www.pwc.co.uk Internal Audit Report 2014/2015 Key Financial Systems FINAL March 2015 Lambeth Living Limited


www.pwc.co.uk

Internal Audit Report 2014/2015

Key Financial Systems FINAL

March 2015

Lambeth Living Limited

Internal Audit Report 2014/2015 FINAL

Internal audit report for Lambeth Living Limited PwC

Contents

1. Executive summary

2. Background and scope

3. Detailed current year findings

Appendix 1. Basis of our classifications

Appendix 2. Terms of Reference

Appendix 3. Limitations and responsibilities

Distribution List

For action: Patrick Pedder – Head of Finance

Candice Cupid – Finance Manager

Steve Davies – Head of Human Resources and Organisational Development

Shida Ashrafi – Head of Human Resources Operations, London Borough of Lambeth

For information: Audit and Resources Committee members

Terry Gallagher – Chief Executive

This report has been prepared by PwC in accordance with our engagement letter dated 6 August 2014.

At the request of Lambeth Living Limited, PwC’s internal audit methodology has not been followed when reviewing general ledger and bank reconciliations and therefore we may not have identified all findings that would have been raised in a full scope review using PwC’s methodology. This is further explained in Appendix 2 of our report.

Our work and deliverables are not designed or intended to comply with the International Auditing and Assurance Standards Board (IAASB), International Framework for Assurance Engagements (IFAE) and International Standard on Assurance Engagements (ISAE) 3000.

1. Executive summary

Report classification

High risk

Trend

The number and severity of findings has increased from the 2013/14 review which was rated as low risk. Further explanation is provided in the summary below.

| Total number of findings | Critical | High | Medium | Low | Advisory |
|---|---|---|---|---|---|
| Control implementation | - | - | 1 | - | - |
| Control design | - | 1 | - | - | - |
| Operating effectiveness | - | - | 2 | 3 | 2 |
| Total | - | 1 | 3 | 3 | 2 |

Headlines / summary of findings:

This report sets out the findings from our work undertaken in January and February 2015 to review the implementation, design and operating effectiveness of key controls in relation to key financial systems. Our work covers the period from 1 April 2014 to 21 January 2015.

Lambeth Living Limited (“Lambeth Living”) is reliant on the London Borough of Lambeth (“the Council”) for the operation of many controls. This is because Lambeth Living uses a shared version of the Oracle general ledger system and key elements of the system are the responsibility of the Council.

In August 2014, Lambeth Living migrated from Oracle 11i to Oracle 12. As a result of the change in systems, there have been changes in key processes including: changes to Lambeth Living’s accounts payable process; a change in payroll system from Cyborg to Oracle 12; and changes to the way in which payroll is posted to the general ledger.

However, since the migration in August 2014, Lambeth Living has been experiencing difficulties in obtaining key reports from the Council. This includes a listing of open purchase orders and a listing of purchase orders which have generated accruals. This has meant that key controls in place prior to the migration have not been able to continue operating effectively, resulting in the downward trend from the 2013/14 Key Financial Systems review. Further context on the difficulties that Lambeth Living has faced since the migration has been provided by management in the management comments below.

This report has been classified as high risk. We identified nine findings, one of which has been rated as high risk, three as medium risk, three as low risk and two as advisory.

The high risk finding relates to the following area:

Payments made post migration to Oracle 12 – the list of payments to be made via the BACS payment system can be altered before payment. No checks are made of the final list of payments to ensure all payments are valid.

There is a risk that loss through error or misappropriation is not prevented if these checks are not made. See finding 1.

The medium risk findings relate to the performance of reconciliations, communication with the payroll team and payroll processing. The low risk findings relate to the processing of journals and purchasing controls before and after the implementation of Oracle 12. Full details of these findings can be found in section 3 of the report.

We would like to thank Patrick Pedder (Head of Finance), Candice Cupid (Finance Manager), Shida Ashrafi (Head of Human Resource Operations), Steve Davies (Head of Human Resources and Organisational Development) and their teams for their assistance during the review.

