Financial Ledger FINAL INTERNAL AUDIT REPORT 2015/16. Hywel Dda University Health Board. NHS Wales Shared Services Partnership


Attachment 20i

Financial Ledger
FINAL INTERNAL AUDIT REPORT 2015/16

NHS Wales Shared Services Partnership
Audit and Assurance Services

Assurance Rating: REASONABLE Assurance
Previous Rating: SUBSTANTIAL Assurance

Report Contents

CONTENTS
1. Introduction and Background
2. Scope and Objectives
3. Associated Risks
Opinion and key findings
4. Overall Assurance Opinion
5. Assurance Summary
6. Summary of Audit Findings
Conclusion and Recommendations
7. Summary of Recommendations
Appendix A: Management Action Plan
Appendix B: Assurance opinion and action plan risk rating

Review reference: HDUHB1512
Report status: Final Report
Fieldwork commencement: 7th December 2015
Fieldwork completion: 28th January 2016
Draft report issued: 5th February 2016
Amended Draft report issued: 1st March 2016
Management response received: 15th Feb 2016/1st March 2016
Final report issued: 1st March 2016

Auditor: Caroline Powell
Executive sign off: Karen Miles, Director of Finance, Planning & Performance
Distribution:
- Stephen Forster: Assistant Director of Finance
- Jean Reynolds: Head of Financial Accounting
- Carwen Jarman: Head of Management Accounting
- Sandra Hewitt: Assistant Head of Management Accounting - Systems
Committee: Audit & Risk Assurance Committee

ACKNOWLEDGEMENT
NHS Wales Audit & Assurance Services would like to acknowledge the time and co-operation given by management and staff during the course of this review.

Please note: This audit report has been prepared for internal use only. Audit & Assurance Services reports are prepared, in accordance with the Service Strategy and Terms of Reference, approved by the Audit & Risk Assurance Committee.

Audit reports are prepared by the staff of the NHS Wales Shared Services Partnership Audit and Assurance Services, and addressed to Independent Members or officers including those designated as Accountable Officer. They are prepared for the sole use of the and no responsibility is taken by the Audit and Assurance Services Internal Auditors to any director or officer in their individual capacity, or to any third party.

NHS Wales Audit & Assurance Services

Internal Audit Report

1. Introduction and Background

The review of the Financial Ledger system has been completed in line with the agreed Internal Audit Plan for 2015/16; the subsequent report will be submitted to the Director of Finance, Planning & Performance and the Audit and Risk Assurance Committee.

The relevant lead Executive Director for the assignment is the Director of Finance, Planning & Performance.

2. Scope and Objectives

The overall objective of the audit is to give assurance that the Health Board maintains records of all financial transactions and ensures their completeness and integrity, with the aim of providing the basic data from which management accounts, final accounts and financial returns can be prepared.

The financial ledger relies upon data from a number of feeder systems. This review includes the interface with those systems but does not include the testing of controls within the individual feeder systems.

3. Associated Risks

The approach to audit assignments is risk based, where the risks are identified with the lead manager. The risks considered in this review are as follows:
- All transactions of the organisation are not recorded.
- All transactions from sources may not be entered or received before monthly close down with the result that the management account may portray a misleading or incomplete financial position.
- Opening balances are not correctly brought forward.
- Failure to effectively control journals could result in inappropriate processing.
- Unauthorised access to the General Ledger.
- Should the ledger not be backed up, it may not be possible to recover from system failure.
- Unauthorised or improper additions to the chart of accounts can compromise the quality of financial information.

OPINION AND KEY FINDINGS

4. Overall Assurance Opinion

We are required to provide an opinion as to the adequacy and effectiveness of the system of internal control under review. The opinion is based on the work performed as set out in the scope and objectives within this report. An overall assurance rating is provided describing the effectiveness of the system of internal control in place to manage the identified risks associated with the objectives covered in this review.

The level of assurance given as to the effectiveness of the system of internal control in place to manage the risks associated with the Financial Ledger system is REASONABLE Assurance.

Rating: Reasonable Assurance
Definition: The Board can take reasonable assurance that arrangements to secure governance, risk management and internal control, within those areas under review, are suitably designed and applied effectively. Some matters require management attention in control design or compliance with low to moderate impact on residual risk exposure until resolved.

The overall level of assurance that can be assigned to a review is dependent on the severity of the findings as applied against the specific review objectives and should therefore be considered in that context.

5. Assurance Summary

The summary of assurance given against the individual risks is described in the table below:

Assurance Summary*
Audit Risk
1. All transactions of the organisation are not recorded.

2. All transactions from sources may not be entered or received before monthly close down with the result that the management account may portray a misleading or incomplete financial position.
3. Opening balances are not correctly brought forward.
4. Failure to effectively control journals could result in inappropriate processing.
5. Unauthorised access to the General Ledger.
6. Should the ledger not be backed up, it may not be possible to recover from system failure.
7. Unauthorised or improper additions to the chart of accounts can compromise the quality of financial information.

