south ayrshire council
TRANSCRIPT
South Ayrshire Council
Internal Controls Report 2015/16
Prepared for South Ayrshire Council
June 2016
Key contacts
Fiona Mitchell-Knight, Assistant Director
Dave Richardson, Senior Audit Manager
Sarah Lawton, Senior Auditor
Audit Scotland
4th Floor (South Suite)
8 Nelson Mandela Place
Glasgow
G2 1BT
Telephone: 0131 625 1500
Website: www.audit-scotland.gov.uk
The Accounts Commission is a statutory body which appoints external auditors to Scottish local
government bodies. (www.audit-scotland.gov.uk/about/ac)
Audit Scotland is a statutory body which provides audit services to the Accounts Commission and
the Auditor General. (www.audit-scotland.gov.uk)
The Accounts Commission has appointed Fiona Mitchell-Knight, Assistant Director, Audit Scotland
as the external auditor of South Ayrshire Council for the period 2011/12 to 2015/16.
This report has been prepared for the use of South Ayrshire Council and no responsibility to any
member or officer in their individual capacity or any third party is accepted.
Contents
Summary……………………………………………………3
Audit Findings………………………………………….....4
Appendix 1: Action plan…………………..……………10
Summary
South Ayrshire Council Page 3
Summary
Introduction
1. We are required by auditing standards to obtain an understanding of
the accounting and internal control systems in place for the
administration of the financial affairs of the audited body to allow us
to plan the audit and develop an effective financial statements audit
approach.
2. Accordingly, we seek to gain assurance that South Ayrshire Council:
has systems of recording and processing transactions which
provide a sound basis for the preparation of the financial
statements and the effective management of assets and
liabilities
has systems of internal control which provide an adequate
means of preventing or detecting material misstatement, error,
fraud or corruption
complies with established policies, procedures, laws and
regulations.
Summary of findings
3. We tested the key controls operating over the financial systems of
South Ayrshire Council to assess whether they are operating
satisfactorily.
4. In the main we found that controls were operating satisfactorily
although we identified some areas where the controls could be
strengthened. These include:
Controls over the creation of suppliers within the trade payables
system
Reconciliations between the rent accounting system and the
asset register
Timeous preparation and authorisation of bank reconciliations
5. Appendix 1 is an action plan setting out our recommendations to
address the risks we have identified from our controls testing.
Officers have considered the issues and agreed to take the specific
steps in the column headed "Management response".
6. Our overall conclusion is that the internal controls within the
council’s main financial systems are operating effectively and this
allows us to take planned assurance on these systems for the audit
of the 2015/16 financial statements.
Acknowledgement
7. The contents of this report have been discussed with relevant
officers to confirm factual accuracy.
Audit Findings
Page 4 South Ayrshire Council
Audit Findings
Systems of internal control
8. Our audit approach includes planned controls assurance on the key
financial systems of South Ayrshire Council. The key systems which
were tested during 2015/16, including those where we have placed
reliance on prior year work and/or the work of internal audit are as
follows:
General ledger
Payroll
Trade payables
Trade receivables
Cash and banking
Treasury Management
Housing rents
Housing benefits
Council tax billing and collection
Non-domestic rates billing and collection
9. In addition, we reviewed the council’s arrangements for complying
with European Union state aid regulations and the council’s
arrangements to counter and defend against cyber attack.
10. To obtain our controls assurance, testing strategies were developed
and work undertaken during March and April 2016. Our review
involved the identification and assessment of the risks inherent in
the key systems and the adequacy of the procedures and controls in
place to address the risks.
Key Findings
11. We did not identify any significant risk exposure or major
weaknesses in the internal controls system from our review.
However, addressing the following issues which further strengthen
the council’s systems of internal control:
Trade payables
12. Creation of suppliers: The supplier masterfile contains the
information necessary for the system to generate a payment to a
supplier (for example, supplier address, bank details etc). In
2014/15 we reported that the trade payables system now includes
the facility for service staff to create “one-off” suppliers for specific
types of payment such as debtor refunds, redecoration allowances
etc. We expressed concern that the absence of adequate
authorisation procedures for the insertion of new records to the
supplier masterfile exposed the council to an increased risk of error
and fraud. Management advised that they considered that the
requirement for line manager authorisation of payments made to
such “one-off” suppliers reduced the risk to acceptable levels.
13. We sample tested thirty new suppliers created during 2015/16,
seven of those were “one-off” suppliers which had been created by
Audit Findings
South Ayrshire Council Page 5
service staff. Five of the seven were for redecoration allowances,
one was a grant to a voluntary organisation and one was a refund of
a debtor account overpayment. While there is no evidence to
suggest that these were not valid payments, there is no evidence on
the system which provides an audit trail demonstrating the validity of
such payments. In the absence of an audit trail on the system it is
unclear how management gain assurance that authorisation
arrangements in place are sufficiently robust to prevent the
processing of inappropriate payments.