Management comments

Lambeth Living along with five other boroughs migrated its general ledger system from Oracle 11i to Oracle 12. This implementation resulted in a change in the controls of the Accounts Payable system, the use of commitment accounting, payroll journals being posted directly to the ledgers and the implementation of the Oracle Business Intelligence reporting tool.

Lambeth Living in collaboration with the Council have managed the critical risks of ensuring contractors and employees are being paid in a timely manner and that management accounts are being issued on a monthly basis.

Oracle 12 system issues and delays from the Council have resulted in a delay in the performance of monthly balance sheet reconciliations. Whilst these are factors outside the control of Lambeth Living, mitigating actions such as a weekly review of the bank account have been put in place. Bank and payroll reconciliations up to December 2014 have now been received from the Council.

2. Background and scope

Background

Key financial controls form an essential part of Lambeth Living’s internal control environment to enable management to effectively control the accounting function.

The processes that we focused on for the financial year 2014/15 are as follows (having liaised with Lambeth Living’s external auditors):

journals; accounts payable; payroll; bank (limited to walkthrough testing); and reconciliations (limited to walkthrough testing).

During 2014/15, the Oracle general ledger system has been upgraded from Oracle 11i to Oracle 12. The migration took place in August 2014. The transition period started in mid-July 2014, when Oracle 11i ceased to be used, and finished on 4 August 2014, when Oracle 12 was brought online.

We have considered the migration between systems as part of a specific Oracle 12 review.

Scope and limitations of scope

We have reviewed the key controls in place relating to the key financial systems specified in the Terms of Reference in Appendix 2 from 1 April 2014 to 21 January 2015 to ensure that these controls are designed and operate effectively during the period under review. We have only reviewed the sub processes detailed in the Terms of Reference in Appendix 2.

As agreed with management, we performed walkthroughs of the general ledger and bank reconciliations sub-processes to verify that controls have been implemented. However, we did not perform tests to assess the operating effectiveness of these controls.

The Council was unable to run a report detailing the people who had changed hours or grade since August 2014 from the new payroll system, Oracle 12. Therefore, we were unable to perform testing to test the operating effectiveness of controls in place to approve these changes.

This review was dependent upon information provided by the staff interviewed throughout the course of the review; not all oral representations have been validated to supporting evidence.

Findings were relevant at the time of testing. Additional remediation work subsequently undertaken by management was not further reviewed.

3. Detailed current year findings

1) Payments made post-migration to Oracle 12 – control design

Finding

The process for making payments is handled by the Council’s Exchequer Services team. This team extracts the list of payments from Oracle 12 and manually transfers this list of payments to the BACS payments system.

We noted the following control design deficiency:

The list extracted from Oracle 12 can be altered before it is transferred to the BACS payment system. Since the migration, neither Lambeth Living nor the Council perform a further review of payments made within the three working day period in which payments can be recalled. This is because payment runs now take place daily, whereas they previously occurred twice per week, resulting in a constraint in capacity to conduct the checks.

We examined a sample of 20 payment runs which took place between the Oracle 12 migration and 21 January 2015 and we found that, in all cases, the amount paid out agreed to the amount generated in Oracle 12.

Implications

Invalid or inaccurate payments may be made if files relating to payment runs can be altered and no further checks are made before processing.

Action plan

Finding rating: High risk

Agreed action: The finance team should review payments made to ensure that they relate to valid payments and Lambeth Living should request that the Council ensures that payments are reviewed for validity prior to payment being made.

Responsible person / title: Candice Cupid, Finance Manager

Target date: 31 May 2015

Reference number: KFS 14/15 1

Management comments

The Council has the following controls in place in relation to payment runs:

The BACS run is generated by Oracle and the BACS file is automatically placed on a server.

Only three payments officers in Exchequer Team have access to this server. One of these officers places the file in C-Series, the system which is used to send the BACS payments information to the bank.

Nobody in the business has access to this file.

2) Reconciliations post-migration – control implementation

Finding

Reconciliations are carried out monthly on balance sheet accounts to ensure that financial reporting is complete, valid and accurate. Reconciliations are carried out on control accounts and Lambeth Living’s bank accounts. Lambeth Living is responsible for all reconciliations, other than the payroll (until December 2014) and bank reconciliations, which are prepared by the Council for Lambeth Living to review.

