PAYMENTS SHARED SERVICES
Size: px
Start display at page:

Download "PAYMENTS SHARED SERVICES"

Transcription

1 INTRODUCTION In accordance with the 2014/15 annual audit plan, Internal Audit carried out an audit of BSO Payment Shared Service. Given the stage of development of Shared Services and the significance of the Payments Shared Service processes to all HSC organisations, the Payment Shared Service processes have been audited twice during 2014/15. The first audit was conducted during July to September 2014 and Internal Audit provided Limited assurance at that time. The second audit (this current audit) was conducted during January and February All customer organisation payments are now processed by Payments Shared Service (both POP and non-pop). During April 2014 to January 2015 non-pay expenditure was approximately 2.7 billion across all HSC organisations, broken down as follows: Organisation No of payments Total Expenditure ( ) processed BHSCT ,194, NHSCT ,463, SHSCT ,883, SEHSCT ,932, WHSCT ,605, NIAS ,526, NIBTS ,137, BSO 65, ,469, HSCB ,429, PHA ,704, NIGALA 917 5,194, NIMDTA , NISCC ,255, PCC ,588, NIPEC 603 1,651, RQIA ,343, Total ,685,482, LEVEL OF ASSURANCE SUBSTANTIAL SATISFACTORY LIMITED UNACCEPTABLE In relation solely to the scope of this audit and the work performed by audit staff, Internal Audit can provide Management with satisfactory assurance in relation to Payments Shared Service. Overall there is an adequate and effective system of governance, risk management and control. While there is some residual risk identified this should not significantly impact on the achievement of objectives. Some improvements are required to enhance the adequacy and/or effectiveness of governance, risk management and control. SUBSTANTIAL SATISFACTORY LIMITED UNACCEPTABLE In relation solely to the scope of this audit and the work performed by audit staff, Internal Audit can provide Management with limited assurance in relation controls surrounding Management of duplicate payments. There is an inadequate and/or ineffective system of governance, risk management and control in place. Therefore, there is significant risk that the system will fail to meet its objectives. Prompt action is required to improve the adequacy and/or effectiveness of governance, risk management and control. MANAGEMENT SUMMARY Internal Audit can provide satisfactory assurance on the system of internal control in BSO Payment Shared Service. However, Limited assurance is provided in relation to controls surrounding Management of Duplicate Payments within BSO Payment Shared Service. The process for review of duplicate payments on a regular basis has not been normalised and at the time of audit there was still a lack of clarity over the volume of potential and actual duplicate payments and the value of these. Internal Audit noted the following improvements since the time of the last audit: Roles and responsibilities have now been agreed with customer organisations. KPIs have been further developed and agreed for roll out in 2015/16. The backlog of invoices awaiting processing has now been cleared.

2 There are no significant delays within the scanning centre. The average scanning time for January was approximately 1 day. The introduction of a date stamp to accurately record invoice receipt dates for prompt payment purposes. The reasons behind delays are being regularly discussed with customers and payments shared services staff and have been discussed with some suppliers. The following priority 1 weaknesses were identified: At the time of audit the process for review of duplicate payments on a regular basis has not been normalised. Payments Shared Service has agreed with customer organisations that by the 31 March 2015, 95% of all potential duplicate payments will be reviewed and confirmed if recovery is required. At the time of audit there was still a lack of clarity over the volume of potential duplicate payments and the value of these. Recovery of amounts due is running in parallel with the investigation process with progress for each customer at varying stages. For one Trust, there are 92 confirmed duplicates with a transaction value of 1.9m, which had been recovered from suppliers. A further 152 potential duplicates with transaction value of approximately 1.1m had yet to be fully investigated to confirm if they were duplicate payments. The position for other organisations is not yet known. One of the main reasons for duplicate payments arising is the issue of duplicate supplier accounts on the system. At the time of audit approximately 800 duplicate supplier accounts had been identified. Work on cleansing these duplicate accounts has just commenced. Other reasons causing duplicate payments are: o Invoice number had scanned incorrectly. o Received into Payments Shared Services in two different forms (i.e. one manual and one non-pop). o Invoice reference numbers put on the system in two different ways. o The customer had billed to the wrong account so had to be credited off and put under another account. The VAT rate for 4 out of 34 sampled was found to be incorrect. 3 of these related to invoices that automatched within the system and 2 of these were as a result of how the vat on the invoice was picked up in the scanning process due to how VAT and non-vat items were separated on the invoice. 1 was incorrect due to how discount was accounted for and 1 was incorrectly processed by Payments Shared Services. The following priority 2 weaknesses were identified: The reported cumulative HSC prompt payment compliance performance for the period July 2014 to December 2014 is 81.82%, against the target of 95%. Of the 14 customers reported on up to December 2014, the 30 day target for prompt payment compliance was only being met for 2 customers (NIGALA and PCC). As at 3 February 2015 the total number of invoices received but not paid was approximately 38,000 with a value of 71.88m. Of these over 6,000, with a value of 11.5m, had dispute codes raised meaning they did not impact on prompt payment. The value of invoices outstanding for over 30 days by customer organisation ranged between 492 and 10.8m. The main reasons why invoices were not yet paid were as follows: o Awaiting approval on FPM 41% o Invoice does not match Purchase Order 17% o Purchase line unreceipted 10% o No reason given 9% o Rejected in FPM 8% Where an invoice is received into a customer organisation prior to receipt into Payments Shared Services, the date of receipt of the invoice in the customer organisation is not used for prompt payment purposes. It is recognised that this represents a small percentage of invoices being received. Roles and responsibilities for Payments Shared Services and customer organisations have only recently been clarified and agreed by both parties. It is recognised that many of these are already in place. As at 3 February 2015 there were a total of 3,101 invoices outstanding that had been rejected within FPM. These relate to 2012 (6 invoices), 2013 (106 invoices), 2014 (2187 invoices) and 2015 (802 invoices) Whilst dispute codes have been recorded against many of these which means there is no impact on prompt payment, there are also many of these which still impact on prompt payment. Instances were noted where there was no record of action being taken to resolve these. Responsibility for rejections was often unclear. 8.6m was coded to a suspense code across all sub-ledgers as at 24 February 2015 ( 8.1m related to January 2015 invoices). Values per customer organisation ranged between 2k and 3.3m. For 8 out of a sample of 30 of the older invoices received and coded to a suspense account, there was no evidence of recent action being taken to clear these invoices from the suspense code. In addition to the above from the sample of 300 invoices tested Internal Audit noted an instance where an invoice (value 20k plus VAT) approved within FPM was incorrectly coded. 2

