Part One
ITEM NO. 7

REPORT OF THE DIRECTOR OF CUSTOMER & SUPPORT SERVICES

TO THE: BUDGET & AUDIT SCRUTINY - AUDIT SUB COMMITTEE ON Monday, 13th June, 2005

TITLE: REPORTS ISSUED MARCH TO MAY 2005

RECOMMENDATIONS: Members are asked to note the contents of the report.

EXECUTIVE SUMMARY: The purpose of this report is to inform members of the internal audit activity undertaken by the Audit & Risk Management Unit for the period March 2005 to May 2005 inclusive.

BACKGROUND DOCUMENTS: (Available for public inspection) Various reports and working papers.

ASSESSMENT OF RISK: Internal Audit projects are managed within the Unit’s risk based audit protocols aimed at giving assurance regarding the management of the City Council’s key business risks.

SOURCE OF FUNDING: Existing revenue budget.

COMMENTS OF THE STRATEGIC DIRECTOR OF CUSTOMER AND SUPPORT SERVICES (or his representative):

1. LEGAL IMPLICATIONS Provided by: Deputy Director of Customer & Support Services and City Solicitor
2. FINANCIAL IMPLICATIONS Provided by: Head of Finance

PROPERTY (if applicable): N/A

HUMAN RESOURCES (if applicable): N/A

CONTACT OFFICER: Andrew Waine, Audit Manager, Tel: 0161 793 3357, Email: andrew.waine@salford.gov.uk

WARD(S) TO WHICH REPORT RELATE(S): N/A

KEY COUNCIL POLICIES: N/A

DETAILS: See report attached.

AUDIT & RISK MANAGEMENT UNIT
Committee Summary
PART ONE X   PART TWO

Directorate: Children’s Services
Subject: Salford Consortium
Commencement Date: February 2005
Report Number: 2535
Issued Date: March 2005

Scope

A policy of Post Implementation Review has been formalised by Internal Audit. The review took the form of a follow-up visit, seeking to confirm that all the agreed recommendations from the previous internal audit, report reference 2535/EDU/04 issued on the 14th June 2004, have been implemented.

Internal Auditor’s Opinion

Salford Consortium has made significant progress in implementing the recommendations made within the original audit report.
Our post implementation review confirmed that the position on the key concerns, namely the quality of the learners’ files and the evidence on these files to support funding claimed for additional support, has improved considerably. Two minor recommendations had not been sufficiently implemented at the time of this review. However, in both instances, systems had been introduced and changes have been agreed that will provide a greater level of control.

Original Main Recommendations

- The Administration Team’s list of people in receipt of ALN/ASN funding should be revised, updated, and maintained on an ongoing basis.
- To ensure that all documents on the file are updated as appropriate, Key Workers, possibly following the learners’ eight-weekly reviews, should regularly review learners’ files.

Original Management Response Agreed Agreed Implementation Date Immediately Implemented Agreed 31st August 2005 Current Position Implemented Implemented

Directorate: Customer & Support Services
Subject: Payroll Review 2004-05
Commencement Date: August 2004
Report Number: 2698
Issued Date: March 2005

Scope

The objective of this review was to identify the risks and controls associated with the following processes:

- New starters and leavers
- Accuracy and integrity of employee records
- Deductions from pay and respective payments made to other Organisations
- Variations to pay
- Payroll processing and payroll accounts.

This year’s audit review also sought to confirm that the recommendations agreed in last year’s audit report had been fully implemented.

Internal Auditor’s Opinion

Our review confirmed that the majority of the controls within Payroll are operating effectively and that the key risks are adequately controlled. However, the review did highlight 14 areas requiring action to further enhance the control environment.
The more significant of these matters are:

- The use of exception reports to highlight potential errors or frauds should be extended to provide more comprehensive control
- The current storage arrangements for paper based employee records do not provide adequate security in respect of Data Protection and confidentiality
- There is insufficient documentation to confirm that the rates of overtime paid to some higher earners, in excess of the National Salary Scale guidelines, are appropriate and authorised
- The checks that are required during the leavers’ process are not systematically controlled.

Whilst audit recognises that significant progress has been made since our last review with respect to reconciliations, there are still some accounts that are not being reconciled with appropriate frequency, and there are some small historic balances on a number of accounts that should be resolved.

Main Recommendations

- Overtime should only be paid at a rate higher than scale point 31 when such exceptions have been appropriately authorised and the reasoning for the exception to the scale point 31 rule explained.
- Additional exception reports should also be used to identify instances where:
  - An emergency tax code is used for more than six months
  - Payments are in excess of 25% of their basic salary;
  - Instances of duplicate bank account numbers exist, and
  - There are duplicate names.
- Plans should be implemented to have individual files for employees stored within central cabinets that will be locked outside of the working hours of the payroll section
- In order to evidence that all the checks and tasks associated with processing a leaver are completed, a single proforma leavers’ checklist should be introduced, and circulated to the Outstationed Personnel Teams.
- Those accounts which are not yet reconciled on a regular basis, and any accounts which when subject to monthly visual checks are found to have a balance, should be formally reconciled and any unidentified balances investigated.
In addition, every effort should be made to resolve all historic balances prior to year-end.

Management Response and Implementation Date:

- Agreed, 01/08/2005
- Agreed, 01/08/2005
- Agreed, 01/05/2005
- Agreed, 01/07/2005
- Agreed, 31/03/2005

Directorate: Children’s Services
Subject: St Clements CE Primary School
Commencement Date: March 2005
Report Number: 2552
Issued Date: March 2005

Scope

A policy of Post Implementation Review has been formalised by Internal Audit. The review took the form of a follow-up visit, seeking to confirm that all the agreed recommendations from the audit have been implemented.

Internal Auditor’s Opinion

Our Post Implementation Review found that eight of the eleven recommendations made in our original report had been fully implemented. Of those not fully implemented, we acknowledge that some action has been taken towards their implementation. However, further action is still required to fully meet the requirements of the recommendations made.

One more significant matter has yet to be fully resolved. The Pupil Savings account indicates a difference, estimated to be around £225, between the amount saved and the amount available in the bank and the cash in hand. Whilst some action has been taken to resolve this, the difference has not yet been fully reconciled.

Original Main Recommendations

- The school should immediately ensure that sufficient funds are made available in the Pupil Savings account to reimburse all relevant individuals to the value of their savings as recorded in the School Savings Bank Registers.
- The mandate signatories should be reviewed on an annual basis, with verification of the signatories being approved by the school Governors and any such verification should be minuted.
- The Governing body should approve the scheme of financial delegation on an annual basis. Any such agreement should be minuted.
- Security arrangements regarding visitors to the School should be enhanced.

