Final. Internal Audit Report. Creditors System

(1)

This report is not for reproduction publication or disclosure by any means to unauthorised persons. Page 1

Final

Internal Audit

Report

Creditors System

Document Details: Reference: 1.2 / 2014-15

Senior Manager, Internal Audit & Assurance: David Jenkins ext 6567

(2)

Internal Audit Report – Creditors System

Page 2

www.worcestershire.gov.uk

1. EXECUTIVE SUMMARY

INTRODUCTION

As part of the 2014/2015 Internal Audit plan an audit of the Creditors System was carried out, with the points of focus being;

 Adherence to policies and procedures, and;

 Adequacy of controls over input to ensure that payments are authorised, complete, accurate, not previously paid and timely.

BACKGROUND

The Council's creditor (accounts payable) function is maintained by the Revenue Section within Financial Services. The Section is responsible for the processing of invoices and the payment of creditors for the Council using the SAP system. The Section also maintains the vendor master record including the creation of new vendors.

Due to the impending commissioning process the audit looked to ensure that the risks associated with the Creditors' function are identified and transferred where possible. Audit is also represented on the HR/Finance Steering Group and have been able to comment on risks and controls as the process progresses and have been involved during the writing of the contract and formulation of KPI's. The Creditor's service specification was also reviewed and no significant omissions were identified.

The figure for short term creditors shown in the Statement of Accounts at 31 March 2014 was £105.8m it is therefore important to have robust and effective controls.

The previous audit of the Creditors' system was carried out between January and June 2014 covering the 2013/14 financial year. The audit recognised that generally there are appropriate procedures in place; however, there were two areas regarding changes to supplier details (in particular bank details) which management needed to consider in light of the potential risk of fraud in this area.

The Revenue Section aim to pay 59% of their invoices within 10 days. This is an internal target used for performance management and is reported to the Chief Financial Officer on a quarterly basis. It was good to see that in quarter one of 2014/15 the Revenue Section had paid 66% of invoices within 10 days.

OVERALL OPINION

It is pleasing that the overall opinion of this review is ‘significant assurance’.

A sample of forty five Creditor invoices were reviewed with further testing carried out where required.

There are a number of areas of good practice within the Council which have led to the significant assurance opinion, including:

(3)

Page 3

 The controls around the level of checking undertaken on non-order invoices over £50,000.

 For all the invoices in the sample VAT had been properly accounted for when posted in SAP and they had all been authorised and goods receipted by an appropriate officer.

 All invoices in the sample had been incorporated into payment runs which had been carried out by a member of the Revenue Section who is not an authorising officer.

 Controls around Vendor creation were working well as were amendments to Vendors' bank details.

 All of the invoice payments had been correctly coded to the relevant expenditure heads and had been scanned where necessary.

However, we also identified a few areas for improvement during this audit.

 Checks on signatures are not carried out during the verification process to confirm that the invoice has been approved by a certifying officer, due to the lack of an up to date record of signatories. However, this is mitigated by the measures taken to reduce the number of non- SAP order invoices and a commitment to transfer these remaining payments to more secure and efficient processes.

 There are authorising officers in SAP that appear to have left the Council.

 Vendors with debit or credit balances have not been reviewed for some time.

 Invoices not being passed to the Revenue Section promptly in order to ensure that they are paid in a timely manner.

These and other matters that it is felt require attention, together with our recommendations are referred to in the detailed findings below.

Overall Audit Opinion

Full assurance Full assurance that the system of internal control meets the organisation’s objectives and controls are

consistently applied.

 Significant assurance

Significant assurance that there is a generally sound system of control designed to meet the organisation’s objectives. However, some weaknesses in the design or inconsistent

application of controls put the achievement of some objectives at some risk.

Limited assurance

Limited assurance as weaknesses in the design or inconsistent application of controls put the achievement of the organisation’s objectives at risk in some of the areas reviewed.

No assurance No assurance can be given on the system of internal control as weaknesses in the design and/or operation of key control could result or have resulted in failure(s) to achieve the organisation’s objectives in the area(s) reviewed.

