230922AuCtteePaper2ExpenditureandCreditorsReport
Cairngorms National Park Authority
Internal Audit Report 2023⁄24
Expenditure and Creditors
August 2023
Page 1: (Image)
Page 2:
Cairngorms National Park Authority Internal Audit Report 2023⁄24 Expenditure and Creditors
- Executive Summary 1
- Management Action Plan 4
- Appendix A – Definitions 11
| Audit Sponsor | Key Contacts | Audit team |
|---|---|---|
| David Cameron, Deputy Chief Executive | Louise Allen, Head of Finance and Corporate Operations | Elizabeth Young, Chief Internal Auditor |
| Mark Tucker, Management Accountant | Stephanie Hume, Senior Audit Manager | |
| Amy Mackenzie, Management Accountant | Cameron Laurie, Internal Auditor | |
| Calum Guy, Graduate Trainee Accountant |
Page 3:
Executive Summary
Conclusion
Cairngorms National Park Authority (CNPA) has adequate controls in place over expenditure, with good practice being noted in the controls surrounding the validation of suppliers, the reconciliations undertaken between the purchase ledger and committed expenditure and the ongoing review of purchases to ensure prompt payment.
We have identified a small number of recommendations including the ability to evidence that segregation of duties has been employed throughout the process of committing expenditure, document control of internal procedures and the removal of inactive suppliers from the system.
Background and scope
In order to account completely and accurately for its use of resources and to ensure payments are made in accordance with national standards, CNPA needs to ensure that the processes and controls around expenditure and creditors are robust.
In accordance with the 2023/2024 Internal Audit Plan, we have reviewed the controls over the processing and monitoring of expenditure and creditor payments.
Page 4:
Control assessment
- There are clear policies, procedures and delegated authority levels in place and available to staff covering expenditure and creditor payments.
- Payments are made to valid and agreed creditors for goods and services confirmed as received, within the agreed timeframes.
- Payments made are consistent with expenditure commitment, adequately authorised and subject to review prior to release, with appropriate segregation of duties in place.
- Non-pay expenditure is accurately reflected in the financial ledger.
- The purchase ledger is reviewed regularly to minimise any disputed or overdue accounts.
(Image of a pie chart showing control assessment results)
Improvement actions by type and priority
(Image of a bar chart showing improvement actions by type and priority)
Three improvement actions have been identified from this review, all of which relate to the design of the controls in place. See Appendix A for definitions of colour coding.
Page 5:
Key findings
Good practice
- There is a clear Delegated Level of Authority in place, which provides comprehensive guidance for committing expenditure and authorisation of payment for goods and services.
- A new supplier form has been introduced as a means of documenting the verification process of new suppliers, with management confirming this form is also used for existing suppliers who have changed details.
- We confirmed via sample testing of 24 purchases that purchases are made only to valid and agreed creditors, after the receipt of goods, and all within 15 days of receipt.
- Our testing confirmed that regular reconciliations are undertaken between CNPA’s bank accounts, the data held within Sage, and the purchase and sales ledgers in order to ensure accurate reflection of expenditure.
- The status of invoices and purchases are monitored regularly to minimise overdue payments.
Areas for improvement
We have identified a small number of areas for improvement which, if addressed, would strengthen CNPA’s control framework. These include:
- Introducing document control on internal procedure documentation, in order to evidence that guidance is relevant and up to date.
- Considering the removal or re-verification of inactive supplier accounts on Sage.
- To formally document and standardise the purchasing process, in order to increase transparency and evidence the segregation of duties in place for purchases.
These are further discussed in the Management Action Plan below.
Impact on risk register
This review is linked to all financial risks from the Corporate Risk Register (as at February 2023).
The findings from this review do not raise significant concerns around the effectiveness of controls in place to manage these risks. Implementation of the findings identified in the Management Action Plan will strengthen the existing control environment in this area to better facilitate good practice and ensure guidelines are adhered to.
Acknowledgements
We would like to thank all staff consulted during this review for their assistance and co-operation.
Page 6:
Management Action Plan
Control Objective 1: There are clear policies, procedures, and delegated authority levels in place and available to staff covering expenditure and creditor payments. (Green)
1.1 Document control
We sought to confirm that sufficient policies and procedures, including the levels of delegated authority, are in place.
We were unable to confirm that policies and procedures related to the expenditure process have been subject to review and approval, with all procedure documents (with the exception of the Delegated Level of Authority dated in May 2023) undated. As such staff may find it hard to identify whether guidance is the most up to date and relevant to the processes to be undertaken.
Risk: There is a risk that, due to document control not being in place for several of the step-by-step procedures relevant to the process of committing expenditure, staff may follow out of date procedures potentially leading to error or confusion, particularly for potential new members of the department or anyone else unfamiliar with processes in applying the guidance set out in procedures.
Recommendation: CNPA should implement version control information on internal policies and procedures relevant to the expenditure and creditors process.
Management Action: (Grade 1 (Design)) Procedures were updated in advance of the Interim External Audit carried out by Mazars in April/May 2023. The format of the documentation has been amended to include a review date. A process for regular review of documentation will be established as part of the year-end/rollover routine.
Action owner: Management Accountant
Due date: 31 March 2024
Page 7:
Control Objective 2: Payments are made to valid and agreed creditors for goods and services confirmed as received, within the agreed timeframes. (Green)
2.1 Inactive suppliers on the Sage system
New Suppliers: We selected a sample of 24 suppliers to confirm that supplier verification checks were undertaken at the point the supplier was created. Of the 24 suppliers we were only able to obtain evidence of the verification undertaken on three of these. We were advised by management that this was due CNPA only commencing utilisation of a New Supplier Form in January 2023. For suppliers that predate this, verification was not documented as the controls in place were to phone the supplier to confirm the bank details as correct as seen on the invoice. As such we are satisfied a formal, documented means of verifying suppliers is now in place and confirmed that for the new suppliers tested from January 2023 onwards the New Supplier Form was completed.
Dormant Supplier Accounts: As a result of our testing we noted a number of suppliers on the system which are dormant, with five of the 24 suppliers selected for testing not used for over three years. From discussions with management it is unclear whether it would be possible for the organisation to remove inactive suppliers or mark them as inactive to ensure that a new verification process was undertaken should the supplier be used again in the future.
Risk: There is a risk that inactive or dormant supplier accounts are kept on the Sage system longer than necessary increasing the risk of fraud with the potential for dormant account details being used to fraudulently facilitate payment from CNPA, resulting in financial loss.
Recommendation: We recommend that CNPA identify accounts that have had no purchasing activity for a predetermined period of time (e.g. greater than 12 months) and investigate the possibility of making them inactive or removing their details. If this is not possible, CNPA should consider undertaking the updated verification processes for any accounts that have not been used for a set period of time should the supplier be utilised again.
Page 8:
Management Action: (Grade 1 (Design)) We have reviewed supplier bank details held on our Bank of Scotland Corporate Banking Online facility and removed all those that are no longer needed — both suppliers and employees. It is not possible to remove supplier accounts from SAGE on which transactions have been recorded. SAGE does not give us the facility to de-activate used accounts, although we can hide them from view. We can also remove bank details. Re-verification would seem to be the most pragmatic approach; we will amend our procedures to include the instructions that:
- Supplier accounts on SAGE will be reviewed annually (as part of the year-end process) to identify any that haven’t been used in the previous 12 months. Bank details will be removed from these accounts.
- Bank account details for supplier accounts unused for 12 months or more will be confirmed using the new supplier form.
- Any unused purchase ledger accounts on SAGE will be deleted.
Action owner: Finance Manager
Due date: 31 March 2024
Page 9:
Control Objective 3: Payments made are consistent with expenditure commitment, adequately authorised and subject to review prior to release, with appropriate segregation of duties in place. (Yellow)
3.1 Segregation of duties
The Delegated Levels of Authority document states that: “The interaction of DFA (delegated financial authority) and DPA (delegated procurement authority) is designed such that no one individual can authorise expenditure all the way from procurement to payment. This approach protects the organisation from fraudulent or inappropriate use of resources, and importantly, it also protects individual staff members from accusations of fraud or inappropriate use.”
As such, CNPA have a responsibility of ensuring appropriate segregation of duties is undertaken from the creation of a requisition, through to payment.
For a sample of 21 purchases, we tested whether segregation of duties had been undertaken between those raising and authorising the requisition, receiving the goods/services and authorising payment. Of the 21 purchases we were able to readily identify that segregation of duties has occurred between those requesting the requisition, approving the requisition, receiving the goods and requesting payment for 12 (57%) transactions. The most common format of evidencing segregation of duties for each purchase is maintaining the following documentation:
- Invoice with stamped evidence of receipt.
- Requisition form raised and approved by two different members of staff.
- Email chain from the receiver asking for approval of payment; and
- Email by budget holder with relevant authority confirming approval for payment has been granted.
For the remaining nine transactions:
- For six (29%) purchases, we could not initially ascertain who undertook the responsibilities of a) raising, b) authorising the requisition, c) receiving the goods/services and d) authorising payment. From the documentation provided, it was not clear who was responsible for these four activities and as such we could not confirm that appropriate segregation of duties was maintained. Following completion of fieldwork additional evidence was provided by management to supplement the initial documentation received and provide clarity the segregation of duties in the purchasing process for five of the sample items, with one remaining unclear.
- Two (10%) requisitions were not placed, as these purchases were made as part of a shared service agreement with the supplier and invoices are treated as a continuous supply.
- One (4%) requisition was not placed as the payment was on the basis of a claim form specific to a historical project. In this case the amount noted was the amount remaining in the claimant’s budget in the project pot, and payment was made against the items claimed in the form.
We noted that there is no agreement as to the standard documentation that should be retained to evidence segregation of duties, nor is this reflected in policies and procedures. This is the root cause of the issues noted in our testing.
Risk: There is a risk that, due to the lack of formalised, documented and standardised method of filing and retaining documentation pertaining to purchases, that the segregation of duties in purchasing cannot be evidenced. This could lead to issues in segregation of duties going unidentified, and result in fraudulent or inappropriate use of expenditure.
Recommendation: CNPA should promote the importance of the standardisation of documentation kept for each purchase, and require that for each commitment of expenditure the following should be documented and maintained:
- Requisition form — with a different signature for creation and approval.
- Invoice — with stamped evidence of receipt of goods/services
- Evidence of approval — this could be in the method of an email chain from a member with appropriate authority (as per the delegated levels of authority)
Page 10:
Management Action: (Grade 2 (Design)) We will reinforce with colleagues the importance of maintaining segregation of duties and of evidencing this within the trail of documentation – we are planning to deliver a set of workshops for the wider staff group to discuss procedures and will cover these matters at these events. Finance staff processing invoices will ensure that a standard set of documents is kept in support of each transaction. Where there is any deviation from standard procedure, this will be documented on the invoice. A review of expenditure on continuing services will be performed before the commencement of each financial year, and requisitions will be re-authorised to confirm the appropriateness of continuing with the existing business arrangement.
Action owner: Finance Manager
Due date: 31 March 2024
Page 11:
Control Objective 4: Non-pay expenditure is accurately reflected in the financial ledger. (Green)
No weaknesses identified
Daily reconciliations are carried out to ensure records held on Sage and within the purchase ledger match with committed expenditure detailed within the CNPA bank accounts, reconciling account debits in the previous day, into the Sage system and purchase ledger.
In addition to the daily checks undertaken, monthly, documented reconciliations are carried out for CNPA bank accounts. Reconciliations are carried out between the bank account statement, the purchase ledger and against the sales ledger. Reconciliations are signed off and for any items that do not reconcile, investigation narrative and explanation is sought.
We selected a sample of three months within the last year and observed that reconciliations had been undertaken for CNPA’s bank accounts against the purchase and sales ledgers. For any items that did not reconcile, we confirmed that an investigation had been undertaken and an explanation was provided.
Page 12:
Control Objective 5: The purchase ledger is reviewed regularly to minimise any disputed or overdue accounts. (Green)
No weaknesses identified
An invoice register is kept as a means of monitoring the status of purchase invoices. The invoice register provides a real-time method of monitoring the status of purchase invoices, in order to identify and mitigate disputed or overdue accounts before risk is realised. For each invoice, the register outlines:
- Date received
- Supplier
- Invoice date
- Invoice number
- Value
- The email of the staff member who provided approval
- Date the email requesting approval was sent
- When approval was returned
Management noted that overdue accounts or payments rarely happen, and when they do it is mostly due to approval for payment not being returned. In order to ensure this is minimised the invoice register is regularly reviewed, and approval is chased by members of the management accounting team. We have been able to observe the invoice register utilised in day-to-day work for the accounting staff, and we were able to observe that when accounts/payments are approaching being overdue, these are promptly chased up.
Page 13:
Appendix A – Definitions
Control assessments
| Code | Description |
|---|---|
| R | Fundamental absence or failure of key controls. |
| A | Control objective not achieved — controls are inadequate or ineffective. |
| Y | Control objective achieved — no major weaknesses but scope for improvement. |
| G | Control objective achieved — controls are adequate, effective and efficient. |
Management action grades
| Grade | Description |
|---|---|
| 4 | Very high risk exposure — major concerns requiring immediate senior attention that create fundamental risks within the organisation. |
| 3 | High risk exposure — absence / failure of key controls that create significant risks within the organisation. |
| 2 | Moderate risk exposure — controls are not working effectively and efficiently and may create moderate risks within the organisation. |
| 1 | Limited risk exposure — controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general house-keeping issues. |
Page 14:
© Azets 2023. All rights reserved. Azets refers to Azets Audit Services Limited. Registered in England & Wales Registered No. 09652677. VAT Registration No. 219 0608 22.
Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.