Original Management Response, Agreed Implementation Date and Current Position:

- Agreed; End of July 04; Not fully implemented
- Agreed; Mid-June 04; Implemented
- Agreed; Mid-June 04; Implemented
- Agreed; 01.06.04; Implemented

Directorate: Customer and Support Services
Subject: Council Tax
Commencement Date: January 2005
Report Number: 2672
Issued Date: March 2005

Scope

The Council Tax and Benefits Section is based within the Customer and Support Services Directorate. It is responsible for the processing, billing and collection of Council Tax. A total number of 92,586 Council Tax bills were issued in March 2004 and net collectable income for Salford City Council was £63,895,246.

The Council Tax system is a key financial system for Salford City Council. It is also subject to external scrutiny from the Audit Commission and therefore an annual review is required to ensure the system is functioning effectively.

The agreed scope of the audit was to identify and evaluate the risks and controls associated with Council Tax. Key risks being:

- Tax payers not charged
- Tax payers charged wrong amount
- Tax not collected
- Incorrect accounting
- System failure.

Internal Auditor’s Opinion

Overall, the audit testing undertaken confirmed that the Council Tax function is well controlled. The majority of controls are operating effectively and key risks identified are adequately controlled. However, a number of weaknesses were identified; the most significant of these were:

- A significant number of items had been posted to the suspense account that had not been cleared, dating from 5 April 1993 to 8 December 2004
- A review of write-off procedures found that write-offs are not formally assessed to ensure only appropriate accounts are written-off, prior to Committee authorisation.

Main Recommendations

- Old items on the suspense account should be investigated, monitored and cleared.
- To maximise the effectiveness of all Council Tax reminder notices, the format of all the reminder notices should be reviewed and amended.

Management Response

- Unidentified items are subject to prompt investigation, monitoring and clearance. The 61 uncleared items mentioned are the residue of 3369 items that have found their way into Council Tax suspense from the commencement of Council Tax in April 1993. 32 items are DWP payments, which were received without sufficient information for the PARIS system to process; these items are currently being looked at by the Recovery team and will therefore remain in suspense for the time being. The balance (29 items) will be written off from the Council Tax suspense account before the 31st March 2005.
- The Special Projects Officer is currently reviewing the wording of reminder notices.

Implementation Date: 31/3/2005; 30/4/2005

Directorate: Children’s Services
Subject: St Paul’s CE Primary (Cross Lane)
Commencement Date: March 2005
Report Number: 2582
Issued Date: April 2005

Scope

Internal Audit audited the School and issued report reference 2582/EDU/04 on the 29th July 2004. A policy of Post Implementation Review has been formalised by Internal Audit. The review took the form of a follow-up visit, seeking to confirm that all the agreed recommendations from the previous audit have been implemented.

Internal Auditor’s Opinion

Seven out of the thirteen recommendations made in our original report have been implemented as agreed. However, the remaining six recommendations have not been satisfactorily implemented, including two higher priority matters requiring more urgent attention:

- The approval of the Governing Body for the Scheme of Financial Delegation has not been recorded in the minutes of the respective meeting
- The School inventory schedule is still incomplete and lacks the necessary detail required.
Original Main Recommendations

- The school should create an inventory record which shows all items valued at over £100.
  Original Management Response: Agreed
  Agreed Implementation Date: End of the Spring term, 2004.
  Current Position: Not fully implemented. The School has started to create a paper-based inventory, however it does not include all the required information.
- The bank mandates should be reviewed and approved by the School Governors on an annual basis.
  Original Management Response: Agreed
  Agreed Implementation Date: End of the Autumn term, 2004.
  Current Position: Implemented
- The scheme of financial delegation should be reviewed and approved on an annual basis.
  Original Management Response: Agreed
  Agreed Implementation Date: End of the Autumn term, 2004.
  Current Position: Not fully implemented. The approval was not recorded in the minutes of the respective meeting.

Directorate: Customer and Support Services
Subject: Payments and Receipts 2004/05
Commencement Date: March 2005
Report Number: 2573
Issued Date: April 2005

Scope

PARIS interfaces with the Council’s Financial Systems and automatically allocates inbound transactions to the correct funds, e.g. Saffron Rents, Council Tax / Benefits, and the SAP system. Items that are not recognised by PARIS as belonging to a known fund are held in a suspense file in PARIS and these require manual intervention to force processing.

Internal Audit reviewed the Payments and Receipts system and issued a report, reference 2573/CS/04 on 16th August 2004. A policy of Post Implementation Review has been formalised by Internal Audit. A follow-up visit was undertaken seeking to confirm that all the agreed recommendations from the previous audit have been implemented.

Internal Auditor’s Opinion

The Post Implementation Review identified that three out of the four recommendations have been appropriately implemented. The remaining recommendation had not been implemented as recommended in the above audit report, however, satisfactory compensating controls are in place.
Original Main Recommendations

- The notes on bills and invoices, describing the different methods of making payments, should be revised to advise customers to obtain and retain a receipt as evidence of payment.
  Original Management Response: All stakeholders will be advised to amend their bills and invoices to reflect the message that customers should obtain a receipt at the time of payment.
  Agreed Implementation Date: Immediate.
  Current Position: Not implemented. The Section Leader (Cashiers) has no direct control over bills / invoices issued. Recent e-mail sent to all Fund Managers requesting that they should include “obtain receipt as proof of payment” on all documentation. Note, when customer pays via Pay Point, the receipt advises the customer to retain the receipt for proof of payment. Discussions will be held with Alliance & Leicester (for Post Office Ltd) to see if “retain receipts as proof of payment” can be added. The current PARIS system allows staff to trace payments.
- A new vetting procedure at the recruitment stage is being introduced. However, it is not planned to include a criminal record check. It is recommended that the new recruitment vetting process be extended to include criminal record checks.
  Original Management Response: This matter will be referred to Personnel as a matter of urgency for their consideration. (Personnel are currently reviewing similar changes to Benefits recruitment).
  Agreed Implementation Date: Immediate
  Current Position: Implemented

Directorate: Customer and Support Services
Subject: Treasury and Cash Management
Commencement Date: January 2005
Report Number: 2690
Issued Date: February 2005

Scope

On an annual basis, an audit review of the Treasury Management (Loans and Investments) process is undertaken by Internal Audit. The objective of the review is to provide management with an independent appraisal of the adequacy of controls in place over the key processes within the Treasury Management system.
The review was undertaken using information and transactions specific to the financial year 2004/05.

