AGENDA ITEM NO: 4

REPORT OF: HEAD OF FINANCE & PROCUREMENT
AUTHOR: GRAHAM FRIDAY
TELEPHONE: 01737 276556
E-MAIL: [email protected]
TO: OVERVIEW & SCRUTINY COMMITTEE
DATE: 27TH APRIL 2005
WARD(S) AFFECTED: ALL
SUBJECT: PROGRESS ON THE COMPLETION OF THE 2004/2005 AUDIT PROGRAMME

PURPOSE OF THE REPORT: To provide Members with a progress report on the work undertaken by Deloitte & Touche Public Sector Internal Audit Ltd. under the Internal Audit contract during the current financial year.

RECOMMENDATIONS:
1. That Members note the contents of this report.
2. That the Committee make any observations and/or recommendations to the Executive.

Background

1. It has been agreed within the contract that, to promote internal control within the Authority, D&T PSIA Ltd. would report to Committee on the following:
(a) An overall summary of the control environment operating within the Authority. This will look at the wider picture of all reviews to date, and either provide assurance to Committee that the control systems are working effectively and the interests of the Authority are protected, or act as an early warning on any sectors of the Authority where the control system is failing.
(b) A report back on specific areas which were given a limited (or lower) audit opinion at the time of the audit. Audit opinions are either full, satisfactory, limited or none. This will allow Members to focus attention on areas where Officer action is required.
(c) An update for Members on the current situation regarding limited areas previously reported to Committee. This will inform Members of the action taken by Officers to resolve internal audit issues.

2. To date 16 audits have been completed with final reports being issued. The table below summarises the assurance level given at the time of the audit and the priority and number of recommendations made.
Details are set out in Annex 1.

| Area Reviewed – 2004/05 | Date Report Issued | Assurance Level | Recommendations Implemented / Management Response | Recommendations Made – Priority 1 | Priority 2 | Priority 3 |
|---|---|---|---|---|---|---|
| Cash & Banking | 08/02/05 | Satisfactory | Agreed | 0 | 1 | 0 |
| Council Tax | 08/02/05 | Full | N/a | 0 | 0 | 0 |
| Creditors | 11/03/05 | Satisfactory | Agreed | 0 | 2 | 0 |
| Debtors | 03/03/05 | Full | N/a | 0 | 0 | 0 |
| Benefits | 22/02/05 | Full | N/a | 0 | 0 | 0 |
| Main Accounting System | 03/03/05 | Full | N/a | 0 | 0 | 0 |
| NNDR | 22/02/05 | Satisfactory | Agreed | 0 | 1 | 0 |
| Payroll | 04/03/05 | Satisfactory | Agreed | 0 | 4 | 0 |
| Treasury Management | 11/03/05 | Full | N/a | 0 | 0 | 0 |
| Business & Financial Planning & Monitoring | 07/03/05 | Full | N/a | 0 | 0 | 0 |
| Corporate Compliance Framework | 09/03/05 | Satisfactory | Agreed | 0 | 0 | 1 |
| Risk Management | 01/04/05 | Satisfactory | Agreed | 0 | 3 | 0 |
| FPMS Pre-Application Review | 12/04/05 | Satisfactory | Agreed | 0 | 1 | 0 |
| Network Security | 12/04/05 | Satisfactory | Agreed | 0 | 10 | 1 |
| Corporate Governance | 13/04/05 | Satisfactory | Agreed | 0 | 2 | 0 |
| Si-Dem Parking Enforcement Application Review | 14/04/05 | Satisfactory | Agreed | 0 | 10 | 0 |
| FPMS Application Review | 15/04/05 | Satisfactory | Two recommendations have no actions agreed for them | 1 | 7 | 1 |

Key for recommendations:
Priority 1 – Major issues for the attention of Senior Management.
Priority 2 – Other recommendations for local management action.
Priority 3 – Minor issues that local management should consider, as points of Best Practice.

3. It should be noted that the assurance level is an illustration of the level of control operational at the time of the audit. The Auditor will agree with Management a number of recommendations which, when implemented, will result in a more secure system. Each recommendation is given an implementation date, and these will be monitored on a regular basis by the Internal Audit Team.

4. This completes the audit programme for 04-05, except for reporting the outcome of the standard annual 'follow up' audit. This report has been completed and is being considered by Management. It will be reported to the Overview & Scrutiny Committee at its next meeting.

5. In addition to the basic programme, Internal Audit has been significantly involved in providing Risk Management workshops to assist the Authority in developing both departmental and corporate risk registers.

6. Other work undertaken by Internal Audit in this period included an investigation into an allegation received through the Council's Anti-Fraud and Corruption Strategy. A way forward is currently being agreed with the Head of Finance & Procurement.

Factors for consideration

7. With the exception of the items identified above, there are no significant issues that need to be drawn to Members' attention at this time.

Corporate Plan Implications

8. The five-year Internal Audit Strategic Plan was approved by the Resources Sub-Committee on the 29th November 2000. It was discussed with Officers and linked in, where appropriate, to Council corporate initiatives such as Best Value Service Reviews.

Conclusion

9. From the work undertaken to date, no major issues or concerns were identified and there was a positive response to recommendations from Management. The level of probity in the Authority's financial and operational systems audited was considered overall to be satisfactory.

Background Papers: Planning Documents, Audit Files

ANNEX 1
AUDIT RECOMMENDATIONS FROM REPORTS ISSUED SINCE LAST AUDIT PROGRESS REPORT

Cash & Banking (Priority 2)
Recommendation: Procedure notes for bank reconciliations should be updated following the introduction of Agresso.
Management comment: The update of procedure notes is in the Agresso implementation plan and will be completed by the deadline date.
Implementation date: 31/03/05
Accountable officer: Financial Information Manager
Responsible officer: Income & Banking Supervisor

Creditors (Priority 2)
Recommendation: A system reference number should be entered on the Manual Cheque Control register for each manual payment.
Management comment: Agreed. The transaction number generated by Agresso will be entered for each manual cheque.
Implementation date: Immediate
Accountable officer: Financial Information Manager
Responsible officer: Purchasing Team Leader

Creditors (Priority 2)
Recommendation: The final BACS report for each payment run should be signed off to confirm that the number of payments and the total amount paid were correct.
Management comment: Agreed. The final BACS report will be signed off in future.
Implementation date: 31/03/05
Accountable officer: Financial Information Manager
Responsible officer: Purchasing Team Leader

NNDR (Priority 2)
Recommendation: All mandatory charitable relief cases should have supporting documentation to confirm periodic checks of the organisations' charitable status.
Management comment: Regular reviews will now be performed.
Implementation date: 31/09/05
Accountable officer: Head of Customer Service
Responsible officer: Local Taxation Manager

Payroll (Priority 2)
Recommendation: Each entry on the Workforce Input schedules (for new starters, leavers and amendments) should be initialled to confirm that the correct details have been entered on Workforce.
Management comment: Agreed.
Implementation date: Immediate
Accountable officer: Head of Personnel & Support Services
Responsible officer: Personnel Assistant

Payroll (Priority 2)
Recommendation: Monthly exception reports should be signed off by the Payroll Supervisor to confirm that they have been reviewed.
Management comment: Agreed.
Implementation date: Immediate
Accountable officer: Financial Information Manager
Responsible officer: Payroll Supervisor

Payroll (Priority 2)
Recommendation: Proof of identity should be obtained and filed for each permanent new starter.
Management comment: Agreed.
Implementation date: Immediate
Accountable officer: Head of Personnel & Support Services
Responsible officer: Personnel Officers

Payroll (Priority 2)
Recommendation: The printouts from Payrite showing changes in scale pay rates should be signed off by the Payroll Supervisor to confirm that they are correct.
Management comment: Agreed.
Implementation date: Immediate
Accountable officer: Financial Information Manager
Responsible officer: Payroll Supervisor

Corporate Compliance Framework (Priority 3)
Recommendation: Management should ensure that all Committee reports are seen by the Legal Team and include a paragraph indicating that legal consideration has been sought and taken into account where appropriate.
Management comment: Agreed.
Implementation date: Immediate
Accountable officer: Head of Legal & Property Services
Responsible officer: Head of Corporate Development; Service Managers

Risk Management (Priority 2)
Recommendation: Service Managers should be reminded of their responsibility to complete operational risk registers by end of April 2005 in accordance with the current Risk Management Strategy.
Management comment: Agreed.
Implementation date: End of April 2005
Accountable officer: Head of Finance & Procurement
Responsible officer: Service Managers

Risk Management (Priority 2)
Recommendation: Responsibility for risk management should be incorporated into individual job descriptions.
Management comment: All staff will be made aware of their individual responsibilities through the induction process and on-the-job training. Specific accountability for effective management of risks will be added to the Directors, Head of Services and M3 role profiles.
Implementation date: June 2005
Accountable officer: Head of Personnel & Support Services
Responsible officer: Network Manager

Risk Management (Priority 2)
Recommendation: Although Members are to receive risk management training in April, the CMT, in conjunction with Members, need to agree the level of Member involvement the process will include.
Management comment: Agreed.
Implementation date: August 2005
Accountable officer: Chief Executive
Responsible officer: Network Manager

FPMS Pre-Application Review (Priority 2)
Recommendation: Management should undertake a review to determine whether the Accounts Payable team have sufficient resources to enable supplier masterfile and create payments access to be segregated on the Production Agresso system. If sufficient resources do not exist then the Council should ensure that adequate controls are in place to ensure payments are independently authorised.
Management comment: Now the system is live, the duties of the responsible officer team are being reviewed and the appropriate segregation will be put in place within the constraints of the team size.
Implementation date: 1st July 2005
Accountable officer: Financial Information Manager
Responsible officer: Network Manager

Network Security (Priority 2)
Recommendation: Consideration should be given to establishing an agreed corporate network strategy, which can be monitored for achievement. The network strategy should be clearly aligned to the delivery of corporate business objectives and the IT Strategy.
Management comment: Agreed. The document exists in draft form and will be finalised during March for adoption by appropriate (yet to be identified) group. CMT?
Implementation date: End of April 2005
Accountable officer: Head of Business Solutions
Responsible officer: Network Manager

Network Security (Priority 2)
Recommendation: It is recommended that the draft of the new IT Security Policy is amended to include: an awareness of spyware risks; clear guidance on RIPA procedures; and clear guidance on FOIA procedures.
Management comment: Agreed.
Implementation date: March 2005
Accountable officer: Head of Personnel & Support Services
Responsible officer: Network Manager

Network Security (Priority 2)
Recommendation: It is recommended that consideration is given to ensuring that appropriate and up-to-date solutions are applied to the risks of virus and spyware threats as soon as possible.
Management comment: Agreed. Epol orchestrator has been upgraded as far as possible on the current NT4 server. The necessary upgraded server will be procured in April and implemented soon after (this is in addition to this recommendation). Anti-virus V8 00i total defence suite is being trialled 2nd March and will be rolled out to all staff during March.
Implementation date: End of March 2005
Accountable officer: Head of Business Solutions
Responsible officer: Network Manager

Network Security (Priority 2)
Recommendation: It is recommended that management should give consideration to specifying formal IT activity report requirements so that an appropriate system monitoring framework can be established to confirm compliance with the new IT Security Policy.
Management comment: Agreed. The configuration of our existing Surf Control Management and Reporting System is being costed during April and, if approved as being required, it will be implemented Quarter 3 2005.
Implementation date: December 2005
Accountable officer: Head of Business Solutions
Responsible officer: Network Manager

Network Security (Priority 2)
Recommendation: It is recommended that consideration is given to establishing and applying a secure and effective network device configuration setting standard which includes an appropriate welcome banner for use within the network.
Management comment: Agreed.
Implementation date: Implemented
Accountable officer: Head of Business Solutions
Responsible officer: Network Manager

Network Security (Priority 2)
Recommendation: It is recommended that formal evaluation is given to the benchmarking of effective network trend analysis and vulnerability assessment tools in the near future to confirm that appropriate tools are implemented within the network in the near future.
Management comment: Agreed. Formal evaluation will be done as recommended but implementation will not
Implementation date: Quarter 1 – 2005/06
Accountable officer: Head of Business Solutions
Responsible officer: Network Manager

Network Security (Priority 2)
Recommendation: It is recommended that consideration is given to standardising the use of logical access password controls within the network so that they conform to the best practice corporate security settings applied to the majority of network accounts.
Management comment: Agreed. Current procedures have not been complied with. This has been addressed and the backlog will be resolved by the end of March.
Implementation date: End of March 2005
Accountable officer: Head of Business Solutions
Responsible officer: Network Manager

Network Security (Priority 2)
Recommendation: It is recommended that consideration is given to undertaking a review of: the 15 user accounts with supervisory rights, to help ensure that the number of security equivalences to user Admin (and to other user objects that are security equivalent to Admin) are kept to a minimum; the 179 accounts which have not been used in the last 180 days, to confirm they are still required; and the procedures used to maintain and comply with corporate user profile standards.
Management comment: Agreed.
Implementation date: Mid March 2005
Accountable officer: Head of Business Solutions
Responsible officer: Network Manager

Network Security (Priority 3)
Recommendation: It is recommended that a housekeeping review of the 25 group and role objects without members is undertaken so that any redundant groups can be identified for removal.
Management comment: Agreed.
Implementation date: End of March 2005
Accountable officer: Head of Business Solutions
Responsible officer: Network Manager

Network Security (Priority 2)
Recommendation: Consideration should be given to ensuring that Intruder Detection Values are standardised throughout the network.
Management comment: Agreed.
Implementation date: End of March 2005
Accountable officer: Head of Business Solutions
Responsible officer: Network Manager

Network Security (Priority 2)
Recommendation: It is recommended that consideration is given to establishing and applying a clearly defined: management trail requirement specification for network activities such as logon/off, deletions and changes to key configuration files; management monitoring framework, e.g. review of out-of-hours activity; and archive retention and retrieval policy for activity logs.
Management comment: Agreed.
Implementation date: Quarter 3 – 2005/06
Accountable officer: Head of Business Solutions
Responsible officer: Network Manager

Corporate Governance (Priority 2)
Recommendation: A protocol should be developed documenting the relationship between the Local Strategic Partnership and the Council. This recommendation was raised and agreed in the previous year's audit and has not been implemented.
Management comment: The LSP has a Constitution and Terms of Reference that sets out the role of individual members of the LSP. The Partnership has developed clear responsibilities for each of the actions and targets in the Plan. The LSP is planning a development day in June/July at which these roles will be reviewed.
Implementation date: Completed
Accountable officer: Head of Corporate Development
Responsible officer: Community Liaison Officer

Corporate Governance (Priority 2)
Recommendation: The Contract Procedure Rules should be updated, and responsibility for their future maintenance should be assigned to a specific officer. This recommendation was raised in the previous year's audit and has not yet been implemented.
Management comment: The Council is working on establishing a corporate "Procurement" toolkit; part of the implementation of the toolkit will be to review the Contract Procedure Rules. The timing of the review will have to tie in with a wide revision of the Council's Constitution.
Implementation date: March 2006
Accountable officer: Head of Finance & Procurement
Responsible officer: Procurement Officer

Si-Dem Parking Enforcement Application Review (Priority 2)
Recommendation: We recommend that, as part of a good password policy, the following password controls should be put in place: the minimum length of a password should be at least 6 characters; the password should be a mixture of alpha and numeric characters and where possible enforced by the system/application; re-use of previous passwords over a period of time should not be allowed; default passwords should be forced changed on first entry; and passwords should be forced to be changed after a certain period of time, for example, 30 to 90 days.
Management comment: We have already implemented these recommendations through Spur.
Implementation date: Completed
Accountable officer: Head of Engineering Services
Responsible officer: Parking & Markets Manager

Si-Dem Parking Enforcement Application Review (Priority 2)
Recommendation: We recommend that, in line with Best Practice standards, after three unsuccessful logon attempts the user account is locked and only reinstated by the systems administrator and the password reset, to minimise the risk of unauthorised access.
Management comment: We have requested Spur to provide this facility.
Implementation date: May 2005
Accountable officer: Head of Engineering Services
Responsible officer: Parking & Markets Manager

Si-Dem Parking Enforcement Application Review (Priority 2)
Recommendation: We recommend that there should be a formal documented user administration process in place. User administration procedures should be prepared, approved and widely distributed to ensure that the appropriate level of access is granted. The procedures should include the following processes for: creating new users; amending user rights following changes in job role; security administrators being advised of any users who leave so that user IDs are disabled or removed immediately following their departure; periodic review of user rights; and users that have left the department or the Council.
Management comment: We will provide procedure notes.
Implementation date: July 2005
Accountable officer: Head of Engineering Services
Responsible officer: Parking & Markets Manager

Si-Dem Parking Enforcement Application Review (Priority 2)
Recommendation: We recommend that a process should be developed and a procedure documented to be followed for any updates or amendments to static data. The procedure should include a process where the data is reviewed and validated by someone other than the person entering/amending the data.
Management comment: Procedure Notes will be provided.
Implementation date: July 2005
Accountable officer: Head of Engineering Services
Responsible officer: Parking & Markets Manager

Si-Dem Parking Enforcement Application Review (Priority 2)
Recommendation: We recommend that reports should be generated and reviewed to reconcile refunds being made and tickets being cancelled. Someone other than the person who processed the refund or cancellation should perform the review independently.
Management comment: To be implemented.
Implementation date: Mid May 2005
Accountable officer: Head of Engineering Services
Responsible officer: Parking & Markets Manager

Si-Dem Parking Enforcement Application Review (Priority 2)
Recommendation: We recommend that a full Management Trail should be implemented. Once implemented, regular independent review of the logs should be performed and the records retained.
Management comment: Requested Spur to implement as soon as possible.
Implementation date: May 2005
Accountable officer: Head of Engineering Services
Responsible officer: Parking & Markets Manager

Si-Dem Parking Enforcement Application Review (Priority 2)
Recommendation: Consideration should be given to enhancing the Disaster Recovery (DR) Plan to include details such as: names of persons responsible for invocation of disaster recovery procedures; those responsible for tasks and actions in the event of a disaster; contact names and telephone numbers of key members of staff, suppliers, vendors, utilities etc.; insurance cover and details of cover etc.; and frequency of testing to be undertaken to test the plan or systems. The above list for enhancement is not exhaustive and therefore, when reviewing the plan, consideration should be given to other details which may provide added value in recovering the SPUR application.
Management comment: Will give consideration to this when resources allow.
Implementation date: September 2005
Accountable officer: Head of Engineering Services
Responsible officer: Parking & Markets Manager

Si-Dem Parking Enforcement Application Review (Priority 2)
Recommendation: We recommend that the daily backup tapes should be stored at an off-site location away from the Town Hall. It is also recommended that backup tapes should be regularly tested to ensure that data on them can be restored.
Management comment: We have an ambition to do this. However it is not possible until a suitable remote server room is available. This is currently in the planning stages and we expect implementation in 12 to 18 months. When this is available all backups will be taken at the other site.
Implementation date: December 2006
Accountable officer: Head of Engineering Services
Responsible officer: Parking & Markets Manager; Technical Development Manager

Si-Dem Parking Enforcement Application Review (Priority 2)
Recommendation: We recommend that management should ensure that an appropriate Support Agreement is in place. The agreement should be up to date, signed and clearly specify the contractual obligations of the organisation and supplier.
Management comment: Already in place.
Implementation date: Immediate
Accountable officer: Head of Engineering Services
Responsible officer: Parking & Markets Manager

Si-Dem Parking Enforcement Application Review (Priority 2)
Recommendation: We recommend that the responsibilities for the administration of the SPUR Parking application should be documented to formally identify who is responsible for administration routines such as: user administration; database administration; backup; user system support; and server administration.
Management comment: It has been agreed with Audit that the document being drawn up by Karen McMullen for the split of responsibilities for SX3 administration will be used as a template for all systems. Both SJT and BW to be responsible.
Implementation date: July 2005
Accountable officer: Head of Engineering Services
Responsible officer: Parking & Markets Manager; Technical Development Manager

FPMS Application Review (Priority 2)
Recommendation: User administration procedures should be prepared, approved and distributed to ensure that the appropriate level of access is granted. The procedures should include the following processes for: creating new users, e.g. authorisation and approval, use of standard forms; amending user rights following changes in job role; the procedure for the removal of leavers; and periodic review of user rights. It is accepted that documenting the procedures is part of the deliverable of the project and the project will not be signed off until this is delivered.
Management comment: Agreed. However, as the last Service Unit went live only on 23rd March 2005, the formal process for changes has not yet been finalised.
Implementation date: 30th June 2005
Accountable officer: Financial Information Manager
Responsible officer: Systems Accountant

FPMS Application Review (Priority 2)
Recommendation: As part of a good password policy, it is recommended that: passwords should be constructed of a mixture of alpha and numeric characters; and default passwords should not be the same as the user id.
Management comment: Agree in part. The original default passwords for going live were the same as user id because it would have been impossible to set up 200+ passwords and give them to people individually over going live. However now that all Services are live (23rd March) we have now switched this default off. We do not consider it necessary to enforce passwords to be a mixture of alpha and numeric characters. This encourages staff to write them down. We do however recommend it. Therefore no action agreed on this part of the recommendation.
Implementation date: Completed
Accountable officer: Financial Information Manager
Responsible officer: Assistant Systems Accountant

FPMS Application Review (Priority 1)
Recommendation: We recommend that authorisation controls should be enforced that prevent a user who cancels an invoice or issues a credit note from authorising their own input. Reconciliation of cancelled invoices and credit notes should be performed independently of the Debtors section. Payables – Direct Posting: the controls surrounding the use of the Direct Posting facility should be enhanced to ensure that payments processed by this method are the exception to the rule and that any payment made by this facility is checked by someone other than the person creating the input, or that reports are available which are reviewed independently.
Management comment: Receivables – We do not cancel any invoices. Credit notes are raised. These form part of the monthly reconciliation, which will be signed off in future by the Financial Information Manager. Payables – Agreed. This facility was used for the Interim Process, but is not in use since the last Service went live. The procedures will ensure that if it is used in future there is a control as suggested.
Implementation date: 31st May 2005
Accountable officer: Finance Information Manager
Responsible officer: Debt Recovery Officer; Purchasing Team Leader

FPMS Application Review (Priority 2)
Recommendation: We recommend that validation and input checks are improved to ensure that fields that are essential for the processing of data are made mandatory and that incorrect details are not accepted when data is entered. Additionally, it is recommended that procedures be enhanced to improve the checking process.
Management comment: Receivables – No invoices can be produced without a valid address because the output report is checked to ensure the invoices are complete. Payables – The system does not allow you to save a line with a value of 0.00. Therefore no actions agreed on this recommendation.
Implementation date: N/a
Accountable officer: Finance Information Manager
Responsible officer: Debt Recovery Officer; Purchasing Team Leader

FPMS Application Review (Priority 2)
Recommendation: We recommend that quality checks or reconciliation of input into the Agresso application should be undertaken.
Management comment: Agree in principle that quality checks are important. However we feel there are sufficient in the areas covered by this recommendation. Receivables – Debt Recovery staff check their input before they record the transaction reference on the invoice request form. There is no need for an independent check at this point. The extra control is being introduced. Emails will be sent to the requesting department confirming that the invoice has been raised as requested. Payables – We consider random checking, as part of normal supervision, is an adequate control for this.
Implementation date: April 2005
Accountable officer: Financial Information Manager
Responsible officer: Debt Recovery Officer

FPMS Application Review (Priority 3)
Recommendation: We recommend that a maintenance procedure be developed to periodically review the database holding the debtor, supplier and product information to ensure that there are no duplicates and any redundant data is deleted.
Management comment: Agree in principle that master files need maintenance. Supplier Master File – Annual reviews of suppliers were made under the old system, and before copying the supplier master file from the old system; therefore there is no need for a review at this point in time. However Agresso does not allow the deletion of masterfile records where transactions exist, and we are planning to hold more than 1 year of data.
Implementation date: N/a
Accountable officer: Financial Information Manager

FPMS Application Review (Priority 2)
Recommendation: We recommend that updates or amendments to master data should be reviewed and validated by someone other than the person entering the data. Additionally, procedures should be developed to ensure that this process is followed.
Management comment: Agree in principle that controls are needed over input to master files. Receivables – Amendments to the Debtors master file are carried out as part of the Debt Recovery process, e.g. contact telephone numbers. Staff could not do their job without inputting this data accurately. Additional controls would serve no purpose on the Receivables side. Payables – Random checks are carried out by the Purchasing Team Leader as part of the normal supervisory duties. It is not practical to have an independent check of every change made to the master file. Therefore no action agreed.
Implementation date: N/a
Accountable officer: Financial Information Manager

FPMS Application Review (Priority 2)
Recommendation: We recommend that the ability of the same person to prepare and review invoices for payment, as well as generate jobs to create payment instructions and review the payments being made, should be separated.
Management comment: Agreed. However this is the same recommendation as appears in the Finance & Performance Management System – Pre-Application Review dated April 2005.
Implementation date: 1st July 2005
Accountable officer: Financial Information Manager

FPMS Application Review (Priority 2)
Recommendation: We recommend that the daily backup tapes should be stored at an off-site location away from the Town Hall.
Management comment: Agreed. We have an ambition to do this. However it is not possible until a suitable remote server room is available. This is currently in the planning stages and we expect implementation in 12 to 18 months. When this is available all backups will be taken at the other site.
Implementation date: December 2006
Accountable officer: Financial Information Manager
Responsible officer: Technical Development Manager
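The Si-Dem password recommendation (minimum length of 6, a mix of letters and digits, no re-use of previous passwords, forced change of a default password on first entry, expiry after 30 to 90 days) and the companion recommendation to lock an account after three failed logons until an administrator resets it are concrete enough to model as an authentication state machine. The Python below is an added illustration written for this page; it is not code from the SPUR application, the Council or the auditors. It takes 90 days as the upper bound the recommendation gives, assumes a password-history depth of 5 (the report says only "over a period of time"), and the account names and passwords are constructed for the example.

```python
"""Model of the password-policy and lockout controls recommended for the
parking application (hypothetical illustration, not SPUR's own code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import hmac
import secrets

MIN_LENGTH = 6            # from the recommendation
MAX_AGE_DAYS = 90         # upper bound of the 30-90 day range in the recommendation
HISTORY_DEPTH = 5         # assumed value; the report gives no figure
MAX_FAILED_ATTEMPTS = 3   # lock after three unsuccessful logon attempts

START = date(2005, 4, 1)                  # constructed dates for the scenario
LATER = START + timedelta(days=91)


def hash_password(password: str, salt: str) -> str:
    """Salted PBKDF2; a production system would use a dedicated password hasher."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


@dataclass
class Account:
    username: str
    salt: str
    password_hash: str
    changed_on: date
    must_change: bool = True          # issued with a default password
    failed_attempts: int = 0
    locked: bool = False
    history: list = field(default_factory=list)   # earlier hashes under the same salt


def create_account(username: str, default_password: str, today: date) -> Account:
    salt = secrets.token_hex(8)
    return Account(username, salt, hash_password(default_password, salt), today)


def policy_violations(acct: Account, candidate: str) -> list:
    """Return the policy rules a candidate password breaks (empty list if none)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("must mix letters and digits")
    h = hash_password(candidate, acct.salt)
    if h == acct.password_hash or h in acct.history:
        problems.append("reuses a previous password")
    return problems


def change_password(acct: Account, current: str, new: str, today: date) -> list:
    """Rotate the password; returns [] on success or the violations found."""
    if not hmac.compare_digest(hash_password(current, acct.salt), acct.password_hash):
        return ["current password incorrect"]
    problems = policy_violations(acct, new)
    if problems:
        return problems
    acct.history = (acct.history + [acct.password_hash])[-HISTORY_DEPTH:]
    acct.password_hash = hash_password(new, acct.salt)
    acct.changed_on = today
    acct.must_change = False
    return []


def attempt_login(acct: Account, password: str, today: date) -> str:
    """Return one of: locked, bad_password, must_change, expired, ok."""
    if acct.locked:
        return "locked"                       # no further attempts count, even correct ones
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "bad_password"
    acct.failed_attempts = 0
    if acct.must_change:
        return "must_change"                  # default or reset password: force a change
    if today - acct.changed_on > timedelta(days=MAX_AGE_DAYS):
        acct.must_change = True
        return "expired"
    return "ok"


def admin_unlock(acct: Account, temporary_password: str, today: date) -> None:
    """Only the systems administrator reinstates a locked account, with a password reset."""
    acct.history = (acct.history + [acct.password_hash])[-HISTORY_DEPTH:]
    acct.locked = False
    acct.failed_attempts = 0
    acct.password_hash = hash_password(temporary_password, acct.salt)
    acct.changed_on = today
    acct.must_change = True


def run_scenario() -> list:
    """Walk one constructed account through lockout, reset, rotation and expiry."""
    a = create_account("warden01", "welcome1", START)
    out = [attempt_login(a, "wrong", START) for _ in range(3)]
    out.append(attempt_login(a, "welcome1", START))      # correct, but locked
    admin_unlock(a, "reset99", START)
    out.append(attempt_login(a, "reset99", START))       # must change the reset password
    out.append(change_password(a, "reset99", "abc", START))
    out.append(change_password(a, "reset99", "reset99", START))
    out.append(change_password(a, "reset99", "tick3t5", START))
    out.append(attempt_login(a, "tick3t5", START))
    out.append(attempt_login(a, "tick3t5", LATER))       # 91 days on: expired
    out.append(change_password(a, "tick3t5", "welcome1", LATER))   # old default: reuse
    return out


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

The reuse check compares hashes under the account's fixed salt, which is why the history can be kept as hashes rather than cleartext; the lockout branch is placed before the password comparison so that a locked account leaks nothing about whether a guess was correct.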
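The Network Security review asks for three housekeeping checks: accounts with supervisory rights that are security-equivalent to Admin, accounts not used in the last 180 days, and group or role objects with no members. The script below is an added example of running such a review over a directory export; it is not the Council's or the auditors' code, and the export format, field names and every account and group record in it are constructed for the illustration.

```python
"""Account and group housekeeping review over a constructed directory export.
Hypothetical illustration; the CSV layout and records are invented for it."""
import csv
from datetime import date, timedelta
from io import StringIO

DORMANT_DAYS = 180              # threshold named in the audit recommendation
REVIEW_DATE = date(2005, 3, 1)  # constructed review date

# Constructed sample export: one row per account. An empty last_login means
# the account has never been used; security_equivalent_to lists the object an
# account is security-equivalent to (here only "Admin" matters).
ACCOUNT_EXPORT = """username,last_login,security_equivalent_to,groups
jsmith,2005-03-28,,Finance;Payroll
helpdesk2,2004-08-01,Admin,IT
backup_svc,2004-07-15,Admin,IT;Backup
mbrown,2005-01-10,,Finance
old_temp,,,
"""

# Constructed sample export of group and role objects and their members.
GROUP_EXPORT = """group,members
Finance,jsmith;mbrown
Payroll,jsmith
IT,helpdesk2;backup_svc
Backup,backup_svc
Legacy_Print,
Auditors,
"""


def parse_accounts(text: str) -> list:
    """Parse the account export into dicts with a real date (or None) per account."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["last_login"] = date.fromisoformat(r["last_login"]) if r["last_login"] else None
        r["groups"] = [g for g in r["groups"].split(";") if g]
    return rows


def review_accounts(accounts: list, today: date, dormant_days: int = DORMANT_DAYS) -> dict:
    """Flag dormant accounts, Admin-equivalent accounts, and the overlap of the two."""
    cutoff = today - timedelta(days=dormant_days)
    dormant = sorted(
        a["username"] for a in accounts
        if a["last_login"] is None or a["last_login"] < cutoff
    )
    admin_equivalent = sorted(
        a["username"] for a in accounts if a["security_equivalent_to"] == "Admin"
    )
    # Dormant accounts that still carry Admin rights are the first to review.
    dormant_admin = sorted(set(dormant) & set(admin_equivalent))
    return {
        "dormant": dormant,
        "admin_equivalent": admin_equivalent,
        "dormant_admin": dormant_admin,
    }


def empty_groups(text: str) -> list:
    """Group and role objects with no members, candidates for removal."""
    return sorted(r["group"] for r in csv.DictReader(StringIO(text)) if not r["members"].strip())


if __name__ == "__main__":
    findings = review_accounts(parse_accounts(ACCOUNT_EXPORT), REVIEW_DATE)
    for key, names in findings.items():
        print(f"{key}: {', '.join(names) or 'none'}")
    print("empty groups:", ", ".join(empty_groups(GROUP_EXPORT)) or "none")
```

Accounts that have never logged in are treated as dormant rather than skipped, since a "never used" account is exactly the kind the review is meant to surface; the intersection list gives the reviewer the Admin-equivalent accounts to confirm first.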