Internal Audit. Payroll. February 2017

Similar documents
Internal Audit. Absence Management. October 2016

Loch Lomond and The Trossachs National Park Authority. Key Controls Report

Internal Audit Report

EDUCATION SUPPORT OFFICER. GRADE FIVE Position Information Document

Loch Lomond and The Trossachs. National Park Authority. Review of Internal Controls 2015/16. Prepared for Loch Lomond and The Trossachs.

Double checking. What is the issue? What does it mean for me? What can I take away? 1 September 2016

Job Description. Finance Administrator (Job Share)

NATIONAL HEALTH SERVICE SCOTLAND REMUNERATION COMMITTEE SELF ASSESSMENT PACK

Audit Committee, 20 March Internal Audit Report Stakeholder Communications. Executive summary and recommendations.

Loch Lomond & The Trossachs National Park Authority. Annual internal audit report Year ended 31 March 2015

NHS Highland Internal Audit Report Managing Sickness Absence August 2011

Core HR March HR is at the heart of ESR because it contains all the core employee information used by other components of the system.

Human Resources Team People & Organisational Development. On-Call and Call out Policy

POSITION DESCRIPTION Financial Administrator. February 2017

Achieve. Performance objectives

Suicide Prevention Australia Inc. Position Description: Accounts Officer (part-time)

INFORMATION GOVERNANCE POLICY

FOUNDATIONS IN ACCOUNTANCY Paper FAU (UK) Foundations in Audit (United Kingdom)

JOB DESCRIPTION. Ref No: N003/02/2015 Date: 17 February Assistant Financial Accountant

ON ARM S LENGTH. 1. Introduction. 2. Background

Exit Procedure. Date: September Version number: 2. Emilie Gray, Senior HR Advisor. Review Date: September 2020

CHAPTER 5 INFORMATION TECHNOLOGY SERVICES CONTROLS

Charges to sponsored projects are classified as either non-salary or salary.

ABSENCE MANAGEMENT POLICY

BOARD CHARTER TOURISM HOLDINGS LIMITED

Special leave policy. Pay Policy. Pay policy, v1 April 2015 Page 1 of 12

Auditing of Swedish Enterprises and Organisations

Filey Town Council Council Offices 52A Queen Street Filey North Yorkshire YO14 9HE TEL:

Human Resources Policy

Pipelines Safety Regulations 1996

Capability health procedure for academic support staff

POLICY ON LEAVE OF ABSENCE FOR SENIOR MEDICAL STAFF.

2. Job Evaluation Requests Maintenance Procedure

Introduction to Employer Online

AUDIT UNDP COUNTRY OFFICE SOUTH AFRICA. Report No Issue Date: 22 September 2014 [REDACTED]

Fundamentals Level Skills Module, Paper F8 (IRL)

ANNUAL LEAVE AND BANK HOLIDAY POLICY

INDUCTION POLICY AND PROCEDURE

Finance Manager. 30,000 per annum (pro rata) Part time 20 hours

Information Note* for Candidates Industrial Relations Officers IMPACT and Lead Organiser Competitions. Dublin (November 2017) Competitions

Terms of Engagement SW London Collaborative Staff Bank

JOB DESCRIPTION. To provide a high quality payroll administration service for council employees, teachers and support staff in schools.

HR/Payroll Shared Services Service Level Agreement. December 1, 2017

AUDIT STATUS. Continuous Auditing Ideas and Priority Ranking Draft: 8/7/2012

POSITION DESCRIPTION

REPORT 2013/123. Audit of Managing for Systems, Resources and People System interfaces FINAL OVERALL RATING: PARTIALLY SATISFACTORY

Achieve. FPER Performance objectives

Pay Protection Policy V2.0

I write in response to your request for information in relation to staff employment in NHS Lothian.

