Please be aware the content below has been generated by an AI model from a source PDF.

191206AuCtteePaper1Annex1PayrollAdminReportIncMgmtResponses

Cairngorms Nation­al Park Author­ity Intern­al Audit Report — Final: Payroll Administration

Octo­ber 2019

CAIRNGORMS NATION­AL PARK AUTHORITY Audit & Risk Com­mit­tee Paper I Annex I 06/12/19

BDO

Con­tents

  • Executive Summary
  • Detailed Findings and Recommendations
  • Observations
  • Appendices:
    • I Staff Interviewed
    • II Definitions
    • III Terms of Reference

Report Status:

  • Aud­it­ors: Gemma Macdonald
  • Dates work performed: 1 July 2019 – 5 July 2019
  • Draft report issued: 24 Septem­ber 2019
  • Final report issued: 10 Octo­ber 2019

Dis­tri­bu­tion List:

  • Dav­id Camer­on — Dir­ect­or of Cor­por­ate Services
  • Mem­bers of the Audit Committee

Exec­ut­ive Summary

Level of Assur­ance (See Appendix II for Definitions)

| | Design | Effectiveness |
| --- | --- | --- |
| Level of Assurance | Generally a sound system of internal control designed to achieve system objectives with some exceptions. | Evidence of non-compliance with some controls, that may put some of the system objectives at risk. |

Sum­mary of Recom­mend­a­tions (See Appendix II)

| Level | Number of Recommendations |
| --- | --- |
| High | 0 |
| Medium | 2 |
| Low | 4 |
| Total | 6 |

Over­view

Back­ground

In accord­ance with the 2019 – 20 Intern­al Audit Plan, it was agreed that Intern­al Audit would review the design and oper­at­ing effect­ive­ness of the con­trols in place at Cairngorms Nation­al Park Author­ity (“CNPA/​the Author­ity”) sur­round­ing payroll admin­is­tra­tion arrange­ments. The pur­pose of our review was to provide man­age­ment and the Audit Com­mit­tee with assur­ance that the Author­ity has appro­pri­ate arrange­ments in place in rela­tion to their payroll administration.

Payroll at CNPA is, for the most part, pro­cessed by the Payroll & Fin­ance Officer except on occa­sions of his absence, in which case the Fin­ance Officer would pro­cess it. In addi­tion to this, the Fin­ance Officer will pro­cess at least one month’s payroll in the year to main­tain famili­ar­ity with the process.

There is currently no payroll policy or procedure in place at CNPA; instead, there is a set of “desk instructions” used at the Authority which describe in detail the steps for processing payroll and the related journals. These instructions were developed by the former Payroll Officer and are updated annually at the end of each tax year. Recent notable changes made to the instructions include the addition of the annual leave purchase scheme and a change to the method of issuing payslips, which were previously emailed to staff but are now made available on an online portal to increase security in response to the changes brought in by GDPR. Payroll documents are kept in physical form in folders for each four-month period; each of these folders contains a physical copy of the desk instructions. The payroll files are stored securely in a locked cabinet on site.

Each month, a payroll amend­ment memor­andum is pre­pared by the Head of Organ­isa­tion­al Devel­op­ment which out­lines any changes to salar­ies in the month. Examples of such changes are starters and leav­ers, employ­ees chan­ging roles, changes to work­ing hours, absence due to sick­ness and mater­nity leave. The memo includes a cal­cu­la­tion of the salary fol­low­ing the change which will be checked by the Payroll & Fin­ance Officer pri­or to pro­cessing. Once the changes have been pro­cessed, the payroll run will be approved by the Dir­ect­or of Cor­por­ate Ser­vices and a signed copy is added to the payroll file. In addi­tion to this, a report is run which provides ana­lys­is of the employ­er deduc­tions broken down into four depart­ments, being core staff, park con­ven­ors, board mem­bers and pro­ject staff. The BACS run is com­pared to the payroll run to ensure there are no dis­crep­an­cies and is then author­ised for pay­ment by the Dir­ect­or of Cor­por­ate Ser­vices. Also included in the payroll file for each month is a P32 ana­lys­is of amounts owed to HMRC which is author­ised by the Dir­ect­or of Cor­por­ate Ser­vices and a nom­in­al link report which shows the amounts pos­ted to each nom­in­al code on the account­ing sys­tem from the salary journal.