After the migration to Oracle 12 in August 2014, payroll is now posted directly to Lambeth Living’s general ledger and accruals are generated when a member of staff receipts a purchase order.

We conducted walkthrough testing to ensure that reconciliations had taken place after the migration. We identified the following control deficiencies:

Council controlled reconciliations

Bank reconciliations had not been received from the Council since the migration took place, when we conducted our review. These have since been received for the period until the end of December 2014.

Payroll reconciliations had not been completed by the Council to the satisfaction of Lambeth Living’s finance team at the time of our review. These have since been completed up to January 2015 by the Council and Lambeth Living.

Lambeth Living controlled reconciliations

Three balance sheet general ledger codes had not been reconciled since the migration, namely:
o 132210 – inter/intra receivables;
o 235210 – inter/intra payables; and
o 235300 – accruals.

Upon investigation, we ascertained that:

No bank reconciliations had been completed because the cash manager module of Oracle 12 was attempting to reconcile bank transactions to the wrong general ledger code. The correct general ledger code was the one where cash transactions were being posted. This was due to an error in the setup of Oracle 12 by the Council. The Council team responsible for bank reconciliations confirmed this was resolved in December 2014 and reconciliations were then performed for the intervening period.

All differences had not been explained on the payroll reconciliations. Lambeth Living has since established the reasons for the differences and approved the reconciliations.

Lambeth Living’s finance team were not able to explain the use of the general ledger codes 133210 and 235210, because no legacy general ledger codes were mapped to these two codes. When we discussed these balances, the balance on each of these codes was below £25k. Some of the entries on general ledger code 133210 have been identified as relating to the recording of payroll costs.

For general ledger code 235300, the accruals balances could not be reconciled because Lambeth Living could not obtain a report of the amounts accrued on receipted purchase orders at a point in time from the Council. Lambeth Living confirmed that, as at the end of February 2015, they had now obtained the relevant report and were working on the reconciliation.

Implications

Financial reporting may be inaccurate if the balances held on balance sheet GL codes are not reconciled to detailed listings regularly.

Loss through error or misappropriation may not be detected promptly if reconciliations are not carried out regularly.


Action plan

Finding rating: Medium risk

Agreed action:

The finance team should ensure reconciliations are performed for the affected balance sheet general ledger accounts to cover the period since the migration to Oracle 12.

Going forward, the finance team should perform reconciliations for all balance sheet general ledger codes monthly.

The finance team should continue to press the Council for access to all required reports, and escalate if necessary.

Bank reconciliations should be obtained from the Council by the finance team and reviewed by the Finance Manager.

Responsible person / title: Candice Cupid, Finance Manager

Target date: 31 May 2015

Reference number: KFS 14/15 2

Management comments

There were issues with the initial set up of Oracle 12, which meant bank reconciliations could not be performed until this was fixed. Journal entries for bank transactions were back-dated to allow the bank and payroll reconciliations for the period July 2014 to November 2014 to be performed in January 2015.

The Council has retained responsibility for performing bank reconciliations. However, Lambeth Living will now perform payroll reconciliations.

Bank reconciliations from the Council have not yet been received for the months of January and February. Lambeth Living will continue to chase. Lambeth Living is in the process of performing the other balance sheet reconciliations.

Page 9: Internal Audit Report 2014/2015 - Lambeth · Internal Audit Report 2014/2015 FINAL Internal audit report for Lambeth Living Limited PwC 3 Background Key financial controls form an

Internal AuditReport 2014/2015 FINAL

Internal audit report forLambeth Living Limited PwC 7

3) Communication with payroll – operating effectiveness

Finding

Starters

Before recruiting a new member of staff, an essential expenditure authorisation (“EEA”) form is required to be completed and authorised by the Head of Human Resources and the appropriate Director. An appointment proforma is then sent to the Council’s payroll team to add the starter to the payroll system.

We examined the records held for a sample of 20 new starters to ensure that an EEA form had been completed and that the employee was correctly added to the payroll system. We noted the following operating effectiveness issues:

1/20 employees did not have a completed and authorised EEA form. This was because the employee was re-employed less than one month after they had left. The manager decided to re-employ them without completing an EEA form.

