south ayrshire council

South Ayrshire Council

Internal Controls Report 2015/16

Prepared for South Ayrshire Council

June 2016

Key contacts

Fiona Mitchell-Knight, Assistant Director

[email protected]

Dave Richardson, Senior Audit Manager

[email protected]

Sarah Lawton, Senior Auditor

[email protected]

Audit Scotland

4th Floor (South Suite)

8 Nelson Mandela Place

Glasgow

G2 1BT

Telephone: 0131 625 1500

Website: www.audit-scotland.gov.uk

The Accounts Commission is a statutory body which appoints external auditors to Scottish local

government bodies. (www.audit-scotland.gov.uk/about/ac)

Audit Scotland is a statutory body which provides audit services to the Accounts Commission and

the Auditor General. (www.audit-scotland.gov.uk)

The Accounts Commission has appointed Fiona Mitchell-Knight, Assistant Director, Audit Scotland

as the external auditor of South Ayrshire Council for the period 2011/12 to 2015/16.

This report has been prepared for the use of South Ayrshire Council and no responsibility to any

member or officer in their individual capacity or any third party is accepted.

Contents

Summary……………………………………………………3

Audit Findings………………………………………….....4

Appendix 1: Action plan…………………..……………10

mailto:[email protected]

http://www.audit-scotland.gov.uk/

Summary


Summary

Introduction

1. We are required by auditing standards to obtain an understanding of

the accounting and internal control systems in place for the

administration of the financial affairs of the audited body to allow us

to plan the audit and develop an effective financial statements audit

approach.

2. Accordingly, we seek to gain assurance that South Ayrshire Council:

has systems of recording and processing transactions which

provide a sound basis for the preparation of the financial

statements and the effective management of assets and

liabilities

has systems of internal control which provide an adequate

means of preventing or detecting material misstatement, error,

fraud or corruption

complies with established policies, procedures, laws and

regulations.

Summary of findings

3. We tested the key controls operating over the financial systems of

South Ayrshire Council to assess whether they are operating

satisfactorily.

4. In the main we found that controls were operating satisfactorily

although we identified some areas where the controls could be

strengthened. These include:

Controls over the creation of suppliers within the trade payables

system

Reconciliations between the rent accounting system and the

asset register

Timeous preparation and authorisation of bank reconciliations

5. Appendix 1 is an action plan setting out our recommendations to

address the risks we have identified from our controls testing.

Officers have considered the issues and agreed to take the specific

steps in the column headed "Management response".

6. Our overall conclusion is that the internal controls within the

council’s main financial systems are operating effectively and this

allows us to take planned assurance on these systems for the audit

of the 2015/16 financial statements.

Acknowledgement

7. The contents of this report have been discussed with relevant

officers to confirm factual accuracy.

Audit Findings


Audit Findings

Systems of internal control

8. Our audit approach includes planned controls assurance on the key

financial systems of South Ayrshire Council. The key systems which

were tested during 2015/16, including those where we have placed

reliance on prior year work and/or the work of internal audit are as

follows:

General ledger

Payroll

Trade payables

Trade receivables

Cash and banking

Treasury Management

Housing rents

Housing benefits

Council tax billing and collection

Non-domestic rates billing and collection

9. In addition, we reviewed the council’s arrangements for complying

with European Union state aid regulations and the council’s

arrangements to counter and defend against cyber attack.

10. To obtain our controls assurance, testing strategies were developed

and work undertaken during March and April 2016. Our review

involved the identification and assessment of the risks inherent in

the key systems and the adequacy of the procedures and controls in

place to address the risks.

Key Findings

11. We did not identify any significant risk exposure or major

weaknesses in the internal controls system from our review.

However, addressing the following issues which further strengthen

the council’s systems of internal control:

Trade payables

12. Creation of suppliers: The supplier masterfile contains the

information necessary for the system to generate a payment to a

supplier (for example, supplier address, bank details etc). In

2014/15 we reported that the trade payables system now includes

the facility for service staff to create “one-off” suppliers for specific

types of payment such as debtor refunds, redecoration allowances

etc. We expressed concern that the absence of adequate

authorisation procedures for the insertion of new records to the

supplier masterfile exposed the council to an increased risk of error

and fraud. Management advised that they considered that the

requirement for line manager authorisation of payments made to

such “one-off” suppliers reduced the risk to acceptable levels.

13. We sample tested thirty new suppliers created during 2015/16,

seven of those were “one-off” suppliers which had been created by

Audit Findings


service staff. Five of the seven were for redecoration allowances,

one was a grant to a voluntary organisation and one was a refund of

a debtor account overpayment. While there is no evidence to

suggest that these were not valid payments, there is no evidence on

the system which provides an audit trail demonstrating the validity of

such payments. In the absence of an audit trail on the system it is

unclear how management gain assurance that authorisation

arrangements in place are sufficiently robust to prevent the

processing of inappropriate payments.