3 Where a refund is received from a supplier, this will be received in Income Shared Services. Payments Shared Services rely on Income Shared Services to notify them of any repayments. However, this is not a formalised process. Performance reporting is not yet taking place against 3 KPIs for 2014/15. The following was noted in respect of verification of a sample of 30 recent supplier amendments by Payment Shared Services: o Evidence of verification of changes is not routinely retained, as it is usually carried out via telephone. o The evidence provided to support 1 trader amendment was an from a supplier s accountant sent from a Hotmail address, which detailed the supplier s National Insurance Number and tax reference number. Whilst Key Performance Indicators for Payments Shared Services have been agreed and are being reported on, the Service Level Agreements between the BSO and 2 of the customer organisations have yet to be signed. A number of previous Internal Audit recommendations remain partially implemented at the time of this audit. 1 priority 3 weakness was identified. 3

4 SUMMARY OF AUDIT APPROACH AND RESULTS The overall objective of the assignment was to provide management with a level of assurance as to the operation of controls to manage key risks in the system. RISK/ SUMMARY OF AUDIT SCOPE AND TESTING RELATED AUDIT OBJECTIVES (designed to ensure key controls are in place) RISK 1: Failure to implement previous internal audit recommendations, potentially impacting on audit assurance. 1.1 To ensure all previous Internal Internal Audit confirmed (through substantive testing of across all customers) the status of Audit recommendations have implementation of recommendations from the mid-year 2014/15 Internal Audit of Payment been fully implemented. Shared Services. RISK 2: Inadequate control over non-pay expenditure may lead to inaccurate, duplicate or bogus payments being made. 2.1 To ensure that there is Internal Audit: appropriate control over system Obtained a report of user access to the system for all Payments Shared Services staff access within Payments Shared and reviewed for appropriateness in line with the individual s role. Services. Internal Audit confirmed that there was no system Superusers within Payments Shared Services. Considered whether there are any functions that allow users to bypass authorisation controls and ensured that this is appropriately restricted to senior staff. Tested what controls are in place to oversee any such instances and considered the appropriateness of these. No such functions were identified for Payments Shared Services staff during the course of testing. Internal Audit reviewed of Payments Shared Services staff within the system for appropriateness. It was noted that BSO Business Services Team is responsible for allocating user access on the system and user access beyond Payments Shared Services Staff was not considered as part of this review. 2.2 To ensure that appropriate Internal Audit considered all entry points for invoices received into the Shared Services arrangements are in place for Centre (i.e. , post). receipt of invoices into the Shared Services Centre and for Internal Audit reviewed and tested control processes to ensure that all invoices are captured processing of these on a timely and processed onto the system on a timely basis: basis. Identified what date is being captured as the invoice received date by the scanning centre and confirmed this through observation of staff in the postal section and scanning centre. Checked that invoices are being date stamped upon receipt into Payments Shared Services and confirmed that all invoices tested were date stamped upon receipt (see section 2.5). Ensured that the date being used for prompt payment purposes in the scanning centre is accurate. NUMBER OF FINDINGS 2 1 See 2.8 & 2.11 below See 2.1 & 2.10 below Internal Audit reviewed and tested control processes for receipt of invoices via 4

