Audit of Sundry Debtors - copeland.gov.uk

Audit of Sundry Debtors – 2017/18

Appendix A-3

1. Background

1.1. This report summarises the findings from the audit of Sundry Debtors. This was a planned audit assignment, undertaken in accordance with the

2017/18 Audit Plan.

1.2. Sundry Debtors is one of the key systems covered in the Audit Plan on a cyclical, triennial basis. The audit review of the Sundry Debtor system

incorporated an evaluation of management controls to prevent and detect fraud and to provide assurance on the arrangements for governance,

risk management and internal control.

2. Audit Approach

2.1. Audit Objectives and Methodology

2.1.1. Compliance with the mandatory Public Sector Internal Audit Standards requires that internal audit activity evaluate the exposures to risks

relating to the organisation’s governance, operations and information systems. A risk based audit approach has been applied which aligns to the

five key audit control objectives which are outlined in section 4; detailed findings and recommendations are reported within section 5 of this

report.

2.2. Audit Scope and Limitations

2.2.1. The Audit Scope was agreed with management prior to the commencement of this audit review. The Client Sponsor for this review was Fiona

Rooney (Director of Commercial and Corporate Resources and S151 Officer) and the agreed scope areas for consideration were identified as

follows:

Raising of invoices;

Allocating cash receipts to invoices;

Recovery of debt;

Write off procedures.


2.2.2. There were instances whereby the audit work undertaken was impaired by the availability of information and this may have had a bearing on the

audit findings. The areas affected were:

The cyberattack at the end of August 2017 has had a major impact on the Council’s financial management system, Total Finance:

o Access to the system itself was lost and the full functionality of the system is still being restored. There are ongoing problems with the

interfaces between the feeder systems (Sage, Civica cash receipting and Academy) and files are subject to daily review and manual

uploading;

o Payments received via the Civica cash receipting system were unable to be uploaded into Total Finance from September 2017, creating

a backlog which has only been cleared at the beginning of March 2018;

o This issue meant payments received were not allocated to individual Debtor accounts and so the normal recovery process for pursuing

outstanding debts (such as issuance of Reminder and Final Notice letters) was put on hold.

As such, it has been agreed with the Director of Commercial and Corporate Resources (S151 Officer) that Internal Audit will carry out further

testing on the recovery process once the systems have been fully restored and so provision will be included in the 2018/19 Internal Audit

Plan.

3. Assurance Opinion

3.1. Each audit review is given an assurance opinion and these are intended to assist Members and Officers in their assessment of the overall level of

control and potential impact of any identified system weaknesses. There are 4 levels of assurance opinion, which may be applied. The definition

for each level is explained in Appendix A.

3.2. From the areas examined and tested as part of this audit review, we consider the current controls operating within Sundry Debtors provide

PARTIAL assurance.

Note: as audit work is restricted by the areas identified in the Audit Scope and is primarily sample based, full coverage of the system and complete

assurance cannot be given to an audit area.


4. Summary of Recommendations, Audit Findings and Report Distribution

4.1. There are three levels of audit recommendation; the definition for each level is explained in Appendix B.

4.2. There are 5 audit recommendations are arising from this audit review and these can be summarised as follows:

4.3. Strengths: The following areas of good practice were identified during the course of the audit:

Responsibilities for the recovery of debts are clearly defined in the Financial Regulations and Financial Procedures Rules and the Debt

Recovery Handbook;

Although debt collection targets are not specifically set, performance is regularly monitored;

Under normal circumstances, levels of debt are regularly monitored and a Corporate bad debt provision is in place;

Access to the Total Finance system is restricted and specific access rights must be allocated for the Debtors module. User accounts are

reviewed on a regular basis;

Suspense items are reviewed and cleared regularly; and

Departmental Service Plans have been reviewed for 2017/18.

