
230621AuCtteePaper1CNPAPayrollandExpenses

Cairngorms Nation­al Park Authority

Internal Audit Report 2022/23

Payroll and Expenses

March 2023



Audit Sponsor

  • David Cameron, Director of Corporate Services and Deputy CEO

Key Contacts

  • Mark Tucker, Management Accountant
  • Elly Milne, Payroll and Finance Officer
  • Pip Mackie, HR Manager

Audit team

  • Elizabeth Young, Chief Internal Auditor
  • Stephanie Hume, Senior Audit Manager
  • Lauren MacLean, Senior Internal Auditor


Exec­ut­ive Summary

Con­clu­sion

Although Cairngorms Nation­al Park Author­ity (CNPA) has adequate con­trols over the accur­ate and timely pro­cessing of payroll and expenses, we found there to be a lack of segreg­a­tion of duties through­out the pro­cess includ­ing over changes to stand­ing payroll data. We have raised recom­mend­a­tions aimed at redu­cing the poten­tial for fraud or error with­in payroll through such changes and the bet­ter main­ten­ance of audit trails.

We have also made a num­ber of recom­mend­a­tions relat­ing to clar­ity with­in policy and pro­ced­ure, changes to payroll data and test­ing of sys­tem back ups.

Back­ground and scope

In the annu­al accounts for the year ended March 2021, CNPA repor­ted an annu­al mean of 78 whole time equi­val­ent staff mem­bers, with staff costs totalling £3,411,000 and £49,000 of expenses (Board and Staff Costs). It is there­fore essen­tial that the payroll and expenses func­tion is sub­ject to robust con­trols to ensure staff are remu­ner­ated appro­pri­ately, laws and reg­u­la­tions com­plied with and CNPA funds are safeguarded.

In accordance with the 2022/23 Internal Audit Plan, we reviewed the policies and procedures in place for payroll and expenses as well as utilising data analytics to identify patterns and areas for further review.

Data Ana­lyt­ics

We obtained the employ­ee mas­ter­file con­tain­ing inform­a­tion of employ­ees includ­ing payroll num­bers, addresses and bank details for 130 employ­ee records relat­ing to 130 unique employ­ees. We also obtained monthly payroll trans­ac­tions for the peri­od from Novem­ber 2021 to Novem­ber 2022 with pay­ments to 159 employ­ees. The graphs below show the total payroll value – estim­ated using the earn­ings with­in the payroll trans­ac­tions data­set for monthly payrolls. We used data ana­lyt­ics to inform our test­ing where pos­sible through­out the audit.

(Insert graph here)



Con­trol assessment

  1. There are clear policies and pro­ced­ures in place for payroll and expenses.
  2. Payroll and expenses pay­ments are made to val­id employ­ees only, at the cor­rect and author­ised rate.
  3. Changes to payroll stand­ing data (includ­ing addi­tion of starters, remov­al of leav­ers and pro­cesses of salary changes) are author­ised and pro­cessed on a timely basis.
  4. Payroll and expenses pay­ments are appro­pri­ately reviewed and approved pri­or to release and are recon­ciled for accur­acy on a timely basis.
  5. Payroll and expenses data is held securely and unau­thor­ised access is prevented.

(Insert graph here)

Nine improve­ment actions have been iden­ti­fied from this review, three of which relate to com­pli­ance with exist­ing pro­ced­ures, rather than the design of con­trols them­selves. See Appendix A for defin­i­tions of col­our coding.



Key find­ings

Good prac­tice

  • We con­firmed through sample test­ing that employ­ees have been paid as expec­ted and in line with their con­tract. We also reviewed a sample of employ­ees who had been on sick leave and con­firmed they had been paid cor­rectly dur­ing that time, includ­ing where any manu­al adjust­ments to the payroll sys­tem were required.
  • We tested a sample of pay runs and con­firmed that they were car­ried out in line with agreed dates (with staff being paid on the 28th of each month).
  • CNPA have an up-to-date expenses policy in place, which was last reviewed in August 2022.
  • Pay run sum­mar­ies, BACS sched­ules and excep­tion reports are run on a monthly basis and issued to the Man­age­ment Account­ant and the Dir­ect­or of Cor­por­ate Ser­vices & Deputy CEO for review and approval.
  • Access to the payroll sys­tem is lim­ited to those who require it for their role and pro­tec­ted by unique user­names and passwords.

Areas for improvement

We have iden­ti­fied a num­ber of areas for improve­ment, which if imple­men­ted would strengthen CNPA’s con­trol frame­work. These include:

  • Ensur­ing roles and respons­ib­il­it­ies of staff are clearly out­lined with­in policies and guidance.
  • Imple­ment­ing a require­ment for back-up evid­ence to be included with changes required to payroll data. In addi­tion determ­in­ing, giv­en the small team, wheth­er segreg­a­tion of duties is achiev­able when input­ting data into the HR and payroll systems.
  • Ensuring CNPA receive regular assurance over continuity and recovery arrangements of the ‘Access’ payroll system.

These are fur­ther dis­cussed, along with more minor find­ings in the Man­age­ment Action Plan below.

Impact on risk register

The Cairngorms Nation­al Park Author­ity cor­por­ate risk register (dated Decem­ber 2022) included the fol­low­ing risks rel­ev­ant to this review:

A1: Resources: pub­lic sec­tor fin­ances con­strain capa­city to alloc­ate suf­fi­cient resources to deliv­er cor­por­ate plan.

A22: Tech­nic­al: Busi­ness Con­tinu­ity Plans (BCP) are inad­equate to deal with sig­ni­fic­ant impacts to nor­mal work­ing arrange­ments and res­ult in ser­vice failure.

In gen­er­al, the find­ings from this review do not raise sig­ni­fic­ant con­cerns around the effect­ive­ness of con­trols in place to man­age these risks. How­ever, with the payroll sys­tem back-ups being out­sourced, man­age­ment should con­sider the impact on busi­ness con­tinu­ity plans.



Acknow­ledge­ments

We would like to thank all staff con­sul­ted dur­ing this review for their assist­ance and co-operation.



Man­age­ment Action Plan

Con­trol Object­ive 1: There are clear policies and pro­ced­ures in place for payroll and expenses.

1.1 Payroll desk instructions

CNPA’s monthly payroll processing desk instructions set out the process for making amendments to payroll, such as starters and leavers, as well as how to run the payroll reports and complete reconciliations. We noted that not all roles and responsibilities are clearly set out, for example who is responsible for authorising following processing. We also noted that there is a section within the document to record approval by the Director of Corporate Services, as confirmation they are an accurate reflection of the expected process, but this was left blank.

Risk: There is a risk that staff are unclear on their responsibilities for payroll processing, as the desk instructions are not comprehensive, which may result in incorrect payments and risk of reputational damage.

Recom­mend­a­tion: Man­age­ment should update the desk instruc­tions to cap­ture the end-to-end pro­cess roles and respons­ib­il­it­ies and provide an out­line timeline (without dates). In addi­tion, where form­al sign off is required an audit trail of this should be maintained.

(Man­age­ment Action Table)



Con­trol Object­ive 2: Payroll and expenses pay­ments are made to val­id employ­ees only, at the cor­rect author­ised rate.

2.1 Payr­un reconciliation

The majority of payroll calculations are processed automatically by the payroll system ‘Access’, with those calculations based on the information input for each employee, for example salary, hours, tax code etc. Manual adjustments are required for the cycle to work scheme, purchase of additional annual leave and statutory sick pay. We reviewed the process for manual adjustments and noted that it does not include a secondary check by a separate member of staff to ensure the calculation is correct. We note that the monthly payrun is reconciled against the finance system, SAGE, to ensure the calculations are correct following processing. We tested three months’ reconciliations and noted that in one of those months a variance of £579.23 between the systems was identified. Staff were unable to explain the reason for this during fieldwork.

Risk: There is a risk that employ­ees are not paid the cor­rect value as Access payr­uns do not fully recon­cile to SAGE fin­ance reports, lead­ing to fin­an­cial loss, incor­rect accounts and repu­ta­tion­al damage.

Recommendation: We recommend that CNPA investigate the variance to confirm if there has been an error in either of the systems or if a manual adjustment has been made. CNPA should also clarify the circumstances in which manual adjustments are made and agree a process for secondary checks before running the payroll.

(Man­age­ment Action Table)

2.2 HR bank details

We obtained the Employee Master file from the HR System to confirm that there were no duplicate employees and that unique bank details were held for each individual. We found that bank details were missing for four employees. Management confirmed that as the Payroll and HR systems are separate and do not link in any way there is no requirement for this information to be held on the HR system. Therefore it is unclear why CNPA are holding all staff bank details on the HR system if not required for processing the data, considering GDPR regulations.

Risk: There is a risk of payroll data being held in HR systems, as the need has not been adequately considered, resulting in the data being uncontrolled, inconsistent and increasing the likelihood of contravening the Data Protection Act.

Recom­mend­a­tion: We recom­mend that CNPA review the inform­a­tion held on both HR and payroll sys­tems to con­firm what inform­a­tion is duplic­ated and that only neces­sary inform­a­tion is held with­in each sys­tem. If iden­ti­fied as unne­ces­sary, the data should be removed from the system.

(Man­age­ment Action Table)



Control Objective 3: Changes to payroll standing data (including addition of starters, removal of leavers and processes of salary changes) are authorised and processed on a timely basis.

3.1 Changes to payroll data

New starts: When a new employee joins CNPA they are required to fill in a range of new start forms. These forms are returned to HR who review for any missing information. Once complete, either the HR Manager or HR Officer input the information into the ‘People HR’ system. We note there is no secondary check to ensure the accuracy of the data input. Similarly there is no ‘back up’ documentation provided or segregation of duties when the Payroll and Finance Officer creates a new start on the payroll system, increasing the risk of ghost employees being created and paid fraudulently.

Leavers: CNPA does not require leavers forms to be completed when an employee is leaving the organisation. Instead leavers send their letter of resignation to the HR inbox, copying in their line manager. In some cases, employee contracts will have a fixed end date, and, in these circumstances, HR will issue the employee with a letter to notify them that their contract is ending (linked to MAP 3.3). Once notification is received, the HR Manager or HR Officer will access the employee’s record and use the ‘leaver wizard’ to input relevant information such as their last day of employment and last working day. The wizard will then calculate their last pay, including any outstanding annual leave entitlement. There are no secondary checks or segregation of duties when processing the leaver on the HR system. Leavers are included on the list given to Payroll and although this is signed off by the Head of Organisational Development, no supporting documentation is provided. Based on the entitlement for the year, the Payroll and Finance Officer will calculate their outstanding leave manually and check against what has already been taken but otherwise no additional checks are undertaken and there is no segregation of duties when inputting into the payroll system.

Amend­ments: As with leav­ers, no forms are used to record changes needed to an employee’s payroll data. While we note HR will often be aware of a change as they will have been involved in the pro­cess e.g. a change to pay as a res­ult of pro­mo­tion or change of hours, this is not always the case as there is no form­al pro­cess for how they are noti­fied of changes to an employee’s record and what evid­ence is required to sup­port (see MAP 3.4). We did note that requests to amend bank details are received by the payroll inbox and the Payroll Officer will use the con­tact num­ber saved in the employee’s record to call and veri­fy the change. Changes are made to People HR by the HR Man­ager or HR Officer without any segreg­a­tion of duties. Any changes to an employee’s data with­in the month are included on the payroll memo passed to the Payroll team to be pro­cessed. Payroll will manu­ally enter the required changes, veri­fy­ing with HR if the change appears unusu­al but oth­er­wise no back up doc­u­ment­a­tion is provided or sec­ond­ary checks for accur­acy undertaken.

Risk: There is a risk that employees are fictitiously entered into the payroll system or incorrect details are input, as there is limited back up documentation provided and no secondary checks when inputting to the HR or payroll systems, resulting in potential fraudulent payments or employees not being paid correctly.

Recom­mend­a­tion: Man­age­ment should determ­ine, giv­en the small team, wheth­er segreg­a­tion of duties is achiev­able when input­ting data into the HR and payroll sys­tems. Where this is not the case man­age­ment should determ­ine if any addi­tion­al con­trols are required, e.g. lim­ited peri­od­ic sample testing.

(Man­age­ment Action Table)

3.2 Integ­rity of sys­tem data

We carried out analytics to compare new starts’ first pay with their start date, to confirm that they received it on a timely basis. We found 16 of the 43 starters reviewed (37%) received their first pay more than 44 days after their start date. We selected a sample of three of these individuals and were able to confirm in all instances that the start date or pay date on the system was not reflective of when the staff member commenced post or was paid. In each case we confirmed the staff member was paid within one month of starting. In some instances, it appeared the start date had been input in an American date format (i.e. MM/DD/YYYY), but the pay date in British date format (i.e. DD/MM/YYYY), appearing to cause a lag; however, in other instances we were unable to determine from our review why the dates entered were different. In addition, our data analytics identified that 32 of the 34 leavers reviewed (94%) received their last pay in a timely manner. We reviewed the remaining two instances and confirmed that payment had been received in a timely manner and the final day of employment as recorded in the system was incorrect. Therefore no adjustment to pay was required.

Risk: There are therefore issues with the accurate recording of data across some staff records. There is a risk of incorrect or inconsistent data being held on the system if information is not input correctly, leading to inaccurate reporting or erroneous payments being made to employees.

Recom­mend­a­tion: Man­age­ment should also invest­ig­ate the reas­ons for the sys­tem reports not being reflect­ive of start and leave dates for staff. Fur­ther, staff across the HR and payroll teams should agree a form­al date format to be used across sys­tems to ensure con­sist­ency of information.

(Man­age­ment Action Table)
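The masterfile checks described in 2.2 and 3.2 can be scripted as in the following added example, which is not part of the audit report or CNPA's tooling. The field names and all records are constructed for illustration; only the 44-day threshold and the DD/MM versus MM/DD explanation come from the report.

```python
from collections import defaultdict
from datetime import datetime

LAG_LIMIT_DAYS = 44  # threshold used in the report's first-pay analysis

# Constructed sample data (not real records); dates are strings as exported.
MASTERFILE = [
    {"payroll_no": "1001", "start": "03/10/2022", "sort_code": "000001", "account": "11111111"},
    {"payroll_no": "1002", "start": "10/03/2022", "sort_code": "000002", "account": "22222222"},
    {"payroll_no": "1003", "start": "15/06/2022", "sort_code": "", "account": ""},
    {"payroll_no": "1004", "start": "01/02/2022", "sort_code": "000001", "account": "11111111"},
    {"payroll_no": "1005", "start": "20/01/2022", "sort_code": "000005", "account": "55555555"},
]
PAYMENTS = [  # (payroll_no, pay date in DD/MM/YYYY)
    ("1001", "28/10/2022"), ("1001", "28/11/2022"),
    ("1002", "28/10/2022"),
    ("1003", "28/06/2022"),
    ("1004", "28/02/2022"),
    ("1005", "28/04/2022"),
]

def parse(text, fmt="%d/%m/%Y"):
    """Return a date, or None when the string is invalid for the format."""
    try:
        return datetime.strptime(text, fmt).date()
    except ValueError:
        return None

def first_pay_dates(payments):
    """Earliest valid pay date per payroll number."""
    first = {}
    for payroll_no, paid in payments:
        d = parse(paid)
        if d and (payroll_no not in first or d < first[payroll_no]):
            first[payroll_no] = d
    return first

def late_first_pay(masterfile, payments, limit=LAG_LIMIT_DAYS):
    """Flag starters first paid more than `limit` days after their start date,
    and report whether reading the start date as MM/DD/YYYY removes the lag."""
    first = first_pay_dates(payments)
    findings = []
    for rec in masterfile:
        start, paid = parse(rec["start"]), first.get(rec["payroll_no"])
        if start is None or paid is None:
            findings.append((rec["payroll_no"], None, "missing or invalid date"))
            continue
        lag = (paid - start).days
        if lag <= limit:
            continue
        swapped = parse(rec["start"], "%m/%d/%Y")
        explained = swapped is not None and 0 <= (paid - swapped).days <= limit
        findings.append((rec["payroll_no"], lag,
                         "likely day/month swap" if explained else "unexplained"))
    return findings

def bank_detail_exceptions(masterfile):
    """Return (payroll numbers with missing details, groups sharing an account)."""
    missing, by_account = [], defaultdict(list)
    for rec in masterfile:
        key = (rec["sort_code"], rec["account"])
        if not all(key):
            missing.append(rec["payroll_no"])
        else:
            by_account[key].append(rec["payroll_no"])
    shared = sorted(nos for nos in by_account.values() if len(nos) > 1)
    return missing, shared

if __name__ == "__main__":
    for row in late_first_pay(MASTERFILE, PAYMENTS):
        print("first pay:", row)
    print("bank details:", bank_detail_exceptions(MASTERFILE))
```

Records reported as "unexplained", and any accounts shared between payroll numbers, are the ones that need checking against source documents.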

3.3 End of con­tract notification

When employ­ee con­tracts have a fixed end date HR issue the employ­ee with a let­ter to noti­fy them that their con­tract is end­ing. We reviewed a sample of five leav­ers of this type and found that in one case, although HR were able to demon­strate that the employ­ee had been pro­cessed as a leav­er in a timely man­ner, we were unable to obtain the let­ter issued noti­fy­ing the employ­ee that their con­tract was due to end.

Risk: There is a risk that employ­ees on fixed term con­tracts are not pro­cessed as leav­ers in a timely man­ner as HR have not issued an end of con­tract let­ter to the employ­ee, res­ult­ing in a short-term fin­an­cial impact on the accounts.

Recommendation: HR should investigate whether the HR system is able to record and report on when leaver letters are issued. In the absence of this, management should consider using Outlook reminders or actions to flag when action is required for fixed term contracts.

(Man­age­ment Action Table)

3.4 Aware­ness of amend­ments required

There are a number of reasons a change may be required to an employee’s payroll data, e.g. change in hours, promotion, career breaks or changes to bank details (which has an appropriate checking process in place). Across four separate months we selected one amendment for review. In one of the four instances, HR did not have supporting documentation available, as the change related to a board member and HR do not have advance oversight of board discussion and appointments. As standard forms are not used to communicate payroll changes for Board members, staff noted that it can be difficult to keep on top of the changes required and often changes are being made retrospectively, leading to adjustments to payroll being backdated.

Risk: There is a risk that Board mem­bers receive incor­rect pay­ments, as payroll are not noti­fied of the change in a timely man­ner, res­ult­ing in short term fin­an­cial impact on the accounts and the mem­ber of staff.

Recom­mend­a­tion: Man­age­ment should devel­op and encour­age the use of tem­plate forms for amend­ment of data for Board mem­bers which impacts payroll, which are sup­por­ted by the rel­ev­ant evidence.

(Man­age­ment Action Table)



Con­trol Object­ive 4: Payroll and expenses pay­ments are appro­pri­ately reviewed and approved pri­or to release and are recon­ciled for accur­acy on a timely basis.

4.1 Expenses

The CNPA expenses policy sets out that: ‘Where staff are claiming fuel costs, car parking charges, bridge toll charges, bus, underground or taxi fares the appropriate receipts, used tickets or ticket stubs should be attached to the claim form. If a receipt or used ticket is not attached, then the reason for this should be noted on the claim form. Reimbursement may have to be refused if receipts are not attached.’ We tested a sample of 17 expenses claimed between November 2021 and November 2022 to confirm receipts had been provided and found that in:

  • two cases (12%), evid­ence was retained for part of the claim but not the full value.
  • six cases (35%), the expense claim related to fuel costs, but no receipt had been retained nor an explan­a­tion as to why no receipt was submitted.

The policy also states that employees should submit their expenses claims regularly to their line manager and within three months of being incurred. The Authority reserves the right to refuse to pay expenses claims submitted after three months from the date they were incurred, and delays beyond this time risk the capacity of line managers to appropriately verify the business reasons for the expenses being incurred. However, our testing identified one instance where an employee was paid a lump sum of expenses incurred between April and August 2021 with no rationale provided. Line managers are required to approve all expense claims by either signing off the expense claim form or submitting to the Finance team inbox with an email trail stating that they approve of the expenses. Our sample testing identified one which had not been approved by signature or email trail. Lastly, we assessed whether expense claims had been paid out in a timely manner. The expenses policy does not specify a time frame; therefore we used 30 days as a reasonable period for reimbursement to be made. We found that one claim had not been paid out within 30 days of the claim being submitted (60 days).

Risk: There is a risk that expenses paid to employ­ees are not value for money or fraud­u­lent, as evid­ence is not obtained, claims are not approved and the policy is unclear on appro­pri­ate expenses, res­ult­ing in inef­fect­ive use of fin­an­cial resources and lead­ing to repu­ta­tion­al damage.

Recommendation: Management should determine an appropriate time frame for expenses processing and document this within the expenses policy (MAP 1.2), in line with good practice. Employees should be reminded of the need to submit evidence along with their expenses claim and obtain their line manager’s approval, including justification and approval for those over 90 days. In addition, Finance staff should not process expense claims where the line manager has not signed off the expense form or provided approval via email.

(Man­age­ment Action Table)



Con­trol Object­ive 5: Payroll and expenses data is held securely, and unau­thor­ised access is prevented.

5.1 Data back-up

CNPA use a third-party software provider for their payroll system, Access. We understand that Access is a cloud-based system and that back-ups of payroll data are automatically taken each night and stored on the cloud. We attempted to confirm that data was being backed up as intended and that test and restore processes would work effectively in the event of an incident; however, we were unable to evidence this during the audit as staff were unsure how these backups would be accessed.

Risk: There is a risk that payroll data is not access­ible as con­tinu­ity arrange­ments are not in place or tested, res­ult­ing in an inab­il­ity to run payroll and pay employ­ees on a timely basis.

Recom­mend­a­tion: Man­age­ment should con­firm that the arrange­ments in place for the back-up of payroll data remain val­id and that they receive reg­u­lar assur­ance over con­tinu­ity and recov­ery arrange­ments. CNPA should also peri­od­ic­ally arrange to par­ti­cip­ate in access and recov­ery tests.

(Man­age­ment Action Table)



Appendix A – Definitions

Con­trol assessments

  • R: Fun­da­ment­al absence or fail­ure of key controls.
  • A: Con­trol object­ive not achieved — con­trols are inad­equate or ineffective.
  • Y: Con­trol object­ive achieved — no major weak­nesses but scope for improvement.
  • G: Con­trol object­ive achieved — con­trols are adequate, effect­ive and efficient.

Man­age­ment action grades

  • 4: Very high risk expos­ure — major con­cerns requir­ing imme­di­ate seni­or atten­tion that cre­ate fun­da­ment­al risks with­in the organisation.
  • 3: High risk expos­ure — absence / fail­ure of key con­trols that cre­ate sig­ni­fic­ant risks with­in the organisation.
  • 2: Mod­er­ate risk expos­ure — con­trols are not work­ing effect­ively and effi­ciently and may cre­ate mod­er­ate risks with­in the organisation.
  • 1: Lim­ited risk expos­ure — con­trols are work­ing effect­ively, but could be strengthened to pre­vent the cre­ation of minor risks or address gen­er­al house-keep­ing issues.