5 RISK/ RELATED AUDIT OBJECTIVES (designed to ensure key controls are in place) SUMMARY OF AUDIT SCOPE AND TESTING Checked that the date of receipt of the is being used for prompt payment purposes and confirmed this through observation of staff. Ensured that the date used for prompt payment purposes is accurate. NUMBER OF FINDINGS To ensure that there is appropriate control over who invoices are routed to for approval. The accuracy of the date used for prompt payment purposes was tested within Audit objective 2.5. Internal Audit: Confirmed that Finance Process Manager (FPM) approval lists (i.e. knowledge shares) are being kept up to date with customer authorisation frameworks / delegated limits and that there is regular communication with customers and formal processes in place to reflect changes in staffing in customer organisations and also that contact details for managers who approve invoices are being kept up to date. (The operation of this was tested under 2.5 for a sample of non-pop invoices). Considered what action is being taken to prevent re-occurrence where invoices are directed to the wrong approver. Confirmed the process for monitoring the number of rejected invoices for each customer through FPM. Confirmed the number of rejected invoices for each customer. Confirmed the process for following up on rejected invoices. Internal Audit carried out an analysis of all rejected invoices sitting on the register as at February 2015 and considered action taken to resolve these. Tested a sample of 30 rejected invoices and confirmed that these have been followed up and resolved on a timely basis. The operation of FPM was tested for the sample of 300 invoices selected under

6 RISK/ RELATED AUDIT OBJECTIVES (designed to ensure key controls are in place) 2.4 To ensure that there is appropriate control over prompt payment. 2.5 To ensure that payments are accurately processed on a timely basis. SUMMARY OF AUDIT SCOPE AND TESTING Internal Audit: Reviewed the most recent prompt payment cumulative compliance figures for adherence to the prompt payment policy for all customers. Determined what management processes are in place to monitor and improve compliance with prompt payment and, where applicable, determined reasons for any dip in prompt payment performance. Reviewed the report of invoices received not yet paid and considered the extent of these. Identified and tested what action has been taken by management to resolve these. Reviewed the report of outstanding invoices awaiting approval in FPM and ensured that there are appropriate processes in place for reporting to customers and to address any issues. The accuracy of prompt payment was tested for all 300 invoices sampled and reasons for delays documented within 2.5 Internal Audit confirmed if Payments Shared Services have mapped out all different payment types and identified controls in place in respect of each. Internal Audit reviewed processes in place to ensure invoices are accurately coded by BSO Payments Shared Services staff. Considered arrangements for coding of invoices which have not been coded within FPM and for reporting of these. Quantified the extent of invoices coded to suspense codes un-coded invoices for each customer and checked for a sample of 30 older invoices that appropriate action is being taken to address these on a timely basis. Internal Audit selected a sample of 300 invoices/payments (across all customer organisations, including manual payments) and confirmed the following: The invoice/payment was accurately processed and agreed to the buying order or other supporting documentation. Where applicable, the invoice was appropriately approved within FPM on a timely basis. Considered whether the invoice was directed to the correct FPM approver in the first instance. Where this was not the case, checked that appropriate action was taken to ensure accuracy of approval lists. Considered if the correct date of receipt was recorded for prompt payment purposes, taking account of how and where the invoice was received, delays in the scanning centre etc. Ensured that there is transparency over the date the invoice was first received into any HSC organisation and that this had been captured. Considered if payment was made within prompt payment terms. Clarified responsibility 6 NUMBER OF FINDINGS

7 RISK/ RELATED AUDIT OBJECTIVES (designed to ensure key controls are in place) 2.6 To ensure that self-authorisation credits are being appropriately managed. 2.7 To ensure that that invoices are being processed as BACS payments or that there is an appropriate reason for use of cheques. 2.8 To ensure that duplicate payments are reviewed on a timely basis and appropriate action taken. SUMMARY OF AUDIT SCOPE AND TESTING (i.e. through PowerPad) for any delays i.e. delays by BSO in issue for approval, issue of invoice to incorrect approvers or delays in the approval process within customer organisations. Ensured that the invoice was accurately coded (at account code, cost centre and also correct customer sub ledger). Where the invoice/payment was a manual payment and was processed via FPM, considered the appropriateness of this. Ensured that the VAT element was correctly coded. Internal Audit discussed and reviewed the process for authorising credits and ensured that this is appropriate. Using BOXI, Internal Audit obtained a report on credit notes for all customers, selected a sample of 25 credit notes and confirmed: That the credit was appropriate and that this was evidenced by supporting documentation and agreed to the original payment. That the credit was appropriately authorised. Internal Audit identified the methods of making payment to suppliers. Confirmed that suppliers are paid by BACS where possible and what steps have been taken to ensure that this takes place. Considered the reasons that a supplier may be paid by cheque (either a manual cheque or payable order). Internal Audit confirmed responsibility for processing of cheque payments and checked that this had been agreed. Internal Audit reviewed controls in place to ensure the accuracy of the payment before signing of the cheque. Tested this in operation where possible. Internal Audit: Ensured that duplicate payments reports are being run for BSO and all customer organisations of the Shared Service Centre. Considered the completeness of the duplicate payment reports and whether or not these are capturing all duplicate payments. Used Business Objects (BOXI) software to export payments data from FPL Accounts Payable to IDEA software for all customers and carried out an analysis of potential duplicate payments: o Selected a sample of potential duplicate payments from the IDEA report and confirmed that these were captured within BSO Payments Shared Services 7 NUMBER OF FINDINGS