No. of recommendations

Control Objective High Medium Advisory

1. Management - achievement of the organisation’s strategic objectives achieved (see section 5.1.) 1 1 -

2. Regulatory - compliance with laws, regulations, policies, procedures and contracts (see section 5.2.) 1 1 -

3. Information - reliability and integrity of financial and operational information (see section 5.3) 1 - -

4. Security - safeguarding of assets - - -

5. Value - effectiveness and efficiency of operations and programmes - - -

Total Number of Recommendations 3 2 -


4.4. Areas for development: Improvements in the following areas are necessary in order to strengthen existing control arrangements:

4.4.1. High priority issues:

The Finance Business Continuity plan has not been reviewed since March 2014;

Sundry debts have not been written off in Total Finance since 2014;

Due to the impact of the cyberattack (see 2.2.2) and the problems with the feeder system interfaces and Total Finance, reconciliations

between the debtor system and income received are not up to date.

4.4.2. Medium priority issues:

The Debt Recovery Handbook was last reviewed 2015. Sample testing of Debtor Clerks also identified that they were unaware of the

handbook;

There is no clear guidance in place for the level of authorisation required for raising a debtor’s account, the cancellation of an invoice or the

refund of received payments.

4.4.3. Advisory issues:

No issues identified.

Comment from the Director of Commercial and Corporate Resources

I requested this audit as part of the risk assessment of the budget management system and processes. Sundry debt collection/write off is a key

financial procedure to collect income and there was a particular concern about write offs. The recommendations are helpful in steering the

Finance and Revenue Teams to improve business continuity and ensure join-up in relation to write-off of uncollectable debts.


5. Matters Arising / Agreed Action Plan

5.1. Management - achievement of the organisation’s strategic objectives.

● High priority

Audit finding Management response

(a) Finance Business Continuity Plan

The Finance Business Continuity plan has not been reviewed since March 2014.

At the outset of the cyberattack Internal Audit were present at a meeting where the Finance staff

were asked, by the then Finance Manager, to develop the necessary processes to allow for the

continuation of the Creditors process. This meeting did not reference the implementation of

existing business continuity arrangements, but the development of a new process. An interim

procedure was issued to staff on 08/09/17.

An additional risk has arisen with the resignation of the Strategic Finance Technician (SFT), as this

Officer had the technical knowledge of the Total Finance system including its administration,

system design and troubleshooting remedies. The Finance Manager stated that provisions are in

place, including a review of SFT responsibilities for Total Finance to incorporate additional support

from ICT and the software supplier.

It is unclear what training provision will be available after the departure of the SFT; however, there

are procedure documents available.

As part of the 2016/17 Cash Receipting Audit a priority 1 recommendation, AR-C&CR_011, stated

that “Management should ensure that sufficient business continuity arrangements are put in place

to allow for the continuity of the service [Cash Receipting] in the absence of key staff.” This

recommendation had an agreed due date of 30/09/17, but currently shows on Pentana

Performance as 75% implemented, with the last note added 17/10/17 - “Staff now in place, some

Agreed management action:

Recommendation AR-C&CR_011 was implemented

October 2017 but Pentana Performance has only

recently been updated to reflect this.

The close down of the 2017/18 accounts will be the

main priority for the Finance team. The business

continuity plan will be reviewed and integrated

with any ICT disaster recovery plan.


further staff training required, was due to take place 1st half of Sept 17. Has been delayed due to

effects of cyberattack. Outstanding.”

Recommendation 1:

Review the Finance Business Continuity Plan in full and incorporate succession planning and the

lessons learned by the recent cyberattack.

Risk exposure if not addressed:

The continuity arrangements do not reflect current working practices;

The continuity arrangements do not include succession planning for key staff;

Lessons learned from the recent cyber-attack are not incorporated for future reference.

Responsible manager for implementing:

Interim Finance Manager

Date to be implemented:

30/09/18

● Medium priority


(b) Debt Recovery Handbook

The Debt Recovery Handbook provides guidance to Officers to “ensure that corporately we all

approach sundry debt recovery in a consistent manner, that we all know who is doing what task

and why that person is doing it.”

However, the handbook was last reviewed 2015. Sample testing of 5 Debtor Clerks identified that

they were not aware of the Debt Recovery Handbook and had not received training in its

requirements. For example, to ensure that invoices are raised with adequate information to allow

for the legal pursuance of outstanding amounts.

