If you would like to discuss any matters raised in this report please do not hesitate to contact us.

Transcription

1 Constructive Report to Management for the year ended 30 June 2017

2 24 Anzac Parade Hamilton East Hamilton 3216 PO Box 17 Waikato Mail Centre Hamilton 3240 New Zealand 5 October 2017 Tel: Fax: lors Private Bag 7 TOKOROA Dear lors Constructive Report to Management for the year ended 30 June 2017 In accordance with our normal practice, we enclose our comments on certain internal controls and accounting practices which came to our attention during our audit of the financial statements of ( South Waikato DC ) for the year ended 30 June The matters raised in this report have been discussed and agreed with management of South Waikato DC and their comments have been included. We remind you that our audit was not designed to provide assurance as to the overall effectiveness of the controls operating within South Waikato DC, although we have reported to management any recommendations on controls that we identified during the course of our audit work. Recommendations for improvement should be assessed by you for their full commercial implications before they are implemented. This correspondence is part of our ongoing discussions as auditor in accordance with our engagement letter dated 19 May 2017 and as required by the Auditor-General auditing standards which incorporate the New Zealand auditing standards. This report includes only those matters that have come to our attention as a result of performing our audit procedures and which we believe are appropriate to communicate to the and management. The audit of the financial statements does not relieve management or the lors of their responsibilities. The ultimate responsibility for the financial statements and the design, implementation and maintenance of an appropriate internal control system to prevent and detect and fraud rests with the lors. We have prepared this report solely for the use of the and management and it would be inappropriate for this report to be made available to third parties and, if such a third party were to obtain a copy without our prior written consent, we would not accept responsibility for any reliance that they might place on it. We would like to take this opportunity to extend our appreciation to management and staff for their assistance and cooperation during the course of our audit. If you would like to discuss any matters raised in this report please do not hesitate to contact us. Yours sincerely DELOITTE Melissa Youngson, Partner for Deloitte Limited on behalf of the Auditor-General Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its Member Firms. A member of Deloitte Touche Tohmatsu Limited

3 Observation Recommendation Management Audit-related findings Sensitive Expenditure Credit Cards During our testing of sensitive expenditure, the following item was found. A credit card was issued in the name of a former employee and was still being used under that employees name even though she is not an employee of during FY17. We recommend a change the name on the credit card to someone who is currently employed by South Waikato District and appropriate in the hierarchy. The credit card has now been cancelled and a new one issued. This was the card that had been used at the library. Claiming GST on expenses that do not have a valid Tax Invoice During our testing of Credit card expenditure, it was discovered that GST was being claimed by using receipts, and not tax invoices. We recommend that if South Waikato District is to claim GST for business expenses that a valid tax invoice should be obtained for every purchase. This was for accommodation booked through Expedia. The GST error had been discovered and corrected. New procedures are now in place to ensure this doesn't occur again. Mayor Expense Claims not appropriately authorised. We note that some mayor expense claims have been approved by CEO which is not the appropriate level of delegated authority. Although the expense claim has been authorised we recommend that all Mayor expense claims are authorised by either the Deputy mayor, or the Chairman of the Audit Committee following the one up authorising principal. This process has been revised. No independent one-up approval of payments During our testing of sensitive expenditure, it was discovered that one invoice was approved by a person who was one of the people benefiting from the expense. Although we acknowledge that the payment was approved by the appropriate one-up person who raised the payment, it is best practice to have an independent person approving payments and not be one of the people who is a beneficiary of the expense. This was an isolated instance where the person approving was in an Acting role, and had been part of the group of people who attended the training that was being authorised. Timely review of policies During review of policies it was noted that the telecommunications policy and delegations authority listing have not been reviewed in a timely manner. Policies should be reviewed at least every two years, and the delegations listing on a yearly basis to ensure it is kept up to date for employee changes. We recommend that policies are reviewed in a timely manner relative to the policy being due for review. Noted