8 RISK/ RELATED AUDIT OBJECTIVES (designed to ensure key controls are in place) 2.9 To ensure that performance information reported to Shared Services customers is complete and accurate. SUMMARY OF AUDIT SCOPE AND TESTING duplicate payments reports. Internal Audit considered the extent to which the Payments Shared Services reports are capturing potential duplicate payments. o Considered any management action to ensure completeness of BSO Payments Shared Services Duplicate Payments reports. o Considered the additional work undertaken to identify and investigate potential duplicate payments. Ensured that responsibilities for checking of duplicate payment reports have been clarified and agreed, and that checking is being carried out as agreed. Confirmed that there is evidence that Payments staff are reviewing prompt payment reports and evidence that potential duplicates are being investigated, actioned and recovered on a timely basis. Internal Audit sought to quantify the number and value of all identified duplicate payments across all customer organisations and how much of this has been recovered. Selected a sample of 30 duplicate payments (for all customers) from the last report run and established the reason that the duplicate had occurred and responsibility for this. Reviewed the process by which customers are notified of any duplicate payments and of any amounts recovered. Ensured that there are appropriate lines of communication between Income Shared Services and Payments Shared Services in respect of any amounts recovered. Reviewed arrangements for providing performance information in respect of Payments Shared Services and considered for appropriateness. Obtained the most recent performance report for all customer organisations substantively tested the accuracy of the information reported to source systems, considering the accuracy of the source information. In respect of prompt payment, Internal Audit considered the following: The accuracy of recording scanning centre performance and how this feeds into prompt payment figures. How the system calculates performance against prompt payment, including the accuracy of the invoice received date used for calculation of prompt payment and: o What types of payments are included in the target; o How delays in the scanning centre are accounted for; o How the invoice received date for invoices received in customer organisations is recorded; o How any backlogs of invoices are accounted for. It was noted that at the time of audit no mechanisms were in place for reporting of rates for auto-matching. This target however is not currently being met. NUMBER OF FINDINGS

9 RISK/ RELATED AUDIT OBJECTIVES (designed to ensure key controls are in place) 2.10 To ensure that there is appropriate control over the handling of trader changes within Payments Shared Services Use IDEA to interrogate data to ensure that payments are appropriate. SUMMARY OF AUDIT SCOPE AND TESTING Internal Audit confirmed that the processes for verification of supplier changes are documented within Procedures and that responsibilities have been clearly defined. Ensured that these have taken account of DHSSPS Circular HSC (F) 49/2013: Confirmed that all staff in Payments Shared Services involved in dealing with any changes to supplier details are familiar with procedures and that they have been made aware of Circular HSC (F) 49/2013. Considered if staff have been advised that they must be careful about the information they give out to callers regarding the organisation s payment processes and any unique supplier identifiers etc. which may be held. Internal Audit selected a sample of 30 trader additions/changes (and included changes to bank details) during the last 6 months for which Payments Shared Services have responsibility for, confirming the accuracy of the change and checked the following: That there was appropriate supporting documentation and the change was in line with this. That as part of standard procedures, suppliers were independently contacted to verify that any change of bank details or contact details was genuine. This should not have been made using the document/letter which was received requesting the change (which may contain false contact information) but should have been done using existing contact details held on file or information obtained from directory enquiries. Considered how contact details are established i.e. use of the Internet. That changes to bank details were verified with the relevant bank and that evidence of this has been retained. That the change request was appropriately approved within Payments Shared Services. Internal Audit used Business Objects (BOXI) software to export payments data from FPL Accounts Payable to IDEA software for all customers. Extracted reports to allow testing in the following subject areas: Potential Duplicate Payments Input VAT Benford s Law Outliers (which highlights outliers based on the expected frequency distribution for first digits) For each report produced from IDEA, Internal Audit reviewed for reasonableness and: See above for testing in respect of Duplicate Payments. Reviewed a sample of 34 payments across all customers where the VAT rate applied was not charged at the standard rate and confirm these were charged at the appropriate rate. Examined a sample of exceptional payments as identified in Benford s Law testing across all customers and confirmed these are valid payments. 9 NUMBER OF FINDINGS

10 RISK/ RELATED AUDIT OBJECTIVES (designed to ensure key controls are in place) 2.12 To ensure that roles and responsibilities have been agreed are operational and staff have received appropriate training on the operation of the efinancials System relevant to their job. SUMMARY OF AUDIT SCOPE AND TESTING Internal Audit confirmed that roles and responsibilities for both Payments Shared Services and customer organisations have been agreed and considered if these are operational. Internal Audit identified any new staff within Payments Shared Services since the time of the last audit and discussed training received. Considered whether staff were in receipt of appropriate training in relation to their role within Payments Shared Services. NUMBER OF FINDINGS Note: We have reported by exception only, and where no issues and recommendations are made, the result of our work indicates that the key objectives and risks are being managed and that procedures are being adequately adhered to. Limitations of scope: The parameters for inclusion of invoices in prompt payment performance are set by the Business Services Team and were not subject to review as part of this audit. It was noted that BSO Business Services Team is responsible for allocating user access on the system and user access beyond Payments Shared Services Staff was not considered as part of this review. 10