Internal Audit testing has identified:

One invoice which did not follow the format suggested in the Debt Recovery Handbook, but

contained minimal information and a departmental reference to the specific works rather

than a detailed description;


The Billing and Recovery Team Leader will create a

new Sundry Debtors Handbook, which will replace

the existing Debt Recovery Handbook created in

2009 and reviewed in 2015.

As soon as the revised Handbook is complete and

agreed, the Billing and Recovery Team Leader will

train all Nominated Debt Officers on its

requirement. The training will be a joint project

between Finance and Recovery and so the Billing

and Recovery Team Leader will liaise with the new

Finance Manager.


One invoice which did not specify the location where the service was provided. The invoice

was sent to the head office of the company which was outside the Council’s area;

Sample testing of New Debtors request forms identified that 1/5 used an old style request

form. This form has been replaced because it does not specifically request a contact name

for Company debtors (although in this case it was a private debtor account rather than a

company). A further case, using the correct form, did not provide a contact name for the

Company, which was applicable.

Previously a Finance Officer held responsibility for the printing of debtor invoices, which they then

either posted to the customer or returned to the department when requested. This allowed for an

independent review of the invoice to ensure it contained sufficient information for the legal

pursuance of outstanding amounts. Although this continues in the majority of cases,

Neighbourhood Support Staff at Moresby Parks and staff at the Crematorium can now raise and

print their own invoices without the review by Finance, and so the adequate training of Debtor

Clerks is paramount.

Recommendation 2:

Debt Recovery Handbook should be reviewed and training provided to Debtors Clerks on the

responsibilities of their role.


The Debt Recovery Handbook does not reflect current working practices;

The Debt Recovery Handbook does not reflect current legal requirements or best practice;

Debtors Clerks are unaware of their responsibilities or the legal requirements needed when

raising invoices.


Billing and Recovery Team Leader


30/09/18


5.2. Regulatory - compliance with laws, regulations, policies, procedures and contracts.

● High priority


(a) Sundry Debt Write Offs

A review of the Total Finance Debtors module indicates that there have not been any Sundry Debts

written off since October 2014. However, from 2014-2017 there are 28 accounts with invoices

flagged as “Pending Write Off” and the overall value is £1,305.22.

The Revenue Budget – Period 9 Summary Financial Report 2015/16 (1 April 2015 to 31 December

2015) which went to Executive on 24/11/15, stated:

6. WRITE OFFS

“6.1 Debts totalling £86k have been put forward by the Revenues Service for Quarter 2. Having

discussed this with the Elected Mayor as the Portfolio Holder, the Section 151 Officer intends

to do a review of these more fully before submitting to Executive for write-off. This will ensure

the Council has done as much as it can to try and retrieve these debts before determining they

are no longer viable to collect.”

The Revenue Budget - 2016/17 Budget Monitoring Report as at Quarter 2 report, which went to

Executive 25/10/16, stated:

“5.1 A review of debt recovery and write-off policies is underway and an update will be

provided in the Quarter 3 report.”

However, no further comment was made in the Quarter 3 report or the 2016/17 Revenue Outturn

report, but the Statement of Accounts 2016-17 (Unaudited) shows that there have been write offs

for Council Tax £60k and NNDR £18k, totalling £78k. This indicates that there have not been any

Sundry Debt write offs.

The write off amounts included in the Statement of Accounts 2016-17 (Unaudited) do not appear


The Recovery Team has not actioned any write offs

this year, due to the Total system being unavailable

since August 2017.

The revised Handbook will incorporate writing off

debt and will therefore review the existing write

off procedure.

Any future write offs will be authorised accordingly

by the S151 Officer and reported to the Executive

accordingly.

Debts will not be authorised for write off unless

they are irrecoverable due to insolvency, deceased,

uneconomical to pursue or statute barred.


to have been included in the usual quarterly Revenue monitoring reports which go to the

Executive, which is a requirement of the Financial Regulations and Financial Procedure Rules.