(4)

Page 4

SUMMARY OF CONCLUSIONS

2.1 The conclusion for each control objective evaluated as part of this audit was as follows:

Control Objective Assurance

Full Significant Limited None

C01: Any matters arising from the previous audit have been addressed.

 



C02: Segregation of duties is adequate 



C03: Procedures ensure that payments are only made for properly authorised invoices.

 

C04: Payments to suppliers are made in accordance with the authority's payment procedures.

 

C05: Management exception reports are generated and reviewed and outputs checked for overall reasonableness.

 

CO6: Risks have been identified and, where appropriate, can be transferred to any new provider.



 

2.2 The recommendations arising from the review are ranked according to their level of priority as detailed at the end of the report within the detailed audit findings.

Recommendations are also colour coded according to their level of priority with the highest priorities highlighted in red, medium priorities in amber and lower priorities in green. In addition, the detailed audit findings include columns for the management response, the responsible officer and the time scale for implementation of all agreed recommendations.

2.3 Where high recommendations are made within this report it would be expected that they should be implemented within three months from the date of the report to ensure that the major areas of risk have either been resolved or that mitigating controls have been put in place and that medium and low recommendations will be implemented within six and nine months respectively.

3. LIMITATIONS REGARDING THE SCOPE OF THE AUDIT

The following areas did not form part of this audit:

 BACS and other payment procedures.  Write-off procedures

 HMRC Construction Industry Tax  SAP authorisation.

(5)

Page 5

 Reconciliations, suspense and control accounts.  Credit notes and cancelled payments.

 Testing in respect of the Control Objectives is limited to the 45 tested payments (15 SAP orders, 10 non SAP payments, 10 Framework Orders and 10 PR1 payments.

4. ACKNOWLEDGEMENTS

(6)

Page | 6

5. DETAILED AUDIT FINDINGS

Ref. Priority Findings Risk Arising/ Consequence

Recommendation Management Response Responsibility and Timescale

Recommendation Implemented (Officer & Date)

C02: Segregation of duties is adequate 1 Medium

There are 77 current users who appear to have

access to the transactions in SAP listed below but no longer appear on the email system or Lync system indicating that they are no longer eligible to have access to the following transactions:

 FB60 (Entering invoices),  Z:POCLKNEW

(SAP Purchase order raising role)  Z:PRAUTHNEW

(SAP Purchase order authorising role)

It should be acknowledged that the audit examined a sample of SAP

transactions and therefore the list of transactions is

Unauthorised transactions may be processed.

Consideration should be given to producing a SAP report once a month detailing

individual officer's SAP roles within the finance function. This should be reviewed by an

appropriate officer for them to confirm that the role is still required.

This issue has been raised with the S&CA Systems Support team with a view to requesting a change to the Leavers and Movers form to include a section on removal of SAP access.

AP

Officer/S&C A Systems Team March 2015

(7)

Page | 7

not comprehensive and there may be other instances.

C04: Payments to suppliers are made in accordance with the authority's payments procedures. 2 Low

From the sample of 10 non-SAP order invoices there were two examples of the coding slip not being completed correctly, with the calculations checked box not being signed.

Incorrect or

fraudulent invoices may be processed.

Where non-SAP order invoices are received, coding slips should be checked and if

incomplete, unsigned, or contain incorrect

amounts, they should be returned.

Agreed, the AP team are aware that these should be returned. Over the past 2 years we have reduced the number of non-order invoices

processed in this manner significantly. System changes to the non-order function in SAP are currently being

investigated that would lead to workflow approval for all non-order invoices.

AP Officer/ SAP team May 2015

3 Medium There is an agreed list of _{exceptions regarding which}

non-SAP order invoices can be processed, this appears to be complied with. However, it is recognised that there remains a weakness within this confined area

regarding lack of

authorised signatures. This

An unauthorised officer may certify invoices.

Fraudulent or incorrect invoices may be processed.

Only invoices that contain an authorised signature should be processed.