Action Point 1

14. Duplicate suppliers: The integrity of the supplier masterfile is

essential for ensuring that payments are only made to valid

creditors. Following the upgrade to Oracle R12 in June 2014 the

number of suppliers on the masterfile increased substantially as all

benefit claimants had to be added to the system as suppliers to

facilitate payment of benefits. The council recognised that the initial

approach used to add benefit claimants to the masterfile required

review to take account of individuals with the same or similar

names. Steps were taken to ensure that all claimants could be

easily identified through the adoption of a formal naming convention

when masterfile records were created.

15. The creation of duplicate suppliers entails the risk of duplicate

payments being made against the same invoice. During 2015/16

the council undertook a review of the suppliers masterfile to identify

duplicate suppliers. This review resulted in a number of supplier

accounts being terminated so that only one account existed for each

supplier. This was an extensive exercise and the supplier masterfile

now numbers 29,340 suppliers (as at April 2016). To mitigate the

risk of duplicate suppliers being created in future, the council should

seek to adopt a formal naming convention for each type of supplier

and this should be communicated to all staff who have the facility to

create suppliers.

Action Point 1

16. Exception reporting: A system of exception reporting is an

important tool in preventing and detecting errors or potential fraud at

an early stage through the review of transactions meeting

predetermined criteria. The Oracle system has a workflow section

whereby any issues identified by the system such as invalid

accounting periods, invoices which don’t match the corresponding

purchase order or an invoice relating to an invalid supplier are

flagged and must be followed up by a member of the Central

Accounts Payable (CAP) team before payment can be made.

17. However, no exception reports are produced which identify potential

issues such as high value invoices, duplicate suppliers or amended

bank details. The council should consider whether routine reporting

and review of uncommon output from the system would strengthen

the existing control environment.

Action Point 2

Housing rents

18. Reconciliation of housing stock numbers: The council manages

a housing stock of over 8,000 properties. The periodic reconciliation

of properties on the rent roll to the asset register is an important

control to ensure that the council is levying rental charges on all of

Audit Findings


its properties. At the time of our testing no reconciliation had been

prepared during 2015/16. Management advised that due to staffing

changes within the Property and Risk section, the reconciliation was

not completed quarterly throughout 2015/16. A full year

reconciliation was however completed as part of the council’s year

end processes.

Action Point 3

19. Credit balances: Overpayments on tenants rent accounts occur for

a variety of reasons including deliberate overpayments, changes in

rent liability and payments continuing in error. Such overpayments

show on the housing rents system as credit balances and will be

refunded to tenants when identified.

20. Our testing on refunds of overpayments found that while these were

all legitimate refunds, a number of these had been accruing for a

significant period of time. To reduce the instances of significant

overpayments the council should introduce regular reporting on

credit balances to identify and resolve overpayments promptly.

Action Point 4

Cash and banking

21. Bank reconciliations are an essential control in ensuring that the

council’s ledger cash balance is verified to the balance held in the

council’s bank account. Bank reconciliation statements should be

prepared timeously after the period end to ensure that financial

information is accurate and that differences can be promptly

identified and satisfactorily explained.

22. Our audit testing of 34 bank reconciliations found eight instances

where the bank reconciliation had not been completed within four

weeks of the period end.

23. Bank reconciliations should be signed and dated by the preparing

officer and reviewed and signed off by supervisory staff. Two of the

sample of reconciliations tested were not available in hard copy, we

were, therefore unable to confirm that the prescribed control had

been applied. Where bank reconciliations are not being timeously

performed, approved and filed in accordance with the council’s

prescribed arrangements there is an increased risk of fraud or error.

Action Point 5

Housing benefits

24. Each year the council prepares a subsidy claim for reimbursement

from the Department for Work and Pensions (DWP) in respect of

benefits paid to claimants during the year.

25. Uncashed benefit cheques: The subsidy claim includes a cell to

record the value of uncashed cheques at the year end. Given the

nature of benefit payments, we consider it unusual for claimants not

to cash cheques within a fairly short period. The council recorded

£27,127 of uncashed cheques for 2014/15 which was significantly

higher than in previous years and higher than other Scottish

councils. While officers have explained that these were

predominantly the result of landlords not cashing issued cheques

we consider that a more in-depth explanation for the apparent

anomaly should be pursued. The council should investigate this

Audit Findings


issue thoroughly to identify any underlying issues and take

appropriate remedial action.