Employ­ees of the Author­ity work on flexi-time and there­fore com­plete timesheets which are not used in the pro­cessing of payroll but to keep track of hours worked for the pur­poses of meas­ur­ing employ­ees’ flexi bal­ance and ensur­ing com­pli­ance with the Work­ing Time Dir­ect­ive. Each employ­ee main­tains their timesheet on a spread­sheet which is stored in their indi­vidu­al apprais­al folder on the share drive. Timesheets are to be signed by both the employ­ee and their line man­ager on a monthly basis and HR will do ran­dom spot checks of timesheets every three months.

Instructions for the processing of both starters and leavers are included in the payroll desk instructions. HR will provide payroll with an extract of the new starter form, at which point the employee will be set up on the payroll system. Details of the new starter and a calculation of their first salary will also be included in the payroll amendments memo prepared by the Head of Organisational Development. Leavers will have an exit interview with either the HR Officer or the Head of Organisational Development and a termination checklist will be completed by the HR Officer. When the leaver is processed on the payroll system (Sage 200), their record is automatically removed from the system; when they are processed on the HR system (Snowdrop), their record is retained but they are shown to be a leaver. There is a leavers checklist to be completed by HR on termination of a contract which details the steps to be taken, such as the calculation of leave entitlement, the updating of systems and documents, and the return of key fobs or ID cards. Leavers are also included in the payroll amendments memo with a calculation of their final salary. A starters and leavers report is provided from the HR system and is authorised and signed by the Director of Corporate Services before being filed in the payroll folder.

There are three monthly checks which are done to test for any errors or poten­tial fraud in the payroll, as follows:

  1. Snowdrop Reconciliation: A report of the monthly salaries from Snowdrop is produced by the HR Officer. This is then reconciled to the payroll report run from Sage 200 in order to identify any unexpected differences. The Payroll & Finance Officer performs the reconciliation, which is then checked and authorised by the Director of Corporate Services or the Finance Manager in his absence. Examples of common reconciling items include an on-call allowance for IT staff, Board costs, an allowance for staff staying with friends on work trips, any amendments and any pay increases.

  2. Random Check by HR: Each month the Head of Organisational Development will perform a payroll check on five random employees to evidence that they have been processed correctly. In choosing employees for this check, she aims to choose a spread that represents a true mix of grades in the organisation. She will check the employees’ salary on the HR system and ensure it corresponds with the payslip when any adjustments are taken into account. A cover sheet is completed which notes the employees whose salary has been tested and notes explaining any differences; both this sheet and the relevant payslips are signed by the Head of Organisational Development and placed in the payroll folder.

  3. Comparison with Previous Month: Each month the Payroll & Finance Officer will perform an informal check by which he compares each employee’s salary with that of the previous month as a sense check to identify any unexpected differences.

Access to the payroll and HR sys­tems is restric­ted to author­ised users by being tied to their user account. Snow­drop users are the Head of Organ­isa­tion­al Devel­op­ment, the HR Officer and the Payroll & Fin­ance Officer. Users of Sage 200 are the Payroll & Fin­ance Officer and the Fin­ance Officer. Although the Payroll & Fin­ance Officer has access to Snow­drop, they noted that they do not use it and instead go through the HR Officer or Head of Organ­isa­tion­al Devel­op­ment for any HR inform­a­tion requests. The payroll sys­tem is only installed on the com­puters of these two users. Access to payroll and HR files on the share drive is also restric­ted and if an unau­thor­ised mem­ber of staff tries to access them, they are presen­ted with an error message.