POSITION DESCRIPTION. JOB TITLE: Director, Corporate Services STATUS: Permanent. LOCATION: Sydney HOURS: 35 hours per week

Internal Audit Charter

Internal Financial Controls (IFC) - An Overview

Financial Controller

Testing Services - D0046 Baseline Standards FY 2017

NHS Grampian. Volunteering Policy. Guidance for Staff and Volunteers

Daytime and On-Call Cover Remuneration Policy for Non Training Grade Medical Staff

Review of City's Bank Reconciliation and Deposit Procedures

REPORT 2016/099 INTERNAL AUDIT DIVISION. Audit of United Nations Office on Drugs and Crime operations in the Middle East and North Africa

FORDHAM UNIVERSITY INDEPENDENT CONTRACTOR POLICY & PROCEDURE

Devon and Cornwall Police May 2017

Finance and Administration Manager

Protection of Pay and Conditions of Service (As a Result of Organisational Change)

The Government Procurement Card

Audit Committee Annual Report. Report of the work of the Audit Committee during 2014/15

MyView User Guide Version 4

Payment of Salaries, Allowances and Rates of Pay STANDING ORDER 3/1. September 2014 Employee Relations Service Support: Human Resources

Discussion Paper on the Validation of Pharmacovigilance Software provided via SaaS

AUDIT OF KEY FINANCIAL PROCESSES AT MAINLAND NOVA SCOTIA FIELD UNIT FINAL REPORT PREPARED BY PROGESTIC INTERNATIONAL INC.

Enterprise Edition Payroll Master Files and Personnel Setup

Pay Policy Date approved & adopted 2 October 2014 Date of next review By 31 October annual y

PART 3.4 DEPARTMENT OF TRANSPORTATION AND WORKS USE OF GOVERNMENT VEHICLES

Internal audit report Follow-up of previous recommendations

Communications and Engagement Officer

HFTP Hospitality Financial and Technology Professionals

Company Monitoring Framework Risks, Strengths and Weaknesses Statement January 2017

Financial Manager(FM) Position Description Effective: Monday, 18 December 2017

Recruitment and Selection Procedure

Enhanced voluntary separation program guidelines

ABSENCE MANAGEMENT POLICY

RESOURCES DIRECTORATE Director Dave Burbage. Isle of Wight Council REDEPLOYMENT POLICY. January Redeployment Policy INTERNAL USE ONLY - POLICY

AUDIT OF EARNINGS LOSS

Additional Annual Leave Purchase Scheme V3.0

Sage Pastel Partner Add-On Modules Training

Research Advisory Group. Terms of Reference

General Guidelines. For. JobBridge. The National Internship Scheme (NIS)

Board Charter Z Energy Limited

Internal Audit Report Corporate Governance and Risk Management

Terms of Reference (TOR) Provision of consultancy services for payroll verification exercise

Volunteer Placement Scheme Policy

WAGE BULLETIN JULY 2014 Wages and Allowances

A: RMA offers the following COID benefits, which are exactly as legislated in the COID act:

AUDIT UNDP COUNTRY OFFICE INDONESIA. Report No Issue Date: 10 October 2014

Human Resource. Financial. Delegation Manual 2008

Contract and Procurement Fraud. Fraud in Procurement without Competition

Recording Financial Transactions (FA1) September 2017 to August 2018

AUSTRALIAN ENERGY MARKET OPERATOR INDEPENDENT ASSURANCE REPORT ON AEMO S COMPLIANCE WITH THE GAS SERVICES INFORMATION RULES AND GSI PROCEDURES

If you would like to discuss any matters raised in this report please do not hesitate to contact us.

SICKNESS ABSENCE POLICY & PROCEDURE

INTERNAL CONTROL HANDBOOK

Minnesota State Community and Technical College

Transcription:

February 2017 Report Assessment A G G A G G This report has been prepared solely for internal use as part of NHS Lothian s internal audit service. No part of this report should be made available, quoted or copied to any external party without Internal Audit s prior consent.