11 PRIORITY ONE AUDIT FINDINGS AND RECOMMENDATIONS 1.1 DUPLICATE PAYMENTS RELATED AUDIT OBJECTIVE: 2.8 At the time of audit the process for review of duplicate payments on a regular basis has not been normalised. Payments Shared Services has agreed with customer organisations that by the 31 March 2015, 95% of all potential duplicate payments will be reviewed and confirmed if recovery is required. The process for the identification and recovery of these payments had been shared with customer organisations. Work continues to identify all duplicates and appropriately recover any monies due, however, at the time of audit there was still a lack of clarity over the volume of potential duplicate payments and the value of these. Payments Shared Services are currently concentrating on recovering amounts up to the end of December 2014 for all customers before starting work on possible duplicates from January 2015 on. Recovery of amounts due is running in parallel with the investigation process with progress for each customer at varying stages. Internal Audit noted that for 1 Trust 92 confirmed duplicates have been identified with a transaction value of 1.9m, which had been recovered from suppliers. This figure relates to all duplicate payments from the inception of efinancials in October A further 152 potential duplicates with transaction value of approximately 1.1m had yet to be fully investigated to confirm if they were duplicate payments. Management has advised that these figures will include duplicates which will already have been identified and recovered, however, e Financials has yet to be updated to reflect this. A new process is to be rolled out for coding of duplicate payments within efinancials which will identify the status of follow up of these and when they have been recovered. Similar information has not been presented to other customers as work is ongoing to collate this information, however, management has that advised other customers have either received a summary report on the process to be followed or an update on progress. One of the main reasons for duplicate payments arising is the issue of duplicate supplier accounts on the system. At the time of audit approximately 800 duplicate supplier accounts had been identified, this includes duplicate accounts which may already have been cleansed as part of daily processes. Work on cleansing these 800 duplicate accounts has only just commenced. Internal Audit reviewed a sample of duplicates and the following further reasons were noted where duplicate payments have arisen: Invoice number had scanned incorrectly. Received into Payments Shared Services in two different forms (i.e. one manual and one non-pop). Invoice reference numbers put on the system in two different ways. The customer had billed to the wrong account so had to be credited off and put under another account. A similar finding was reported in the previous audit of this area. IMPLICATION All duplicate payments may not be identified by 31 March There is a risk that if appropriate system controls are not in place or working effectively duplicate payments will occur. There is an increased risk of duplicate payments where duplicate supplier accounts exist on the system. 11

12 RECOMMENDATIONS MANAGEMENT COMMENT RESPONSIBLE MANAGER IMPLEMENTATION DATE Payments Shared Services should ensure work continues for each customer to ensure all duplicates are accurately identified by 31 March 2015 and the recovery process commenced. All customers have received their completed final reports for duplicate payments including debtors information for inclusion in annual accounts. Head of Payments Fully Implemented As reported in the previous Internal Audit report, details of duplicate payments should be shared with customers. This should include reasons for any duplicates and the recovery of amounts due. A detailed report on the status of progress towards identification and recovery of duplicate payments should be presented to all customers. Following completion of current work on identifying all duplicate payments due for recovery up to 31 March 2015, cumulative duplicate payment reports should be run and reviewed on a monthly basis. Reporting on the outcome of duplicate payments identified and recovered should be reported to customers as part of the monthly performance report and should be incorporated in BSO Assurance Reports. The process of coding duplicate invoices to identified progress against recovery of these should be rolled out as soon as possible As reported in the previous Internal Audit report, the data cleansing exercise to reduce the number of duplicate accounts on the system should continue to be progressed. Each month our customers will receive an updated summary position with new duplicates highlighted and recovery progress detailed on their customer performance report. The root cause analysis or raw data will be made available to customers as requested. Each month our customers will receive an updated summary position with new duplicates highlighted and recovery progress detailed on their customer performance report. The root cause analysis or raw data will be made available to customers as requested. This process will be rolled out by April to improve monitoring and reporting capabilities. Data Cleansing Project is on target to complete by 30 June Head of Payments 30 May 2015 Head of Payments 30 May 2015 Head of Payments 30 April 2015 Head of BST 30 June

13 PRIORITY ONE AUDIT FINDINGS AND RECOMMENDATIONS 1.2 VAT RELATED AUDIT OBJECTIVE: 2.5 Internal Audit examined a sample of 34 occurrences where the VAT rate charged was not the normal rate. The VAT rate for 4 out of 34 sampled was found to be incorrect, with a total overpayment and over reclaim of VAT (not overpayment to supplier) of of these related to invoices that automatched within the system. A similar finding was reported within the mid-year Internal Audit Report 2014/15. IMPLICATION Correct VAT rates are not consistently captured and applied in these instances. Incorrect coding of VAT may result in claims for VAT reimbursement being inaccurate. RECOMMENDATION Payments Shared Services should investigate the instances where the VAT has been incorrectly captured/processed and consider if there is a wider issue. Action should be taken as appropriate to address any issues. MANAGEMENT COMMENT The issue has been investigated and attributed to the scanning template of one particular supplier. This contributed to the majority of occurrences. The template will be reviewed and amended to close this issue. RESPONSIBLE IMPLEMENTATION MANAGER DATE Head of Payments 30 April

14 PRIORITY ONE AUDIT FINDINGS AND RECOMMENDATIONS 2.1 PROMPT PAYMENT RELATED AUDIT OBJECTIVE: 2.4 The reported cumulative HSC prompt payment compliance performance for the period July 2014 to December 2014 is 81.82%, against the target of 95%. Of the 14 customers reported on up to December 2014, the 30 day target for prompt payment compliance was only being met for 2 customers (NIGALA and PCC), however, it was noted that there is generally an upward trend in prompt payment compliance. Internal Audit undertook an analysis of invoices received by Payments Shared Services but not yet paid. As at 3 February 2015 the total number of invoices received but not paid was approximately 38k with a value of 71.88m. Of these, approximately 20k were less than 30 days old with a value of approximately 34m and over 6k, with a value of 11.5m, had dispute codes raised meaning they did not impact on prompt payment. Invoices received not paid by customer organisation is broken down as follows: The main reasons why invoices were not yet paid were as follows: Awaiting approval on FPM 41% (15,749 invoices) Invoice does not match Purchase Order 17% (6,670 invoices) Purchase line unreceipted 10% (3,825 invoices) No reason given 9% (3,493 invoices) Rejected in FPM 8% (3,101 invoices) Internal Audit appreciates that weekly reminders are sent to FPM approvers re outstanding invoices awaiting approval and requisitioners regarding unreceipted lines. The date to be used for prompt payment purposes is the date of first receipt of the invoice into any HSC organisation or the date of receiving the goods/services, whichever is later. Internal Audit noted during the course of testing that where an invoice is received into a customer organisation prior to receipt on Payments Shared Services, the date of receipt of the invoice in the customer organisation is not used for prompt payment purposes. It is recognised that this represents a small percentage of invoices being received. IMPLICATIONS Non compliance with DHSSPS Prompt payment targets. There is a reputational risk with suppliers and clients where payments are not processed in a timely manner. Interest charges may be incurred for late payment. Prompt payment is not consistently being recorded accurately to reflect the first date of receipt within HSC. 14

15 RECOMMENDATIONS Payments Shared Services should continue to take action along with customer organisations to ensure invoices are paid as quickly as possible. This action should focus on particular problematic areas such as approval on FPM, invoice not matching the purchase order and purchase lines being unreceipted. Payments Shared Services should ensure all supplier and customers are aware that all invoices should be sent to the Shared Services Centre only. MANAGEMENT COMMENT APSS will continue to work with suppliers and customers to address these bottlenecks. An escalation process to customers will come into effect in June 2015 to target FPM and unreceipted purchase lines. Furthermore a working group has been established with PaLS and first meeting is scheduled for May 2015 to review the persistent low level of auto-matching. Management has received continued support from our customers to ensure all invoices are sent to APSS in the first instance where viable. APSS will issue a mail shot to remind customers that invoices should be sent to shared services centre only. RESPONSIBLE MANAGER IMPLEMENTATION DATE Head of Payments 30 June 2015 Head of Payments 30 May

16 PRIORITY ONE AUDIT FINDINGS AND RECOMMENDATIONS 2.2 ROLES AND RESPONSIBILITIES RELATED AUDIT OBJECTIVE: 2.12 Roles and responsibilities for Payments Shared Services and customer organisations, including controls, have only recently been clarified and agreed by both parties. Whilst many of these are already in place, some processes now need implemented. IMPLICATIONS Payment processing may not be as efficient as possible where both parties do not meet their responsibilities. RECOMMENDATION Payments shared services should ensure that roles and responsibilities, including for controls, are implemented as agreed where these are not already in place. MANAGEMENT COMMENT Roles and responsibilities will be agreed before the implementation of any new processes to ensure an efficient payments process. An escalation process to customers will come into effect in June 2015 to target FPM and unreceipted purchase lines. RESPONSIBLE IMPLEMENTATION MANAGER DATE Head of Payments 30 June

17 PRIORITY TWO AUDIT FINDINGS AND RECOMMENDATIONS 2.3 REJECTED INVOICES RELATED AUDIT OBJECTIVE: 2.1 As at 3 February 2015 there were a total of 3,101 invoices outstanding that had been rejected within FPM. The following was noted in respect of these outstanding invoices: invoices all relating to inter-indebtedness with no impact on prompt payment invoices o 77 relate to supplier error, 38 of which have had a credit note requested. Dispute codes have been raised against these which mean there is no impact on prompt payment. o 29 have dispute codes recorded against them. 16 of these relate to inter-indebtedness, however the others still impact on prompt payment invoices o 1538 have dispute codes recorded which mean there is no impact on prompt payment. For 552 of these credit notes have been requested. o 649 have dispute codes recorded but still impact on prompt payment. 21 have had action taken, including 3 credit note requests, however 342 have a dispute code recorded as FPM reject and no further action is recorded against these invoices o 162 have dispute codes recorded which mean there is no impact on prompt payment. 67 of these have had action taken including 56 credit note requests. o 640 have dispute codes recorded but still impact on prompt payment. 590 have a dispute code recorded as FPM reject and no further action is recorded against these. Internal Audit reviewed a random sample of 30 rejected invoices as at February 2015 and noted that responsibility for rejections was often unclear. This issue was highlighted in the last audit of this area. Management has advised that since January 2015 a register report, including rejected invoices, is run on a weekly basis to examine at the weekly team leaders meeting. IMPLICATION Without timely action on rejected invoices this could affect the customer s prompt payment compliance. 17