Scope and Approach

The scope of our review was to assess whether:

  • An adequate payroll policy and pro­ced­ure is in place;
  • Payroll pay­ments are cor­rect and author­ised appropriately;
  • Amend­ments are pro­cessed in a timely man­ner, not­ably in rela­tion to new starters and leavers;
  • Appro­pri­ate excep­tion reports are pro­duced and reviewed pri­or to payroll being trans­mit­ted; and
  • Access to human resources and payroll sys­tems are restric­ted appropriately.

Our approach was to con­duct inter­views to estab­lish the con­trols in oper­a­tion for each area of audit work. We then sought doc­u­ment­ary evid­ence that these con­trols were designed as described. We then eval­u­ated these con­trols to identi­fy wheth­er they com­pletely address the risks. We then sought to gain evid­ence of the sat­is­fact­ory oper­a­tion of the con­trols to veri­fy the effect­ive­ness of the con­trol through use of a range of tools and tech­niques. Dur­ing the course of our test­ing we kept man­age­ment informed of any issues which arose as a res­ult of our testing.

Key Find­ings

Our review high­lighted a num­ber of gaps with­in the payroll admin­is­tra­tion con­trols, which are sum­mar­ised below:

  • Payroll policies and procedures: There is a set of “desk instructions” created by the former Payroll Officer which sets out the procedure for payroll administration, but this did not go through any formal approval process or peer review.
  • Access to systems: The Payroll & Finance Officer currently has access to both the payroll and the HR system, which could create an opportunity for fraud.
  • Amendments approval: The Head of Organisational Development prepares a payroll amendment memo each month which contains details of any changes to salaries and a calculation of the resultant salary; the memo is checked and processed by the Payroll & Finance Officer. Amendments should be authorised by another member of staff who is not involved in processing payroll.
  • Post payment report: There is no post payment report run or reviewed to ensure that no changes have been made to payroll after the BACS report is run.
  • Confidentiality agreement: Staff involved in the payroll process are not required to sign a confidentiality agreement.
  • Automatic exception reporting: The monthly reconciliations which are currently carried out are done manually; automatic exception reports generated by the payroll system would provide a more reliable report.

Con­clu­sion

At this stage, we can provide mod­er­ate assur­ance over the design and oper­a­tion­al effect­ive­ness of the con­trols in place in rela­tion to payroll admin­is­tra­tion. We recom­mend man­age­ment imple­ment the noted con­trol improve­ments to devel­op the cur­rent arrange­ments, and ensure they oper­ate con­sist­ently across the Authority.

Risks Reviewed Giv­ing Rise to No Find­ings of a High or Medi­um Significance

  • An adequate payroll and expense policy and pro­ced­ure has not been developed
  • Amend­ments are not pro­cessed in a timely man­ner, not­ably in rela­tion to new starters and leavers
  • Inad­equate excep­tion report­ing and super­vis­ory con­trols may be in place, lead­ing to fail­ure to detect fraud or error
  • Unau­thor­ised access to the human resources and payroll sys­tem may lead to cor­rup­tion of inform­a­tion or data theft

Areas for Improvement

| Ref. | Sig. | Finding Summary | Recommendation |
| --- | --- | --- | --- |
| 1 | | It is important that there is segregation of duties between payroll and HR to minimise the potential for fraud; no employee should be able to amend employee details on the HR system and also process payroll. | We acknowledge that while the Payroll & Finance Officer has access to the HR system, they do not use it. However, it is our recommendation that the Payroll & Finance Officer's access rights to the HR system be removed. |
| 2 | | It is important that amendments to the payroll are properly approved to ensure that only accurate and authorised changes are processed. | It is our recommendation that a third party with appropriate level of authority reviews and approves the monthly payroll amendment memo prepared by the Head of Organisational Development. |