Internal Audit have also not currently been provided with supporting evidence to confirm that

these amounts were appropriately authorised.

Recommendation 3:

The level of historical aged debt is reviewed for Sundry Debtors and consideration given to writing

off those debts deemed unrecoverable or uneconomic to pursue. Any write offs should be

reported to the Executive.


Unrecoverable debts remain within the accounting system and continue to be reported in the

Statement of Accounts;

Departmental budgets do not accurately reflect the actual level of income received;

The adjustment of historical bad debts could dramatically impact departmental budgets if not

carried out periodically.



Billing and Recovery Team Leader


30/09/18

● Medium priority


(b) Scheme of Delegation for Sundry Debtors

There is no clear guidance in place for the level of authorisation required for raising a new debtor’s

account, the cancellation of an invoice or the refund of received payments.

Sample testing of cancellations/refunds found:

2/5 cancellation forms had been completed electronically and so do not show the

authorising persons signature. There were also no supporting emails held to confirm the

authorisation;


Clarification will be issued to Debtor Clerks and a

temporary Scheme of Delegation will be put in

place. A full review will take place as part of the

planned Corporate review of the Council’s

Constitution.


1/5 appears to have been authorised by the same person who raised the form and they are

an Administration Support Officer level;

2/5 although authorised by a different person, the authorising officers were in a similar role

and not of Management level;

3/4 refund forms did not record the name of person completing the form and they were

authorised by someone of a Senior Admin Support Officer level.

Neither the Financial Regulations and Financial Procedure Rules nor the Debt Recovery Handbook

specifically reference the level of authorisation needed. There is no clear guidance as to the

required level of authorisation and Finance Officers currently work to the Scheme of Delegation

which is outlined in the Financial Regulations for Creditors:

Ordering and paying for work, goods and services.

“4.45 The key controls for ordering and paying for work, goods and services are:

(a) All goods and services are ordered only by appropriate persons and are correctly

recorded. For this purpose the following Authorisation limits shall be used;

Orders up to £5,000 administrative support staff that currently have Authorisation

to raise orders;

Orders between £5,000 - £30,000 – identified budget holder;

Orders between £30,000 - £75,000 – head of service;

Over £75,000 – formal tender under Contract Standing Orders. Orders placed to be

authorised by director/head of paid service.”

The authorisation for the cancellation of an invoice and the refund of payments had previously

been required to be the budget holder, i.e. departmental Manager. However, the revision of the

Financial Regulations and Financial Procedure Rules in April 2015 has resulted in the current

position.

It is Finance Officers who carry out the amendments, requested by the completed forms and so


there are adequate separation of duties within the process.

Recommendation 4:

A Scheme of Delegation should be put in place for Sundry Debtors, which clearly defines the lines

of responsibility for raising new debtor accounts, the cancellation of invoices and the refund of

received payments.


Invoices are amended or cancelled without appropriate authorisation;

Refunds are made without appropriate authorisation.



Solicitor


30/09/18


5.3. Information - reliability and integrity of financial and operational information.

● High priority


(a) Bank Reconciliations and Feeder Systems

Reconciliations are usually carried out monthly between Total Finance and the different feeder

systems, including Sage (payroll), Civica (Cash Receipting) and Academy (Revenue and Benefits).

However, due to the impact of the cyberattack at the end of August 2017 (see 2.2.2),

reconciliations between the Total Finance debtor system and income received are not up to date.

Testing of the Accountancy Team Holding Account cost centre identified two debtor accounts

where payments were duplicated in error. These were erroneous postings of the same Civica cash

receipting data file on the 27/02/18 and 28/02/18. This was brought to the attention of the SFT

who corrected the posting. Internal Audit also identified a discrepancy where Civica cash

receipting data was not posted to Total Finance. Internal Audit queried whether all of the Civica

transactions had been loaded into Total Finance and the SFT stated that because of the problems

with the interfaces it would take a full bank reconciliation to identify missing or duplicated

postings. These issues may not be restricted to the Sundry Debtor system, but could possibly

impact the other feeder systems, including Academy Council Tax and Business Rates.