Action Point 1
14. Duplicate suppliers: The integrity of the supplier masterfile is
essential for ensuring that payments are only made to valid
creditors. Following the upgrade to Oracle R12 in June 2014 the
number of suppliers on the masterfile increased substantially as all
benefit claimants had to be added to the system as suppliers to
facilitate payment of benefits. The council recognised that the initial
approach used to add benefit claimants to the masterfile required
review to take account of individuals with the same or similar
names. Steps were taken to ensure that all claimants could be
easily identified through the adoption of a formal naming convention
when masterfile records were created.
15. The creation of duplicate suppliers entails the risk of duplicate
payments being made against the same invoice. During 2015/16
the council undertook a review of the suppliers masterfile to identify
duplicate suppliers. This review resulted in a number of supplier
accounts being terminated so that only one account existed for each
supplier. This was an extensive exercise and the supplier masterfile
now numbers 29,340 suppliers (as at April 2016). To mitigate the
risk of duplicate suppliers being created in future, the council should
seek to adopt a formal naming convention for each type of supplier
and this should be communicated to all staff who have the facility to
create suppliers.
Action Point 1
16. Exception reporting: A system of exception reporting is an
important tool in preventing and detecting errors or potential fraud at
an early stage through the review of transactions meeting
predetermined criteria. The Oracle system has a workflow section
whereby any issues identified by the system such as invalid
accounting periods, invoices which don’t match the corresponding
purchase order or an invoice relating to an invalid supplier are
flagged and must be followed up by a member of the Central
Accounts Payable (CAP) team before payment can be made.
17. However, no exception reports are produced which identify potential
issues such as high value invoices, duplicate suppliers or amended
bank details. The council should consider whether routine reporting
and review of uncommon output from the system would strengthen
the existing control environment.
Action Point 2
Housing rents
18. Reconciliation of housing stock numbers: The council manages
a housing stock of over 8,000 properties. The periodic reconciliation
of properties on the rent roll to the asset register is an important
control to ensure that the council is levying rental charges on all of
Audit Findings
Page 6 South Ayrshire Council
its properties. At the time of our testing no reconciliation had been
prepared during 2015/16. Management advised that due to staffing
changes within the Property and Risk section, the reconciliation was
not completed quarterly throughout 2015/16. A full year
reconciliation was however completed as part of the council’s year
end processes.
Action Point 3
19. Credit balances: Overpayments on tenants rent accounts occur for
a variety of reasons including deliberate overpayments, changes in
rent liability and payments continuing in error. Such overpayments
show on the housing rents system as credit balances and will be
refunded to tenants when identified.
20. Our testing on refunds of overpayments found that while these were
all legitimate refunds, a number of these had been accruing for a
significant period of time. To reduce the instances of significant
overpayments the council should introduce regular reporting on
credit balances to identify and resolve overpayments promptly.
Action Point 4
Cash and banking
21. Bank reconciliations are an essential control in ensuring that the
council’s ledger cash balance is verified to the balance held in the
council’s bank account. Bank reconciliation statements should be
prepared timeously after the period end to ensure that financial
information is accurate and that differences can be promptly
identified and satisfactorily explained.
22. Our audit testing of 34 bank reconciliations found eight instances
where the bank reconciliation had not been completed within four
weeks of the period end.
23. Bank reconciliations should be signed and dated by the preparing
officer and reviewed and signed off by supervisory staff. Two of the
sample of reconciliations tested were not available in hard copy, we
were, therefore unable to confirm that the prescribed control had
been applied. Where bank reconciliations are not being timeously
performed, approved and filed in accordance with the council’s
prescribed arrangements there is an increased risk of fraud or error.
Action Point 5
Housing benefits
24. Each year the council prepares a subsidy claim for reimbursement
from the Department for Work and Pensions (DWP) in respect of
benefits paid to claimants during the year.
25. Uncashed benefit cheques: The subsidy claim includes a cell to
record the value of uncashed cheques at the year end. Given the
nature of benefit payments, we consider it unusual for claimants not
to cash cheques within a fairly short period. The council recorded
£27,127 of uncashed cheques for 2014/15 which was significantly
higher than in previous years and higher than other Scottish
councils. While officers have explained that these were
predominantly the result of landlords not cashing issued cheques
we consider that a more in-depth explanation for the apparent
anomaly should be pursued. The council should investigate this
Audit Findings
South Ayrshire Council Page 7
issue thoroughly to identify any underlying issues and take
appropriate remedial action.
Action Point 6
State aid
26. The UK Government defines state aid as “any advantage granted by
public authorities through state resources on a selective basis to
any organisations that could potentially distort competition and trade
in the European Union (EU).” The advantage can apply to grants,
loans, tax incentives or the use or sale of assets for free or below
market value.