Detailed Find­ings and Recommendations

Risk: Incor­rect or unau­thor­ised pay­ments may be made

| Ref. | Finding | Sig. | Recommendation |
| --- | --- | --- | --- |
| 1 | It is important that there is segregation of duties between payroll and HR to minimise the potential for fraud; no employee should be able to amend employee details on the HR system and also process payroll. | | We acknowledge that while the Payroll & Finance Officer has access to the HR system, they do not use it; however, it is our recommendation that the Payroll & Finance Officer's access rights to the HR system be removed. |
| 2 | It is important that amendments to the payroll are properly approved to ensure that only accurate and authorised changes are processed. | | It is our recommendation that a review of the monthly payroll adjustment memo and spot check of changes is incorporated into the Director of Corporate Services' review and authorisation of monthly payroll and the monthly payroll amendment memo prepared by the Head of Organisational Development. |
| 3 | It is important that there is sufficient review and authorisation of the payroll at each stage of the process to ensure that payments made are accurate. | | We recommend that in addition to the payroll report and BACS reports run each month, CNPA produce a post-payment report which should be reviewed and signed by the Director of Corporate Services. |

Risk: An adequate payroll and expense policy and pro­ced­ure has not been developed

| Ref. | Finding | Sig. | Recommendation |
| --- | --- | --- | --- |
| 4 | It is important that there is a clear policy and procedures in place regarding payroll administration to provide employees with guidance on the process to be followed. | | We recommend that CNPA conduct a regular peer review of the desk instructions to ensure that they remain accurate and up to date. Evidence of the review should be seen on the instructions with version control and the date reviewed noted. |
| 5 | It is important that, due to the sensitive nature of information held by staff involved in the payroll process, confidentiality is maintained. | | We recommend that all staff with access to payroll information are required to sign a confidentiality agreement. |

Risk: Inad­equate excep­tion report­ing and super­vis­ory con­trols may be in place, lead­ing to fail­ure to detect fraud or error

| Ref. | Finding | Sig. | Recommendation |
| --- | --- | --- | --- |
| 6 | It is important that exception reporting is used to identify any unexpected discrepancies in the payroll. Many payroll systems perform automatic exception reporting which will identify any changes to salaries from the previous month. | | It is our recommendation that the Authority investigate the potential for making use of automatic exception reporting. This may be within the capabilities of the current payroll system; a report would be generated of all the differences from the previous month's payroll which could be reviewed and authorised. |

Obser­va­tions

  1. During our review we found that while timesheets are required to be signed by both the employee and their line manager, this is done inconsistently. Timesheets do not form part of the payroll process but are used to keep track of employees’ TOIL from working flexi-time and monitor compliance with the Working Time Directive. Given that this did not impact on the payroll process, it has fallen out of the scope of the review; however, we would recommend that employees are reminded of the importance of having their timesheet appropriately approved to verify their hours worked. We would also recommend that HR perform regular spot checks on timesheets and return them to employees if not appropriately authorised.

Appendix I — Staff Interviewed

| Name | Job Title |
| --- | --- |
| Mark Tucker | Payroll & Finance Officer |
| Kate Christie | Head of Organisational Development |
| Pip Mackie | HR Officer |
| Sandy Allan | IT Service Manager |

BDO LLP appre­ci­ates the time provided by all the indi­vidu­als involved in this review and would like to thank them for their assist­ance and cooperation.

Appendix II — Definitions

| Level of Assurance | Design of Internal Control Framework: Findings from Review | Design of Internal Control Framework: Design Opinion | Operational Effectiveness of Internal Controls: Findings from Review | Operational Effectiveness of Internal Controls: Effectiveness Opinion |
| --- | --- | --- | --- | --- |
| Substantial | Appropriate procedures and controls in place to mitigate the key risks. | There is a sound system of internal control designed to achieve system objectives. | No, or only minor, exceptions found in testing of the procedures and controls. | The controls that are in place are being consistently applied. |
| Moderate | In the main there are appropriate procedures and controls in place to mitigate the key risks reviewed albeit with some that are not fully effective. | Generally a sound system of internal control designed to achieve system objectives with some exceptions. | A small number of exceptions found in testing of the procedures and controls. | Evidence of non-compliance with some controls, that may put some of the system objectives at risk. |
| Limited | A number of significant gaps identified in the procedures and controls in key areas. Where practical, efforts should be made to address in-year. | System of internal controls is weakened with system objectives at risk of not being achieved. | A number of reoccurring exceptions found in testing of the procedures and controls. Where practical, efforts should be made to address in-year. | Non-compliance with key procedures and controls places the system objectives at risk. |
| No | For all risk areas there are significant gaps in the procedures and controls. Failure to address in-year affects the quality of the organisation’s overall internal control framework. | Poor system of internal control. | Due to absence of effective controls and procedures, no reliance can be placed on their operation. Failure to address in-year affects the quality of the organisation’s overall internal control framework. | Non-compliance and/or compliance with inadequate controls. |