The agreed scope of the audit was to identify and evaluate the risks and controls associated with loans and investments. The key risks were identified as follows:

- Inappropriate borrowing;
- Incorrect repayments;
- Incorrect accounting treatment;
- Systems failure;
- Monitoring, review and reporting;
- Inappropriate investing;
- Loss of investment/interest income;
- Incorrect accounting.

Internal Auditor’s Opinion

The audit testing undertaken confirmed that the Treasury Management function is well controlled. All the controls that were tested were operating effectively and the key risks are adequately mitigated; as a result, no audit recommendations are deemed necessary.

Main Recommendations, Management Response and Implementation Date: No recommendations made

Directorate: Children’s Services
Subject: All Souls RC Primary School
Commencement Date: March 2005
Report Number: 2711
Issued Date: April 2005

Scope

The standard objectives of a school audit are to provide an independent appraisal of the adequacy of controls in key functional processes that operate within the school:

- Financial Management;
- Financial Administration
- Asset Management
- Pupil Welfare
- Contracted/Traded Services.

Internal Auditor’s Opinion

The School is in a deficit budget position. The agreed deficit for 2003/04 was reported as £11,358 and was originally forecasted to increase to £47,895 by the end of 2004/05. Tight control over expenditure has resulted in the latest projections anticipating a lower deficit of £19,248 at year-end, which suggests prudent financial management.

We found that adequate controls were in place in most of the areas reviewed. The audit did highlight a number of areas requiring attention to enhance the control environment, which are noted below.
Main Recommendations

- The Headteacher should carry out periodic spot-checks on the cash prepared for banking
- The Governing Body should approve the Scheme of Financial Delegation on an annual basis.
- The School should complete and maintain an inventory of all items greater than £100 in value.
- An independent person should annually audit the School Fund. The resultant audit report and a summary of income and expenditure should be presented to the Governing Body.
- The School should renew its data protection registration at the earliest opportunity.
- The School should complete a new bank mandate and the signatories should be approved by the Governing Body.
- The School's accounts should be formally reconciled on a monthly basis.
- The Secretary should be provided with training on the CIS and its requirements which impact upon her role in processing orders and invoices.
- When orders are processed, the order forms should be signed and dated by the authorising person e.g. the Headteacher or Deputy Headteacher. When invoices are processed for payment, cheque signatories should sign and date the invoice.
- The Headteacher should document her strategy to meet the budget and her reasoning for decisions taken. In order to ensure appropriate management of the budget, these details should be reviewed by the Governing Body or Finance Sub-Committee at each meeting.

Management Response and Implementation Date:

- Agreed, 01/04/05
- Agreed, 01/11/2005
- Agreed, 01/09/2005
- Agreed, 21/06/2005
- Agreed, 18/03/2005
- Agreed, 01/11/2005
- Agreed, 01/06/2005
- Agreed, 1/09/2005
- Agreed, 18/03/2005
- Agreed, 01/04/2005

Directorate: Customer and Support Services
Subject: Main Accounting System
Commencement Date: February 2005
Report Number: 2684
Issued Date: April 2005

Scope

The Main Accounting System at Salford City Council is run on the SAP system. To ensure all balances are accounted for within SAP, all other systems feed into SAP on a regular basis.
At the end of each financial year, SAP is utilised to produce Salford City Council financial statements.

The objective of the review is to provide management with an independent appraisal of the adequacy of the controls in place over the key processes within the Main Accounting System. The review was undertaken using information and transactions specific to the financial year 2004/05.

The results of the review are also subject to external scrutiny by the Audit Commission. The Audit Commission also seek assurance that the key risks associated with the Main Accounting System are adequately controlled and functioning effectively.

The agreed scope of the audit was to identify and evaluate the risks:

- Opening balances not in agreement with the audited accounts
- Inaccurate reflection of the Authority’s financial position
- Main accounting system not in balance
- Incomplete / inaccurate transactions from feeder systems
- Unauthorised / erroneous transactions
- Balances not accurately accounted for.

Internal Auditor’s Opinion

Overall, the audit testing undertaken confirmed that the Main Accounting System is well controlled. The majority of controls are operating effectively and the key risks identified are adequately controlled. However, a weakness was identified in the audit that related to payroll reconciliations being incomplete. In addition, weaknesses were identified via a review undertaken by Computer Audit of SAP Technical (Report ref 2646/CS/04), none of which were considered to present a high risk.

Main Recommendations

- The outstanding payroll reconciliations should be completed and action taken on the unidentified items.

Management Response

Payroll control accounts were identified twelve months ago warranting further investigation. A dedicated resource was applied and reconciliations completed for most accounts. Of the remaining two, one is now complete and the other close to completion. Decisions on unidentified items are planned during final accounts process.
Implementation Date: 31/5/2005

Directorate: Children’s Services
Subject: Brentnall Primary School
Commencement Date: April 2005
Report Number: 2727
Issued Date: April 2005

Scope

To provide an independent appraisal of the existing controls in key functional processes operating within the school.

Internal Auditor’s Opinion

We are of the opinion that the school has adequate controls in place, which are generally operating effectively in most of the areas reviewed. However, the review did identify areas where improvements are needed to the control environment. The most significant areas identified are as follows:

- The requirement to establish a Register of Business Interests
- Approval of the Scheme of Financial Delegation
- Independent review of trip records.

Main Recommendations

- The Governing Body should establish a Register of Business Interests, which should be completed for the Headteacher, all members of the Governing Body and their partners.
  Management Response: Agreed
  Implementation Date: 14.6.2005
- Once a school trip has taken place the balance sheet on the Trips Check List should be fully completed for transparency. The Headteacher should sign the sheet to verify his review and approval.
  Management Response: Agreed
  Implementation Date: 30.4.2005
- The Scheme of Financial Delegation should be approved by the Governing Body on an annual basis and this should be documented officially within the minutes of the Governing Body meeting.
  Management Response: Agreed
  Implementation Date: 18.4.2005

Directorate: Children’s Services
Subject: St Luke’s RC Primary School
Commencement Date: March 2005
Report Number: 2702
Issued Date: May 2005

Scope

The standard scope and objectives of schools’ audits have been determined to provide an independent appraisal of the adequacy of controls in key functional processes that operate within a school.
These include financial management; financial administration; asset management; pupil welfare; and contracted/traded services.

The School has experienced financial difficulties in recent years although savings have been made which have alleviated the situation. The School has recently received Head Room Funding, which has almost eliminated the budget deficit.

Internal Auditor’s Opinion

We are of the opinion that the School achieves a high standard of administration, despite recent difficulties in respect of staffing levels and has adequate measures in place to control the majority of risks within the key processes examined.