An authorised signature list should be updated and maintained and should hold the individual cost centre numbers that the

As above, the proposed system change would see the authorisation of non-order invoices using the sap authorisation tree as purchase order

invoices, eliminating the need for an external signature list to be kept.

AP Officer/ SAP team May 2015

(8)

Page | 8

is mitigated by the

measures taken to reduce the number of non- SAP order invoices and a commitment to transfer these remaining payments to more secure and

efficient processes.

signatory can authorise.

4 Medium For 6 out of 20 invoices examined, it was found that the invoices were dated before the purchase order had been raised.

Non-compliance with procedures. Formal

authorisation from the budget holder hasn't been given prior to the

commitment.

A purchase order should be raised prior to the receipt of the invoice.

We are currently working with all directorates to improve the current processes. AP will be introducing a NO PO No pay policy & aiming to introduce this in April 2015.

Along side this new policy – AP will be working closely with all SAP trainers to support users who are raising purchase orders after the invoice date.

A new monthly report will be run by the AP team which will highlight the areas which aren't

AP Officer June 2015

(9)

Page | 9

following the correct procedures

C05: Management exception reports are generated and reviewed and outputs checked for overall reasonableness.

5 Medium

Purchase orders with debit or credit balances have not been up dated for some time. There are procedures in place to ensure that unmatched invoice receipt and goods receipt items are investigated i.e. a report is sent out by the Accounting Technician to enable directorates to investigate. However, it appears that this is not always carried out in a timely manner, with a significant number over 1 year old i.e. 338 items totalling £120,698 at the 26th September 2014. Transaction MRBR which details blocked and rejected invoices shows there appear to be items going back 12 months to the beginning of 2014

Issues resulting in vendors with debit and credit balances will not be addressed meaning the amount could continue to increase in the future due to lack of investigation.

Where a vendor account has a debit or credit balance which is over 2 months old, the

Directorate that raised the order should

investigate the situation and take the necessary action required.

As described a monthly report is issued to Directorate Finance teams on GR/IR

balances over 6 months old. Directorate teams have been reminded of the need to review and clear these transactions on a regular basis.

Finance Manager completed

(10)

Page | 10

which total 4.9% of the transactions.

6 Medium

From the sample of 25 invoices paid by the Accounts Payable team, 19 were paid within 30 days of the invoice date; however, payment of 6 of the invoices exceeded 30 days with the most

significant delays being:

 159 Days

 54 Days

 53 Days

Comparing the invoice date and the dates stamped as received in Financial Services it appears that the Revenue Section does not always receive invoices promptly making it impossible to achieve payment within 30 days.

Failure to meet performance targets.

It is important that all invoices are processed for payment promptly in order to ensure that invoices are paid in a timely manner.

Directorates should be written to again to remind them to pass invoices to the Revenue Section as soon as possible.

Whilst performance in most cases is strong with the average time to pay is under 20 days in each quarter to date this year and over 60% paid in 10 days, there are

exceptions which exceed the 30 day target.

The introduction of a No PO No Pay policy is expected to lead to significant improvement in invoice processing efficiency. AP Officer June 2015

(11)

Page | 11

Whilst accepting that delays are outside of the control of the Revenue Section it was agreed following the previous audit that individual directorates would be written to

reminding them of the need to process invoices in a timely manner as per Revenue's performance indicator.

From the sample of 25 invoices 2 invoices had not been paid within the

Revenue Section's Target of 10 days from the date the invoice was input to the date the invoice was

stamped in the Revenue Section.

(12)

Page | 12

Key to Priorities:

High This is essential to provide satisfactory control of serious risk(s)

Medium This is important to provide satisfactory control of risk

Low This will improve internal control

Limitations relating to the Internal Auditor's work

The matters raised in this report are limited to those that came to our attention, from the relevant sample selected, during the course of our audit and to the extent that every system is subject to inherent weaknesses such as human error or the deliberate circumvention of controls. Our assessment of the controls which are developed and maintained by management is also limited to the time of the audit work and cannot take account of future changes in the control environment.