1/20 employees was added to payroll more than one month after they started. This was because there was a delay between the employee starting and the communication of paperwork to the payroll team. Management were unable to provide a reason for this delay.

1/20 employees was underpaid in the first month they were employed. This was corrected the following month, after payroll was informed of the correct starting pay band for the employee.

Leavers

When a member of staff leaves Lambeth Living, the Council’s payroll team should be notified promptly of the member of staff leaving.

We examined the records held for a sample of 20 leavers to ensure that the removal from the payroll system was done promptly. We noted the following operating effectiveness issue:

2/20 leavers were overpaid because the Council’s payroll team were not informed by Lambeth Living that the employee had left Lambeth Living’s employment. The total amount overpaid was £4,441.34 and invoices have been requested to recover these overpayments. Management are currently taking steps to ensure this overpayment is recovered.

Review of payroll

Each month, Lambeth Living compares net pay for each employee with the previous month’s net pay and obtains explanations for all movements of greater than 20%.

We examined the comparisons performed for a sample of 2 months between April 2014 and January 2015 to ensure that the comparisons had been performed. We noted the following operating effectiveness issue:

For 2/2 months, no explanations were provided. On these two reconciliations, 161 differences of greater than 20% were identified with the value of the differences being £361,363. Lambeth Living was unable to resolve the differences as Lambeth Living was unable to obtain information from the Council’s payroll team despite repeated attempts.

Implications

Lambeth Living may recruit staff who are not required if EEA forms are not completed and approved.

Lambeth Living may over pay staff who leave if they do not notify payroll of a leaver promptly.

Lambeth Living may not identify fraud or error in payroll payments if they do not obtain explanations for unusual movement in payments made.


Action plan

Finding rating: Medium risk

Agreed action:

Management should remind teams of the need to ensure that all staff recruitments have been approved through the EEA process.

Management should remind teams of the need to complete paperwork on time and ensure that leavers are notified to the Council’s payroll team promptly.

Management should ensure that checks for leavers are made as part of the budget monitoring process.

Responsible people / title: Steve Davies, Head of Human Resources and Organisational Development; Candice Cupid, Finance Manager

Target date: 31 May 2015

Reference number: KFS 14/15 3

Management comments

The three proposed actions, above, are agreed.

Requests for explanations of payroll variances are sent through to the payroll support services and HR department. However, responses are not received. In the meantime, Finance agrees starters and leavers to the list of starters and leavers.

Page 11: Internal Audit Report 2014/2015 - Lambeth · Internal Audit Report 2014/2015 FINAL Internal audit report for Lambeth Living Limited PwC 3 Background Key financial controls form an

Internal AuditReport 2014/2015 FINAL

Internal audit report forLambeth Living Limited PwC 9

4) Payroll processing – operating effectiveness

Finding

Starters

The Council’s payroll team is responsible for adding starters correctly to payroll, based on the information provided by Lambeth Living.

We examined the records held for a sample of 20 new starters to ensure that the employee was correctly added to the payroll system. We noted the following operating effectiveness issue:

1/20 employees was overpaid. This was because the employee was paid at the rates applicable from 1 January 2015 for the period from 22 December 2014 to 31 December 2014. This was because of a decision made by the Council’s payroll team to avoid having to make multiple manual adjustments.

Leavers

When a member of staff leaves Lambeth Living, the Council’s payroll team check any annual leave remaining and then calculate the employee’s final payment.

We examined the records held for a sample of 20 leavers to ensure that the check of annual leave has taken place and that the leaver’s final pay was calculated correctly. We noted the following operating effectiveness issues:

2/20 leavers were underpaid annual leave payments which they were entitled to receive. In the first case, the Council’s payroll team calculated annual leave due as being less than that stated in the compromise agreement. In the second case, the annual leave due was notified and calculated after the employee’s final salary was paid. At the time of the review, neither of these former employees had received an additional payment for these amounts. Annual leave requests are now processed using a self-service function which ensures that the Council’s payroll team have access to up to date annual leave records.

1/20 leavers was overpaid. This was because the request to pay 7 hours additional salary due to flexi-hours not being taken was treated as a request to pay 7 days. Management is currently taking steps to ensure this overpayment is recovered.