Main Recommendations

- The need for the School to work closely with the Education Accountant to ensure that future budget projections are suitably devised and implemented.
  Management Response: Agreed
  Implementation Date: 29 May 2005.
- An improvement in arrangements regarding an independent review of trips and the introduction of a comprehensive costing sheet to be used at the conclusion of trips.
  Management Response: Agreed
  Implementation Date: 30 June 2005.
- The requirement to bring the School’s inventory record up-to-date and to ensure that all significant items are recorded and reviewed annually.
  Management Response: Agreed
  Implementation Date: 27 May 2005.

Directorate: Children’s Services
Subject: St Paul’s C.E. Primary School
Commencement Date: April 2005
Report Number: 2728
Issued Date: May 2005

Scope

The standard objectives of a school audit are to provide an independent appraisal of the adequacy of controls in key functional processes that operate within the school, such as:

- Financial Management
- Financial Administration
- Asset Management
- Pupil Welfare
- Contracted/Traded Services.

Internal Auditor’s Opinion

In our opinion the School is well run and receives strong support from its Governing Body.
The majority of the risks are well managed and its management team have shown prudence in their financial planning and expenditure in order to manage the current budget deficit. However, our review found a number of areas where the control environment should be enhanced; the more significant of these were:

- The governance controls in place for the school fund are weak. The fund is not independently reviewed on an annual basis, and a statement of account, detailing income and expenditure, is not presented to the Governing Body
- The bank mandates for the School's two accounts are not up-to-date. Both include a former member of staff
- All schools are required to register with the Information Commissioner as data controllers, however the School is not currently registered.

Main Recommendations

- The school fund should be formally reconciled at least quarterly and independently audited on an annual basis. In addition, a statement of the fund's income and expenditure should be provided to, and reviewed by, the Governing Body annually.
  Management Response: Agreed
  Implementation Date: 01/07/2005
- The School's bank mandates should be updated. The Governing Body should review and approve the changes.
  Management Response: Agreed
  Implementation Date: 01/06/2005
- The School should complete its registration with the Information Commissioner at the earliest possible opportunity.
  Management Response: Agreed
  Implementation Date: 01/06/2005

Directorate: Children’s Services
Subject: Wentworth High School
Commencement Date: April 2005
Report Number: 2585
Issued Date: May 2005

Scope

A policy of Post Implementation Review has been formalised by Internal Audit. The review took the form of a follow-up visit, seeking to confirm that all the agreed recommendations from the audit have been implemented.

Internal Auditor’s Opinion

Our Post Implementation Review found that the majority of the recommendations made in our original report had been fully implemented.
Only those recommendations relating to the inventory record have not yet been fully implemented, although significant progress has been made in this area and the improvements achieved are in line with the timescale previously determined.

Original Main Recommendations

- An exercise should be undertaken to bring the School’s inventory records up-to-date, along with an improved system to ensure that loaned items are appropriately signed back upon their return.
- Staff should be vigilant to ensure that the door to the main entrance is kept firmly closed.

Original Management Response: Agreed. Agreed.
Agreed Implementation Date: Immediate. End of summer term 2004.
Current Position: On schedule for implementation. Implemented

Directorate: Children’s Services
Subject: St Luke’s CE Primary School
Commencement Date: March 2005
Report Number: 2703
Issued Date: May 2005

Scope

The standard scope and objectives of schools’ audits have been determined to provide an independent appraisal of the adequacy of controls in key functional processes that operate within a school. These include financial management; financial administration; asset management; pupil welfare, and contracted/traded services.

The current Headteacher will be retiring at the end of the summer term 2005, after more than 20 years’ service at the School.

Internal Auditor’s Opinion

We are of the opinion that the School achieves a high standard of administration, and has adequate measures in place to control the majority of risks within the key processes examined.

Main Recommendations

- The school should determine an improvement to the security of the School’s funds whilst participating in trips, by finding an alternative to the use of presigned cheques to pay for activities.
- The need to undertake a review of the records held in the STAR system to ensure that records held are comprehensive and up-to-date.
- The requirement to ensure that the inventory record is accurate and up-to-date by undertaking an annual review.
- The need for the Headteacher to ensure that the Register of Interests is completed promptly and retained on file for reference.

Management Response and Implementation Date:

- Agreed. 10 June 2005.
- Agreed. Already implemented.
- Agreed. 01 July 2005.
- Agreed. 16 May 2005.

Directorate: Environmental Services
Subject: Waste Arisings
Commencement Date: February 2005
Report Number: 2716
Issued Date: May 2005

Scope

The agreed scope of the review was to:

- Ascertain how waste from other sources is accounted for. This includes waste from the Highways Department, New Prospect Housing, and other contractors.
- Benchmark Salford City Council with councils of a similar nature.
- Check the accuracy of the data from Greater Manchester Waste Disposal Authority.
- Ensure that all waste is categorised as Household Waste Arisings.

Internal Auditor’s Opinion

Our review of the data provided by GMWDA highlighted a number of control weaknesses that need to be addressed by management. We are concerned that the City Council could not reconcile the recycled waste to the claim, or the domestic waste arisings to the schedule of waste arisings provided by GMWDA. Invoices for chargeable waste (Grounds Maintenance etc.) that do not reconcile to the tonnage charged are paid without query.

Due to the number of anomalies within the system, we did not feel that it was appropriate to benchmark the figures to other councils. The reason for the increase in domestic waste arisings is difficult to ascertain due to the weaknesses in the control environment. Based on the findings of the audit there is every possibility that the errors highlighted are duplicated in the domestic waste arising figures that are not controlled.

Main Recommendations

Internal Audit made 6 recommendations that were considered to be high priority.
Management have accepted the findings and have agreed to action them immediately.

Management Response: All Agreed
Implementation Date: April 2005

Directorate: Children’s Services
Subject: Lewis Street Primary School
Commencement Date: April 2005
Report Number: 2717
Issued Date: May 2005

Scope

The standard scope and objectives of schools’ audits have been determined to provide an independent appraisal of the adequacy of controls in key functional processes that operate within a school. These include financial management; financial administration; asset management; pupil welfare, and contracted/traded services.

Falling rolls at the School have resulted in the threat of closure or the potential amalgamation with a neighbouring School, Christ Church CE, although a final decision has not yet been taken. The current Headteacher will be retiring at the end of the summer term 2005, and arrangements are in hand to appoint an Acting Head until such time as a formal appointment is made in respect of a permanent replacement.

Internal Auditor’s Opinion

We are of the opinion that the School achieves a high standard of administration, and has adequate measures in place to control the majority of risks within the key processes examined.