4 Page 4 Observation Recommendation Management Review of KPI s only just achieved During review of KPI's included in the Statement of Service Performance, one instance of KPI data being reported incorrectly was noted. It was noted that this KPI was reported to have only just been achieved. The KPI related to pool water quality compliance and was reported as 91.96% compliance, whereas using the correct data gave a figure of 89.6% (the target is 90%). The target is still met when the figure is rounded. Purchase order controls As part of our work of understanding the controls in place over expenditure the following was noted that the monthly review of open purchase orders does not capture all purchase orders. A spreadsheet is maintained which lists all open Purchase Orders, this is supposed to be reviewed on a monthly basis and any outstanding Purchase Orders followed up with the requester. We sighted the Purchase Order spreadsheet for March 2017, noting that the majority of open Purchase Orders had no evidence of being followed up with the requester. IT-system related findings Deloitte recommends that for all KPI's which have been achieved with 2% of the target, the input data is reviewed by an SWDC staff member independent of the department that the performance measure relates to. This is to ensure data is not manipulated to make up the difference between nonachievement and achievement of a KPI. Additionally, the variance in the pool water quality compliance noted is outside the 2% tolerable threshold; it is recommended that the Statement of Service Performance is amended to reflect the correct data. We recommend that all open purchase orders are followed up by Management with the requester, and their comments documented. In future an annual audit will be done to ensure the measures are accurate. The Statement of Service Performance was amended for this. All open purchase orders are followed up on by first ing out the list to budget managers and asking for a response, and secondly the accounts payable officer physically visits anyone who has not responded to ensure that the list of open purchase orders is correct. Evidence of user access review During our review of the I.S, control environment it was noted that there is no formal log or audit trail to ensure that user access reviews have occurred for both NCS and Windows accounts. This raises the risk that there are accounts active for contractors or staff who are no longer employed by the council. We recommend that formal documentation is maintained of user access reviews, such as a document signed by the person who conducts the reviews noting the time date and any outcomes of the review. We recommend a review at least on an annual basis. Although a formal log or audit trial was not kept, user account access is regularly reviewed when changes to Active Directory account are required. In future we will strive to complete quarterly reviews of user access to improve our auditability.

5 Page 5 Observation Recommendation Management I.S Policies During our review of the information, systems control environment it was noted that the following key I.S documents were outdated or did not exist; Systems Strategic Plan or similar document Business Continuity Plan, Disaster Recovery Plan or similar Systems security design or review Internet security design or review Data models such as UML models or Entity Relationship Diagrams Process flow diagrams This raises the risk that appropriate measures have not been put in place to mitigate risks which may affect the council information system. We recommend that formal documents are completed for the fore mentioned documents to ensure appropriate planning has been made for risks that affect the I.S environment. Agreed that these documents need to be created. An Information Services Strategic Plan is currently being developed and should be complete by early Business Continuity Plans will be created once the organisation has determined its Risk Appetite, Recovery Point Objective, and Recovery Time Objective for critical business systems. We have engaged security consultant to review and optimise our security posture. We will begin to develop a CMDB during October Process flow diagrams will be created. No formal Audit trail for logging of NCS including the NCS Database Through our work performed, we noted that SWDC has NCS consultant to perform the logging of both NCS at an application level and a database level. However, there is no formal review of the work performed by NCS consultants to ensure that NCS logging is appropriate. This poses a risk that NCS logs are not reviewed on a regular basis, or that inappropriate changes are made by NCS. While we understand that a service organisation has been employees to perform the task we recommend a formal process is set in place where SWDC performs a high level review of the NCS logs at least on a monthly basis, and as part of this review a reconciliation is signed off to show the time and date of the review and who performed it. This will keep track of the times in the year where logging was performed. SWDC have a logwatch created daily that is ed to the Audit Mailbox. Root account password credentials During the review of the security requirements of the database access to the NCS application it was noted that the password ageing on the root account is disabled. This raises a risk that the root account password may be more susceptible to security breaches. We recommend that the ageing on the root account is enabled and aligned with the Windows requirements. Having the root password ageing would create major issues in our system as that user account performs many back ground tasks. We have requested guidance from Magiq

6 Page 6 Observation Recommendation Management software regarding how other councils manage an expiring root password. This will be investigated through the year. Windows updates and penetration testing During our testing of application and operating system security it was noted that Windows has not been updated user wide since 2014, including patches. This is a concern as major hacks have occurred in the UK in 2017 exposing a flaw in Windows which was addressed in the March 2017 windows update. As a result the flaw has caused numerous companies in UK computers to be held for ransom. In addition with updating windows user wide we further recommend performing penetration testing (The practice of Testing Networks and web based applications to the vulnerability of hackers). The lack of updates with the added network exposure arising from public Wi-Fi give bigger window for hackers to attack the SWDC To protect our systems from ransomware has deployed an advanced antimalware system that includes ransomware protection for servers. Windows Updates should be completed ASAP, but this will be very disruptive due to the large number of server reboots that are required. We plan to build new servers and migrate the existing server roles to the new servers once they have been patched, and then maintain a regular patching routine to optimise security and future minimise disruption to services.

7 Page 7 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. Please see for a more detailed description of DTTL and its member firms. Deloitte provides audit, consulting, financial advisory, risk management, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500 companies through a globally connected network of member firms in more than 150 countries bringing world-class capabilities, insights, and high-quality service to address clients most complex business challenges. To learn more about how Deloitte s approximately 245,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter. Deloitte New Zealand brings together more than 1200 specialist professionals providing audit, tax, technology and systems, strategy and performance improvement, risk management, corporate finance, business recovery, forensic and accounting services. Our people are based in Auckland, Hamilton, Rotorua, Wellington, Christchurch and Dunedin, serving clients that range from New Zealand s largest companies and public sector organisations to smaller businesses with ambition to grow. For more information about Deloitte in New Zealand, look to our website For information, contact Deloitte Touche Tohmatsu Limited.