* The above ratings are not necessarily given equal weighting when generating the audit opinion.

Design of Systems/Controls (D)
The findings from the review have highlighted no issues that are classified as weakness in the system control/design of the Financial Ledger system.

Operation of System/Controls (O)
The findings from the review have highlighted two issues that are classified as weakness in the operation of the designed system/control of the Financial Ledger system. These are identified in the Management Action Plan as (O).

6. Summary of Audit Findings

The financial ledger records all financial transactions of the organisation and provides the basic information for the preparation of management accounts, final accounts and financial returns. In order to maintain proper financial control, it is essential that adequate accounting routines operate to protect the integrity of the ledger and that those routines are implemented in practice.

Internal Audit reviewed the recommendations made in the previous report on the Financial Ledger system (HDUHB1414), and is pleased to report that both recommendations had been implemented, as agreed.

The key findings from this review, by the individual risks, are reported in the section below with full details in the Management Action Plan:

Risk 1: All transactions of the organisation are not recorded.

Discussions with the Assistant Head of Management Accounting (Systems), confirmed that feeder systems cover all known types of income and expenditure in the management and financial accounts.

Internal Audit selected a random sample of 15 feeds posted to the ledger for Month 7 (October 2015) from the Posting Control Spreadsheet. It is pleasing to note that each feed was successfully traced to source documentation.

Risk 2: All transactions from sources may not be entered or received before monthly close down with the result that the management account may portray a misleading or incomplete financial position.

A monthly processing timetable is produced, which identifies the timeliness of feeder systems to be posted to the ledger. The Assistant Head of Management Accounting (Systems) provided Internal Audit with a copy of the most recent Monthly Processing Timetable (month 7). Internal Audit reviewed the timetable, and checked 5 entries to the time stamp function on Oracle to ensure they had been processed in a timely manner. Testing proved to be satisfactory.

Internal Audit reviewed the reconciliations for Payroll (Net Pay), Payroll NI ERS, Accounts Payable and Pharmacy, to ensure timely preparation and authorisation. The latest reconciliations were re-performed to ensure accuracy.

Testing identified the following issues:
- Delayed authorisation for the months of June, July, August, September and October 2015 for Payroll Net Pay Reconciliations, Payroll NI ERS Reconciliations and all Pharmacy reconciliations.
- No date recorded upon the performance of the August 2015 Bronglais Pharmacy Reconciliation.

A recommendation relating to the above is contained in Appendix A.

Payroll codes are the only codes which can be rejected by the Oracle system. Oracle prevents the input of any incorrect codes into the non-pay system.

Internal Audit selected a random sample of 15 rejected codes from the file of forms maintained within the Management Accounts department. The sample was tested to ensure that the existing code was invalid and the code had been appropriately amended. It is pleasing to note that testing proved to be satisfactory.

Risk 3: Opening balances are not correctly brought forward.

It is pleasing to note that all items on the Annual Accounts Balance Sheet, for Revenue and Charitable Funds, agreed to the closing and opening balances.

Risk 4: Failure to effectively control journals could result in inappropriate processing.

Journals can be input by the majority of Finance staff, with the exception of Creditors staff and Performance Management staff. There are two ways by which journals are input on Oracle:
- Staff may manually type a journal onto the system (this can be manually posted, or automatically posted at the automated times); or
- A journal may be entered on a spreadsheet and uploaded onto the ledger via the ADI programme.

Internal Audit selected a sample of 30 journals at random from the Posting Control Sheet; each journal was scrutinised in Oracle to ensure:
- Sufficient narrative had been recorded; and
- The journal's originator was identifiable.

It is pleasing to note that testing proved to be satisfactory.

Risk 5: Unauthorised access to the General Ledger.

Access to the Oracle system is only permitted through Oracle System Administrators. When a user leaves the Health Board, their access to Oracle is suspended, but they will remain on the system, as deletions from the system are not permitted. This ensures a thorough audit trail is maintained.

The Oracle system forces a password change every 60 days. The number of days was previously 30, but in line with the rest of Wales, and with agreement by the WAO, this has been increased to 60 days.

Internal Audit selected a random sample of 20 Oracle users from the HDT SA User Audit list. The sample was reviewed to ensure:
- Password reset days were set to 60 days, as per policy; and
- Users with no end date attached to their account were current Health Board employees.

It is pleasing to note that testing proved to be satisfactory.

Risk 6: Should the ledger not be backed up, it may not be possible to recover from system failure.

Discussions with the Assistant Head of Management Accounting (Systems) and the Central Business Manager (Central Team ebusiness Services) confirmed that back-ups are performed automatically, on a daily basis (Monday to Friday) by the Central Team for ebusiness Services. The backups are securely stored by the Central Team.