Main Recommendations

- The need for the School to agree and implement suitable recovery plans to reduce and eliminate the budget deficit within a specified timescale.
  Management Response: Agreed.
  Implementation Date: 16 May 2005.
- The requirement to reintroduce and appropriately complete the official LEA Finance Stamp and ensure that orders are appropriately authorised.
  Management Response: Agreed.
  Implementation Date: 16 May 2005.
- The requirement to bring the School’s inventory record up-to-date and to ensure that all significant items are recorded appropriately.
  Management Response: Agreed.
  Implementation Date: 31 October 2005.

Committee Summary PART ONE X PART TWO
Directorate: Education and Leisure
Subject: Salford Community Leisure
Commencement Date: April 2005
Report Number: 2708
Issued Date: May 2005

Scope
Salford Community Leisure (SCL), on behalf of Salford City Council (SCC), provides and manages sports and leisure services. Currently, a management agreement is in place between SCL and the Directorate of Education and Leisure. However, this is expected to change in September 2005 and the Directorate of Community Health & Social Care is expected to take over the management agreement with SCL. The review sought to ensure appropriate monitoring arrangements are in place and that SCL are providing a value for money service. The key risks were identified as:
- Management agreement is not authorised, monitored, and reported on a regular basis
- Quality of service and performance is not monitored and reported on a regular basis
- Inaccurate reflection of the Salford Community Leisure financial position.

Internal Auditor’s Opinion
Overall, the audit review undertaken confirmed that the monitoring arrangements between SCL and SCC are well controlled. Two issues were identified, these were:
- Directorate of Community Health & Social Care will assume responsibility for the monitoring of the management agreement with SCL in September 2005, and it is essential that a proper handover period is planned.
- The current performance indicators in place do not enable SCL and SCC to measure accurately if they are meeting their strategic aims.

Main Recommendations
Recommendation: The Directorate of Community Health and Social Care should ensure a member of staff is appointed prior to the handover, in order to familiarise themselves with the systems utilised by the current Directorate. This will ensure that there is a smooth handover and that controls are retained when monitoring the service and performance of SCL.
Management Response: The recruitment process for an Assistant Director for Culture and Sport is about to commence, with the intention of having a new appointment in place by September 2005. If this is not achieved other arrangements will be made to ensure a smooth transition of the monitoring responsibility for SCL to the Community, Health and Social Care Directorate.
Implementation Date: 01/09/2005
Recommendation: The current working group should ensure that the performance indicators are designed to enable SCC and SCL to measure the impact activities are having on particular targets and if SCC and SCL are meeting their strategic aims and goals.
Management Response: The Audit Commission is currently reviewing the BVPIs for cultural services as part of its work on CPA 2005 and is expected to make final decisions on the BVPIs for culture and sport by July 2005. SCC proposes to use the PIs introduced by the Audit Commission as part of the suite of PIs it will utilise for the performance management of SCL and will add to these some local indicators, which the working group is currently preparing.
Implementation Date: 01/08/2005

AUDIT & RISK MANAGEMENT UNIT Committee Summary PART ONE X PART TWO
Directorate: Children’s Services
Subject: St George’s CE Primary School
Commencement Date: April 2005
Report Number: 2747
Issued Date: May 2005

Scope
The standard scope and objectives of schools’ audits have been determined to provide an independent appraisal of the adequacy of controls in key functional processes that operate within a school. These include:
- Financial management
- Financial administration
- Asset management
- Pupil welfare
- Contracted services.

Internal Auditor’s Opinion
The School maintains a high standard of administration although there is a recurring theme in that checks undertaken are not always evidenced and therefore cannot be substantiated.

Main Recommendations
The Governing Body should approve the Scheme of Financial Delegation.
Information in relation to pupils held on SIMS.net should be kept up-to-date and reviewed periodically.
Management Response: Agreed. Implementation Date: 29.6.05
Management Response: Agreed. Implementation Date: 7.5.05

AUDIT & RISK MANAGEMENT UNIT Committee Summary PART ONE X PART TWO
Directorate: Community, Health and Social Care
Subject: Strategy for care first (and related systems)
Commencement Date: October 2004
Report Number: 2660
Issued Date: February 2005

Scope
The aim of the audit was to determine the degree of control over the following risk areas:
- Development/maintenance of the strategy
- Delivery of the strategy
- Meeting business needs

Internal Auditor’s Opinion
The audit has concluded that there was substantial awareness of the key risks likely to affect the development and delivery of a strategy for Care First and related systems. Controls were already in place and Directorate and System Support Unit (SSU) management have recognised that these require enhancing, to manage the effects of the Authority re-structure and the technological changes arising from the need for practitioners to operate within a corporate, regional and national framework. They also recognise that the controls will need to be established within the context of the drive to align all systems and services with one or more of the Council’s seven pledges. It should be noted that some controls were intended rather than actual, e.g. the proposals for a Care First programme board, and considerable effort will be needed over the coming months, to ensure that good overall and IT governance processes are applied and then sustained.

Main Recommendations
A Care First strategy document should be developed, for use by the proposed Care First Programme Board. This could be an extract from the overall ICT Strategy, but should be in an appropriate format for the Board to use in overseeing the development of Care First.
The governance processes for controlling the strategy should be embedded within it or links should be made into processes already incorporated within the overall ICT strategy.
Management Response: Agreed. A Care First strategy document will be presented to the Care First programme board. A recommendation will be made to the Care First Programme board to review this strategy to ensure that the appropriate links are made with the following ICT strategies:
- The Housing Services Directorate
- The Children’s Services Directorate
- The Community Health and Social Care Directorate
The strategy will be developed cognisant of the list of items contained within the appendix.
Implementation Date: April 2006

The SSU and Principal Officer (MI and Performance) should carefully monitor ongoing developments relating to corporate records management policies and systems. The AGMA consultant to the DPA/FOI Steering Group has highlighted a number of particular risks relating to the development of electronic records management systems (ERMS) and electronic document management systems (EDMS) potentially affecting AGMA authorities in general. These should be borne in mind, when creating the strategy for Care First. Those risks which may be of most relevance are as follows:
i) Care First specialists may interpret specific terms e.g. “archiving”, differently to records management specialists
ii) Corporate systems procured may fail to take into account existing or proposed systems for ERMS and EDMS related to Care First. Conversely, Directorate systems could become out of line with corporate systems
iii) There may be differing interpretations of various records management standards, e.g. BS15489 Records Management, E-Government meta-data standard (E-GMS) and the National Archives functional specification for ERMS/EDMS
iv) New systems and modules may be implemented that have no records management functionality or cannot integrate with corporate ERMS/EDMS systems.
The Principal Officer (MI & Performance) performs the Caldicott Guardian role and heads the Caldicott steering group and is also the Directorate lead officer for Freedom of Information. SSU also have a representative on this group and this forum will provide the framework for monitoring ongoing developments relating to corporate records management policies and systems. Ongoing