Recom­mend­a­tion Significance

  • High: A weak­ness where there is sub­stan­tial risk of loss, fraud, impro­pri­ety, poor value for money, or fail­ure to achieve organ­isa­tion­al object­ives. Such risk could lead to an adverse impact on the busi­ness. Remedi­al action must be taken urgently.
  • Medi­um: A weak­ness in con­trol which, although not fun­da­ment­al, relates to short­com­ings which expose indi­vidu­al busi­ness sys­tems to a less imme­di­ate level of threat­en­ing risk or poor value for money. Such a risk could impact on oper­a­tion­al object­ives and should be of con­cern to seni­or man­age­ment and requires prompt spe­cif­ic action.
  • Low: Areas that indi­vidu­ally have no sig­ni­fic­ant impact, but where man­age­ment would bene­fit from improved con­trols and/​or have the oppor­tun­ity to achieve great­er effect­ive­ness and/​or efficiency.

Appendix III — Terms of Reference

Back­ground

In accord­ance with the 2019 – 20 Intern­al Audit Plan, it was agreed that Intern­al Audit would review the design and oper­at­ing effect­ive­ness of the con­trols in place at Cairngorms Nation­al Park Author­ity sur­round­ing payroll admin­is­tra­tion arrangements.

Pur­pose of Review

The pur­pose of this review is to provide man­age­ment and the Audit & Risk Com­mit­tee with assur­ance that Cairngorms Nation­al Park Author­ity has well-designed, effect­ive con­trols in place in rela­tion to their payroll administration.

Key Risks

Based upon the risk assess­ment under­taken dur­ing the devel­op­ment of the intern­al audit oper­a­tion­al plan, through dis­cus­sions with man­age­ment, and our col­lect­ive audit know­ledge and under­stand­ing, the key risks asso­ci­ated with the area under review are:

  • An adequate payroll policy and pro­ced­ure has not been developed;
  • Incor­rect or unau­thor­ised payroll pay­ments may be made;
  • Amend­ments are not pro­cessed in a timely man­ner, not­ably in rela­tion to new starters and leavers;
  • Inad­equate excep­tion report­ing and super­vis­ory con­trols may be in place, lead­ing to fail­ure to detect fraud or error; and
  • Unau­thor­ised access to the human resources and payroll sys­tem may lead to cor­rup­tion of inform­a­tion or data theft.

BDO LLP Footer

BDO LLP, a UK lim­ited liab­il­ity part­ner­ship registered in Eng­land and Wales under num­ber OC305127, is a mem­ber of BDO Inter­na­tion­al Lim­ited, a UK com­pany lim­ited by guar­an­tee, and forms part of the inter­na­tion­al BDO net­work of inde­pend­ent mem­ber firms. A list of mem­bers’ names is open to inspec­tion at our registered office, 55 Baker Street, Lon­don W1U 7EU. BDO LLP is author­ised and reg­u­lated by the Fin­an­cial Con­duct Author­ity to con­duct invest­ment busi­ness. BDO is the brand name for the BDO net­work and for each of the BDO Mem­ber Firms. BDO North­ern Ire­land, a part­ner­ship formed in and under the laws of North­ern Ire­land, is licensed to oper­ate with­in the inter­na­tion­al BDO net­work of inde­pend­ent mem­ber firms. Copy­right ©2019 BDO LLP. All rights reserved. www​.bdo​.co​.uk