18 RECOMMENDATION As previously reported, Payments Shared Services staff should follow up on rejected invoices on a regular and timely basis and should maintain a clear audit trail of follow up of these. This should include regular and timely follow up with both customer organisations and suppliers. Timely action should take place to address those longer term rejected invoices. MANAGEMENT COMMENT Team performance is monitored and shared with all team members on a weekly basis. We have seen improvements in the overall rejected items due to the additional focus. Furthermore, a proposal has been submitted to the regional AD forum on the 24 th March 2015 for the reclassification of CIS suppliers to allow processing without rejection being part of the process. This will significantly reduce the volume of rejected items. RESPONSIBLE IMPLEMENTATION MANAGER DATE Head of Payments 30 July

19 PRIORITY TWO AUDIT FINDINGS AND RECOMMENDATIONS 2.4 CODING OF INVOICES RELATED AUDIT OBJECTIVE: 2.5 When an invoice is scanned onto FPL it is temporarily allocated to a suspense code. Invoices are subsequently coded prior to posting on FPL prior to routing to the customer for authorisation. The time delay between scanning and coding results in an accumulation at month end of invoices held in the suspense account. Other reasons for this are e.g. where a purchase order is not detailed on the invoice or where there is an invoice error or query and a credit is required. In order to accurately report financial information the invoices in the suspense account have to be reviewed by the customer and non-pop expenditure allocated accordingly for the purposes of month end creditors. 8.6m was coded to the suspense code across all sub-ledgers as at 24 February 2015 (although 8.1m related to January 2015 invoices). Responsibility for clearing these items rests with Payments Shared Services. The following was noted in respect of invoices coded to this suspense code: 2 related to invoices received in Payments Shared Services in 2013 (value 2k). 518 related to invoices received in Payments Shared Services in 2014 (value 500k). 3,119 related to invoices received in Payments Shared Services in January 2015 (value 8.1m). Of these, 2,870 invoices (value 7.5m) were within 30 days of receipt. Internal Audit reviewed a sample of 30 of the older invoices received and noted that for 8 of these there was no evidence of recent action being taken to clear these invoices from the suspense code. Internal Audit notes that monitoring of rejected invoices forms part of performance monitoring for staff. In addition to the above from the sample of 300 invoices tested Internal Audit noted an instance where an invoice (value 20k plus VAT) approved within FPM was incorrectly coded. The invoice did not match to the order and was issued for approval via FPM. The invoice was coded to 650B4250 (Management Consultancy), however the invoice related to building works. Whilst the invoice was incorrectly coded within Payments Shared Services, the incorrect coding was not picked up by the approver. IMPLICATION Regular and timely action may not be taken to clear invoices coded to suspense code. RECOMMENDATIONS Payments Shared Services should ensure that regular and timely action is taken to clear invoices coded to suspense codes. MANAGEMENT COMMENT This will be monitored via a KPI in the monthly customer performance report. RESPONSIBLE IMPLEMENTATION MANAGER DATE Head of Payments 30 May

20 RECOMMENDATIONS Management should ensure that all staff are appropriately trained on the coding of invoices. Staff should check the accuracy of both cost centres and account codes prior to processing of invoices for payment. An instruction should be issued to FPM approvers to remind them of the need to check the accuracy of coding on invoices as part of the process for approval of these for payment. MANAGEMENT COMMENT Team performance is monitored and shared with all team members on a weekly basis and discussed at management meeting. A reminder will be issued in line with audit recommendation. After communication with customers is completed an instruction will be issued to FPM approvers to remind them of their responsibilities. RESPONSIBLE MANAGER IMPLEMENTATION DATE Head of Payments 30 April 2015 Head of Payments 30 April

21 PRIORITY TWO AUDIT FINDINGS AND RECOMMENDATIONS 2.5 RECOVERY OF OVERPAYMENTS RELATED AUDIT OBJECTIVE: 2.8 Recovery of overpayments in respect of duplicate payments may take place either via a credit note or a refund from the supplier. Where a refund is received from a supplier, this will be received in Income Shared Services. Payments Shared Services rely on Income Shared Services to notify them of any repayments. However, this is not a formalised process. Payments Shared Services periodically submit a spreadsheet of overpayments to income requesting that they note on this any amounts that have been received from suppliers in respect of these. IMPLICATIONS Payments Shared Services may not be aware of when refunds of duplicate payments are made by suppliers. Payments shared Services records may not be updated to reflect refunds made. RECOMMENDATION A more formal process should be established for regular and timely communication between Income Shared Services and Payments Shared Services regarding receipt of refunds from suppliers, in respect of duplicate payments. MANAGEMENT COMMENT A meeting will be scheduled to discuss pathway to facilitate efficient communication. The outcome of which should be the agreement of a process of refunds from supplier. RESPONSIBLE IMPLEMENTATION MANAGER DATE Head of Payments 30 May