Contents Introduction... 1 Executive Summary... 2 Management Action Plan... 4 Appendix 1 - Definition of Ratings... 12

Introduction uses the electronic e system (which is the national NHS Scotland system) to process salaries, with payments being processed monthly and weekly. The Department process payments for around 24,000 members of staff who are paid monthly, and a further 9,000 paid weekly. In the period December 2015 - November 2016, NHS Lothian made payments to staff of over 622 million, excluding superannuation and tax costs. Source: Downloads from system from December 2015-November 2016 The Scottish Standard Time System (SSTS) processes time and attendance information across NHS Lothian, including recording overtime. Overtime payments information is exported to e both weekly and monthly so that staff receive their additional payments in a timely manner. The eexpenses system is used by staff to record expenses, and then have them authorised by their line manager. Payment information is then exported to e weekly and monthly. Changes to staff members standing data, e.g. pay grade or department, are communicated by their line manager to by paper documentation. Changes to employees personal data, e.g. a change of home address, are communicated by employees themselves. Scope The objective of the audit was to evaluate the adequacy and effectiveness of the key internal controls over payroll processing. Acknowledgements We would like to thank all staff consulted during this review for their assistance and cooperation. 1

Executive Summary Conclusion There are appropriate controls in place within the Department, which include the requirement that all claims for expenses and other additional payments must be approved by each staff member s line manager. In addition, there are checks by to confirm that all changes to staff members standing data have been correctly processed. However, two significant, two important, and two minor control issues were noted which if addressed would further strengthen arrangements. The implementation of these recommendations will provide greater confidence that payments made by are complete, accurate, and timely. Summary of Findings The table below summarises our assessment of the adequacy and effectiveness of the controls in place to meet each of the objectives agreed for this audit. Definitions of the ratings applied to each action are set out in Appendix 1. No. Control Objective Control objective assessment Number of actions by action rating Critical Significant Important Minor 1 2 3 4 5 6 Employee standing data is complete and accurate. Changes to employee standing data are authorised, and an audit trail is maintained. Payments to employees are complete and timely. Additional payments to employees, including overtime payments, are accurate and authorised. Reconciliations are performed for data transfers from SSTS and eexpenses to e. Travel and subsistence payments are all made in line with NHS Lothian policies and procedures. Green 1 Amber 1 1 Green Green Green 1 Amber 1 1 2

Control Objective Ratings Action Ratings Definition Red Fundamental absence or failure of controls requiring immediate attention (60 points and above) Amber Control objective not achieved - controls in place are inadequate or ineffective (21 59 points) Green Control objective achieved no major weaknesses in controls but may be scope for improvement (20 points or less) Main findings We noted a number of areas of good practice during the review. After each weekly and monthly payroll run the Department generates a report which is a list of all staff members whose overall payment has increased or decreased by more than 25% from their previous payment. staff will then review each item on the list to confirm that the payment was valid. Where staff members claim for additional payments, e.g. for expenses or overtime, their claims must be authorised by their line manager before they are submitted to for payment. We identified two significant issues for improvement during the review: For all significant changes to employees standing data the Department team leads will check that the changes have been made correctly in the e electronic system and will place a note in the system that they have performed the checks. However, taking a sample of significant changes which were made during 2016 showed that new starts were only checked 84% of the time, hours management 68%, pay details 27%, and terminations 94% expense claims made through eexpenses were not always checked by the Expenses Department in line with the current procedures. Further details of these points, two important points, and two minor points are set out in the Management Action Plan. 3

Management Action Plan Control objective 1: Employee standing data is complete and accurate. 1.1: There are no procedures in place for the Department Important Observation and Risk: Written procedures allow departments to set out how they will achieve their objectives, and specifically state what controls should be in place and how they will operate. Procedures help to guide existing staff and in particular can help with the training of new staff. Finally, stating the review date for procedures means that they continue to reflect best practice. However, there are no procedures in place for the Department. Managers agreed that up to date Procedures are important to a department. Procedures could increase the likelihood of the Department s objectives being achieved through the operation of effective controls. Recommendation: The Manager should create procedures for the Department. Specifically, these should include a list of all checks to be performed by team leads and managers, and when they should be performed. Management Response: It is acknowledged that the department does not have a standard set of procedures for all tasks within the department. Management Action: Written procedures will be introduced for the Department. Responsibility: Manager Target date: 30 th September 2017 4