27. Public bodies are responsible for ensuring that they comply with the
rules. While we found no evidence of the rules being breached, the
council does not currently have a formal protocol in place for
ensuring compliance with EU state aid requirements. There is a risk
that the council could inadvertently breach state aid restrictions
without appropriate guidance to officers being available.
Action Point 7
Information and Communications Technology (ICT)
28. Risk register: Risk information relating to ICT has been captured at
a strategic level and some operational risk information included in
the Finance and ICT Service Improvement Plan Risk Register. The
council should, however, prepare without further delay, a
comprehensive ICT risk register which identifies the risks associated
with the council's ICT arrangements. This would give a clear focus
to specific issues and allow management and members to have
clear sight of the risks relating to ICT and the mitigation strategy in
place.
Action Point 8
29. Cyber security: Like all organisations, councils face the increasing
risk of cyber attacks targeting ICT systems, networks and
infrastructure. The threat to public sector organisations is very real
as evidenced by a recent ransomware shutdown of IT systems at
Lincolnshire Council and a denial of service attack on the national
education network, JANET.
30. Cyber attacks can occur through entering systems via weaknesses
in software. Regular “patching” contributes to system security by
eliminating known software weaknesses. Other controls such as
firewalls, anti-virus software, email filtering etc. should act as
barriers to unpatched software. Outdated software however
increases the risk of a successful attack. There is a risk that the
council is exposed to an elevated level of risk where systems are
not routinely updated.
31. An IT health check can be used to provide assurance that an
organisation’s external systems are protected from unauthorised
access or change. It does this by highlighting security vulnerabilities
which the organisation can then seek to address. Our review found
that the last full IT health check carried out by the council was in
2013. There is a risk that the council is not fully aware of
vulnerabilities in its ICT systems and may be at risk of unauthorised
access and subsequent damage and interruption to its IT services.
Action Point 9
Audit Findings
Page 8 South Ayrshire Council
National Fraud Initiative
32. The National Fraud Initiative (NFI) is a bi-annual data-matching
exercise which aims to identify possible cases of fraud by matching
information held across public bodies. The most recent exercise
was undertaken in 2015, the results of which were published by
Audit Scotland in June 2016.
33. The matches identified by the process are risk assessed and as this
can be a resource intensive process, in February 2015 the
Leadership Panel agreed that only high quality matches would be
followed up. NFI activity is summarised in the following table.
Total Matches Processed 448
Cases Cleared 440
Total Frauds 3
Total Errors 5
34. Reporting findings: While we are satisfied that the council has
followed up such matches, findings from the NFI process were
reported to members in a Members Bulletin. The council has
agreed that the findings from future NFI exercises will be reported to
an appropriate panel for scrutiny.
Internal Audit
35. Internal audit is provided by the council’s in-house internal audit
section. Internal audit supports management in maintaining sound
corporate governance and internal controls through the independent
examination and evaluation of control systems and the reporting of
weaknesses to management.
36. Our annual review of internal audit, reported to the Audit and
Governance Panel on 10 February 2016, found that the council has
effective internal audit arrangements in place.
37. Our annual audit plan, issued in March 2016, set out the areas of
internal audit work upon which we would be placing reliance.
38. The 2015/16 internal audit plan is now substantially complete. We
confirm that our reliance on controls work and our wider
responsibility work under the Code of Audit Practice will proceed as
planned.
Overall conclusion
39. We have concluded that internal controls are, generally, operating
satisfactorily. There are, however, a number of areas where
management should review the existing arrangements and consider
strengthening the control environment.
Management action
40. A summary of those areas where identified risk exposure requires
management consideration is included at appendix 1. Planned
Audit Findings
South Ayrshire Council Page 9
action, responsibilities and timescales for action in response to our
recommendations have been provided by management.
Acknowledgement
41. The contents of this report have been discussed with relevant
officers to confirm factual accuracy. The co-operation and
assistance we received during the course of our audit is gratefully
acknowledged.
Appendix 1: Action plan
Page 10 South Ayrshire Council
Appendix 1: Action plan
No. Para. Risk / Recommendation Responsible officer Management response /
Planned action
Target date
1 13 &
15
Trade payables: Creation of and payments
to suppliers
Risk – There is a risk that duplicate supplier
records are created, potentially resulting in
duplicate payments and authorisation
arrangements in place are not sufficiently
robust to prevent inappropriate payments.
Recommendation – The council should adopt
a formal naming convention when adding
suppliers to the Masterfile and should ensure
there is a complete audit trail in place to
support payments to one-off suppliers.
Tim Baulk (Head of
Finance & ICT)
Current approval and risk mitigation
process remains in place. E-
financials Board currently considering
alternative methodology for the
creation of suppliers together with a
new software package/ management
tool to supplement and enhance
control mechanism. In addition the
merits of a cleansing exercise needs
to be considered to resolve current
duplicate supplier records.
