrounding the restriction of amendments to invoices should be raised as a system weakness with Consilium.

APPENDIX 1 Audits Completed Since The Previous Report As at 11th September 2006 Main Financial Audits Payroll Audit Year Main Objectives of Audit

Main Auditee
Director of Personnel Services

2005/06

PKF requirement All employees on the payroll are valid and are employed by the organisation Payments are made only for hours worked or allowable expenses Payroll costs and statutory or material voluntary deductions are properly calculated and in accordance with approved pay rates or staff contracts Payments to staff and other collecting bodies are correct Payroll costs are properly accounted for in the main accounting system Overpayment of salary is recovered Segregation of duties is in place Upgrades PAYE, tax tables and grade pay updates are properly controlled Follow up the implementation of the previous audits recommendations High Risk Recommendations IT Services set up a report showing for each service: the names of all officers currently charged to each service; the post held; the salary grade; and the expenditure coding of each post. Report to be run, automatically on a periodic basis (i.e. once a year, on a randomly selected month) and distributed to Directors (and other relevant officers), by Personnel Services (i.e. independent of the Payroll Section); and Director of Personnel Services to advise Directors (and other relevant officers) of the need for them to arrange for a review of the report in order to confirm the accuracy of the payroll records regarding staffing within their service(s). Changes to pay rates are only actioned on receipt of a signed authorisation from Personnel Services. To be effective, the authorisation must be signed as soon as it is produced in order to allow Payroll to action the changes without delay. If the notification is in electronic form then consideration is given to using scanned signatures

APPENDIX 1 Audits Completed Since The Previous Report As at 11th September 2006 Main Financial Audits Main Accounting Audit Year Main Objectives of Audit

Main Auditee
Director of Financial Services

2005/06

PKF requirement All journal inputs to the general ledger are complete, accurate and properly authorised Transactions posted from feeder systems are complete and accurate Unrecognised accounts or suspense balances are reviewed and cleared on a timely basis Follow up the implementation of the previous audits recommendations High Risk Recommendations None

Housing Benefits

2005/06

PKF requirement Benefit entitlement is assessed only upon receipt of a valid claim Benefit entitlement parameters are correct Benefit awarded is correctly calculated Payments are made only in respect of awarded benefits Expenditure and payments are properly recorded Overpaid benefit is properly recorded There is segregation in the assessment and payment process Follow up the implementation of the previous audits recommendations

Director of Financial Services

High Risk Recommendations All reconciliations are brought up to date and completed promptly in future Commencing at the top of the list at Appendix 1, all the cases are reviewed sequentially and: if we have a current address and they are not making regular payments, they are referred to Legal Services; and if they are making regular payments a higher level of payment is sought in any instances where payment level is no longer deemed appropriate. the NFI action plan should be updated and sent to the Audit Commission during the first week in May.

APPENDIX 1 Audits Completed Since The Previous Report As at 11th September 2006 Other Audits Hylands House Revenue Overspend Audit Year 2005/06 Main Objectives of Audit Investigate the reporting of Hylands House Revenue Overspend

Main Auditee
Director of Financial Services

High Risk Recommendations The Director of Financial Services, should be consulted before any outside financial consultant is approached to determine whether such skills are available in-house; and Consideration is given to amending Contract Standing Orders so that the appropriate Director is consulted before an outside consultant, whose skills may already be available within the Council, is appointed. Any exception report to Members, either at Cabinet or Audit and Governance Committee, where a judgement is made should include the details of the criteria used. The Revenue Budget Monitoring Report which Audit and Governance Members receive on a quarterly basis provides figures at Service Summary level and not Service level. Financial Services receive a copy of the key assumptions on which the Service Estimates are based. Review evidence produced by Services to support their BVPIs Ensure correct information reported in BVPP Ascertain reasons if this Councils performance varied by +/-15% (10% for financial BVPIs) as compared to the previous year. High Risk Recommendations None All Directors

Performance Indicators 2006/07

APPENDIX 1 Audits Completed Since The Previous Report As at 11th September 2006 Other Audits Management of Suppliers Audit Year 2005/06 Main Objectives of Audit Contracts are let in accordance with corporate procedures The Contractors database is effectively managed The spend against individual contractors is monitored

Main Auditee
Legal and Democratic Services Manager

High Risk Recommendations A senior officer is given overall responsibility for ensuring compliance with Contract Standing Orders. A review of all expenditure is made to identify areas where Standing Orders may not have been followed in respect of aggregation. If it is intended to continue to place work with Essex Arboriculture, Prelude Consulting and other suppliers with whom there is a history of ad hoc contracting for services. Standing Orders are followed in respect of the aggregation issue. Relevant staff are trained in the requirements of Standing Orders and procurement practice in relation to their area of work.