Disaster Recovery (DR) testing is undertaken on an annual basis. The most recent DR testing was undertaken on 21st and 22nd November

Internal Audit found the back-up and disaster recovery procedures in place to be satisfactory.

Risk 7: Unauthorised or improper additions to the chart of accounts can compromise the quality of financial information.

When an addition, deletion or amendment to the chart of accounts is required, a Chart of Accounts Maintenance Request form must be completed, authorised and forwarded to the Systems team.

Internal Audit selected a random sample of 15 code amendments from the electronically maintained Chart of Accounts Maintenance Request forms. The sample was subjected to testing to ensure that:
- Forms had been completed fully and accurately;
- Each amendment had been requested and authorised by different officers; and
- Each amendment had been made, as appropriate, on the ledger.

Testing identified the following issue:
- One instance where the identification of the requester had not been recorded on the form.

A recommendation relating to the above is contained in Appendix A.

7. Summary of Recommendations

The audit findings and recommendations are detailed in Appendix A together with the management action plan and implementation timetable.

A summary of these recommendations by priority is outlined below:

Priority H M L Total
Number of recommendations

Appendix A

Action Plan

Finding 1: All transactions from sources may not be entered or received before monthly close down with the result that the management account may portray a misleading or incomplete financial position. (O)

Reconciliations: The authorisation of a number of reconciliations was not undertaken in a timely manner. The preparation date was omitted from the August 2015 Bronglais Pharmacy Reconciliation.

Risk: Financial accounts may portray a misleading or incomplete financial position.

Recommendation 1: Reconciliations should be performed and reviewed in a timely manner. Reconciliations should be signed and dated upon performance and review.

Priority level: LOW

Management Response 1: Reconciliations have been performed and signed off in a timely manner, however due to the fact that there has been a senior post vacant for over a year in Financial Accounting the review of the reconciliations has been delayed. By the end of the year these reviews will be complete, however without adequate resource in Financial Accounting it will be impossible to maintain this.

Responsible Officer/Deadline: Jean Reynolds / On-going

Finding 2: Unauthorised or improper additions to the chart of accounts can compromise the quality of financial information. (O)

Sample testing on Chart of Accounts Maintenance Request forms identified one instance where the identification of the requester had not been recorded on the form.

Risk: The code set up may be inaccurate or incomplete, and may compromise the quality of financial information.

Recommendation 2: Chart of Accounts Maintenance Request forms should be fully completed, and signed and dated by the requester and approver.

Priority level: LOW

Management Response 2: Acknowledge the name of the requestor was not recorded on the form, but in terms of risk we are satisfied that one name of the departmental requester/approver (one and the same in this case) and the name of the systems administrator is sufficient and appropriate to ensure segregation of duties and that only proper additions are made to the chart of accounts.

We have updated our chart of accounts maintenance request form to reflect this, as follows:
- Section: Name of person making request in Sections A to D - no change
- Section: Request approved by (requestor's line manager) - removed
- Section: To be completed by Systems Admin Team - added. Request approved & actioned by and name of system administrator is to be recorded here.

Responsible Officer/Deadline: Sandra Hewitt / Actioned 1st March 2016

Appendix B

2015/16 Audit Assurance Ratings

Substantial assurance - The Board can take substantial assurance that arrangements to secure governance, risk management and internal control, within those areas under review, are suitably designed and applied effectively. Few matters require attention and are compliance or advisory in nature with low impact on residual risk exposure.

Reasonable assurance - The Board can take reasonable assurance that arrangements to secure governance, risk management and internal control, within those areas under review, are suitably designed and applied effectively. Some matters require management attention in control design or compliance with low to moderate impact on residual risk exposure until resolved.

Limited assurance - The Board can take limited assurance that arrangements to secure governance, risk management and internal control, within those areas under review, are suitably designed and applied effectively. More significant matters require management attention with moderate impact on residual risk exposure until resolved.

No Assurance - The Board has no assurance that arrangements to secure governance, risk management and internal control, within those areas under review, are suitably designed and applied effectively. Action is required to address the whole control framework in this area with high impact on residual risk exposure until resolved.

Prioritisation of Recommendations

In order to assist management in using our reports, we categorise our recommendations according to their level of priority as follows:

Priority Level: High
Explanation: Poor key control design OR widespread non-compliance with key controls. PLUS Significant risk to achievement of a system objective OR evidence present of material loss, error or misstatement.
Management action: Immediate*

Priority Level: Medium
Explanation: Minor weakness in control design OR limited non-compliance with established controls. PLUS Some risk to achievement of a system objective.
Management action: Within One Month*

Priority Level: Low
Explanation: Potential to enhance system design to improve efficiency or effectiveness of controls. These are generally issues of good practice for management consideration.
Management action: Within Three Months*

* Unless a more appropriate timescale is identified/agreed at the assignment.

Office details: St Brides, St David's Park, Carmarthen, Carmarthenshire SA31 3HB
Contact details: NHS Wales Audit & Assurance Services