Action Point 6

State aid

26. The UK Government defines state aid as “any advantage granted by

public authorities through state resources on a selective basis to

any organisations that could potentially distort competition and trade

in the European Union (EU).” The advantage can apply to grants,

loans, tax incentives or the use or sale of assets for free or below

market value.

27. Public bodies are responsible for ensuring that they comply with the

rules. While we found no evidence of the rules being breached, the

council does not currently have a formal protocol in place for

ensuring compliance with EU state aid requirements. There is a risk

that the council could inadvertently breach state aid restrictions

without appropriate guidance to officers being available.

Action Point 7

Information and Communications Technology (ICT)

28. Risk register: Risk information relating to ICT has been captured at

a strategic level and some operational risk information included in

the Finance and ICT Service Improvement Plan Risk Register. The

council should, however, prepare without further delay, a

comprehensive ICT risk register which identifies the risks associated

with the council's ICT arrangements. This would give a clear focus

to specific issues and allow management and members to have

clear sight of the risks relating to ICT and the mitigation strategy in

place.

Action Point 8

29. Cyber security: Like all organisations, councils face the increasing

risk of cyber attacks targeting ICT systems, networks and

infrastructure. The threat to public sector organisations is very real

as evidenced by a recent ransomware shutdown of IT systems at

Lincolnshire Council and a denial of service attack on the national

education network, JANET.

30. Cyber attacks can occur through entering systems via weaknesses

in software. Regular “patching” contributes to system security by

eliminating known software weaknesses. Other controls such as

firewalls, anti-virus software, email filtering etc. should act as

barriers to unpatched software. Outdated software however

increases the risk of a successful attack. There is a risk that the

council is exposed to an elevated level of risk where systems are

not routinely updated.

31. An IT health check can be used to provide assurance that an

organisation’s external systems are protected from unauthorised

access or change. It does this by highlighting security vulnerabilities

which the organisation can then seek to address. Our review found

that the last full IT health check carried out by the council was in

2013. There is a risk that the council is not fully aware of

vulnerabilities in its ICT systems and may be at risk of unauthorised

access and subsequent damage and interruption to its IT services.

Action Point 9

Audit Findings


National Fraud Initiative

32. The National Fraud Initiative (NFI) is a bi-annual data-matching

exercise which aims to identify possible cases of fraud by matching

information held across public bodies. The most recent exercise

was undertaken in 2015, the results of which were published by

Audit Scotland in June 2016.

33. The matches identified by the process are risk assessed and as this

can be a resource intensive process, in February 2015 the

Leadership Panel agreed that only high quality matches would be

followed up. NFI activity is summarised in the following table.

Total Matches Processed 448

Cases Cleared 440

Total Frauds 3

Total Errors 5

34. Reporting findings: While we are satisfied that the council has

followed up such matches, findings from the NFI process were

reported to members in a Members Bulletin. The council has

agreed that the findings from future NFI exercises will be reported to

an appropriate panel for scrutiny.

Internal Audit

35. Internal audit is provided by the council’s in-house internal audit

section. Internal audit supports management in maintaining sound

corporate governance and internal controls through the independent

examination and evaluation of control systems and the reporting of

weaknesses to management.

36. Our annual review of internal audit, reported to the Audit and

Governance Panel on 10 February 2016, found that the council has

effective internal audit arrangements in place.

37. Our annual audit plan, issued in March 2016, set out the areas of

internal audit work upon which we would be placing reliance.

38. The 2015/16 internal audit plan is now substantially complete. We

confirm that our reliance on controls work and our wider

responsibility work under the Code of Audit Practice will proceed as

planned.

Overall conclusion

39. We have concluded that internal controls are, generally, operating

satisfactorily. There are, however, a number of areas where

management should review the existing arrangements and consider

strengthening the control environment.

Management action

40. A summary of those areas where identified risk exposure requires

management consideration is included at appendix 1. Planned

Audit Findings


action, responsibilities and timescales for action in response to our

recommendations have been provided by management.

Acknowledgement

41. The contents of this report have been discussed with relevant

officers to confirm factual accuracy. The co-operation and

assistance we received during the course of our audit is gratefully

acknowledged.

Appendix 1: Action plan



No. Para. Risk / Recommendation Responsible officer Management response /

Planned action

Target date

1 13 &

15

Trade payables: Creation of and payments

to suppliers

Risk – There is a risk that duplicate supplier

records are created, potentially resulting in

duplicate payments and authorisation

arrangements in place are not sufficiently

robust to prevent inappropriate payments.

Recommendation – The council should adopt

a formal naming convention when adding

suppliers to the Masterfile and should ensure

there is a complete audit trail in place to

support payments to one-off suppliers.

Tim Baulk (Head of

Finance & ICT)

Current approval and risk mitigation

process remains in place. E-

financials Board currently considering

alternative methodology for the

creation of suppliers together with a

new software package/ management

tool to supplement and enhance

control mechanism. In addition the

merits of a cleansing exercise needs

to be considered to resolve current

duplicate supplier records.

31 August 2017



2 17 Trade payables: Exception reports

Risk – The council does not have adequate

arrangements in place to promptly identify

anomalous payments.

Recommendation – The council should

introduce a suite of exception reports within

the trade payables system to identify

transactions which merit further review.

Tim Baulk (Head of

Finance & ICT)

SAC are initiating discussions with

external providers (July 2016) to

carry out a health check on Payables

data, suppliers and payments. It is

intended that following the initial

health check that ongoing

management information will be

provided to mitigate the risk

identified.

31 December 2016

3 18 Housing rents: Reconciliation of housing

stock numbers

Risk - The council may not be realising all

rental income due on its properties or may mis-

state the value of the stock in its financial

statements through inaccurate records.


introduce a regular reconciliation between the

rent accounting system and the asset register.

Ijaz Bashir (Asset

Systems Manager)

Due to staffing changes within

Property & Risk, the reconciliation

was not completed at each quarter

throughout 2015/16. However the

reconciliation was completed for the

year ending 31 March 2016 as part of

the year end process. Arrangements

for carrying out quarterly

reconciliations are now in place.

Completed



4 20 Housing rents: Credit balances

Risk – Substantial overpayments are made

against tenant rent accounts.

Recommendation - The council should

introduce regular reporting on credit balances

to identify and resolve overpayments promptly.

.

Michael Alexander

(Manager (Housing

Operations)

A reporting system is currently in

place and is used by staff with our

Revenues and Arrears Team to

identify and prioritise cases eligible

for refunds. In recognition of the

number of accounts involved, we

have recently increased the level and

allocation of staff resources to deal

with accounts with a credit balance.

Refunds are being processed on an

ongoing basis and we are prioritising

remaining accounts based on the

level of the credit balance.

Completed

5 23 Cash and banking: Preparation of bank

reconciliations

Risk – Bank reconciliations are not being

prepared and reviewed timeously which could

result in delays identifying issues.


ensure that reconciliations are prepared,

reviewed and filed in accordance with the

council’s prescribed arrangements.

Tom Simpson (corporate

Accounting Manager)

Bank reconciliations continue to be a

high priority for the service and

accordingly will be prepared and

reviewed on a timely basis as

commensurate with available

resources. Officers continue to work

with colleagues in other services in

order to improve the quality of and

streamline the flow of information to

allow reconciling items to be

identified and investigated as quickly

as possible.

31 December 2016



6 25 Housing benefits: Uncashed benefit

cheques

Risk - The council recorded £27,127 of

uncashed cheques for 2014/15 which was

significantly higher than in previous years and

higher than other Scottish councils.


investigate this issue thoroughly to identify any

underlying issues and take appropriate

remedial action.

Billy Phillips (Revenues &

Benefits Manager)

This is not considered a significant

area of risk however following the

audit of the 2014/15 subsidy claim,

reports are now provided on a

monthly basis in order to identify and

resolve the reasons why cheques

may not be cashed at an early stage.

Procedures have been updated to

ensure that where payments are

uncashed, the benefit claim is

reviewed and where necessary

updated or referrals to Fraud may be

considered in appropriate cases.

Completed

7 27 State Aid

Risk - The council could inadvertently breach

state aid requirements without a protocol in

place.


develop appropriate guidance for officers.

Jill Cronin (Head of

Enterprise,

Development &

Leisure)

SAC along with North and East

Ayrshire Councils are developing

a protocol and control handbook

which will provide guidelines in

respect of state aid issues.

30 September 2016


8 28 ICT: Risk register

Risk – The council does not have clear sight

of the risks relating to ICT and the mitigation

strategy in place.


develop an ICT risk register without further

delay.

Carol Boyd (Risk &

Safety Manager)

An ICT Digital Transformational

change risk register is being

developed in line with the

Transform South Ayrshire

initiative.

31 March 2017

9 31 ICT: Cyber security

Risk – The council is not fully aware of

vulnerabilities in its ICT systems and may be at

risk of unauthorised access, damage and

interruption to its ICT services.


undertake an ICT health check and review its

arrangements for updating software.

Tim Baulk (Head of

Finance and IT)

Anti-virus updates and Microsoft

security patches are applied and

an annual health check of our

PSN network is completed each

year however a health check on

the wider network has not been

completed for some time.

The Digital Transformational

change programme of work will

address this aspect.

31 March 2017

south ayrshire council

Documents