APPENDIX 2 Audits Currently In Progress As at 11th September 2006 Main Financial Audits Creditors Audit Year 2005/06 Position Of Audit Draft Report issued and awaiting a response from an auditee Main Objectives of Audit PKF requirement Only authorised staff may commit the organisation to expenditure Invoices are processed only when the goods or services have been received and at the correct amount All expenditure is accurately recorded Payments are made only in respect of approved invoices and for the correct amounts Manual cheques for urgent payments are subject to the same authorisation controls Expenditure and payments are properly recorded There is segregation in the ordering, receiving and payment functions Follow up the implementation of the previous audits recommendations Main Auditee Director of Financial Services

APPENDIX 2 Audits Currently In Progress As at 11th September 2006 Other Audits Improvement Grants Audit Year 2005/06 Position Of Audit Report drafted and awaiting response from auditee before Final Report is issued Awaiting response from Director of Personnel Services Awaiting response from Director of Personnel Services Awaiting meeting with Chairman of the Town Centre Partnership Main Objectives of Audit To undertake a review on Improvement Grants as requested by the Director of Strategic Housing and Environmental Services Main Auditee Director of Strategic Housing and Environmental Services Director of Personnel Services Director of Personnel Services Corporate Communications Manager

IT E-Mail Personalised Signatures Follow Up Staff Recruitment Follow Up Town Centre Partnership

2005/06

To ensure that the recommendations contained in the September 2004 Audit Report have been implemented.

2006/07

To ensure that the recommendations contained in the September 2005 Audit Report have been implemented.

2006/07

Review of: the partnership arrangement the financing accounting arrangements Town Centre events including collection of pitch fees. licensing and risk assessments. To ensure that the recommendations contained in the February 2006 Audit Report have been implemented.

Play Areas Follow Up

2006/07

Assignment Sheet has been issued

Director of Parks Service

APPENDIX 2 Audits Currently In Progress As at 11th September 2006 Other Audits Parks Scuba System Audit Year 2006/07 Position Of Audit Audit and Performance Manager has reviewed Draft Report and clarification is being obtained to some issues raised. Awaiting response from an auditee before drafting report Majority of testing complete Awaiting response from an auditee before finalising report Control Objectives agreed with auditees Main Objectives of Audit Main Auditee Director of Parks

To establish the reasons for purchasing the Scuba system. To ascertain the procedures followed in making the procurement. To identify the IT controls in using the system. To identify the controls operated by Parks in using the system.

Mail meter Follow Up

2006/07

To follow up the implementation of the recommendations raised in the Corporate ICT Manager audit report 2004/05.

Retail Market Riverside Electrical

2006/07 2006/07

To determine the amount of Market Stall spillover To examine the letting of a contract

Director of Operational Services Director of Leisure and Cultural Services Director of Financial Services

Bank Reconciliation

2006/07

To ensure that appropriate reconciliations between the TASK system and the General and Clearing Accounts are in place and are up to date and any outstanding items are promptly resolved; To ensure that the bank statement for the General Bank Account is processed on the day of receipt and the transactions are promptly and accurately posted to the authoritys financial systems using appropriate procedures.

APPENDIX 2 Audits Currently In Progress 11th September 2006 Other Audits Acquisition of IT hardware and software Audit Year 2005/06 Position Of Audit Report drafted and awaiting response from an auditee before Final Report being issued Main Objectives of Audit Main Auditee

To ensure that the acquisition of hardware and software acts in Corporate ICT accordance with the Councils strategic objectives, internal procedures Manager and IT Strategy; and procurement also conforms to all relevant legislation i.e. internal regulations and EU directives and regulations The procedures are in place to ensure that appropriate resources are allocated to enable the effective implementation of IT facilities and adequate consideration is given to structural, electrical and other environmental requirements The council establishes an approved project management process to assist in the implementation of IT facilities The council establishes satisfactory processes to ensure users are adequately consulted so that their requirements and expectations can be clearly identified To ensure that the contracts are drawn up between the organisation and supplier, and all copies of contracts are held securely. The council establishes minimum specification/standards for software, to ensure compatibility with existing systems To make certain that the council sets up a standard/minimum specification for hardware To ensure that a separate secure holding area exists to allow delivery to and loading from data processing areas and computer rooms The procedures are in place to ensure that council has adequate insurance for the IT facilities

APPENDIX 2 Audits Currently In Progress As at 11th September 2006 Other Audits Internet, E-mail and Viruses Audit Year 2006/07 Position Of Audit Reviewing Officer to review draft report and working papers Main Objectives of Audit Main Auditee

Corporate ICT 1. Internet and Viruses: To ensure that the Council has established an approved and documented E-mail and Manager Internet policy and the procedures are in place to ensure that all staff and other relevant persons are made aware of, and have ready access to, the policy. The contracts are in place between the Council and the Internet Service Provider (ISP) and services level agreements are in place between the IT Service and IT users. A risk assessment is undertaken in order to identify the risks associated with Internet and email usage. There are adequate procedures in place to ensure that only authorised staff are able to access Internet and external communication links. 2. Firewall: The responsibility for the administration and security of the Councils firewall has been designated to a specific post. Ensure that the security policy includes administration of the firewall. Ensure that the firewall is logically secure from the internal and external threats. Ensure that all the firewall components are located in the secure area. The policy (Security or firewall) has been established governing the configuration of the firewall, its settings, maintenance schedules and the records to be maintained. Ensure that the Council establishes a disaster recovery and business continuity plan. The plan includes operations of the firewall and is constructed as a result of a risk assessment. 3. Website(s). Ensure that the Council has established a business case and the IT strategy sets out the purpose and aims of the website. There are appropriate contracts in place between the Council and the Website manager, where the website is managed externally. Ensure that the Council establishes a strategy for the content and use of the website. The adequate physical and logical security controls are in place to prevent unauthorised access to data on the website. The procedures are in place to ensure that the website is regularly checked. There are adequate disaster recovery and back-up arrangements in place.