AUDIT & RISK MANAGEMENT UNIT Committee Summary PART ONE X PART TWO
Directorate: Children’s Services
Subject: SIMS/EMS Data Management
Commencement Date: November 2004
Report Number: 2675
Issued Date: March 2005

Scope
The aim of the audit was to determine the degree of control over the following risk areas:
- Security and backup of SIMS*/EMS data
- Impact of legislative, regulatory and policy requirements on the management of SIMS*/EMS data, e.g. those arising from the Freedom of Information and Data Protection Acts (FOIA and DPA respectively)
*In respect of SIMS, the audit only covered data once transferred from the schools to the Directorate’s Storage Area Network (SAN) drive R, prior to import into EMS.
The audit focussed on the management of EMS data, but it is acknowledged that many of the current legislative and policy requirements impacting on LEAs also affect data not recorded on EMS. It should also be noted that the IT Net Desktop Services Unit administer the SAN drives used by the Directorate, e.g. in terms of user/system access, but a full review of their involvement was outside of the audit scope. It is likely that further audit work will be undertaken in respect of EMS data management issues as part of the 2005/2006 audit plan.

Internal Auditor’s Opinion
The audit has concluded that the risks relating to the security and backup of SIMS import/EMS data are reasonably well controlled. However, for greater assurance, the EMS Co-ordinator needs to establish that the access levels on the various administration user accounts are reasonable, including those enjoyed by Desktop Services.
There is also a need to enhance the user procedures relating to leavers and job transfers. Regarding legislation and policies impacting on the management of SIMS/EMS data, much work is being done in Strategic Support to manage the issues relating to legal compliance and policy adoption. However, there will need to be greater senior management buy-in within the Directorate, in terms of providing resources and sponsoring working groups, if the regulations and policies are to be properly embedded within the context of such drivers as the E-Government targets, collaborative working, best value, customer relationship management initiatives and the seven pledges and sub pledges.

Main Recommendations
Recommendation: A review should be undertaken of user accounts with access to the EMS-related folders on the SAN R: drive and the SAN E: drive containing the EMS database. The review should establish for each account:
i) If it is needed or whether the same functions can be undertaken using another account
ii) Whether the access permissions within the account are set at the right level for routine administration functions, e.g. does “allow” need to be switched on for Full Control, Modify, Read & Execute, etc. *
iii) Whether Desktop Services access is appropriate
iv) That default passwords have been changed for default accounts such as System and Domain Admins.
*System administrators often reduce their own access levels on certain user accounts, in order to limit the amount of damage an unauthorised user could cause.
Management Response: This review is currently underway and the points noted will be incorporated into that review. The result will be a procedure for assessing the appropriate access rights for individuals and new users. The issue of desktop services access will be reviewed separately under discussion with Corporate IT.
Implementation Date: June 2005 for implementation before the next school year.
Recommendation: A formalised system should be introduced for identifying and administering EMS users who leave the Directorate or transfer jobs within the Directorate.
Management Response: Work is ongoing with Corporate IT to be included in the loop for closedown of email and computer access.
Implementation Date: April 2005

Recommendation: Managers of each unit should be asked which staff have a need to access the EMS system and which modules they should be using. As a complementary control, the emailing function built into the EMS user detail screens could be exploited, e.g. users could be asked to confirm their post and section/unit. Where no response is received within a pre-determined period, the user should be de-activated.
Management Response: It is hoped to include this user directory function as part of the above review (F1)
Implementation Date: June 2005

Recommendation: An Intranet-based access administration system for starters and leavers is being considered for inclusion within the corporate Employee Portal, which is under development within the E-Government programme. This should be borne in mind when devising a more formal system for EMS or, for example, EMS could be used as a pilot system.
Management Response: Noted.
Implementation Date: Ongoing

Recommendation: The number of failed password attempts allowed at EMS log-on should be reduced from ten to three.
Management Response: In the first instance this will be reduced to 5 with a review later.
Implementation Date: February 2005

Recommendation: Strategic Support should investigate the options for obtaining appropriate knowledge and/or advice in respect of the legislation, e.g. Learning and Skills Act, Education Act, Health Authorities Act, etc., impacting on the sharing of data between the LEA and its partners. Possible options are:
i) Formally establishing whether there is a representative within the Authority’s legal team, already specialising in these areas, who could be periodically consulted
ii) Establishing the level of knowledge within the Community, Health and Social Care directorate. A small joint working group could be set up to examine the key issues, which could be a sub-group of an existing group, e.g. one of those already meeting to deal with Authority re-structure issues
iii) Investigating the possibility of using an area approach to the issue, e.g. an AGMA-funded consultant, or of using existing legal services provided under the AGMA Joint Services Delivery initiative
Note: Recommendation F4 is offered to provide independent support for any ongoing actions in this area.
Management Response: Discussions with corporate Legal team are to be arranged with a view to assessing the implications of legislation on data sharing and storage within the current systems and structures. Opportunities for sharing information with other directorates will be explored.
Implementation Date: March 2006

Recommendation: The resources situation should be reviewed in respect of the workload of the Data Validation Group and the following factors taken into account:
i) New controls/procedures will need to be embedded, to sustain the integrity of EMS data, once the existing data has been cleansed, in order that credible management information can be produced from EMS
ii) New EMS modules are due to be implemented, leading to an increase in the amount of data recorded on EMS, potentially adding to the existing reliability problems
iii) Implementation of the Capita B2B module will mean greater integration between SIMS and EMS, but could bring new data integrity risks.
iv) Priorities are changing in respect of the management of EMS data, e.g. the need to ensure data integrity is becoming more pressing, as the extent of data sharing initiatives widens.
Management Response: Whilst it is appreciated that the EMS team is under resourced and that the validation of the data and the roll out of new modules is being delayed, it needs to be understood that the directorate is in a state of change. These considerations will be taken into account and will be addressed along with the overall reorganisation.
Implementation Date: September 2005