Implications

Lambeth Living may be exposed to additional liabilities if payments made are incorrect.

Lambeth Living may overpay staff if incorrect calculations are not identified.


Action plan

Finding rating: Medium risk

Agreed action:

Final payments should not be made until annual leave has been checked by the Payroll team.

If there is a dispute over annual leave to be paid, this should be escalated to Lambeth Living management to be resolved.

Lambeth Living should be required to approve any changes in rates enacted prior to their agreed implementation date.

Responsible person / title: Shida Ashrafi, Head of Human Resources Operations, London Borough of Lambeth

Target date: 31 May 2015

Reference number: KFS 14/15 4

Management comments

The decision made in relation to changes in rates was applicable to all new starters effective from 22nd December onwards and was made by the Council’s payroll team. Had the Council’s payroll team chosen not to allow the system to calculate pay, then they would have had to make two manual calculations; one for the period 22nd December to the 31st December on the old rates and then another for the period from 1st January to the 31st January.

An invoice has been raised on Oracle 12 for the recovery of the overpayment made to the leaver.

Page 13: Internal Audit Report 2014/2015 - Lambeth · Internal Audit Report 2014/2015 FINAL Internal audit report for Lambeth Living Limited PwC 3 Background Key financial controls form an

Internal AuditReport 2014/2015 FINAL

Internal audit report forLambeth Living Limited PwC 11

5) Purchasing after the implementation of Oracle 12 – operating effectiveness

Finding

Following the migration to using Oracle 12 in August 2014, the process for approving invoices changed. Invoices are now approved for payment provided there is a valid, authorised purchase order and a member of staff has recorded that the goods or services have been received. In addition, the finance team may record the receipt of goods or services on behalf of the team who ordered the goods or services.

We noted the following control design deficiencies:

There were no reviews of open purchase orders during the period under review. This review is performed to ensure that purchase orders which are not required are closed promptly and not left open indefinitely. Upon investigation, we found that Lambeth Living had been unable to obtain this report due to issues with the reporting function of Oracle 12. These issues have now been resolved and reports are now issued to budget holders to review on a monthly basis.

We also examined a sample of 25 payments made through the payables ledger between the Oracle 12 migration and 21 January 2015. 21 of these invoice payments required purchase orders and receipting approval before payment could be made. We noted the following operating effectiveness issues:

2/21 invoices were released for payment by the Council’s accounts payable team without receipting approval. These were invoices initially recorded on Oracle 11i but not approved for payment. They were released for payment following the migration.

1/21 invoices was receipted by a member of the finance team based on approval from the team receiving the goods or services. However, evidence of the approval could not be provided.

Implications

Payments may be made for goods or services not required or received if open purchase orders are not reviewed and closed.

Payments may be made for goods or services not received if receipt is recorded by the finance team without approval from the team which ordered the goods or services.

Action plan

Finding rating: Low risk

Agreed action:

The finance team should ensure that no invoices are released for payment by the Council without receipting approval.

The finance team should continue to ask budget holders to review open purchase order reports on a monthly basis. Any purchase orders which are no longer required should be closed.

The finance team should retain any correspondence from other areas of Lambeth Living when they record the receipt of goods or services.

Responsible person / title: Candice Cupid, Finance Manager

Target date: 31 May 2015

Reference number: KFS 14/15 5


Management comments

With the implementation of Oracle 12 Lambeth Living no longer has access to Cash Manager. Cash Manager is required to report on cash in transit transactions which includes payments to suppliers.

Invoices paid by the Council without receipting approval related to invoices migrated from Oracle 11i to Oracle 12. There is no risk of invoices being paid without receipting approval for invoices processed solely in Oracle 12 because the system will not allow invoices to be paid without receipting approval.

The R12 open PO report was unstable and unreliable when the Oracle Business Intelligence reporting functionality was initially implemented. The report has since stabilised, is reliable and is now being distributed.


6) Journals – operating effectiveness

Finding

Journals are input to the general ledger by one member of the finance team before being reviewed by another member. It is then posted to the general ledger by a third member of the finance team.