Control objective 2: Changes to employee standing data are authorised, and an audit trail is maintained. 2.1: Significant changes to employees standing data are not always checked by Significant Observation and Risk: The Department process changes to staff members standing data, which can include events such as new starts, terminations, a change to working hours, or a change of home address or bank account details. For all significant changes, Department team leads will check that the change has been made correctly in the e electronic system and will place a note in the system that they have performed the check. Significant changes are classed by managers as being within the following four categories: new starts, terminations, a change to working hours, or a change to pay details. However, a sample of significant changes which were made during 2016 showed that new starts were checked 84% of the time, hours management 68%, pay details 27%, and terminations 94%. In addition, team leads do not review e logs to confirm that they have checked the processing for all significant items. If team leads do not check all significant changes to employees standing data there is an increased risk that changes have not been made correctly, resulting in incorrect payments. Recommendation: The Deputy Managers should instruct team leads to check all significant changes to staff members standing data, specifically new starts, terminations, changes to hours worked, and pay details changes. In addition, the Deputy Managers should instruct the team leads to regularly check e to confirm that all significant changes have been reviewed. Management Response: All changes that have an impact on an employee s salary payments should be checked by a Team Leader. As part of the Procedure exercise Managers will review what changes that require to be checked and advise Team Leaders. Management Action: Team Leaders will be reminded that they are required to check all changes that have an impact on an employee s salary. Responsibility: Deputy Managers Target date: 31 st March 2017 5

2.2: No periodic checks are performed to confirm that users should continue to have access to electronic systems Important Observation and Risk: The three electronic systems e, eexpenses, and SSTS each have lists of users who have advanced access rights, e.g. system administrators. These lists should be regularly reviewed to ensure that staff who have left the organisation have their rights revoked, and that staff have access rights limited to what is required for their job. However, a review of the list of users with advanced access rights for e, eexpenses, and SSTS showed that they included one member of staff who had not required those access rights for over a year. Limiting advanced access to electronic systems reduces the likelihood that system information is accessed inappropriately. Recommendation: The Deputy Managers should review the lists of advanced users of the electronic systems e, eexpenses, and SSTS every three months to confirm these staff members only have the access they require for their jobs. Management Response: To a large extent we are reliant on departments notifying us if an individual employee no longer requires access to the payroll system. However, this is not a robust process and the department will undertake a six month user review. Management Action: Bi-annual review to be undertaken. Responsibility: Deputy Managers Target date: 30 th June 2017 6

Control objective 3: Payments to employees are complete and timely. We identified no significant issues in relation to this control objective. Each year the Deputy Managers agree the timing of both the weekly and monthly payroll runs with Atos. In addition, Department staff inform line managers of the cutoff dates for the submission of both SSTS and eexpenses claims relating to additional payments to staff. We used IDEA software, a computer aided audit technique, to conduct a range of tests, including: duplicate amounts paid at time and a half to one employee duplicate amounts paid at double time to one employee duplicate excess pay duplicate values in the same period duplicate descriptions in the same period. No errors were identified as part of this testing. Control objective 4: Additional payments to employees, including overtime payments, are accurate and authorised. We identified no significant issues in relation to this control objective. Where staff members claim for additional payments, e.g. for expenses or overtime, their claims must be authorised by their line manager before they are submitted to for payment. After each weekly and monthly payroll run the Department run a report which is a list of all staff members whose overall payment has increased / decreased by more than 25% from their previous payment. staff will then review each item on the list to confirm that the payment was valid. 7

Control objective 5: Reconciliations are performed for data transfers from SSTS and eexpenses to e. 5.1: Issues noted on interface reports are not always marked as having been dealt with Minor Observation and Risk: Prior to each weekly and monthly payroll run, payment information is transferred to e from SSTS and eexpenses respectively. e then generates an interface report which lists any items which have not transferred from SSTS and eexpenses, which is then checked by Administrators and each item dealt with. However, a sample of 4 interface reports between SSTS and e showed that of the 632 items, 17 (3%) were not marked on e as having been reviewed and dealt with by Administrators. The Deputy Managers stated that these items will have been dealt with but they simply had not been marked off on the system. If all items on interface reports are not dealt with then there is an increased risk that staff do not receive all payments. Recommendation: The Deputy Managers should remind Administrators to check all interface report entries and mark each entry as having been reviewed. Management Response: These checks are undertaken as routine tasks. However, Administrators will be reminded of the requirement to mark each entry as having been reviewed. Management Action: Reminder to be issued to Administrators. Responsibility: Deputy Managers Target date: 31 st March 2017 8