Recommendation: A working group should be set up within the Directorate (or an existing one identified), to oversee compliance with corporate policies/legislation, e.g. the FOIA, appertaining to non-personal EMS data. Regarding the specific issue of retention and destruction schedules for EMS data, consideration should be given to drawing up schedules, pending the introduction of a working group.
Note: To ensure consistency, such a working group would also need to tackle the issues for data not recorded on EMS.
Recommendation: The Strategic Support Unit should carefully monitor ongoing developments relating to corporate records management policies, including the introduction of electronic records management systems (ERMS). Risks likely to be of relevance to EMS are as follows:
i) IT and Education specialists may interpret the term “archiving” differently to records management specialists
ii) Directorate systems procured, e.g. EMS modules, may be out of line with Corporate systems procured for ERMS
iii) Directorate policies/standards relating to EMS may become out of line with various records management standards, e.g. ISO 15489, E-Government meta-data standard (E-GMS) and the National Archives functional specification for ERMS.
If a working group was set up or identified, as recommended in F6, then the group should manage the above risks.
Management Response: A strategy Group will be set up with AD representation and Senior Managers from within the Directorate. They will oversee the compliance stated but will also look at the wider strategic implications of EMS (and SIMS)
Implementation Date: April 2005
Management Response: The Strategic group above will be supported by a working group that will be made up of users and ‘champions’ of the system.
Implementation Date: September 2005
Management Response: These issues will be raised in both these forums and with help from the partnership information officer and contacts with the corporate FOI and DP teams the issues will be addressed.

AUDIT & RISK MANAGEMENT UNIT Committee Summary PART ONE X PART TWO
Directorate: Community & Social services
Subject: NHS NET
Commencement Date: January 2005
Report Number: 2679
Issued Date: April 2005

Scope
The audit will assess the degree of control over the key risks threatening the management of NHS Net, in relation to the following aspects:
- Access Controls
- Data Security
- Availability of data
- Security and reliability of data transported

Internal Auditor’s Opinion
Access controls were adequate, but there was some question over whether they complied with NHS requirements; investigation revealed that the NHS position was shifting. There was an issue concerning the maintenance of the access of leavers and movers. A project was outstanding to implement a new server to monitor firewall activity. Non-disclosure agreements were issued, but procedures in place did not ensure they were completed and returned prior to access being granted. There are single points of failure, in that if a communications line into a building fails then NHS systems will not be accessible. Users are required to use a number of methods / products to access email messages. Stronger change control procedures are needed to meet NHS requirements. There was a question about the security of email messages coming in from the NHS to SCC staff.

Main Recommendations
- To ensure access to NHSnet systems, funding must be obtained to implement strong two-factor authentication.
- A process of identifying leavers and movers should be put in place and a process developed to ensure that access is maintained in a timely manner.
- The implementation of the firewall monitoring server should be completed as soon as possible. Procedures should also be put in place to ensure that appropriate analysis is applied to the logs generated.
- Consideration should be given to introducing an Intrusion Detection System on the SCC network to give a greater strength in depth against the possibility of unauthorised access.
- Procedures should be developed to ensure that the confidentiality and non-disclosure forms are signed and returned before access to systems is allowed.
- A business impact analysis should be carried out to determine if the lack of resilience for the NHSnet link exposes the organization to significant risk.
- A review of the NHSnet connection configuration should be carried out, on at least an annual basis to ensure that SCC remains compliant with the code of connection.
- In accordance with guidelines from NHSIA the Head of Social Services or a nominated deputy should approve changes to NHSnet connection configuration.
- Discussions should be entered into with NHS partners regarding strengthening the security of data emailed from NHS to SCC. Options include: routing traffic down the secure line; encrypting emails. Additionally, SCC staff working from NHS premises should be periodically reminded not to send confidential e-mails / attachments from NHS equipment to SCC due to the risk that the email may be routed through the Internet.

Management Response
Accepted, however recent advice from the GMSHA Deputy CIO is that authentication requirement is now at application level. Funding will be sought to address the authentication requirements of the Registration Authority.
Discussions have taken place with the Directorate’s HR team. It is recognized that a corporate solution is being developed although no delivery timescale has been agreed.
Agreed that a report will be commissioned from the system supplier to meet this requirement.
Authorised previously by this Directorate. We will continue to liaise with the IT services team to completion. Discussions will be held with relevant parties to determine the most effective analysis is applied to the logs generated.
We have been advised by IT Services that this recommendation is “Already part of other Audit reports and as agreed with Audit, can be consolidated into 1 recommendation covering several audits”.
Accepted. Discussions will be held with relevant parties to determine most effective procedure.
Network resilience is considered as part of the ongoing implementation of the link. It is accepted that a business impact analysis should be undertaken. Action will be taken accordingly.
Agreed. A review process will also determine the appropriate review period (minimum annually)
A process for approving changes to the NHSnet connection configuration has been agreed.
Discussions have already taken place and are continuing with NHS partners and SCC Corporate services regarding strengthening email security. Agreed. Periodic reminders will be given to staff regarding the Corporate Information Security Policy.

Implementation Date
9 Months; 3 Months; August 2005; 2 Months; 3 months / August 2005; 4 months; 2 months; Done; 3 Months

AUDIT & RISK MANAGEMENT UNIT Committee Summary PART ONE X PART TWO
Directorate: Customer and Support Services
Subject: Sx3 (Council Tax and Benefits replacement system) Readiness. Phase two. UAT
Commencement Date: April 2005
Report Number: 2732
Issued Date: May 2005

Scope
The aim of our review was to ascertain the level of readiness for go-live and to identify any potential issues or risks that may prevent or delay the successful implementation of Sx3. In order to produce timely reports and manageable work packages, we adopted a phased approach. This summary refers to phase two of the work, which provides an opinion upon the adequacy of the user acceptance testing.
(UAT)

Internal Auditor’s Opinion
The UAT processes have been well designed and managed but the bulk of the business process testing was carried out in August 2004 using early versions of the software and before many of the bespoke services and reports had been delivered. Sx3 functionality has been proven through its use by other councils and therefore the main risks lie with the bespoke interface work and reports. User testing is continuing via weekly, half day familiarisation sessions and modular tests of the bespoke work delivered but this cannot provide the end-to-end assurance of a full UAT using the latest version of the software and all the related interfaces, batch schedules and reports. In their response to this audit, management have confirmed that all key areas will be tested before go live. This is planned for week commencing 6th June 2005 with go live following on 20th June which leaves only one week to resolve and retest any issues.

Main Recommendations
- The project board should arrange for a full end-to-end test prior to go-live.
- The project board should assess and agree the responsibilities for the ownership, security / integrity and maintenance of the existing council tax and benefits applications, following Sx3 go-live. This could be considered as part of the related work on systems management. (Audit report 2729/CSS/2005.)

Management Response
End to end testing is covered in part by the system testing task which links in with the testing of the batch schedule. As individual testing of interfaces, reports and documents are completed they will be included in these tests. All individual items may not be included in the system testing due to time constraints.
S. Fryer has had preliminary discussions with I.T. Services about the on-going use of the in-house system and future discussions will include these issues.
Implementation Date
Batch schedule testing started April 18th. System testing was due to commence May 9th but will now only run for one week w/c June 6th.
Complete

Committee Summary PART ONE X PART TWO
Directorate: Customer and Support Services
Subject: Sx3 (Council Tax and Benefits replacement system) Readiness. Phase one. Status
Commencement Date: April 2005
Report Number: 2721
Issued Date: May 2005

Scope
The aim of our review was to ascertain the level of readiness for go-live and to identify any potential issues or risks that may prevent or delay the successful implementation of Sx3. In order to produce timely reports and manageable work packages, we adopted a phased approach. This summary refers to phase one of the work, which provides an overview of the current status of the development. Phase two will cover the user acceptance testing and phase three the data migration and cutover.

Internal Auditor’s Opinion
The audit has concluded that the risks relating to SX3 readiness are reasonably well controlled by the project manager but we are concerned that there is little assurance, at project board level, that the outstanding developments, issues, risks, interfaces etc will be completed and solutions to problems found, in time for the “go live”. This was an interim report that has been prepared to flag up key risks in time for the 21st April project board meeting. Some of our recommendations are made to provide guidance and advice in areas that are still under review and others are made in order to obtain confirmation that any potential showstoppers have been identified and are being managed.

Main Recommendations
Recommendation: The project board should ensure that all outstanding tasks, issues and risks are prioritised, given owners, resource requirements and achievable completion dates.
Management Response: Agreed
Implementation Date: Complete
Recommendation: The project board should assess the status of each reconciliation and the likelihood of achieving a balance.
A decision should be taken as to which reconciliations are vital prior to go live. Where reconciliation is unlikely to be achieved they should assess the risks of accepting the SX3 balance in favour of the existing totals.
Management Response: Agreed. The errors in Cut 5 cannot be corrected and tested before go live so the system will go live with known reconciliation failures. These will be investigated and corrected in the live system.
Recommendation: The project board should assess the status of data cleansing and the potential effects upon the integrity of SX3 should cleansing not be completed prior to go live.
Management Response: Low risk. No significant issues with data cleansing
Recommendation: The project board should ensure that all interfaces are signed off as accepted at an appropriate management level within the partner/stakeholder area.
Management Response: This will be arranged for all out feeds.
Recommendation: The project manager should agree the priority levels allocated to each interface to ensure that every vital interface will be available at go live.
Management Response: Agreed
Recommendation: The project board should identify all outstanding testing and ensure that this can be effectively completed before go live.
Management Response: Superseded by UAT report (2732/CSS/05). One week of end-to-end testing planned for W/C 6th June
Recommendation: The project board should identify the resource and skill requirements from now up until the backlog has been cleared and identify and action any potential conflicts for resources or bottlenecks of work.
Management Response: Ongoing. SH, SF and MV meet regularly to monitor progress and issues
Implementation Date: 10 June 05; Complete; 30 May 05; Complete; 10 June 05; Complete

AUDIT & RISK MANAGEMENT UNIT Committee Summary PART ONE X PART TWO
Directorate: CUSTOMER & SUPPORT SERVICES
Subject: FREEDOM OF INFORMATION ACT PIR
Commencement Date: January 2005
Report Number: 2686
Issued Date: May 2005

Scope
The aim of the original audit was to determine the degree of control over the following risk areas:
- Implementation and maintenance of the FOI Publication Scheme
- Receipt and processing of information requests
- Records management.
The aim of this post implementation review (PIR) was to ascertain progress on the recommendations made in the audit report (ref. 2593/CS/04), issued in September 2004, and to comment on current issues relating to the implementation of the FOIA at Salford.

Internal Auditor’s Opinion
The PIR has determined that the majority of the recommendations highlighted by the original audit have been carried out and the level of effective control over risks has been improved. It is acknowledged that progress has been made to improve the overall management of the project through the introduction of some of the principles of PRINCE 2. However, the lack of the use of formal risk/issues logs may affect the continuity/reliability of the project in the event of key personnel being absent for a protracted period or leaving the employ of the Authority. There is also a possibility that some risks and issues will be missed or not managed properly. Three new recommendations have been made relating to: the gathering and retention of information in respect of credit/debit card payments; consideration as to whether or not the Authority charges disbursement fees for information; and the development of a corporate records management policy.

Main Recommendations
Recommendation: Assurance must be given that the information gathered for the purpose of enabling credit/debit card payments to be made, is obtained and retained being cognisant of the principles of the Data Protection Act and credit card companies’ requirements e.g. the Payment Card Industry (PCI) standard. Audit recommends that advice on the performing of a risk assessment in this area should be sought from the Authority’s Corporate Information Security Manager
Management Response: An e-mail was sent to the SG which included the following instruction. This issue was also discussed at the SG meeting 12.04.05.
“Please note, if you take any card details for processing payments, you must retain ownership of the details and shred immediately, once the payment has been processed. Do not leave details with payment clerks. Please do not delay in the processing of these details and do not leave details unattended at any time”.
This instruction has subsequently been superseded by the following instruction, ‘Accepting Payments for FOI Charges’, stating that the method of payment for information is (in order of preference) debit card; credit card; cheque. Payment by cash is not to be offered or encouraged but can be accommodated if absolutely necessary. Enquirers are to be referred onto Customer Services cashiers who will deal with payments by debit/credit cards. RFICs should not take any card details. Cheques should be sent by post and RFICs should not take receipt of cheques. Applicants must make an appointment with a named officer from the Cashier Team if they wish to make payment by cash. RFICs must not take cash payments.
Implementation Date: Actioned

Recommendation: The Authority should consider establishing a policy whereby disbursement fees below a threshold of £100, for example, are waived.
Management Response: Already considered. It is thought that charges of above £10 would discourage frivolous requests. This is within the parameters of the other GM authorities. To re-consider if necessary.
Implementation Date: Actioned

Recommendation: The development of the Corporate Records Management Policy should be regarded as a high priority and the IO should do what she feels is necessary to ensure the policy is formulated expeditiously. This may include more involvement on the part of the Head of Law and Administration to encourage directorates to comply with relevant deadlines set by the IO. Audit considers a prompt appointment of a records manager/archivist (as detailed in F6 above) will also provide the necessary help and extra resource required in this area.
Management Response: A report is being prepared for Directors Team re the appointment of a records manager. It is anticipated that a records manager will be in place by the end of September 2005.
Implementation Date: September 2005.