We tested a sample of 20 journals to ensure that this process had been followed and noted the following operating effectiveness issues:

1/20 journals was reviewed after it was posted to the general ledger because the journal’s approver was on annual leave.

1/20 journals was signed as reviewed before it was signed as input to the GL.

For 2/20 journals, we were unable to confirm the date the review before posting took place because the review date was not recorded on the approval slip.

In all cases, there was segregation of duties between the requesting and approval of the journals once approval took place.

Implications

Accounting records may be inaccurate or incomplete leading to inappropriate financial reporting.

Loss through error or misappropriation of assets may not be detected promptly.

Action plan

Finding rating: Low risk

Agreed action: The finance team should ensure all journals are reviewed prior to posting and that the date of review is recorded accurately.

Responsible person / title: Candice Cupid, Finance Manager

Target date: 31 May 2015

Reference number: KFS 14/15 6

Management comments

The journals signed as being approved after annual leave were in reality approved by the person who posted the journal. Moving forward, the journals would be reviewed by a member of the Management Accounting team before being posted in the absence of colleagues in the Financial Transaction team.


7) Purchasing before Oracle 12’s implementation – operating effectiveness

Finding

Open purchase order reports

Prior to the migration to Oracle 12, a report listing all open purchase orders was sent to managers that staffclose purchase orders which were no longer needed.

We selected a sample of two months between April 2014 and July 2014 and examined email correspondence toconfirm that these reports had been sent out. We noted the following operating effectiveness issue:

In 1/2 months, no open purchase order report was sent out for review.

Upon investigation, this was because an exercise had taken place to close all open purchase orders which werenot needed before year end. This was done at a time when Lambeth Living had expected to migrate betweenOracle 11i and Oracle 12. When the migration was delayed, management decided not to continue sending thesereports until the migration took place.

Cut-over period

During the period when Lambeth Living did not have access to Oracle 11i or Oracle 12, known as the “cut-over period”, a process was put in place to allow CHAPS payments to be made to pay invoices which required urgent payment. This process was used to make eight payments. Those invoices paid were then to be uploaded to Oracle to ensure that duplicate payments could not be made.

We examined a sample of two of the payments made during the cut-over period to verify that the invoice had been included on Oracle 12 to prevent duplicate payments. We noted the following control operating effectiveness issue:

1/2 invoices paid with value £6,624 had not been uploaded to Oracle 12. When brought to management’s attention, they requested that the invoice was added to the payables ledger and confirmed no duplicate payment had been made. Management were unable to confirm why this was not recorded on the ledger.

Implications

Payments may be made for goods or services not required or received if open purchase orders are not reviewed and closed.

Duplicate payments may be made if invoices paid during the cut-over period are not recorded on Oracle 12.

Action plan

Finding rating: Low risk
Agreed action: Lambeth Living should ensure that all invoices paid during the cut-over period are recorded on the general ledger.
Responsible person / title: Candice Cupid, Finance Manager
Target date: 31 May 2015
Reference number: KFS 14/15 7

Management comments

Invoices not loaded onto the payables ledger would have been highlighted as not being posted through the performance of the bank reconciliation. The delay in the bank reconciliations meant that this was not noticed.

8) Purchasing requisition forms – operating effectiveness

Finding

Prior to a purchase order being raised, a purchase requisition form should be raised by a member of the business unit and approved by the Business Unit Manager.

As part of our testing of invoices paid between 1 April 2014 and 21 January 2015, we reviewed 47 purchase requisition forms.

We noted that:

2/47 purchase requisition forms were requested and authorised by the same individual. However, the purchase order for the goods purchased was approved by a separate member of staff.

Recommendation

It is good practice that a purchase requisition form should be completed and authorised by different members of staff and forms should not be processed without this review taking place.

9) Approval of purchase orders – operating effectiveness

Finding

Purchase orders require approval in line with the scheme of delegation which requires Heads of Service, or more senior members of staff, to approve purchase orders in excess of £50,000.

As part of our testing of invoices paid between 1 April 2014 and 21 January 2015, we reviewed 41 purchase requisition forms.

We noted that:

34/41 purchase orders were approved by the Head of Finance. Only 3 of these purchase orders were in excess of £50,000.