Due to the impact of the cyberattack, reconciliations have only been completed up to July 2017.

External Audit’s “Audit Findings - Year ended 31 March 2017” report, which was reported to Audit

and Governance Committee on 21/03/18, included the finding:

“Our review of control account reconciliations identified that the format of some of the

reconciliations could be improved to clearly show the nature of the outstanding balance and

the individual transactions which accounted for the difference between the ledger balance and

the sub-system balance. Monthly reconciliations were produced throughout 2016/17 (and in

2017/18 but not since the cyber-attack in August 2017) but there was insufficient evidence of


Work is ongoing as a priority to resolve the

problems with the feeder system interfaces and

Total Finance, as this will need to be resolved for

the production of the Statement of Accounts

2017/18.


the timeliness of these reconciliations, or that they had been subject to senior officer review. “

A high priority recommendation was raised, with the target implementation date of April 2018 and

the assigned responsibility to the Finance Manager and Financial Management Technician:

“Ensure that there is a clear timetable in place for the production and review of control account

reconciliations. The format of reconciliations should enable the nature and validity of

reconciling items to be determined, and senior officer review should be properly evidenced.”

As such, Internal Audit will not raise a recommendation in relation to the bank reconciliations, but

will raise a recommendation on the requirement to ensure the interfaces between the feeder

systems and Total Finance are working efficiently.

Recommendation 5:

Management should confirm and test whether the problems with the feeder systems interfaces

with Total Finance are resolved and work efficiently.


Data from the feeder systems are not entered into the Total Finance system;

Duplicate / missing payments are not identified;

Payments, which have been made and are shown in the Civica cash receipting system, have not

been posted to Total Finance.

Reputational damage to the Council if debts are pursued as outstanding even though payments

have been made within the required timescales.




31/05/18


Audit Assurance Opinions

There are four levels of assurance used; these are defined as follows:

Definition: Rating Reason

Substantial There is a sound system of internal control designed to achieve the system objectives and this minimises risk.

The controls tested are being consistently applied and no weaknesses were identified. Recommendations, if any, are of an advisory nature in context of the systems and operating controls & management of risks.

Reasonable There is a reasonable system of internal control in place which should ensure that system objectives are generally achieved, but some issues have been raised which may result in a degree of risk exposure beyond that which is considered acceptable.

Generally good systems of internal control are found to be in place but there are some areas where controls are not effectively applied and/or not sufficiently developed. Recommendations are no greater than medium priority.

Partial The system of internal control designed to achieve the system objectives is not sufficient. Some areas are satisfactory but there are an unacceptable number of weaknesses which have been identified and the level of non-compliance and / or weaknesses in the system of internal control puts the system objectives at risk.

There is an unsatisfactory level of internal control in place as controls are not being operated effectively and consistently; this is likely to be evidenced by a significant level of error being identified. Recommendations may include high and medium priority matters for

address.

Limited / None Fundamental weaknesses have been identified in the system of

internal control resulting in the control environment being

unacceptably weak and this exposes the system objectives to an

unacceptable level of risk.

Significant non-compliance with basic controls which leaves the system open to error and/or abuse. Control is generally weak/does not exist. Recommendations will include

high priority matters for address. Some medium priority matters may

also be present.

Grading of Audit Recommendations

Audit recommendations are graded in terms of their priority and risk exposure if the issue identified was to remain unaddressed. There are three levels of audit

recommendations used; high, medium and advisory, the definitions of which are explained below.

Definition:

High ● Significant risk exposure identified arising from a fundamental weakness in the system of internal control

Medium ● Some risk exposure identified from a weakness in the system of internal control

Advisory ● Minor risk exposure / suggested improvement to enhance the system of control

Recommendation Follow Up Arrangements:

High priority recommendations will be formally followed up by Internal Audit and reported within the defined follow up timescales. This follow up

work may include additional audit verification and testing to ensure the agreed actions have been effectively implemented.

Medium priority recommendations will be followed with the responsible officer within the defined timescales.

Advisory issues are for management consideration.

Documents

Audit of Sundry Debtors - copeland.gov.uk