31 August 2017
Appendix 1: Action plan
South Ayrshire Council Page 11
2 17 Trade payables: Exception reports
Risk – The council does not have adequate
arrangements in place to promptly identify
anomalous payments.
Recommendation – The council should
introduce a suite of exception reports within
the trade payables system to identify
transactions which merit further review.
Tim Baulk (Head of
Finance & ICT)
SAC are initiating discussions with
external providers (July 2016) to
carry out a health check on Payables
data, suppliers and payments. It is
intended that following the initial
health check that ongoing
management information will be
provided to mitigate the risk
identified.
31 December 2016
3 18 Housing rents: Reconciliation of housing
stock numbers
Risk - The council may not be realising all
rental income due on its properties or may mis-
state the value of the stock in its financial
statements through inaccurate records.
Recommendation – The council should
introduce a regular reconciliation between the
rent accounting system and the asset register.
Ijaz Bashir (Asset
Systems Manager)
Due to staffing changes within
Property & Risk, the reconciliation
was not completed at each quarter
throughout 2015/16. However the
reconciliation was completed for the
year ending 31 March 2016 as part of
the year end process. Arrangements
for carrying out quarterly
reconciliations are now in place.
Completed
Appendix 1: Action plan
Page 12 South Ayrshire Council
4 20 Housing rents: Credit balances
Risk – Substantial overpayments are made
against tenant rent accounts.
Recommendation - The council should
introduce regular reporting on credit balances
to identify and resolve overpayments promptly.
.
Michael Alexander
(Manager (Housing
Operations)
A reporting system is currently in
place and is used by staff with our
Revenues and Arrears Team to
identify and prioritise cases eligible
for refunds. In recognition of the
number of accounts involved, we
have recently increased the level and
allocation of staff resources to deal
with accounts with a credit balance.
Refunds are being processed on an
ongoing basis and we are prioritising
remaining accounts based on the
level of the credit balance.
Completed
5 23 Cash and banking: Preparation of bank
reconciliations
Risk – Bank reconciliations are not being
prepared and reviewed timeously which could
result in delays identifying issues.
Recommendation – The council should
ensure that reconciliations are prepared,
reviewed and filed in accordance with the
council’s prescribed arrangements.
Tom Simpson (corporate
Accounting Manager)
Bank reconciliations continue to be a
high priority for the service and
accordingly will be prepared and
reviewed on a timely basis as
commensurate with available
resources. Officers continue to work
with colleagues in other services in
order to improve the quality of and
streamline the flow of information to
allow reconciling items to be
identified and investigated as quickly
as possible.
31 December 2016
Appendix 1: Action plan
South Ayrshire Council Page 13
6 25 Housing benefits: Uncashed benefit
cheques
Risk - The council recorded £27,127 of
uncashed cheques for 2014/15 which was
significantly higher than in previous years and
higher than other Scottish councils.
Recommendation – The council should
investigate this issue thoroughly to identify any
underlying issues and take appropriate
remedial action.
Billy Phillips (Revenues &
Benefits Manager)
This is not considered a significant
area of risk however following the
audit of the 2014/15 subsidy claim,
reports are now provided on a
monthly basis in order to identify and
resolve the reasons why cheques
may not be cashed at an early stage.
Procedures have been updated to
ensure that where payments are
uncashed, the benefit claim is
reviewed and where necessary
updated or referrals to Fraud may be
considered in appropriate cases.
Completed
7 27 State Aid
Risk - The council could inadvertently breach
state aid requirements without a protocol in
place.
Recommendation – The council should
develop appropriate guidance for officers.
Jill Cronin (Head of
Enterprise,
Development &
Leisure)
SAC along with North and East
Ayrshire Councils are developing
a protocol and control handbook
which will provide guidelines in
respect of state aid issues.
30 September 2016
Page 14 South Ayrshire Council
8 28 ICT: Risk register
Risk – The council does not have clear sight
of the risks relating to ICT and the mitigation
strategy in place.
Recommendation – The council should
develop an ICT risk register without further
delay.
Carol Boyd (Risk &
Safety Manager)
An ICT Digital Transformational
change risk register is being
developed in line with the
Transform South Ayrshire
initiative.
31 March 2017
9 31 ICT: Cyber security
Risk – The council is not fully aware of
vulnerabilities in its ICT systems and may be at
risk of unauthorised access, damage and
interruption to its ICT services.
Recommendation – The council should
undertake an ICT health check and review its
arrangements for updating software.
Tim Baulk (Head of
Finance and IT)
Anti-virus updates and Microsoft
security patches are applied and
an annual health check of our
PSN network is completed each
year however a health check on
the wider network has not been
completed for some time.
The Digital Transformational
change programme of work will
address this aspect.
31 March 2017