Therefore, whilst this is in line with Lambeth Living’s scheme of delegation, a significant amount of the authorising of purchase orders is centred on the Head of Finance. This time could be more effectively used.

Recommendation

Financial responsibility should be encouraged to stretch wider than the core finance team as denoted in the scheme of delegation, allowing senior members of staff to effectively use their time.

Appendix 1. Basis of our classifications

Individual finding ratings

Finding rating: Assessment rationale

Critical: A finding that could have a:
Critical impact on operational performance; or
Critical monetary or financial statement impact; or
Critical breach in laws and regulations that could result in material fines or consequences; or
Critical impact on the reputation or brand of the organisation which could threaten its future viability.

High: A finding that could have a:
Significant impact on operational performance; or
Significant monetary or financial statement impact; or
Significant breach in laws and regulations resulting in significant fines and consequences; or
Significant impact on the reputation or brand of the organisation.

Medium: A finding that could have a:
Moderate impact on operational performance; or
Moderate monetary or financial statement impact; or
Moderate breach in laws and regulations resulting in fines and consequences; or
Moderate impact on the reputation or brand of the organisation.

Low: A finding that could have a:
Minor impact on the organisation’s operational performance; or
Minor monetary or financial statement impact; or
Minor breach in laws and regulations with limited consequences; or
Minor impact on the reputation of the organisation.

Advisory: A finding that does not have a risk impact but has been raised to highlight areas of inefficiencies or good practice.

Report classifications

The report classification is determined by allocating points to each of the findings included in the report.

Findings rating: Points
Critical: 40 points per finding
High: 10 points per finding
Medium: 3 points per finding
Low: 1 point per finding

Report classification: Points
Low risk: 6 points or less
Medium risk: 7–15 points
High risk: 16–39 points
Critical risk: 40 points and over

Appendix 2. Terms of Reference

Terms of reference – Key Financial Systems

To: Terry Gallagher – Lambeth Living

From: Nicholas Haigney – PwC

This review is being undertaken as part of the 2014/2015 internal audit plan approved by the Audit and Resources Committee.

Background

Previous internal audit reviews into the key financial systems have noted progressive improvements, with the previous year’s report rated as low risk. As a result, we intend to focus the review on the most significant finance processes. We shall liaise with Lambeth Living Limited’s (“Lambeth Living”) external auditors to ensure we create efficiencies in providing assurance for Lambeth Living across key financial controls.

These financial controls form an essential part of Lambeth Living’s internal control environment to enable management to effectively control the accounting function.

The processes that internal audit will focus on for the financial year 2014/15 are as follows:

journals
accounts payable
payroll
bank (limited to walkthrough testing)
reconciliations (limited to walkthrough testing)

During 2014/15, the Oracle system has been upgraded from Oracle 11i to Oracle 12. The transition took place in the summer of 2014, with a transition period starting in mid-July 2014, when Oracle 11i ceased to be used, and finishing on 4 August 2014, when Oracle 12 was brought online. We will consider the transition between systems as part of a specific Oracle 12 review.

Scope

We will review the design and operating effectiveness of key controls in place relating to the financial systems in place during the period 1 April 2014 to the date the fieldwork occurs, which is scheduled for January 2015 as per the agreed timetable.

The sub-processes and related control objectives included in this review are:

Sub-process: Objectives

Reconciliations: Control accounts (namely debtors control account, creditors control account, sundry external revenue control account, sundry external debt control account and those relating to VAT and payroll) are reviewed and reconciled regularly so as to ensure accurate, complete and valid financial reporting.

Bank: Cash held in bank accounts is reconciled to cash balances per the general ledger (and reconciling items cleared promptly).

Journals: Journals are appropriately reviewed and authorised.

Accounts payable: Invoices are only paid if they have been appropriately authorised, are accurate, correspond to a valid order and goods / services have been received by Lambeth Living. Payments to suppliers are appropriately authorised, are accurate and pertain to valid invoices or charges and suppliers.

Payroll: Only valid employees are added to the payroll system. Leavers are promptly removed. Amendments and deductions are applied correctly and promptly actioned. Payruns are valid, complete and accurate.

Limitations of scope

We will review the above controls to ensure controls are designed and operating effectively for the sub-processes indicated above.