22 PRIORITY TWO AUDIT FINDINGS AND RECOMMENDATIONS 2.6 PERFORMANCE INFORMATION RELATED AUDIT OBJECTIVE: 2.9 Internal Audit noted that Performance reporting is not yet taking place against the following KPIs for 2014/15: First Pass Match Rates of PO and Invoices no reporting mechanism in place. Internal Audit understands that the target is not being met for this KPI. Creditors Management - Unpaid Invoices over 30 days currently no information reported. Average time from invoice being scanned until entered into workflow no reporting mechanism currently available. It was noted that these are included for 2015/16 and that KPIs have been further developed for 2015/16. IMPLICATION Lack of assurance over performance against KPIs where reporting mechanisms are not in place and where reporting on these does not take place. RECOMMENDATION Management should ensure that there are appropriate mechanisms in place for capturing and reporting on performance against all KPIs in 2015/16. MANAGEMENT COMMENT Creditors Management and Workflow information will be available in KPIs RESPONSIBLE IMPLEMENTATION MANAGER DATE Head of Payments 30 April

23 PRIORITY TWO AUDIT FINDINGS AND RECOMMENDATIONS 2.7 SUPPLIER AMENDMENTS RELATED AUDIT OBJECTIVE: 2.10 DHSSPS Circular HSC (F) 49/2013 reiterates previous guidance issued to HSC in relation to false requests to change supplier s bank details. The circular outlines the fraud risk associated with not correctly verifying requests to amend suppliers bank details which can lead to the diversion of payments into incorrect / false bank accounts. Designated Payments Shared Services staff send supplier amendments/creations to the Business Services Team for action. It is currently the responsibility of Payments to ensure appropriate checks have been carried out on the validity of any proposed amendments. Internal Audit selected a sample of 30 recent supplier amendments and noted the following: Whilst management has advised that independent verification of changes takes place, including using Payments Shared Services information and not that of correspondence received, evidence of this is not routinely retained, as it is usually carried out via telephone. The evidence provided to support 1 trader amendment was an from a supplier s accountant sent from a Hotmail address, which detailed the supplier s National Insurance Number and tax reference number. This request had not been fully actioned by the BST Team at the time of audit. It was noted that staff were however familiar with the need to undertake independent checks with suppliers to confirm the accuracy of any changes and that contact with the supplier should be made using contact details within Payments SS or a sources other than that on which the request for change was received. Internal Audit acknowledges that it is proposed in 2015/16 that the role of checking the validity of requests will be the responsibility of the Business Services Team. Work is currently ongoing to review and agree this process. IMPLICATION Sufficient evidence of checks carried out by Payments Shared Services is not retained. RECOMMENDATION Management should ensure that there is appropriate checking of the validity of supplier amendments including verification of bank details with the supplier using a source other than that on which the request is received. A proforma should be established to evidence checks carried out and this should be retained. MANAGEMENT COMMENT All supplier amendments are checked for validity. Staff will be instructed to retain evidence supporting their validation. RESPONSIBLE IMPLEMENTATION MANAGER DATE Head of Payments 30 June

24 PRIORITY TWO AUDIT FINDINGS AND RECOMMENDATIONS 2.8 SERVICE LEVEL AGREEMENTS RELATED AUDIT OBJECTIVE: 2.10 Whilst Key Performance Indicators for Payments Shared Services have been agreed and are being reported on, the Service Level Agreements between the BSO and one of the customer organisations have yet to be signed. A similar issue was highlighted in the last audit of this area. IMPLICATION There may be a lack of clarity over the roles and responsibilities of both the Accounts Payable Shared Service Centre and customer organisations where these are not agreed. RECOMMENDATION MANAGEMENT COMMENT RESPONSIBLE MANAGER IMPLEMENTATION DATE As previously reported, Service Level Agreements should be formalised, agreed and signed by each of the Shared Services customers as soon as possible. A small number of HSC Trusts delayed signing their 2014/15 SLAs until the costs for providing Shared Services were agreed. Shared services costs have been agreed however one signed SLA from SHSCT remains outstanding. Head of Shared Services. Revised Implementation Date: 30 September /16 SLAS have been reviewed and agreed by shared services clients and will be signed off as part of overall BSO SLA process. 24

25 PRIORITY ONE AUDIT FINDINGS AND RECOMMENDATIONS 2.9 PREVIOUS RECOMMENDATIONS RELATED AUDIT OBJECTIVE: 1.1 The implementation of a number of recommendations reported in previous audits remains outstanding at the time of audit. These are as follows: Supplier statements are not being reconciled (2013/14). The audit trail feature has not been activated within the system (2013/14). Electronic request forms have yet to be developed and implemented (2013/14). An incidents log has not been fully rolled out (2013/14). Payments Shared Services should issue invoices for approval in FPM on a timely basis. KPIs have been established for 2015/16 with a target date of 6 days. Reporting against this will be taken forward in 2015/16. Appraisal objectives aligned to the objectives for the Payments Shared Service function and the wider BSO have yet to be set up for each member of staff. Progress against these recommendations has been reported separately in the year-end report on the follow up of outstanding audit recommendations. RECOMMENDATION See 2013/14 and first 2014/15 Payment Shared Service report for related recommendations. Progress against these recommendations has been reported separately in the year-end report on the follow up of outstanding audit recommendations and revised implementation dates. 25

Similar documents
2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback