
WARDS All Chief Internal Auditor Internal Audit Quarterly...

Date post: 28-Jun-2020
Page 1: WARDS All Chief Internal Auditor Internal Audit Quarterly ...democracy.lbhf.gov.uk/documents/s1897/Internal Audit Report.pdf · WARDS All RECOMMENDATION: a) To note the contents of

30 November 2009

CONTRIBUTORS

Chief Internal Auditor

Subject Internal Audit Quarterly report for the period to 30 September 2009

WARDS All

RECOMMENDATION: a) To note the contents of this report

CONTENTS

1. Introduction
2. Internal Audit Coverage
3. Internal Audit Service
4. 2009/10 Internal Audit Plan
Appendix A Audit reports issued 1 July to 30 September 2009
Appendix B Limited and No Assurance Final Audit Reports
Appendix C Internal Audit reports in issue more than two weeks
Appendix D Audit Recommendations outstanding

1. Introduction

1.1 This report summarises internal audit activity in respect of audit reports issued during the period 1 July to 30 September 2009 as well as reporting on the performance of the Internal Audit service.

2. Internal Audit Coverage

2.1 The primary objective of each audit is to arrive at an assurance opinion regarding the robustness of the internal controls within the financial or operational system under review. Where weaknesses are found internal audit will propose solutions to management to improve controls, thus reducing opportunities for error or fraud. In this respect, an audit is only effective if management agree audit recommendations and implement changes in a timely manner.

2.2 A total of 24 reports were finalised in the second quarter of the 2009/2010 year (see Appendix A), of which 1 was a follow-up report. Two audit reports issued in this period received Limited Assurance (PCN Processing and Locata). All 10 recommendations raised in the Locata report have been reported as implemented and a follow-up audit will therefore be carried out. Two of the 7 recommendations in the PCN Processing report have been reported as implemented. Three others will be implemented as part of the Joint Parking Project with Kensington and Chelsea (about which a report is due to go to members in January 2010). The two remaining recommendations have passed their agreed implementation date but have not yet been reported as implemented.

2.3 The audit report process allows for management to respond following the issue of a draft report. Following agreement on findings and recommendations a final report is issued.

2.4 Two reports are maintained on an ongoing basis to which departments (including directors and FSB reps) have access and which departmental Internal Audit reps help to maintain. The first of these is a schedule of draft audit reports that have been issued for which responses have not been received for more than two weeks. These are listed in Appendix C for information and total 7.

Finance & Corporate Services has 4 reports outstanding and Schools has 3. None of these reports will be over 6 months old at the time of the Committee meeting. We are very pleased to report that there are no reports outstanding for Children’s Services (non-schools), Community Services, Environment Services or Residents Services.

2.5 The second report is a table, a copy of which has been provided at Appendix D, that shows there are now 32 audit recommendations made since Deloitte commenced their contract in October 2004 where the target date for the implementation of the recommendation has passed and they have either not been fully implemented or where the auditee has not provided any information on their progress in implementing the recommendation. This compares to the 25 reported as outstanding at the end of the previous quarter and is a slight deterioration in the overall position. We continue to work with departments and HFBP to further reduce the numbers outstanding.

2.6 The breakdown between departments is as follows:

• Community Services – 1
• Environment Services Dept – 17
• Finance & Corporate Services Dept – 12 (of which 4 relate to IT)
• Residents Services – 2

There are no outstanding recommendations to report in respect of Children’s Services (schools or non-schools).

[Chart: Internal Audit recommendations outstanding as at 30 September 2009. Residents Services, 2; Finance & Corporate Services: non-IT, 8; Finance & Corporate Services: IT, 4; Environment Services, 17; Community Services, 1]

2.7 Of the 32 recommendations listed 24 are at least six months past their target date for implementation as at the date of the Committee meeting. 4 of these are over a year past their target date. All of the recommendations shown as over a year outstanding at the last meeting have now been reported as implemented.

2.8 1 of the outstanding recommendations relates to the 2006/7, 3 to the 2007/8, 28 to the 2008/9 and 1 to the 2009/10 year audit plan. The breakdown of recommendations implemented as a proportion of the total in each year can be seen below.

100% of recommendations made in 2004/5 and 2005/6 have been implemented.

Percentage of each year's audit recommendations past their implementation date that have been implemented:

Audit year | Percentage implemented | Recommendations implemented
2006/7 | 99.76% | 414 out of a total of 415 [1]
2007/8 | 99.49% | 392 out of a total of 394
2008/9 | 91.91% | 318 out of a total of 346
2009/10 | 85.71% | 6 out of a total of 7

[1] 1 further recommendation (Priority 1) remains outstanding for 2006/7 but the agreed implementation date is 31 December 2009 and it is therefore not included in these figures. We will continue to report implementation of recommendations from this year until all priority 1 and 2 recommendations have been fully implemented.

3. Internal Audit Service

3.1 Since the last report to the Audit Committee, there has been no structural change to the operation of the internal audit service. The in-house team consists of the Chief Internal Auditor (CIA) and Audit Manager. Deloitte Public Sector Internal Audit Ltd supply the resources for carrying out individual audits and also periodically provide management information to support the reporting requirements of the in-house team.

3.2 As part of the CIA’s function he is required to monitor the quality of Deloitte work. Formal monthly meetings are held with the Deloitte Contract Manager and one of the agenda items is an update on progress and a review of performance against key performance indicators. The performance figures are provided for the period from 1 October to 31 December 2008.

Performance Indicators 2008/2009 & 2009/10

Ref | Performance Indicator | Target | Pro rata target | YTD Performance | Variance | Comments
2008/09
1 | % of deliverables completed (2008/09) | N/A | N/A | 98% | N/A | 131 reports delivered out of a total plan of 134. The three remaining pieces of work will be issued and completed by the close of November.
2 | % of planned audit days delivered (2008/09) | N/A | N/A | 98% | N/A | 1,231 days delivered out of a total plan of 1,260. The remaining days will be completed by the close of November.
2009/10
3 | % of deliverables completed (2009/10) | 95% | 55% | 23% | -32% | 30 reports delivered out of a total plan of 133. As at 30 October, a total of 43 reports, including draft audit reports and management letters had been produced. The Deloitte General Manager is now working on site directly with the team to address the issues in respect of completing deliverables. Performance will continue to progress to end of quarter 3.
4 | % of planned audit days delivered (2009/10) | 95% | 50% | 50% | 0% | 587 days delivered out of a total plan of 1,165. The intention is to ensure that delivery of days continues to progress in line with the schedule of days for the year. Any problems with delivery are to be escalated to the CIA as per the agreed protocol.
5 | % of audit briefs issued no less than 10 working days before the start of the audit | 95% | 95% | 85% | -10% | 57 audit briefs out of 67 issued within PI requirement. Reasons for commencing work prior to the 10 working days from the issue of the brief to be reported to the CIA. Any agreed exceptions to be reported.
6 | % of Draft reports issued within 10 working days of exit meeting | 95% | 95% | 41% | -54% | 9 draft reports out of 22 issued within PI requirement. As at the end of October, 17 of 33 Draft Reports had been issued within 10 working days, increasing performance to 52%. The Deloitte General Manager is working directly with the team on site to improve performance in respect of report turnaround.

3.3 The table shows that Deloitte have not yet completed the 2008/09 plan, although we are aware that this is partially the result of issues arising from auditees. Progress towards the 2009/10 plan in terms of deliverables has been extremely disappointing, although 50% of the days required to be delivered in the year have been delivered in the first 6 months and there have been signs of some improvement since the end of September.

3.4 Meetings continue to be held with Deloitte at all levels and action plans have been put in place to review progress and establish strategies to address the ongoing issues with the delivery of this service, and to continue to develop the effectiveness of the service and the value it offers to the Council.

4. 2009/10 Internal Audit Plan

4.1 The 2009/10 audit plan was approved by the Audit Committee at its meeting on 11 March 2009 and amendments were approved at the meetings on 29 June and 22 September. There are currently no further proposed amendments requiring the Committee’s approval.

LOCAL GOVERNMENT ACT 2000 LIST OF BACKGROUND PAPERS

No. | Description of Background Papers | Name/Ext. of Holder of File/Copy | Department/Location
1. | Full audit reports from October 2004 to date | Geoff Drake, Ext. 2529 | Finance and Corporate Services, Internal Audit, HTH Extension, King Street, Hammersmith W6 9JU

APPENDIX A

Audit reports issued 1 July to 30 September 2009

We have finalised a total of twenty four audit reports for the period to 30 September 2009. Three relate to the 2009/10 programme, nineteen to the 2008/09 programme and two to 2007/09. We have also issued one follow-up report.

Audit Reports

We categorise our opinions according to our assessment of the controls in place and the level of compliance with these controls.

Audit Reports finalised in the period:

No. | Audit Plan | Audit Title | Director | Audit Assurance
1 | 2009/10 | Parks Constabulary | Lyn Carpenter | Substantial
2 | 2009/10 | Academy Revenues and Benefits Application (IT) | Jane West | Substantial
3 | 2009/10 | The Bridge Academy | Andrew Christie | Substantial
4 | 2008/09 | ICPS | Nigel Pallace | Substantial
5 | 2008/09 | PCN Processing (ISA 315) | Nigel Pallace | Limited
6 | 2008/09 | Confirm Application (IT) | Nigel Pallace | Substantial
7 | 2008/09 | Construction (Design) Management Regulations – Environment BTS | Nigel Pallace | Substantial
8 | 2008/09 | Human Resources Arrangements | Jane West | Substantial
9 | 2008/09 | Vertical Contract-Hammersmith Road Bridge Phase 4 | Nigel Pallace | Substantial
10 | 2008/09 | Vertical Contract - Highways Carriageway Scheme | Nigel Pallace | Substantial
11 | 2008/09 | Capital Budgeting & Accounting | Jane West | Substantial
12 | 2008/09 | My h&f Applications | Jane West | Substantial
13 | 2008/09 | SIMS Application Audit | Andrew Christie | Substantial
14 | 2008/09 | Fulham Palace Road Establishment Audit | Lyn Carpenter | Substantial
15 | 2008/09 | Creditors Additional Testing | Jane West | Substantial
16 | 2008/09 | Business and Financial Planning | Nigel Pallace | Substantial
17 | 2008/09 | 3rd Sector Grants | James Reilly | Substantial
18 | 2008/09 | Corporate Governance - HF Homes | James Reilly | Substantial
19 | 2008/09 | Sickness Absence & Discretionary Leave | Jane West | Substantial
20 | 2008/09 | Strategic Planning-MTFS | Jane West | Full
21 | 2008/09 | Preparedness for Recession | Jane West | Substantial
22 | 2007/08 | Locata | James Reilly | Limited
23 | 2007/08 | Consol | Jane West | Substantial

Audit Reports

Full Assurance: There is a sound system of control designed to achieve the system objectives and the controls are being consistently applied.

Substantial Assurance: While there is a basically sound system, there are weaknesses, which put some of the system objectives at risk, and/or there is evidence that the level of non-compliance with some of the controls may put some of the system objectives at risk.

Limited Assurance: Weaknesses in the system of controls are such as to put the system objectives at risk, and/or the level of non-compliance puts the system objectives at risk.

No Assurance: Control is generally weak, leaving the system open to significant error or abuse, and/or significant non-compliance with basic controls leaves the system open to error or abuse.

Other Reports

Findings on recommendation implementation (last four columns):

No. | Audit Plan | Audit Title | Director | Fully Implemented (or ongoing) | No longer Applicable | Still outstanding | Total
24 | 2008/09 | ISO27001 Follow-up Letter | Jane West | 35 | 1 | 18 | 54

APPENDIX B

Limited and No Assurance Final Audit Reports

In quarter two of 2009-10 we have issued two limited assurance final reports. These relate to PCN Processing and Locata.

London Borough of Hammersmith and Fulham Locata Application Final Internal Audit Report July 2009

This report and the work connected therewith are subject to the Terms and Conditions of the contract dated 01/10/04 between London Borough of Hammersmith and Fulham and Deloitte & Touche Public Sector Internal Audit Limited. The report is produced solely for the use of London Borough of Hammersmith and Fulham. Its contents should not be quoted or referred to in whole or in part without our prior written consent except as required by law. Deloitte & Touche Public Sector Internal Audit Limited will accept no responsibility to any third party, as the report has not been prepared, and is not intended for any other purpose.

Stage | Officer | Date
Exit meeting | Interim Assistant Director of Housing Options and Rehousing Manager | 19/03/2008
Draft report issued to | Interim Assistant Director of Housing Options, Rehousing Manager, Assistant Director of Resources, Community Services, Director of Community Services, Head of IT Strategy and Director of Finance | 03/04/2008
Responses added by | HFBP, 26/11/2008 | 26/11/2008
Approved by Director | Director of Community Services | 22/06/2009
Final report issued to | Interim Assistant Director of Housing Options, Rehousing Manager, Assistant Director of Resources, Community Services, Housing Opportunities Service Manager, Head of IT Strategy, Director of Finance, Director of Community Services | 17/07/2009

Final Report

Contents

Executive Summary
Observations and Recommendations
Appendix 1 – Audit Framework
Statement of Responsibility

Executive Summary

Department: Community Services
Audit: Locata Application
Director: Interim Assistant Director of Housing Options
Auditee: Rehousing Manager
Reference: 7COM18
Audit Approach: System
Date: July 2009

Report Distribution:

• Richard Kent, Rehousing Manager
• Gareth Mead, Interim Assistant Director of Housing Options
• Caroline Wilkinson, Assistant Director of Resources, Community Services
• James Reilly, Director of Community Services
• Jane West, Director of Finance
• Jackie Hudson, Head of IT Strategy

This report details the Internal Audit of the procedures and controls in place over the Locata Application and has been undertaken in accordance with the 2007/2008 Internal Audit Plan agreed with Hammersmith and Fulham Council.

The Locata application is an IT allocations system used for choice-based lettings. The system was used by the London Boroughs of Brent, Ealing, Harrow, Hillingdon and Hounslow and three Registered Social Landlords (RSLs). The London Borough of Hammersmith and Fulham joined this West London scheme in 2002. Since then, two Housing Associations, the Royal Borough of Kensington and Chelsea and four more RSLs have also joined.

Audit Assurance

On the basis of our work undertaken we are able to offer a Limited Assurance opinion. Weaknesses in the system of controls are such as to put the system objectives at risk, and the level of non-compliance puts the system objectives at risk.

There are no recommendations arising as a result of our work in the following areas:

• Output Control; and
• Interfaces with Other Authorities – The Locata application is hosted on a server located in West London, and the Council’s Housing Management application, iWorld, is held on a separate server.

Those areas covered as requiring management consideration are detailed below:

Access Control

When set up on the application, users are issued with a default password. The system does not force users to change their default password upon their first log on to Locata. The user password tables are not encrypted and can be viewed in plain-text format by the Technical Team at Locata (Sector UK Ltd). There are three users of Locata in the Council who are assigned all of the access privileges in Locata. Attempts to access Locata with an invalid password were allowed in excess of three times and a system lock is not applied. Furthermore, a log of security violations is not produced.

Data Input

Users with higher level access privileges (such as ‘Edit Properties and Members’) are able to make amendments to the data of Partner organisations. Similarly, it is possible for those users with the privileges in Partner organisations to amend the Council’s data. It was established that where users had made changes to the band of a member, the audit trail function in Locata had recorded the names of officers who were no longer employed by the Council as those who had made the change to the band. A recommendation was raised in the general audit of Locata for a report showing band changes to be produced and authorised.

Data Processing

A daily update is run every morning, which uploads data from iWorld into Locata. In the event that a change needs to be made to a Property or Member, changes made in iWorld are not updated in Locata until the following day, following the upload. Therefore, some amendments are required to be made directly in Locata and these are not reflected in iWorld, unless the user amends the data in both systems. Some users are able to make amendments to the Member and Property Codes in Locata. If this occurs, the daily update from iWorld to Locata creates a new record for that Property and / or Member, as the code is not able to be matched to an existing record for a Member and / or Property.

Interface Controls

The daily update run each morning from iWorld to Locata is not reconciled, therefore there is no mechanism in place in order to identify any discrepancies in the number of Properties and / or Members uploaded to Locata.

Management Trail

Discussion identified that a review of amendments made in the past to the bands allocated to members found that the system indicated the changes had been made by staff who were no longer employed by the Council. This was unable to be verified by audit, however, a recommendation has been raised to address this.

Support Arrangements

There is a main point of contact in the Council who is the first point of contact for support to Locata, acting as a ‘gatekeeper’. Support is provided online 24 hours a day and 7 days a week in addition to telephone support on working days (Monday to Friday) from 08:00 to 17:00. However, it was unable to be established whether an agreed Service Level Agreement (SLA) was in place and any subsequent monitoring of the service provided. Escalation procedures and criteria by which the level of service being provided by Locata is monitored could not be evidenced.

Acknowledgement

We would like to take this opportunity to thank the management and staff of the Community Service Department (Housing Options), the Locata IT Team - Sector UK Limited, and the Application Support Team (Hammersmith and Fulham Bridge Partnership) for their assistance during the audit.

Observations and Recommendations

In order to assist management in using our reports:

a) We categorise our opinions according to our assessment of the controls in place and the level of compliance with these controls.

Full Assurance: There is a sound system of control designed to achieve the system objectives and the controls are being consistently applied.

Satisfactory Assurance: While there is a basically sound system, there are weaknesses which put some of the system objectives at risk, and/or there is evidence that the level of non-compliance with some of the controls may put some of the system objectives at risk.

Limited Assurance: Weaknesses in the system of controls are such as to put the system objectives at risk, and/or the level of non-compliance puts the system objectives at risk.

No Assurance: Control is generally weak, leaving the system open to significant error or abuse, and/or significant non-compliance with basic controls leaves the system open to error or abuse.

b) We categorise our recommendations according to their level of priority.

Priority 1: Major issues for the attention of senior management. To be implemented immediately or within one month.

Priority 2: Other recommendations for local management action. To be implemented within two months.

Priority 3: Minor matters. To be implemented within 6 months.

Staff Interviewed

• Richard Kent – Rehousing Manager;
• Maureen James – Rehousing Options Manager;
• Chris Wilkinson – IT Project Manager (LBH&F Bridge Partnership); and
• David Robertson – Technical Director (Sector UK Limited) – Locata.

Access Controls

1. Forced Password Change (Priority 2)

Recommendation: Management should consider discussing with the software vendor the possibility of the system being configured to force users to change the default system password on first login.

Rationale: Forced change of password at first login will help to ensure that the users of Locata are not using the same, default system password. Our review of the logical access controls on the application identified that users are not forced to change their default password upon first login. It was also found that when users are notified that they have been set up as a user with their username and password, they are not reminded that their password should be changed upon their first login to Locata. Where users are not forced to change their passwords, there is a risk that the confidentiality of the data held on the system may be compromised through unauthorised access to data.

Responsibility: HFBP, Chris Wilkinson

Management response: Changes to the Locata system are implemented by the supplier. HFBP will request a response for this recommendation from the supplier (Sector UK Limited) and discuss the outcome and agree the next steps with business. Housing Opportunities Service Manager – May 2009 – This does now occur. On first log in all users are required to change their passwords. Password change requests are also automatic every 3 months, so staff have to change the password every three months.

Deadline: 31 January 2009

2. Encryption of Password Tables (Priority 1)

Recommendation: It is recommended that the Password Tables for the application are encrypted.

Rationale: Encryption of the password tables would help to ensure that user passwords are illegible and therefore held in a secure format. It was found that the password tables are currently in plain-text and therefore system administrators are able to view the passwords of Locata's users. This was found to be a known problem however, at the time of audit, a solution had not yet been developed. Failure to encrypt user passwords could increase the risk of unauthorised access to the Locata.

Responsibility: HFBP, Chris Wilkinson

Management response: Changes to the Locata system are implemented by the supplier. HFBP will request a response for this recommendation from the supplier (Sector UK Limited) and discuss the outcome and agree the next steps with business. Chris Wilkinson, 03/06/2009: Informal response from Sector, December 2008: 25828 and 25829: Locata - it is recommended that the Password Tables for the application are encrypted. We’re working at the moment at implementing this.

Deadline: 31 December 2008

3. Review of User Access Permissions (Priority 2)

Recommendation: It is recommended that there is a review of the User Access Permissions for staff with access to Locata, with a view to ensure that there is a segregation of duties. This should include ensuring users who have system administrator user privileges are not also system users.

Rationale: A review of users and their level of access to Locata will help to ensure that users with excessive access permissions are identified and these permissions are removed to establish a full segregation of duties. User access to Locata was found to be restricted to seven different levels of access (number of users shown in brackets): Partner Administration (4); Set Up and Edit Users (4); Make Bids (116); Edit Properties and Members (50); Make Offers (25); Record Offer Results (25); and Set Up and Edit Schemes (10). Examination of the list of current users of Locata found that there are 3 users who have access to all the functions in Locata. Discussions with the users with access to all functions of Locata found that one user uses Locata to view only and therefore no access privileges are required to be assigned. It was found that the other users require access in order to undertake the administration of Locata in addition to their day to day role in Housing Options. Without a segregation of duties in place, there is an increased risk that users could be set up on Locata and used for fraudulent purposes, namely bidding and making offers for properties that members have already bid for.

Responsibility: Responsibility of this should be with the business. So should be assigned to the person who represented the business at this audit.

Management response: Housing Opportunities Service Manager – May 2009 – User Access Permission have been changed by Sector (the Locata IT Supplier) since October 2008. They have now assigned duties to particular roles therefore ensuring a role has very definitive access areas. Each user has an overall manager assigned to them who chooses a job role for the user, best fitting the job carried out by the user. The following are the roles and each role has different access permissions: Application Officer CRM (Client Record Management) LetStart Lettings Officer Locata Admin Locata staff Manager Mutual exchange Non full partner Voids Officer

Each role is offered automatic permissions to certain areas and has a manager allocated to them. For LBHF the overall Manager is Housing Opportunities Service Manager, who has a senior manager at Locata as his manager re access. There are a further two managers at LBHF, Anna Hall & Etiene Steyn. With regards to the audit report stating that system administrators should not also be users, a senior manager in Locata is the overall system administrator and Housing Opportunities Service Manager is the Administrator for LBHF, though also uses the system as his job role requires this.

Deadline: 14 July 2009

4. Restricted Number of Logons (Priority 2)

Recommendation: It is recommended that the system is configured to apply a system lock following three consecutive login attempts. In addition, the system should be configured to produce a log of these attempts, which should be reviewed regularly.

Rationale: Configuring the system to apply a system lock following three consecutive failed login attempts helps to limit the successful use of password hacking tools. Logging this activity and reviewing reports will help to identify potential unauthorised use of the system.

It was identified that the system advises the user that their login has failed when they enter an incorrect password and / or username to access the application. However, a system lock is not applied. As a result of this there are also no logs generated to report on unauthorised login attempts.

Failure to lock a user's account following three consecutive failed login attempts increases the risk that password hacking tools could be successfully used to gain access to the system.

Responsibility: HFBP Chris Wilkinson

Management response: Changes to the Locata system are implemented by the supplier. HFBP will request a response for this recommendation from the supplier (Sector UK Limited) and discuss the outcome and agree the next steps with business.

Housing Opportunities Service Manager – May 2009 – This has been partially implemented. Users are logged out after ten unsuccessful attempts to log into Locata.

Deadline: 31 January 2009
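The control recommended in item 4, as an added example that is not part of the audit report and is not Locata code: a lock after a configurable number of consecutive failed logins, a log entry for every attempt, and a review summary built from that log. The account, password, guess list and source address are constructed, and all function and class names are hypothetical.

```python
import hashlib
import hmac
from collections import Counter

SALT = b"constructed-demo-salt"  # constructed value, demo only


def digest(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


# Constructed credential store with a single account.
USERS = {"officer1": digest("Tuesday-Harbour-41")}


def verify(username, password):
    stored = USERS.get(username)
    # Always hash and compare so unknown usernames take a similar path.
    matches = hmac.compare_digest(digest(password), stored or b"\x00" * 32)
    return stored is not None and matches


class LoginGuard:
    def __init__(self, threshold=3):
        self.threshold = threshold
        self.failures = Counter()   # consecutive failures per username
        self.locked = set()
        self.audit_log = []         # every attempt is recorded for review

    def _record(self, username, source, event):
        self.audit_log.append({"seq": len(self.audit_log) + 1,
                               "user": username, "source": source,
                               "event": event})

    def attempt(self, username, password, source):
        if username in self.locked:
            # A locked account rejects even the correct password.
            self._record(username, source, "rejected_locked")
            return "locked"
        if verify(username, password):
            self.failures[username] = 0   # "consecutive" resets on success
            self._record(username, source, "success")
            return "ok"
        self.failures[username] += 1
        self._record(username, source, "failure")
        if self.failures[username] >= self.threshold:
            self.locked.add(username)
            self._record(username, source, "lockout")
            return "locked"
        return "failed"


def review(audit_log):
    """Summary an administrator would check in the regular log review."""
    count = lambda ev: dict(Counter(e["user"] for e in audit_log
                                    if e["event"] == ev))
    return {"failures": count("failure"),
            "lockouts": sorted(count("lockout")),
            "blocked_after_lock": count("rejected_locked")}


# Constructed guess list; the real password is the eighth entry.
GUESSES = ["password1", "locata2009", "letmein", "housing", "qwerty",
           "welcome1", "summer09", "Tuesday-Harbour-41", "admin", "dragon"]


def run_guess_list(threshold):
    """Replay the guess list and return (account_accessed, review summary)."""
    guard = LoginGuard(threshold)
    outcomes = [guard.attempt("officer1", g, "198.51.100.23") for g in GUESSES]
    return "ok" in outcomes, review(guard.audit_log)


if __name__ == "__main__":
    for threshold in (3, 10):   # recommended value, then the value reported in May 2009
        print(threshold, run_guess_list(threshold))
```

With a threshold of three the account locks before the eighth guess is evaluated; with a threshold of ten the same list reaches the correct password and no lockout is logged.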


Data Input

5. Amendments to Council Data (Priority 1)

Recommendation: It is recommended that exception reports are produced from the system on a periodic basis, that list changes that have been made by non-Council personnel to the Council’s Properties, Members, Allocations and Shortlists. These should be reviewed and then signed, dated and maintained for an appropriate period of time as evidence of the review.

Rationale: Exception reports from the system indicating where changes have been made to the Council's data will help to ensure that all changes to Council data have been made by authorised personnel. This also enables the council to monitor allocations of LBHF properties by other councils.

It was found that Council personnel with the user access privilege 'Edit Properties and Members' are able to administer changes to data across the system which includes changes made to Partner organisation data.

Failure to monitor exception reports showing changes made to the Council data (properties, members, allocations and shortlists) could increase the risk that unauthorised changes are made which are not detected, resulting in the unfair allocation of properties. Lack of review of changes made to the Council’s data can also increase the risk that the Council and its properties could be open to abuse and fraud by users of Locata in Partner organisations.

Responsibility: HFBP Chris Wilkinson

Management response: Changes to the Locata system are implemented by the supplier. HFBP will request a response for this recommendation from the supplier (Sector UK Limited) and discuss the outcome and agree the next steps with business.

Chris Wilkinson, 03/06/2009: Informal response from Sector, December 2008: 25832: Locata - It is recommended that exception reports are produced from the system on a periodic basis, that list changes that have been made by non-Council personnel to the Council's Properties, Members, Allocations and Shortlists. These should be reviewed and then signed, dated and maintained for an appropriate period of time as evidence of the review. Non Council personnel cannot change the Council’s properties, members, allocations or shortlists.

Deadline: 31 January 2009


Data Processing

6. Review of Processing Schedule (Priority 2)

Recommendation: It is recommended that management conduct a review of the current timetable for updates from iWorld to Locata with a view to increasing the number of data loads to suit business requirements.

Rationale: A review of the daily jobs will help to identify whether additional updates are required for the data load from iWorld into Locata.

There is currently a daily job which transfers relevant data from iWorld to Locata. There are instances where changes are required to be made to Properties or Members. If the changes were to be input into iWorld, these would not take effect until the following day - until the data load for that day has run. However, it was found that in the event a change is required to be made urgently and required to take effect in Locata, it must be done so in Locata directly. Users then also need to update iWorld to ensure that the same changes are reflected in the source system.

Failure to schedule jobs adequately could increase the risk that information held in both iWorld and Locata does not correlate and therefore does not meet business requirements.

Responsibility: Responsibility of this should be with the business. So should be assigned to the person who represented the business at this audit.

Management response: Once the business has identified the requirement and if the upload from iWorld is required to be run more frequently than daily, this can easily be implemented by HFBP.

Housing Opportunities Service Manager – May 2009 – Data download from I-World to Locata occurs on a daily basis every 24 hours. This is sufficient for the purposes of business. Also, as LBHF is part of the West London region who own and use Locata, any change needs to be raised at that level. The enquiry was raised with West London Allocations Lettings Group (WLALG) and there was no agreement for increasing the current timetable. The business requirements generally do not require more than daily dataloads.

Deadline: 14 July 2009


7. Property and Member Code Amendments (Priority 2)

Recommendation: It is recommended that consideration be given to locking the ability to edit Member and Property Codes in Locata. If implemented, this should be done in line with the review of the processing schedule to ensure that amendments made to Property and / or Member Codes are reflected in both applications.

Rationale: Disabling the ability to edit the Member and / or Property Codes in Locata will help to ensure that additional records of Members and Properties are not held unnecessarily on Locata.

It was found that those users with the User Access Privilege to 'Edit Properties and Members' (50 users) are able to make amendments to the Member and Property Codes in Locata. When changed in Locata, the daily update from iWorld to Locata will create a new record for that Property and / or Member, as the code is not able to be matched to an existing Member and / or Property record.

Allowing the Member and Property Codes to be edited in Locata could increase the risk that duplicate records are created and held under differing Property and Member Codes. This could in turn increase the risk of an adverse impact on the performance of the system.

Responsibility: Responsibility of this should be with the business. So should be assigned to the person who represented the business at this audit.

Management response: Housing Opportunities Service Manager – May 2009 – the ability to edit member (clients) and property details is present already. Different permissions are granted under the roles Application Officer CRM (Client Record Management) LetStart Lettings Officer Locata Admin Locata staff Manager Mutual exchange Non full partner Voids Officer

Each role is offered automatic permissions to certain areas and the Manager has the ability to further deny certain areas such as editing members (clients) and properties. Non Council personnel cannot change the Council properties, members (clients) allocations or shortlists.

Deadline: 14 July 2009


Interface Controls

8. Reconciliation of Data load from iWorld to Locata (Priority 1)

Recommendation: It is recommended that there is a reconciliation conducted of the records transferred from iWorld to Locata. In addition to this, the officer(s) responsible for undertaking this should be identified and the process documented.

Rationale: Conducting a reconciliation of the interface between iWorld and Locata will help to ensure that electronic data feeds are accurate and that errors are identified and dealt with on a timely basis. Identifying the officer(s) responsible will help to ensure that the task is completed on a regular basis.

It was found that a reconciliation of the data load from iWorld to Locata is not conducted. There is a Data Load Count report from Locata which details the number of records from the source system and the number of records in Locata. It was established that whilst the function to obtain this report is available from Locata, staff were unaware of this.

Failure to conduct a reconciliation of the interface could increase the risk that instances where the recipient system, Locata, fails to receive all data are not identified. This could lead to inadequate data held in Locata compromising the ability of Members to make bids for properties.

Responsibility: HFBP Chris Wilkinson

Management response: HFBP run the daily extract from iWorld and file transfer to Locata, but do not have the ability to get information from Locata system to reconcile the data. HFBP will request a response for this recommendation from the supplier (Sector UK Limited) and discuss the outcome and agree the next steps with business.

Housing Opportunities Service Manager – May 2009 – Locata have stated that there are a set of audit reports available from the report page that can provide the above information and that this is an internal issue for LBHF. Housing Opportunities Service Manager has arranged training for Managers for July/August 2009 re reports and how to obtain them through Sylvia James at Locata.

Deadline: 31 January 2009
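A sketch of the reconciliation recommended in item 8, as an added example that is not part of the audit report and does not use the real iWorld or Locata formats. It goes beyond a record count by comparing keys and field values, and it flags the duplicate-record case described in item 7, where a code edited in Locata no longer matches the source. The CSV layout, field names and records are constructed assumptions, and the function names are hypothetical.

```python
import csv
import io

# Constructed sample extracts; the column names are assumptions.
IWORLD_EXTRACT = """property_code,address,bedrooms
P001,1 Example Road,2
P002,2 Example Road,1
P003,3 Example Road,3
P004,4 Example Road,2
"""

LOCATA_RECORDS = """property_code,address,bedrooms
P001,1 Example Road,2
P002,2 Example Road,2
P003,3 Example Road,3
P003X,3 Example Road,3
"""


def load(text, key="property_code"):
    """Parse a CSV extract into {code: {field: value}}, rejecting repeated codes."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        code = row[key].strip()
        if code in rows:
            raise ValueError(f"duplicate key in extract: {code}")
        rows[code] = {f: v.strip() for f, v in row.items() if f != key}
    return rows


def reconcile(source, target):
    """Compare the source system (iWorld) with the recipient system (Locata)."""
    missing = sorted(source.keys() - target.keys())   # never arrived
    extra = sorted(target.keys() - source.keys())     # exist only in target
    mismatched = {
        code: sorted(f for f in source[code]
                     if source[code][f] != target[code].get(f))
        for code in sorted(source.keys() & target.keys())
        if source[code] != target[code]
    }
    # A target-only record whose details equal a source record held under
    # another code suggests the code was edited in the target system.
    suspected_duplicates = [
        (t, s) for t in extra for s in sorted(source)
        if source[s] == target[t]
    ]
    return {
        "source_count": len(source),
        "target_count": len(target),
        "missing_in_target": missing,
        "extra_in_target": extra,
        "mismatched": mismatched,
        "suspected_duplicates": suspected_duplicates,
        "clean": not (missing or extra or mismatched),
    }


if __name__ == "__main__":
    report = reconcile(load(IWORLD_EXTRACT), load(LOCATA_RECORDS))
    for name, value in report.items():
        print(f"{name}: {value}")
```

In the constructed data both systems hold four records, so the counts agree even though one record is missing, one differs and one is held under an edited code.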


Management Trail

9. Investigation of Management Trail Function (Priority 2)

Recommendation: It is recommended that Locata are instructed to undertake an investigation of the problem identified in the management trail of the system.

Rationale: An investigation of the management trail function in Locata will help to ensure that the function is performing adequately and when amendments are made to data, the officer who has made the change is reflected accurately.

Discussion with the Interim Assistant Director of Housing Options found that the Council has identified an issue with the audit trail function in Locata. A review of changes made to the banding level of some members showed that the amendment had been made by members of staff who were no longer employed by the Council, although evidence of this was not provided during the audit.

Failure to conduct an investigation into the management trail in Locata could increase the risk that management trails / system logs of officers who have made changes to data in Locata are inaccurate, hindering the ability to establish the actual officer who has made a change to data in the system.

Responsibility: HFBP Chris Wilkinson

Management response: HFBP will request a response for this recommendation from the supplier (Sector UK Limited) and discuss the outcome and agree the next steps with business.

Chris Wilkinson, 03/06/2009: I had not heard of this issue until my meeting with Rashid on 12/05/2009. Please let me know the details of the case in question, and I will then liaise with Locata/Sector to investigate what happened.

Deadline: 31 January 2009


Support Arrangements

10. Monitoring of the Service Level Agreement (Priority 1)

Recommendation: Management should ensure that as a member of the West London Allocations and Lettings Group (WLALG), the Service Level Agreement (SLA) between Locata and the Council should be located and monitored on a regular basis. Where underperformance is identified, corrective action should be undertaken.

Rationale: A clear, up to date and signed support agreement helps to ensure that each party understands their support obligations under the contract. Easy accessibility to the SLA assists those who need to know the contractual obligations expected and delivered under the terms of the contract and furthermore helps in the management and maintenance of the SLA.

A copy of the SLA was received from Locata, however, evidence of the SLA in the Council was unable to be established. This in turn indicated that the SLA is not monitored by the Council.

There is a risk that the Council is unaware of the level of service they are entitled to if the SLA with Locata is not monitored.

Responsibility: Responsibility of this should be with the business. So should be assigned to the person who represented the business at this audit.

Management response: Housing Opportunities Service Manager – May 2009 – Locata have been asked for an SLA and have failed to provide this. This now needs to be taken to the strategic Lettings Groups/Director level by senior managers.

Deadline: 30 September 2009


Appendix 1 - Audit Framework

Audit Objectives

The audit was designed to establish whether management have implemented adequate and effective controls over the Locata Application.

Audit Approach and Methodology

The audit approach was developed with reference to the agreed Method Statement and by an assessment of risks and management controls operating within each area of the scope. The following procedures were adopted:
• identification of the role and objectives of each area;
• identification of risks within the systems, and controls in existence to allow the control objectives to be achieved; and
• evaluation and testing of controls within the systems.

From these procedures we have identified weaknesses in the systems of control, produced specific proposals to improve the control environment and have drawn an overall conclusion on the design and operation of the system.

Areas Covered

Audit work was undertaken to cover the following areas:
• Access Control;
• Data Input;
• Data Processing;
• Output Control;
• Interface Controls;
• Interfaces with Other Authorities;
• Back-up and Recovery;
• Management Trail; and
• Support Arrangements.


Statement of Responsibility

We take responsibility for this report which is prepared on the basis of the limitations set out below.

The matters raised in this report are only those which came to our attention during the course of our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist or all improvements that might be made. Recommendations for improvements should be assessed by you for their full impact before they are implemented. The performance of internal audit work is not and should not be taken as a substitute for management’s responsibilities for the application of sound management practices.

We emphasise that the responsibility for a sound system of internal controls and the prevention and detection of fraud and other irregularities rests with management and work performed by internal audit should not be relied upon to identify all strengths and weaknesses in internal controls, nor relied upon to identify all circumstances of fraud or irregularity. Auditors, in conducting their work, are required to have regard to the possibility of fraud or irregularities. Even sound systems of internal control can only provide reasonable and not absolute assurance and may not be proof against collusive fraud.

Internal audit procedures are designed to focus on areas as identified by management as being of greatest risk and significance and as such we rely on management to provide us full access to their accounting records and transactions for the purposes of our audit work and to ensure the authenticity of these documents. Effective and timely implementation of our recommendations by management is important for the maintenance of a reliable internal control system.

The assurance level awarded in our internal audit report is not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board.

Deloitte & Touche Public Sector Internal Audit Limited
St Albans
July 2009

In this document references to Deloitte are references to Deloitte & Touche Public Sector Internal Audit Limited. Deloitte & Touche Public Sector Internal Audit Limited is a subsidiary of Deloitte LLP, which is the United Kingdom member firm of Deloitte Touche Tohmatsu. Deloitte Touche Tohmatsu is a Swiss Verein (association), and, as such, neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte”, “Deloitte Touche Tohmatsu”, or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein.

©2009 Deloitte & Touche Public Sector Internal Audit Limited. All rights reserved. Deloitte & Touche Public Sector Internal Audit Limited is registered in England


Final Internal Audit Report 2008/09

London Borough of Hammersmith & Fulham

Penalty Charge Notice (Parking) Processing

July 2009

This report has been prepared on the basis of the limitations set out on page 18


Contents

Executive Summary
Detailed Findings
Recommendations
Statement of Responsibility
Appendix A – Definition of Audit Opinions, Direction of Travel, Adequacy and Effectiveness
Appendix B – Audit Objectives & Scope
Appendix C – Audit Team & Staff Consulted
Appendix D – Audit Timetable

This report and the work connected therewith are subject to the Terms and Conditions of the Supply Agreement dated 25 April 2008 between London Borough of Hammersmith & Fulham and Deloitte & Touche Public Sector Internal Audit Limited. The report is produced solely for the use of London Borough of Hammersmith & Fulham. Its contents should not be quoted or referred to in whole or in part without our prior written consent except as required by law. Deloitte & Touche Public Sector Internal Audit Limited will accept no responsibility to any third party, as the report has not been prepared, and is not intended for any other purpose.


Executive Summary

Introduction

As part of the 2008/09 Internal Audit Plan, agreed by the Audit Committee on 12 March 2008, we have undertaken an internal audit of Penalty Charge Notice (PCN Parking) Processing. This report sets out our findings from the internal audit and raises recommendations to address areas of control weakness and / or potential areas of improvement. The agreed objective and scope of our work is set out at Appendix B.

Audit Opinion (defined at Appendix A)

None Limited Substantial Full

Rationale Supporting Award of Opinion and Direction of Travel

The audit work carried out by Internal Audit (the scope of which is detailed in Appendix B) indicated that weaknesses in the system of internal controls are such as to put the client’s objectives at risk and the level of non-compliance puts the client’s objectives at risk.

Weaknesses in control were identified in relation to reconciling income recorded on the ICPS system with OLAS. Also, it was noted that policies and procedures that have been produced are not reviewed annually and therefore documents reviewed during the audit were found to be out of date. Also, reports on performance indicators established in the contract with Mouchel Traffic Support are not received and therefore the contractual right to impose fines on the contractor cannot be exercised. With regard to outstanding payments, the income recovery timetable is not followed as Charge Certificates cannot currently be produced by ICPS, an issue the contractor is currently dealing with.

In addition, the following weaknesses were also identified: a write-off policy has not been produced and as a result non-recoverable charges since 1994 still appear outstanding; there was no evidence that the ICON suspense account is cleared regularly; and income collection rates are not monitored nor have relevant targets been established for the department.

The Direction of Travel provides a comparison to the previous audit visit. In this case we have indicated, using the arrow above, that there has been no change compared to our previous audit, for which limited assurance was given.

Priority 1 Recommendations

We have raised two priority 1 recommendations as a result of this internal audit. These are as follows:
• Monthly reconciliations between the ICPS and the OLAS systems should be conducted by someone independent to the Parking Services team;
• A write-offs policy should be established and approved by senior management. The policy should describe the circumstances under which a debt can be written off, when it should be written off and who has to provide authorisation.


Detailed Findings

Background

Parking attendants place parking tickets, known as ‘Penalty Charge Notice’ (PCN), on the vehicles contravening parking regulations and can, in appropriate cases, authorise the towing away or wheel clamping of the vehicles. This is a penalty imposed by the Local Authority, which decriminalises parking offences and transfers the responsibility from the Police to the Local Authority. PCNs can also be issued for offences caught on CCTV cameras.

Drivers wishing to contest liability for a penalty charge may make representations to the local authority and if these are rejected, they may have grounds to appeal to independent adjudicators, whose decision is final.

Penalty Charge Notice payments can be made by credit card, debit card, cheques, postal orders and online e-payments.

Mouchel Traffic Support Ltd are responsible for the PCN processing system ICPS. The administration of postal payments and postal correspondence has been subcontracted to Donnelly Ltd.

Area Summary

Area of Scope | Adequacy of Controls | Effectiveness of Controls | Recommendations Raised: Priority 1 | Priority 2 | Priority 3
Policies, Procedures and Legislation | | | 0 | 1 | 0
Contract Management | | | 0 | 2 | 0
Issue of PCNs | | | 0 | 0 | 0
Reconciliations, Interfaces and Payments | | | 1 | 1 | 0
Appeals | | | 0 | 0 | 0
Monitoring of Income Collection – Debtors | | | 1 | 0 | 0
Budgetary Control | | | 0 | 0 | 0
Performance Management | | | 0 | 1 | 0


Summary of Findings

In this section we set out a summary of our findings under each area of scope. This is a balanced summary where possible. Where weaknesses are identified, full details of these are included in the recommendations raised.

Policies, Procedures and Legislation

Since 2003, the Parking Services department has implemented a quality management system, which includes the production of procedure documents for all the operations of the department. It was verified that procedural documents are stored in the Quality Management Folder, which is shared with all members of staff. However, for a random sample of documents reviewed while accessing the Quality Management folder, it was noted that the last review date was in 2003. As a result, some documents included references to the previous IT system used. Therefore, a recommendation has been raised to ensure that policies and procedures are reviewed annually and updated as appropriate.

In order to ensure effective risk management, risks relevant to Parking Services have been included in the Environment Services Risk Register. In addition a Service Area Continuity Plan has been produced to cover arrangements in the event of a major disruption or service breakdown.

Contract Management

The Council has a contract in place with Mouchel Traffic Support (originally signed with Traffic Support Ltd in 2006) for the provision of the ICPS system as well as the provision of technical support services. Also, the agreement includes the provision of payments and correspondence processing by an approved sub-contractor, originally Astron and now Donnelly.

A copy of the contract was obtained and it was verified that it includes specific performance indicators for both activities and provisions for linking contractual payments to contractor’s performance. However, it was noted that the contractor has not been providing reports on performance indicators since initiation of the contract, therefore payments are not currently linked to performance in any way.

A report with open calls with regard to the ICPS system is provided on a weekly basis but it includes no other information (such as time taken to deal with any given issue). This is an issue identified in the previous audit visit of the department in 2006/07 financial year and has been re-raised.

Performance related issues are discussed in monthly performance meetings between the two parties. However, meetings have not been held regularly since the beginning of the financial year, mainly due to the absence of key personnel on behalf of the contractor. A recommendation has been raised regarding this.

Issue of PCNs

PCNs are issued on the street by Civil Enforcement Officers (CEOs). The Borough has been divided into 26 controlled parking zones which are inspected during specific hours. Civil Enforcement Officers are provided with a map when they report for duty and this process was observed during the audit. Moreover, in order to ensure that CEOs possess the required knowledge of offences, they are provided with training which is recorded in a training log.

PCNs issued during a specific day are automatically uploaded on the ICPS system through the handheld computers used by the officers. A dummy PCN created during testing was uploaded and it was verified that it was immediately available on the ICPS system.

PCNs can also be issued when offences are captured on CCTV cameras. The ticket is issued after information on the owner is received by DVLA. A request file is sent on a daily basis and information had been received for a sample of 20 CCTV PCNs tested. The actual ticket is issued automatically by the system, after the manager on duty has processed the relevant file.

In order to ensure that enough evidence is retained, in case the issue of a ticket is disputed and also so that cases can be independently reviewed by the correspondence team (who deal with complaints and representations), photographs of the offence are taken and uploaded on ICPS. The images are allocated to every case by software that matches the time of the issue of a PCN and the time the picture was taken. For a sample of twenty cases tested, no image had been uploaded on the system for one case. However, a recommendation has not been raised, as the system appears to be operating and this has been raised verbally with management.
Reconciliations, Interfaces and Payments ICPS receives information on payments via two sources: a file from Donnelly (which also includes images of cheques received and correspondence) and a report from ICON. The two files are processed every morning by the manager on duty and the process was observed during the audit. It is entirely automated and all the manager needs to do is log the actions in a sheet, including the amounts uploaded. For a sample of ten dates, the log-sheet had been completed for both Donnelly and ICON payments. However, due to system incompatibilities, ICPS payments are not currently reconciled to the General Ledger system of the Council, OLAS. Therefore there is currently no way of verifying that what has been recorded on ICPS has actually reached the Council’s accounts. The main problems are faced with ICON and a project is currently underway to upgrade the system. The specific issue is a recommendation

Page 35: WARDS All Chief Internal Auditor Internal Audit Quarterly ...democracy.lbhf.gov.uk/documents/s1897/Internal Audit Report.pdf · WARDS All RECOMMENDATION: a) To note the contents of

33

raised in the previous audit visit of the department in 2006/07 financial year and since it remains outstanding, it has been raised again. Any cases that cannot be assigned to a specific case during the upload of the two files are transferred into the relevant suspense account. Subsequently, there are two suspense accounts that need to be cleared on a regular basis (one for the Donnelly file and one for ICON). Unallocated payments from the Donnelly file are recorded on a separate spreadsheet and there was evidence that this is reviewed regularly and payments are transferred from suspense whenever possible. ICON unallocated payments are captured by a report produced from the ICPS system but they had not been produced regularly and the last one that could be provided was from February 2008 and a recommendation has been raised. Once the payments are uploaded on the system, any discount to be given and outstanding amounts are calculated automatically by the system and the calculation was correct for a sample of twenty cases tested. When cheques are not honoured by the issuer, the finance department is notified and they then send the cheques to Parking Services. Once cheques are received, the payments need to be reversed on the system and this had been conducted appropriately for a sample of ten cases tested. Appeals An Appeals procedure document has been produced as part of the quality management system. Parts of the appeal procedure that are relevant for clients are communicated over the Council’s internet site and information is included in the ‘Rejection of Representation’ letter sent out to the client before they reach the point to file an appeal. Appeals are heard by an independent adjudicator, the Parking and Transport Appeals Service (PATAS). Whenever an appeal application is received, a copy is forwarded to the Council together with the date the appeal will be examined and the deadline for sending supporting evidence back to PATAS. 
Cases to be actioned are recorded in a spreadsheet created for every week and a deadline for action is set usually two weeks after the appeal was received. Spreadsheets for the year to date were scan checked and they had been produced for all weeks. Also, for a sample of ten cases tested, it was verified that sufficient information had been sent back to the independent adjudicators. Sometimes, following the review of available evidence appeals officers make the decision to withdraw from the case. The Manager of Unit 6 (Appeals) reviews a sample of decisions during monthly quality checks and evidence was provided that all checks had been conducted for the year to date.

Monitoring of Income Collection – Debtors

The income collection process is described in an overall timetable that has been produced, however, this has not been reviewed since it was produced in 2003. A recommendation with regard to reviewing policies and procedures has been raised in Area 01 – Policies, Procedures and Legislation. Actions included in the timetable are taken automatically by the ICPS system, which records the date the Notice to Owner and the Charge Certificate are to be sent. The manager on duty has to process the relevant file which is then printed and mailed to the clients. However, for a sample of 20 cases tested it was noted that recovery actions had not been taken as per the recovery timetable for 11 of the cases. The reason for the delay was that due to recent changes in legislation, the letters sent out to clients need to be amended and the contractor failed to produce them and incorporate them in the system on time. As a result, Notice to Owners started being processed in July and Charge Certificates are still not ready. Since the recovery process cannot be completed under the current conditions, there are no write-offs of unrecoverable debt. However, a query on the system revealed that there are outstanding PCNs since 1994. All PCNs issued before the beginning of 2006 cannot be collected due to a court judgment on the legal validity of the text on them therefore they should be written off. These issues can be dealt with if a write-off policy is produced and a recommendation has been raised. The same recommendation was raised in the 2006/07 audit visit of the department and it remains outstanding. Apart from write-offs of uncollectible debt, a PCN can be cancelled by the correspondence team if correspondence received by the client proves that its issue is not justified. Cancellations of PCNs are reviewed by the Unit 2 (Correspondence) Manager on a monthly basis and it was verified that all the necessary reviews had taken place appropriately for the year to date.

Budgetary Control

The responsibility for producing budget reports lies with the Environment Services Finance Department. The responsible management accountant uses information on OLAS as well as data from the ICPS system and previous year’s information with regard to PCN issued and the recovery rate in order to produce the budget reports and the year end forecast. All the budget reports had been properly produced for the year to date. Any projected variances are identified and discussed in monthly budget meetings with the Head of Parking Services and action points are produced. Meetings take place regularly when pressures are identified and action points from the last one in September were provided. Finally, information from the budget report is included in the overall Environment Services report to senior management, where it is presented in a different format and with explanatory notes.

Performance Management

Performance of the department is monitored through a number of performance indicators that cover the operations of all Units. Specific targets with regard to performance indicators have been set and the results are included in a spreadsheet stored in the Quality Management folder. A copy of the spreadsheet was provided and it was verified that it is kept up-to-date. Auditors also observed that information on performance indicators for the call centre is communicated to the team in real time through two screens installed in the call centre at Bagley’s Lane. Performance of the department is discussed in monthly managers meetings as well as during quarterly quality management meetings. Minutes are produced and stored in the Quality Management folder, as was verified during the audit. Though performance indicators have been established, it was noted that collection rates are not monitored and they are not included as a performance indicator. The rate used by the finance department in order to produce forecasts for the following periods is approximately 41%, a figure based on the previous year’s performance. Improving the collection rate can assist the department with income collection and with dealing with the projected shortfall on income collection of £1,264,043. With the issues identified with following the recovery timetable, it is currently difficult to set specific targets and closely monitor collection rates; however, a recommendation has been raised to ensure that such targets are established for the service in the future.

Acknowledgement

We would like to thank the management and staff of Parking Services for their time and co-operation during the course of the internal audit. All staff consulted are included at Appendix C.

Recommendations

Policies, Procedures and Legislation

1. Policies and Procedures reviewed annually (Priority 2)

Recommendation: Procedure documents should be reviewed and updated now, and subsequently annually by the responsible manager. The date of the review should be recorded on the document.

Rationale: Reviewing policies and procedures on an annual basis can help ensure that any changes in practices or in legislation are captured and therefore the documents are kept up-to-date. A number of policies that were examined during the audit were found to be out-of-date, referring to a system used prior to the implementation of the ICPS system. There is currently no requirement for regular review of the documents that have been produced as part of the quality management system, though some are updated when major changes take place. When policies and procedures are not reviewed annually there is an increased risk that the documents will not be up-to-date and therefore employees will not have a reliable source of information when in doubt about a process. Errors and inconsistent practices are therefore likely to arise.

Management Response: Agreed

Responsibility: Principal Parking Officer
Deadline: 31/03/09

Contract Monitoring

2. Monthly reports on KPIs (Priority 2)

Recommendation: The contractor should be requested to report monthly on the performance indicators that were included in the contract and that cover all services provided.

Rationale: The provision of monthly performance reports from the contractor can help ensure that their performance is appropriately monitored. Also, penalty charges can be applied, according to Schedule 7 of the contract. Currently, Mouchel Traffic Support are required to provide weekly reports on new calls logged with regard to ICPS system support. They do not provide information with regard to specific performance indicators nor is there any form of calculation on behalf of the council. Also, no evidence of monitoring performance of the subcontractor, Donnelly, or of fines being imposed could be provided during the audit. When monthly reports of KPIs included in the contract are not provided there is an increased risk that poor contractor performance will not be identified and subsequently corrective action can not be taken. Therefore, the Council may not be receiving value for money for a prolonged period of time.

Management Response: Agreed

Responsibility: Principal Parking Control Officer
Deadline: 31/01/09

3. Monthly Contract Meetings (Priority 2)

Recommendation: Support meetings between the main contractor, Mouchel Traffic Support and representatives from the Council should take place in order to discuss the contractor's performance against the established KPIs. Where poor performance has been identified, action plans should be agreed during the monthly meetings and followed up.

Rationale: Monthly contract meetings can help ensure that there are open communication channels between the Council and the contractor and that their performance is discussed. This can help ensure that corrective actions are agreed when poor performance is identified. Monthly meetings with the contractor used to take place regularly, however they have not occurred in the recent past and the latest copy of minutes that could be provided during the audit was from February 2008. Meetings are about to start happening again but no action has been taken to date. When monthly meetings between the Council and the main contractor do not take place there is an increased risk that poor performance will not be discussed and therefore it will not be rectified. The Council may receive a service of a low standard while at the same time incurring the same cost.

Management Response: Agreed

Responsibility: Project Manager (HFBP) and Head of Parking Services, LBHF
Deadline: 31/01/09

Reconciliations, Interfaces and Payments

4. Monthly Reconciliations between ICPS and OLAS (Priority 1)

Recommendation: Monthly reconciliations between the ICPS and the OLAS systems should be conducted from as soon as feasibly possible by someone independent to the Parking Services team.

Rationale: Monthly reconciliation between ICPS and OLAS can help ensure that the amount recorded as paid on the ICPS system is the same as that which reaches the Council's bank account and that any differences are identified, researched and rectified. There is currently no reconciliation between the ICPS system and OLAS to ensure that the General Ledger System is accurate. This recommendation was raised in the previous PCN report from 2006/07 but had not been implemented by the agreed implementation date. When reconciliations between the ICPS system and OLAS are not undertaken on a regular basis there is an increased risk that irregularities and errors will not be identified or investigated and this can lead to mis-statements in the Council's accounts.

Management Response: Agreed

Responsibility: AD Finance & Resources
Deadline: 31/12/09

5. Unallocated Cash Payments reports cleared regularly (Priority 2)

Recommendation: The Unallocated Cash Payments report should be produced and cleared on a monthly basis. When amounts can not be allocated to specific cases, a note should be made against each case so that they can be identified in subsequent reports.

Rationale: Clearing the unallocated cash payments reports on a regular basis can help ensure that payments reach the appropriate accounts and therefore the income collection process is not continued, thus reducing incurred costs. Though unallocated cash reports should be cleared on a monthly basis, the latest copy of a cleared report that could be provided referred to February 2008. For the period 01/07/08 to 31/08/08 there was £2,190 in unallocated payments. When unallocated cash payments reports are not cleared on a regular basis there is an increased risk that the amounts received will not reach the correct accounts. This can cause complaints from clients which will continue to receive notifications to pay, even after they have made their payment. The Council is likely to incur financial loss due to increased costs incurred.

Management Response: Agreed

Responsibility: Principal Control Officer
Deadline: 31/03/09

Monitoring of Income Collection - Debtors

6. Write-offs policy (Priority 1)

Recommendation: A write-offs policy should be established and approved by senior management and then circulated to staff. The policy should describe the circumstances under which a debt can be written off, when it should be written off and who has to provide authorisation. Management should monitor write-offs to help ensure no unauthorised write-offs are processed. An exercise should also be conducted to calculate the amount recorded in the system accounted for as income which is not collectable. This should be used to feed into the year end accrual process.

Rationale: A write-off policy can help ensure that only unrecoverable debt is written off and that the decision is made by someone with the necessary authority. Moreover, it can help ensure that debt is written off appropriately and on a timely basis in order not to be included in the Council's annual accounts. At the time of the audit, no write-offs policy had been established. Write-offs were conducted but were not reviewed and authorised by an appropriate manager. Also, there is a large number of PCNs issued before 2006 that are uncollectible due to a recent court decision, which however still appear as outstanding on the system. This recommendation was raised in the 2006/07 PCN audit but had not been implemented by the agreed implementation date. When a write-off policy has not been established there is an increased risk that collectable debt will be written off and thus the Council will incur financial loss. Also, there is a risk that debt that can not be collected will not be written off and as a result the accounts may be incorrect.

Management Response: Agreed.

David Taylor, Head of Parking Services comment: We will be formalising a policy through our QMS that identifies the cases to be closed or "written off" as those where there is little or no chance of recovery. This may be for legal reasons or inability to trace the owner within a reasonable timescale etc. There is a reluctance to prematurely close the latter category of cases as, on occasions, the responsible person is identified a long time after the event. Suggest end of July 2009 as the timescale.

David McNamara, AD Finance and Resources comment: Agreed and implemented it feeding into the accruals process for year-end accounting

Responsibility: AD Finance and Resources
Deadline: 31 July 2009

Performance Management

7. Targets with regard to PCN income collection rates (Priority 2)

Recommendation: Specific targets should be established with regard to the income collection rates (value of PCNs issued compared to amounts received). Rates should be calculated monthly and corrective action should be taken when underperformance is identified.

Rationale: Establishing targets with regard to income collection rates can help ensure that the department as a whole is motivated to improve income collection. Therefore, the Council may improve general income from PCNs and traffic offenders may be further discouraged from breaking the relevant legislation. Though the level of service provided to the public through the Parking Services department is monitored through a number of performance indicators, collection of income with regard to value of PCNs issued is not currently monitored or reported upon. The rate used in budget forecasting, based on the previous year's results, is approximately 40%. When targets with regard to income collection rates have not been established, there is an increased risk that the poor collection rates will not be identified or there will be no effort to improve. The Council's financial planning may therefore be affected due to inability to achieve budgeted income.

Management Response: Agreed. There has been a lot of debate about methodology but no general agreement. We are currently trying to develop an agreed standard approach with RBKC so that we can at least compare rates using the same methodology. There is a lot of current work on joint KPIs with RBKC's parking service so I would have hoped that the methodology would be documented and be being reported on by the end of July 2009.

Responsibility: Head of Parking Services
Deadline: 31 July 2009

Statement of Responsibility

We take responsibility for this report which is prepared on the basis of the limitations set out below. The matters raised in this report are only those which came to our attention during the course of our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist or all improvements that might be made. Recommendations for improvements should be assessed by you for their full impact before they are implemented. The performance of internal audit work is not and should not be taken as a substitute for management’s responsibilities for the application of sound management practices. We emphasise that the responsibility for a sound system of internal controls and the prevention and detection of fraud and other irregularities rests with management and work performed by internal audit should not be relied upon to identify all strengths and weaknesses in internal controls, nor relied upon to identify all circumstances of fraud or irregularity. Auditors, in conducting their work, are required to have regard to the possibility of fraud or irregularities. Even sound systems of internal control can only provide reasonable and not absolute assurance and may not be proof against collusive fraud. Internal audit procedures are designed to focus on areas as identified by management as being of greatest risk and significance and as such we rely on management to provide us full access to their accounting records and transactions for the purposes of our audit work and to ensure the authenticity of these documents. Effective and timely implementation of our recommendations by management is important for the maintenance of a reliable internal control system. The assurance level awarded in our internal audit report is not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board.

Deloitte & Touche Public Sector Internal Audit Limited
St Albans
July 2009

In this document references to Deloitte are references to Deloitte & Touche Public Sector Internal Audit Limited. Deloitte & Touche Public Sector Internal Audit Limited is a subsidiary of Deloitte LLP, which is the United Kingdom member firm of Deloitte Touche Tohmatsu. Deloitte Touche Tohmatsu is a Swiss Verein (association), and, as such, neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte”, “Deloitte Touche Tohmatsu”, or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein. ©2009 Deloitte & Touche Public Sector Internal Audit Limited. All rights reserved. Deloitte & Touche Public Sector Internal Audit Limited is registered in England and Wales with registered number 4585162. Registered office: Hill House, 1 Little New Street, London EC4A 3TR

Appendix A – Definition of Audit Opinions, Direction of Travel, Adequacy and Effectiveness Assessments, and Recommendation Priorities

Audit Opinions

We have four categories by which we classify internal audit assurance over the processes we examine, and these are defined as follows:

Full: There is a sound system of internal control designed to achieve the client’s objectives. The control processes tested are being consistently applied.

Substantial: While there is a basically sound system of internal control, there are weaknesses, which put some of the client’s objectives at risk. There is evidence that the level of non-compliance with some of the control processes may put some of the client’s objectives at risk.

Limited: Weaknesses in the system of internal controls are such as to put the client’s objectives at risk. The level of non-compliance puts the client’s objectives at risk.

None: Control processes are generally weak leaving the processes/systems open to significant error or abuse. Significant non-compliance with basic control processes leaves the processes/systems open to error or abuse.

The assurance gradings provided above are not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board and as such the grading of ‘Full Assurance’ does not imply that there are no risks to the stated objectives.

Direction of Travel

The Direction of Travel assessment provides a comparison between the current assurance opinion and that of any previous internal audit for which the scope and objectives of the work were the same.

Improved since the last audit visit. Position of the arrow indicates previous status.

Deteriorated since the last audit visit. Position of the arrow indicates previous status.

Unchanged since the last audit report.

No arrow Not previously visited by Internal Audit.

Adequacy and Effectiveness Assessments

Please note that adequacy and effectiveness are not connected. The adequacy assessment is made prior to the control effectiveness being tested. The controls may be adequate but not operating effectively, or they may be partly adequate / inadequate and yet those that are in place may be operating effectively. In general, partly adequate / inadequate controls can be considered to be of greater significance than when adequate controls are in place but not operating fully effectively, i.e. control gaps are a bigger issue than controls not being fully complied with.

Adequacy | Effectiveness
Existing controls are adequate to manage the risks in this area | Operation of existing controls is effective
Existing controls are partly adequate to manage the risks in this area | Operation of existing controls is partly effective
Existing controls are inadequate to manage the risks in this area | Operation of existing controls is ineffective

Recommendation Priorities

In order to assist management in using our internal audit reports, we categorise our recommendations according to their level of priority as follows:

Priority 1: Major issues for the attention of senior management and the audit committee.
Priority 2: Important issues to be addressed by management in their areas of responsibility.
Priority 3: Minor issues resolved on site with local management.

Appendix B – Audit Objectives & Scope

Internal Audit Objective and Scope

The overall objective of this internal audit was to provide the Members, the Chief Executive and other officers with reasonable, but not absolute, assurance as to the adequacy and effectiveness of the key controls relating to the following management objectives:

Policies, Procedures and Legislation: To ensure that the policies and procedures in place are adequate, approved and available to staff.

Contract Management: To ensure that arrangements with 3rd party contractors are in place and monitored regularly.

Issue of PCNs: To ensure that PCNs are issued on a timely basis and in accordance with Council policy.

Reconciliations, Interfaces and Payments: To ensure that PCNs issued by Parking Attendants are regularly / accurately interfaced to the ICPS system. To ensure the validity of PCN payments and that they are processed securely and on a timely basis.

Appeals: Process for appeals is in place. Appeals are logged on to the system and adjudicated timely. Cancellations are adequately justified/authorised.

Monitoring of Income Collection – Debtors: To ensure that debtors details are established accurately and appropriate procedures are in place for recovery of unpaid debts.

Budgetary Control: To ensure that budget monitoring takes place and actions are taken to address significant over/under spends.

Performance Management: To ensure that SMART performance targets have been established, monitored and reported to senior management. To ensure that underperformance is promptly identified and effectively addressed.

Internal Audit Approach and Methodology

The internal audit approach is developed through an assessment of risks and management controls operating within the agreed scope. The following procedures were adopted:

• Identification of the role and objectives of each area;
• Identification of risks within each area which threaten the achievement of objectives;
• Identification of controls in existence within each area to manage the risks identified;
• Assessment of the adequacy of controls in existence to manage the risks and identification of additional proposed controls where appropriate; and
• Testing of the effectiveness of key controls in existence within each area.

Management should be aware that our internal audit work was performed in accordance with the CIPFA Code of Practice for Internal Audit in Local Government in the United Kingdom 2006 standards which are different from audits performed in accordance with International Standards on Auditing (UK and Ireland) issued by the Auditing Practices Board. Similarly, the assurance gradings provided in our internal audit report are not comparable with the International Standard on Assurance Engagements (ISAE 3000) issued by the International Audit and Assurance Standards Board.

Our internal audit testing was performed on a judgemental sample basis and focused on the key controls mitigating risks. Internal audit testing was designed to assess the adequacy and effectiveness of key controls in operation at the time of the audit.

Please note that, in relation to the agreed scope, whilst our internal audit assessed the efficiency and effectiveness of key controls from an operational perspective, it was not within our remit as internal auditors to assess the efficiency and effectiveness of policy decisions.

Appendix C – Audit Team & Staff Consulted

AUDIT TEAM | STAFF CONSULTED
General Manager | Head of Parking Services
Deputy Sector Manager | Principal Officer, Parking Services
Senior Auditor | Principal Officer, Parking Services
 | Principal Officer, Parking Services
 | Principal Officer, Parking Services
 | Management Accountant, Environment Services Finance

Contact Details: ℡ Ext 2550 ℡ Ext 2590

Appendix D – Audit Timetable

DATES
Planning Meeting: 17/07/08
Fieldwork Start: 11/09/08
Exit Meeting: 19/09/08
Draft report issued: 30/10/08; revised 15/07/09
Final report issued: 24/07/09

APPENDIX C

Internal Audit reports in issue more than two weeks as at 30 September 2009

No. | Audit Year | Department | Responsible Director | Audit Title | Assurance | Draft report issued on | Target date for responses | Awaiting Response From
1 | 2009/10 | School | Andrew Christie | Avonmore Primary School | Substantial | 10/07/2009 | 24/07/2009 | Auditee and Director
2 | 2009/10 | School | Andrew Christie | St Stephens CE Primary School | Substantial | 10/07/2009 | 24/07/2009 | Auditee and Director
3 | 2009/10 | School | Andrew Christie | Greenside Primary School | Substantial | 20/07/2009 | 03/08/2009 | Auditee and Director
4 | 2009/10 | Finance & Corporate Services (IT) | Jane West | EDMS Application Audit | Substantial | 03/07/2009 | 17/07/2009 | Auditee and Director
5 | 2009/10 | Finance & Corporate Services (IT) | Jane West | IT Service Desk | Substantial | 19/07/2009 | 02/08/2009 | Auditee and Director
6 | 2009/10 | Finance & Corporate Services (IT) | Jane West | Laptop and Mobile Asset Management and Security Audit | Substantial | 30/07/2009 | 13/08/2009 | Auditee and Director
7 | 2009/10 | Finance & Corporate Services | Jane West | Register of Gifts and Hospitality | Limited | 04/08/2009 | 18/08/2009 | Auditee and Director

APPENDIX D Audit Recommendations Outstanding

This is a schedule of all recommendations where the target date for implementation has passed and either the recommendation has not been fully implemented, or the auditee has failed to provide information on whether it has been implemented.

Ref | Audit year | Department | Audit Name | Assurance | Recommendation | Priority (1/2/3) | Agreed Target date | Responsible Officer | Status/ Comments
1 | 2008/09 | Community Services | 3rd Sector Grants | Substantial | There should be a written policy and procedure to cover the process of monitoring that organisations are using their grant in accordance with the terms of their agreement. | 1 | 30/04/2009 | Head of Community Liaison | In development
2 | 2008/09 | Environment | CAPs Uniform | Substantial | Management should liaise with IDOX Group to ensure the following logical access controls are configured on the application: Passwords should be a minimum of six characters; Passwords should be constructed of a mixture of alpha and numeric characters; Passwords should be forced to change every 60-90 days; Passwords should be forced to change upon first login; Passwords should not be able to be re-used; and Passwords should be deleted if there is no activity. | 2 | 28/02/2009 | Executive Lead - Application Services Manager | 27/01/2009. Two options - Invoke BS7799 security standards or Invoke pass-through login. Require client to agree option.
3 | 2008/09 | Environment | CAPs Uniform | Substantial | Management should liaise with IDOX Group to ensure the system is configured to apply a system lock following three consecutive failed login attempts. In addition, a process should be developed for the review of audit logs generated from the failed login attempts. | 2 | 28/02/2009 | Executive Lead - Application Services Manager | 27/01/2009. Two options - Invoke BS7799 security standards or Invoke pass-through login. Require client to agree option.

Ref: 4
Audit year: 2008/09
Department: Environment (IT)
Audit Name: CAPs Uniform
Assurance: Substantial
Recommendation: Management should liaise with IDOX Group to ensure there are effective data validation controls implemented within the CAPs Uniform Environmental Health Application. Where it is not financially/practically viable to implement the data validation controls, management should ensure that there are formal documented procedures in place to ensure that data input is checked for accuracy and quality.
Priority (1/2/3): 2
Agreed Target date: 28/02/2009
Responsible Officer: Executive Lead - Application Services Manager
Status/Comments: 27/01/2009. The supplier have informed us that there are no immediate plans to introduce such validation capability in Uniform but that such a proposal would receive consideration under the supplier's RFC (Request for Change) process. A specification will be drawn up and submitted to the supplier in the near future in order to address this requirement.

Ref: 5
Audit year: 2008/09
Department: Environment (IT)
Audit Name: CAPs Uniform
Assurance: Substantial
Recommendation: Management should liaise with the users of the application to determine the necessary mandatory fields required in the application. Subsequently, the mandatory fields identified should be implemented on the CAPs Uniform Environmental Health application.
Priority (1/2/3): 2
Agreed Target date: 31/12/2008
Responsible Officer: Executive Lead - Application Services Manager
Status/Comments: 27/01/2009. Use of mandatory and prompted fields to reduce or obviate incomplete data entry should be considered in conjunction with a general review of data entry requirements as part of the imminent Uniform upgrade.

Ref: 6
Audit year: 2008/09
Department: Environment (IT)
Audit Name: Confirm Application
Assurance: Substantial
Recommendation: We recommended that the following password controls should be enforced on the Confirm application in line with the Hammersmith & Fulham Corporate IT Policy:
• password length should be a minimum of 6 characters; and
• passwords are force changed every 60-90 days.
The possibility to configure the Confirm application to be able to enforce the following controls should also be investigated with the supplier:
• password combination of alphabetic and numeric characters;
• password history to be maintained to ensure that passwords are not recycled;
• default passwords are force changed on first entry; and
• idle time should be configured.
Priority (1/2/3): 2
Agreed Target date: 31/03/2009
Responsible Officer: Application Services Manager

Ref: 7
Audit year: 2008/09
Department: Environment (IT)
Audit Name: Confirm Application
Assurance: Substantial
Recommendation: We recommend that the maximum login attempts for the Confirm system should be set to 3. Once set, a procedure should be put in place to assist in the regular reporting and review of the log of violation attempts by the system administrators, e.g. by filtering the log to report exceptions or unusual events such as unsuccessful attempts at accessing the system.
Priority (1/2/3): 2
Agreed Target date: 31/03/2009
Responsible Officer: Application Services Manager

Ref: 8
Audit year: 2008/09
Department: Environment (IT)
Audit Name: Confirm Application
Assurance: Substantial
Recommendation: It is recommended that a process should be investigated with the suppliers for the timely maintenance of handheld devices. User login and authentication options should also be investigated and implemented on the handhelds used for uploading data onto the Confirm system.
Priority (1/2/3): 2
Agreed Target date: 30/04/2009
Responsible Officer: Parking Control Group Officer

Ref: 9
Audit year: 2008/09
Department: Environment (IT)
Audit Name: Confirm Application
Assurance: Substantial
Recommendation: It is recommended that management review the configuration of input data formatting and consider establishing the following specific controls on the Confirm application system to help improve data quality:
• Make the 'Location' field mandatory and introduce a drop down for the title field for the input screen on the Graffiti module; and
• Make the 'Location', 'description' and 'SOR item quantity' fields mandatory on the Highways and Plan Maintenance modules.
Priority (1/2/3): 2
Agreed Target date: 31/03/2009
Responsible Officer: Gordon Pragnell

Ref: 10
Audit year: 2008/09
Department: Environment (IT)
Audit Name: Confirm Application
Assurance: Substantial
Recommendation: It is recommended that HFBP should investigate with the supplier the ability to enable the auditing function on the Confirm system to be able to report changes to user details and to master data. A process should then be established to periodically report and review any changes to user profiles and master data.
Priority (1/2/3): 2
Agreed Target date: 31/03/2009
Responsible Officer: Gordon Pragnell

Ref: 11
Audit year: 2008/09
Department: Environment (IT)
Audit Name: ICPS Application
Assurance: Substantial
Recommendation: It is recommended that a periodic review of the user accounts and permissions on the ICPS application be performed to ensure that all users are active and current and that their access is allocated in line with their job role. A process should also be established for the authorisation of changes to user permissions.
Priority (1/2/3): 2
Agreed Target date: 31/07/2008
Responsible Officer: Parking Control Group Officer and Principal Parking Control Officer
Status/Comments: Agreed: Will investigate with MTS for the possibility of reporting users and their current permission levels and to review thereafter. Other Councils might have reported this to MTS before. In the absence of a solution by MTS, it will take long for individual users to be reviewed manually. To investigate by the end of July 2008

Ref: 12
Audit year: 2008/09
Department: Environment (IT)
Audit Name: ICPS Application
Assurance: Substantial
Recommendation: The user administration process should be amended to include the following: the completion and authorisation of the access permissions to be granted to users; the establishment of a formal process for the completion and authorisation of amendment to user permissions on the ICPS system; and the periodic review of user accounts and group permissions. HR should also notify leavers to the system administrator for their prompt removal from the ICPS system.
Priority (1/2/3): 2
Agreed Target date: 31/08/2008
Responsible Officer: Parking Control Group Officer
Status/Comments: Agreed: A form will be designed for line managers to authorise the access level to be granted to new users. Will explore the leaver process with the head of IT and HR and to explore the current Council wide process to see possibilities of implementing this recommendation.

Ref: 13
Audit year: 2008/09
Department: Environment
Audit Name: ICPS Application
Assurance: Substantial
Recommendation: It is recommended that a unique user-id and password should be used for the 2 supervisors who are able to switch from admin mode to user mode on the ICPS handheld device.
Priority (1/2/3): 2
Agreed Target date: 31/08/2008
Responsible Officer: Parking Control Group Officer
Status/Comments: Agreed, however, the ICPS handheld system runs on Windows C which only supports one admin account that is used to change the mode. We are limited in the level of sophistication built into the handheld to perform this change. The only possibility will be to reset the admin passwords on all 80 handhelds every 90 days.

Ref: 14
Audit year: 2008/09
Department: Environment
Audit Name: Construction Design and Management Regulations
Assurance: Substantial
Recommendation: Work Instructions should be reviewed and updated to include the CDM Regulations 2007. This should be formally approved and disseminated to staff.
Priority (1/2/3): 2
Agreed Target date: 31/12/2008
Responsible Officer: Head of Highways and Engineering
Status/Comments: Review of the procedures has commenced and 2/3rd complete. Documentations have been prepared and are in draft form to be finalised shortly.

Ref: 15
Audit year: 2008/09
Department: Environment
Audit Name: Construction Design and Management Regulations
Assurance: Substantial
Recommendation: It is recommended that the health and safety file maintained covering the period of the term contract is documented as being an accepted method by the Health & Safety Executive.
Priority (1/2/3): 2
Agreed Target date: 31/12/2008
Responsible Officer: Head of Highways and Engineering
Status/Comments: H&S file format has been agreed with the contractor and a test document has been uploaded on Confirm which then needs to be linked to the Asset register on eGIS. Awaiting IT services (Bridge Partnership) to provide this link between Confirm and eGIS.

Ref: 16
Audit year: 2008/09
Department: Environment
Audit Name: PCN Processing (ISA 315)
Assurance: Limited
Recommendation: Support meetings between the main contractor, Mouchel Traffic Support and representatives from the Council should take place in order to discuss the contractor's performance against the established KPIs. Where poor performance has been identified, action plans should be agreed during the monthly meetings and followed up.
Priority (1/2/3): 2
Agreed Target date: 31/01/2009
Responsible Officer: Head of Parking Services

Ref: 17
Audit year: 2008/09
Department: Environment
Audit Name: PCN Processing (ISA 315)
Assurance: Limited
Recommendation: The Unallocated Cash Payments report should be produced and cleared on a monthly basis. When amounts can not be allocated to specific cases, a note should be made against each case so that they can be identified in subsequent reports.
Priority (1/2/3): 2
Agreed Target date: 31/03/2009
Responsible Officer: Principal Control Officer

Ref: 18
Audit year: 2006/07
Department: Environment
Audit Name: Public Control Licensing
Assurance: Satisfactory
Recommendation: Reconciliations between payments received on the licensing computer system and the amount recorded on the general ledger should be undertaken on a monthly basis. The reconciliation should be signed by the officer performing the task and independently reviewed.
Priority (1/2/3): 2
Agreed Target date: 31/08/2009
Responsible Officer: Quality Standards Manager
Status/Comments: Reconciliation held up due to problems in implementation at cashiers.

Ref: 19
Audit year: 2008/09
Department: Finance & Corporate Services
Audit Name: Cheque Production Application
Assurance: Substantial
Recommendation: Management should ensure that the Service Level Agreement (SLA) with Bottom line is monitored against performance indicators on a regular basis and where underperformance is identified, corrective action should be taken.
Priority (1/2/3): 2
Agreed Target date: 31/10/2008
Responsible Officer: Finance Systems Support Manager
Status/Comments: HFBP will provide this data to the clients - h&f to specify report frequency and HFBP will schedule the delivery, magic WO already raised.

Ref: 20
Audit year: 2008/09
Department: Finance & Corporate Services
Audit Name: Project Management: Cleaner Greener Programme
Assurance: Substantial
Recommendation: Contingency plans should be produced for all key risks listed in the Risk Register, particularly where they will affect timely service deliveries and have knock-on effects on other projects.
Priority (1/2/3): 2
Agreed Target date: 31/12/2008
Responsible Officer: Residents' Direct Programme Manager

Ref: 21
Audit year: 2008/09
Department: Finance & Corporate Services
Audit Name: Project Management: Cleaner Greener Programme
Assurance: Substantial
Recommendation: A Project Initiation Document should be produced for all future projects to outline the key aims and objectives of them and the roles and responsibilities of team members.
Priority (1/2/3): 2
Agreed Target date: 31/12/2008
Responsible Officer: Residents' Direct Programme Manager

Ref: 22
Audit year: 2008/09
Department: Finance & Corporate Services (IT)
Audit Name: Unix Operating System
Assurance: Substantial
Recommendation: Management should ensure I-World server documentation is updated to appropriately support Solaris 10 and establish minimum configuration standards. This activity should be completed prior to closure of the data centre migration project. Furthermore, all I-World servers should be reviewed to ensure they conform to build documentation and are consistent with management intentions. This includes obtaining comfort over actions performed by third parties. Requirements to update system documentation should be included in project plans and post-implementation reviews. This documentation should also be subjected to periodic review by management to ensure it is kept up to date.
Priority (1/2/3): 2
Agreed Target date: 29/12/2008
Responsible Officer: Senior Unix Systems Analyst
Status/Comments: Agreed – Database server was built to spec with consideration of leading practice standards. Server documentation will be updated prior to completion of the data centre project. Part of this process will include a review of the configuration of each I-World UNIX server to ensure builds are consistent.
RK13 – 25/11/2008. The update of the Solaris build document to reflect the requirements for Solaris 10 is in progress and will be completed 29/12/2008. A work order has been issued to RK13 to complete this work. WO25716

Ref: 23
Audit year: 2008/09
Department: Finance & Corporate Services (IT)
Audit Name: Unix Operating System
Assurance: Substantial
Recommendation: Files and directories with world writeable permissions should be assessed and, where deemed necessary, those permissions modified. As Unix permission changes have been known to affect system or application availability, they should be performed under controlled conditions with all changes approved, recorded and tested before implementation. The system should be backed up before changes are made.
Priority (1/2/3): 2
Agreed Target date: 29/12/2008
Responsible Officer: Senior Unix Systems Analyst
Status/Comments: Agreed – Directories and files with world-writable permissions will be reviewed and modified or removed from the system where appropriate. This activity will be performed via HFBP change control standards.
Files under /backup/flash/ora10g have had the permissions changed.
Files under /.cpan/build have been removed.
Files under /home/cts/ have been corrected.
/usr/oasys/tmp/TERRLOG is part of the SUNWfac package and its permissions can not be changed.
The files owned by root are system contract files and the permissions cannot be changed.
/spp needs further investigation
RK13 The review of world writable files in /spp has been referred to Applications Support as they manage the files in this directory. WO 25717 has been issued for this with a completion deadline of 29/12/2008

Ref: 24
Audit year: 2008/09
Department: Finance & Corporate Services
Audit Name: Project Redefine - Post Implementation Review
Assurance: Substantial
Recommendation: The service should identify responsibility for completion of a post implementation review of the Redefine Project and programme it to be undertaken on completion of the 2008/09 accounts close down. The post implementation review should bring together those elements already covered including:
• Identification of the original planned outcomes of the project and statement of the extent of the actual achievement of each objective identifying any variances;
• Identification of the original and any revised budgets with explanations for variations and actual out-turn; and
• Summary of any lessons learnt and actions agreed to be undertaken to influence the delivery of future projects.
It should also cover, but not be limited to, the following:
• Summary of Change Requests raised as a result of the Redefine Project, with reasons for raising of the requests and the costs of resolution.
Priority (1/2/3): 2
Agreed Target date: 31/08/2009
Responsible Officer: Deputy Director of Finance

Ref: 25
Audit year: 2008/09
Department: Finance & Corporate Services
Audit Name: LAA Targets
Assurance: Substantial
Recommendation: Departmental performance officers should sign off or send a covering email certifying their review of an indicator’s calculation before passing it to Strategy and Performance
Priority (1/2/3): 2
Agreed Target date: 30/06/2009
Responsible Officer: Principal Strategy and Performance Officer
Status/Comments: Work to achieve the implementation of this target is ongoing (Tom Conniffe - 17 July 2009).

Ref: 26
Audit year: 2008/09
Department: Finance & Corporate Services
Audit Name: Communications Audit
Assurance: Substantial
Recommendation: The Corporate Communications Manager should discuss with Finance whether it would be possible to obtain reports on the external printing ledger codes to review on a regular basis for consistency with the approved suppliers list. An authorisation process for the review of the report should be established with responsibilities clearly delegated to appropriate members of staff.
Priority (1/2/3): 2
Agreed Target date: 13/06/2009
Responsible Officer: Corporate Communications Manager
Status/Comments: Communications Manager is "in the process of scoping this recommendation to determine whether it is viable". (30 March 2009)

Ref: 27
Audit year: 2008/09
Department: Finance & Corporate Services
Audit Name: Creditors Additional Testing
Assurance: Substantial
Recommendation: The administrator rights for different systems should not be assigned to the same system administrator. Where there are insufficient resources to achieve this then compensating controls should be in place as follows:
• Use of unique user-id and password;
• Audit trails that cannot be accessed by system administrators; and
• Regular review of the system administrator’s work.
Priority (1/2/3): 2
Agreed Target date: 30/04/2009
Responsible Officer: Team Leader, HFB Application Services; Deputy Director of Finance

Ref: 28
Audit year: 2008/09
Department: Finance & Corporate Services
Audit Name: Preparedness for Recession
Assurance: Substantial
Recommendation: The Community Services and Children’s Services departmental risk registers should be revisited to determine whether they need updating for risks in relation to the current recession.
Priority (1/2/3): 2
Agreed Target date: 30/09/2009
Responsible Officer: Divisional Ads and at DMT

Ref: 29
Audit year: 2007/08
Department: Finance & Corporate Services (IT)
Audit Name: Application Reviews: CONSOL
Assurance: Satisfactory
Recommendation: It is recommended that the Unix password controls are strengthened to enable the use of alpha and numeric characters for the construction of passwords.
Priority (1/2/3): 2
Agreed Target date: 31/01/2009
Responsible Officer: HFBP, UNIX System Support Analyst
Status/Comments: Policy for 3 attempts at the password before locking users out has been implemented

Ref: 30
Audit year: 2007/08
Department: Finance & Corporate Services (IT)
Audit Name: Application Reviews: CONSOL
Assurance: Satisfactory
Recommendation: It is recommended that the monthly reconciliation of income performed by accountancy is reviewed and signed off by a senior individual or someone equivalent who is different to the person preparing the reconciliation.
Priority (1/2/3): 2
Agreed Target date: 30/06/2009
Responsible Officer: Principal Revenue Accountant
Status/Comments: 17/11/08. To be referred to software supplier
23/04/09. There is no need for an interface with payroll as the staff are now all salaried. They used to have bonus related pay and spreadsheets needed to be sent over to payroll but this doesn't happen anymore.

Ref: 31
Audit year: 2009/10
Department: Residents Services
Audit Name: Parks Constabulary
Assurance: Substantial
Recommendation: A Business Unit Risk Register should be developed and regularly updated for Parks Constabulary. Further, current Risk Assessments for Parks Constabulary should be consistent with the pro forma.
Priority (1/2/3): 1
Agreed Target date: 30/09/2009
Responsible Officer: Head of Operations

Ref: 32
Audit year: 2008/09
Department: Residents Services
Audit Name: Libraries - cash and banking
Assurance: Limited
Recommendation: Up to two officers should be named responsible for performing cash checks twice during each day. The named officers should be independent of those responsible for receiving income directly from users of the library to ensure segregation of duties is maintained.
Priority (1/2/3): 1
Agreed Target date: 01/07/2009
Responsible Officer: Three Library Managers – at Shepherds Bush/Askew Rd Libraries, Hammersmith/Barons Court Libraries and Fulham/Sands End Libraries and the weekend manager team.
Status/Comments: FOLLOW-UP FINDING: Partly implemented. The Head of Libraries and the Library Manager informed us that it is not feasible to appoint two designated officers who perform the cash count during the day. The staff members rotate between two libraries, Hammersmith and Baron’s Court; between eight and 10 Managers and Assistant Managers can receive income from users and count the cash during the day. In the smaller libraries there are only three staff members at a time.
UPDATE: This is subject to the addition within the new customer service assistant job description to verify cash. At present cash handling is restricted to the requirement is to take fines and other monies and handle change. The risk is low – this is a second person check on the counting of the first person – and that first person varies from day to day.
Implementation date changed by IA Manager to 1/7/09 as per Follow-up report from original target date of 11/8/208.