As agreed with management, we will perform a walkthrough of the bank and reconciliations sub-processes to verify that controls have been implemented. However, we will not perform tests to assess the operating effectiveness of these controls.

The review is dependent upon information provided by the staff interviewed throughout the course of the review.

Audit approach

Our audit approach is as follows:

Obtain an understanding of the key financial systems through discussions with key personnel, review of systems documentation and walkthrough tests

Identify the key risks of the sub-processes under review

Evaluate the design of the controls in place to address the key risks

Test the operating effectiveness of the key controls.

Internal audit team

Name: Nicholas Haigney
Title: Director
Role: Engagement Leader
Contact details: [email protected], 020 7213 5613

Name: Charles Martin
Title: Manager
Role: Engagement Manager
Contact details: [email protected], 07732 864 402

Name: David Hagger
Title: Senior Associate
Role: Audit Supervisor
Contact details: [email protected], 07756 028 236

Name: Joshua Williams
Title: Associate
Role: Auditor
Contact details: [email protected], 020 7804 2572

Key contacts – Lambeth Living

Name: Terry Gallagher
Title: Chief Executive
Role: Audit Liaison and Responsible Director
Contact details: [email protected]

Name: Patrick Pedder
Title: Head of Finance
Role: Audit Owner
Contact details: [email protected]

Name: Candice Cupid
Title: Finance Manager
Role: Audit Liaison
Contact details: [email protected]

Timetable

Fieldwork start: 12 January 2015
Fieldwork completed: 16 January 2015
Draft report to client: 30 January 2015
Response from client: 6 February 2015
Final report to client: 13 February 2015

Agreed timescales are subject to the following assumptions:

All relevant documentation, including source data, reports and procedures, will be made available to us promptly on request

Staff and management will make reasonable time available for interviews and will respond promptly to follow-up questions or requests for documentation.

Appendix 3. Limitations and responsibilities

Limitations inherent to the internal auditor’s work

We have undertaken the review of name of the review, subject to the limitations outlined below.

Internal control

Internal control systems, no matter how well designed and operated, are affected by inherent limitations. These include the possibility of poor judgment in decision-making, human error, control processes being deliberately circumvented by employees and others, management overriding controls and the occurrence of unforeseeable circumstances.

Future periods

Our assessment of controls is for the period specified only. Historic evaluation of effectiveness is not relevant to future periods due to the risk that:

the design of controls may become inadequate because of changes in operating environment, law, regulation or other; or

the degree of compliance with policies and procedures may deteriorate.

Responsibilities of management and internal auditors

It is management’s responsibility to develop and maintain sound systems of risk management, internal control and governance and for the prevention and detection of irregularities and fraud. Internal audit work should not be seen as a substitute for management’s responsibilities for the design and operation of these systems.

We endeavour to plan our work so that we have a reasonable expectation of detecting significant control weaknesses and, if detected, we shall carry out additional work directed towards identification of consequent fraud or other irregularities. However, internal audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected.

Accordingly, our examinations as internal auditors should not be relied upon solely to disclose fraud, defalcations or other irregularities which may exist.

In the event that, pursuant to a request which Lambeth Living Limited has received under the Freedom of Information Act 2000 or the Environmental Information Regulations 2004 (as the same may be amended or re-enacted from time to time) or any subordinate legislation made thereunder (collectively, the “Legislation”), Lambeth Living Limited is required to disclose any information contained in this document, it will notify PwC promptly and will consult with PwC prior to disclosing such document. Lambeth Living Limited agrees to pay due regard to any representations which PwC may make in connection with such disclosure and to apply any relevant exemptions which may exist under the Legislation to this document and other related documents. If, following consultation with PwC, Lambeth Living Limited discloses this document or any part thereof, it shall ensure that any disclaimer which PwC has included or may subsequently wish to include in the information is reproduced in full in any copies disclosed.

This document has been prepared only for Lambeth Living Limited and solely for the purpose and on the terms agreed with Lambeth Living Limited in our agreement dated 6 August 2014. We accept no liability (including for negligence) to anyone else in connection with this document, and it may not be provided to anyone else.

© 2015 PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom), which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.