Control objective 6: Travel and subsistence payments are all made in line with NHS Lothian policies and procedures. 6.1: Checks on expense claims are not always performed Significant Observation and Risk: When staff claim for expenses they can submit them electronically through eexpenses or complete a paper form. The staff member s line manager then approves the claim, either by signing the paper form or by approving on eexpenses, before it is passed to the Expenses Department for payment. For paper claims Expenses will check the form before approving the payment, but for claims through eexpenses they will perform retrospective checking after payment has been made through e. These checks are stated in the Expenses Department procedures. From December 2015 - November 2016, employees were reimbursed for expenses totalling almost 3.5 million, with the vast majority (99%) paid to monthly paid employees. Source: Downloads from system from December 2015-November 2016 The Expense Department procedures outline a number of checks that should be performed on expense claims. These include checks on 20% of expenses made by monthly-paid staff, and checks performed on 100% of claims made by weekly-paid staff. However, a review of the retrospective checking of claims made through eexpenses showed the following: 20% check of claims from monthly-paid staff - these were not performed for February and March 2016, and July to November 2016. In addition, the checks for April to June 2016 were only partially performed 100% check of claims from weekly-paid staff for a sample of 7 weeks during 2016, 2 of the weeks (29%) were not marked as having been checked. However, the Expenses Administrator stated that they had been checked Limited evidence of checks performed to ensure the correct treatment of tax on un- 9

receipted claims. Within our sample for weekly paid staff, for 6 of the 7 weeks there were no checks performed (86%) and for the other 1 only about half of them had been checked. For monthly paid staff there was no evidence of checks performed for 5 of the 8 months. If checks are not performed by Expenses Department staff of expenses claims made there is an increased risk that claims are false or that errors are undetected. Recommendation: Expenses Department staff should perform all checks on expense claims as stated in the Expenses Department procedures. Management Response: This occurred during a period of staff storage due to long term absence and it was essential to prioritise re-imbursement of expenses to staff. The staffing levels are now stable and all checks are being undertaken. In addition, we are also undertaking backdated checks that are referred to in this audit point. Management Action: We will continue to monitor the level of checks that are undertaken. Responsibility: Manager Target date: Immediate 10

6.2: The procedure used by Expenses staff has not been recently reviewed and does not reflect current practice Minor Observation and Risk: The Expenses Department procedure sets out the checks that Expenses staff will perform relating to claims submitted by NHS Lothian staff. However, the procedure has not been reviewed since October 2010. In addition, the Expenses Administrator has stated that one of the checks stated in the procedure is no longer performed. Revising the procedure would increase the likelihood that the Expenses Department s objectives are being achieved through the operation of effective controls. Recommendation: The Expenses Administrator should revise the Expenses Department procedure to ensure that it reflects current practice within the department. The procedure should then be approved by the Manager. Management Response: The current expenses procedures will be reviewed to ensure they are appropriate and up to date. Management Action: Review expenses procedures. Responsibility: Manager Target date: 30 th June 2017 11

Appendix 1 - Definition of Ratings Management Action Ratings Action Ratings Definition Critical The issue has a material effect upon the wider organisation 60 points Significant The issue is material for the subject under review 20 points Important The issue is relevant for the subject under review 10 points Minor This issue is a housekeeping point for the subject under review 5 points Control Objective Ratings Action Ratings Definition Red Fundamental absence or failure of controls requiring immediate attention (60 points and above) Amber Control objective not achieved - controls in place are inadequate or ineffective (21 59 points) Green Control objective achieved no major weaknesses in controls but may be scope for improvement (20 points or less) 12

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback