Accounts – Purchasing and Creditors Executive Summarymeetings.derrycityandstrabanedistrict.com/documents... · Accounts – Purchasing and Creditors Executive Summary 1 Introduction

Appendix 6 CODA Audit Reports Completed and Presented to CODA Assurance, Audit and Risk Committee

Accounts – Purchasing and CreditorsExecutive Summary

1 Introduction

Internal Audit has recently completed an audit of Purchase & Creditors at CODA Operations Ltd.

The purpose of this review was to provide senior management with an assurance about the adequacy and effectiveness of internal control. The objectives and scope for this review were agreed with the Finance and Administration Manager prior to the commencement of the audit.

The Audit work performed was as follows:

Establishing the system of controls. Evaluating the adequacy of the controls. Designing and completing the audit programme to test the effectiveness of

the controls. Reporting on the adequacy and effectiveness of the controls to achieve

system objectives.

2 Objectives

The objectives of the audit were:

To ensure that adequate controls are in place to allow suppliers to be paid within 60 days.

To ensure that adequate controls are in place to comply with purchasing / accounts procedures and all relevant legislation.

To ensure that payments are made in respect of bona fide purchases. To ensure that all sensitive data / documentation is held securely. To ensure that non-tendered / off tender buying is kept to a minimum. To ensure there is adequate awareness of community needs. To ensure the risk of theft and fraud is minimised. To ensure that third party service providers are managed effectively.

3 Scope

The audit encompassed a review of:

Payment of Suppliers; Adherence to Procurement Policy & Procedures; Non-tendered buying; Security of sensitive documentation & data; Awareness of Community Needs; Risk of theft / fraud; Compliance with legislation; and Third Party Service Providers.

4 Summary of Findings

From the testing carried out, Internal Audit found satisfactory controls over the purchasing and creditor systems. Some improvements are recommended to enhance the overall system of internal control. The key recommendations made relate to:

Review and update of the Procurement Policy and Procedure to include update of the specific points raised in this report and any other areas which may be relevant. Also to ensure training is given to all relevant staff on the updated processes.

Maintaining a register to record goods and hospitality both offered and / or received.

Changing the registration date of invoices on Exchequer to the date on which the invoices are received at CODA and not the date typewritten on the invoice.

Changing the goods receipt date on Exchequer to the date when it is confirmed by the manager of the area procuring the goods that the goods have actually been received.

Ensuring staff and management are reminded of the importance of the correct sequencing of procurement activities, recording of values on requisitions / purchase orders, and ensuring that purchase orders are created in all instances. The only exception should be when goods / services are required at short notice, out of normal office operating hours.

Improving controls over tendering, by maintaining a single corporate record of all CODA tenders, and ensuring this is communicated to all sections and used as a checklist to ensure all appropriate arrangements are made in time for tenders due for renewal.

Clarifying whether purchasing thresholds in the procurement policy are inclusive or exclusive of VAT.

Ensuring that all relevant quotation / tender summary information is forwarded to the Administration Officer responsible for purchasing at the same time as the purchase requisition, to allow a check to be undertaken to ensure compliance with procurement thresholds.

Ensuring that a robust audit trail exists, with appropriate levels of authorisation to justify the purchase of all proprietary items above the quotation thresholds.

Improving controls over supplier master data changes to include the development of a procedure, training staff in this procedure, and contacting key suppliers to advise of CODA changes in the arrangements for change of this data. Also improvements to the audit trail to confirm that appropriate checks have taken place in the process. A key element of the change in practice will be to ensure the Finance and Administration Manager authorises all changes prior to the change being made on Exchequer, and carries out a review promptly after the change, to ensure its accuracy. Also improving the checks over higher value invoices, prior to payment.

Confirming with HMRC information to be submitted in relation to the Construction Industry Scheme returns and ensuring supporting documentation is received and checked to support any labour charges paid to contractors.

5 Limitation of Scope

No Limitations

6 Overall Conclusion and Opinion

On the basis of the audit work carried out the controls in place over Purchase & Creditors provide satisfactory assurance that the system objectives will be achieved.

Payroll - Executive Summary

1. Introduction

Internal Audit has recently completed an audit of Payroll at CODA Operations Ltd.



Establishing the system of controls. Evaluating the adequacy of the controls. Designing and completing the audit programme to test the effectiveness of the

controls. Reporting on the adequacy and effectiveness of the controls to achieve system

objectives.

2. Objectives

The objectives of the audit are:

To ensure the risk of fraud and corruption is minimised; To ensure payments are made to bona fide employees in accordance with

contracts of employment; To ensure deductions made are accurate, authorised and are paid over on a

timely manner to third parties; To ensure that salaries and wages are correctly recorded; To ensure that all amendments to standing data are made completely and

accurately; and To ensure that all overtime, sick leave, acting up allowances are correctly paid (in

accordance with handbook terms and conditions of employment) and adequately monitored.

3. Scope


Procedures; Segregation of Duties; Access to Payroll System; Timesheets; Rates of Pay; Calculations; New Starts; Leavers;

Amendments to Standing Data; Special Payments; Voluntary Deductions; Statutory Returns; Reconciliations; Overtime Payments; and Sickness Payments.

The audit also included a review of the progress made in implementing recommendations made within the previous internal audit report on payroll issued in March 2014.

4 Limitation of ScopeNo Limitations


From the testing carried out, Internal Audit is satisfied that a strong system of internal control is in place. However Internal Audit have made a number of recommendations, which if implemented, will improve the overall control environment.

The key recommendations relate to:

Considering restricting the Payroll Officers level of access to the payroll system.

Reformatting of timesheets to allow both the employee and authorising officer to date the timesheet, and to ensure that the format allows times taken for breaks to be recorded.

Developing and communicating to staff a formal written policy for toil and ensuring that all toil records including shop and security staff are forwarded to the Payroll Advisor for checking together with timesheets, prior to the payroll run.

Ensuring all authorisation to offer employment forms are appropriately authorised by the Contracts Director.

Reminder issued to all staff to complete an amendment form if they require changes to be made to their personal details. In future payroll staff should only action changes if this form has been received from the employee

Any changes to standing data on the payroll system should be checked and countersigned by the Finance and Administration Manager on a timely basis.

Consideration of whether any unique allowances should in the future be referred to the Board for approval.

The authorisation to pay additional allowances should always explicitly state whether or not the allowance will increase with any pay award granted.

Ensuring a digipass to process bacs payments is received in the names of the persons who are processing the payments.

Contact should be made with the new supplier of the payroll system to confirm the arrangements for this year’s major upgrade.


On the basis of the audit work carried out the controls in place over Payroll provide satisfactory assurance that the system objectives will be achieved.

Bank, Cash and Treasury Management- Executive Summary

1 Introduction

Internal Audit has recently completed an audit of Bank, Cash & Treasury Management at CODA Operations Ltd.





system objectives.

2 Objectives


To ensure that Cash Handling procedures are adequate and operating effectively;

To ensure that all income received is properly recorded and appropriately accounted for;

To ensure that the risk of fraud and misappropriation is minimised; To ensure that CODA’s cash flow is managed to maximise investment

income.

3 Scope


Procedures; Receipts, Income; Payments Received; Postal Income; Daily Reconciliations; Cashiers’ Float; Bank Statements; Lodgements; Insurance Arrangements; Credit Card Transactions; Safes; Cash Flow Forecasting; Investment Returns; Bank Reconciliations.



From the testing carried out, Internal Audit found satisfactory controls over the bank and cash systems. However, some improvements are recommended to enhance the overall system of internal control. The key recommendations made relate to:

Update of the ‘Cash Handling Procedures’ to include all elements of cash handling, including the checks and lodgements undertaken by Finance staff.

Ensuring that any receipts issued for the Business Lounge are official documents of CODA.

Introduction of ‘blind counts’ by Terminal Services staff when reconciling car parking monies received.

Internal Audit re-iterate the previous recommendation to develop a policy for the use of credit cards and a policy on the acceptance of gifts and hospitality. These should be approved by the Board of Directors and communicated to all staff.

Review and update of the ‘Business Expenses Policy and Procedure’.

Explore the potential of introducing treasury management activities by engaging in overnight investments, in periods when bank balances are high.


On the basis of the audit work carried out, the controls in place over Bank, Cash & Treasury Management provide satisfactory assurance that the system objectives will be achieved.

Shop – Income Collection and Stock Control Executive Summary

1 Introduction

Internal Audit has recently completed an audit of the Airport Shop: Income Collection and Stock Control at CODA Operations Ltd.

The Airport shop had previously been managed via Blackpool airport but since November 2014 has become the direct responsibility of CODA Operations Limited. The Commercial and Marketing Manager advised that CODA continued with practices that were operational when the shop was Blackpool responsibility.

Therefore this is the first time that a shop audit has been undertaken at CODA by Internal Audit.

The purpose of this review was to provide senior management with an assurance about the adequacy and effectiveness of internal control. The objectives and scope for this review were agreed with the Commercial and Marketing Manager prior to the commencement of the audit.




system objectives.

2 Objectives

The objectives of the audit were:

To ensure that Cash Handling procedures are adequate and operating effectively.

To ensure that all income received is properly recorded and appropriately accounted for.

To ensure that the risk of fraud and misappropriation is minimised. To ensure that there are adequate stock control procedures and processes

are in place.

3 Scope


Income collection Stock Control


As a result of the audit, some control weaknesses were identified. Internal Audit have made a number of recommendations, which if implemented, should enhance the overall system of control.

The key recommendations relate to:

Documenting written procedures to cover all key areas of the shop including income and stock control.

The new procedures should clearly document what is expected in the following key areas and the recommendations made in this report should be implemented in the following areas:

- Roles and responsibilities- Access control to the EPOS system / audit trail- Floats- Voids and refunds- Blind counts- Debit / credit card – merchant copy of receipts- Recording of business lounge sales- Stock procedures

Physical controls are improved through the relocation of shop tills, shop safe, creation of safe registers, securing shop floats and improving detection systems for counterfeit cash.

Improvements are made to the processes for the reconciliation of income including improvements to the process for review of discrepancies and review of voids and refunds

A robust inventory and stock control system is introduced. In particular recommendations have been made in relation to:

- Stock procedures- Storage of stock- Changes to Master stock data on the EPOS system- Implementation of a control framework over stock counts- Procurement of shop supplies


No Limitations


On the basis of the audit work carried out the controls in place over Income Collection and Stock Control within the Airport Shop provide limited assurance that the system objectives will be achieved.

Ground Handling - Executive Summary

1 Introduction

Internal Audit has recently completed an audit of Ground Handling at CODA Operations Ltd.

The purpose of this review was to provide senior management with an assurance about the adequacy and effectiveness of internal control. The objectives and scope for this review were agreed with the Finance and Administration Manager and the Customer Services Manager prior to the commencement of the audit.




system objectives.

2 Objectives

The objective of the audit is to ensure that adequate and effective controls are in place over Ground Handling at CODA Operations Ltd.

3 Scope

The audit encompassed a review of the following:

Income; Security Documentation; Check in / Ticket Desk; and Boarding Gate.



From the testing carried out, Internal Audit is satisfied that a strong system of internal control is in place and no recommendations have been made at this time.


On the basis of the audit work carried out, the controls in place over Ground Handling provide substantial assurance that the system objectives will be achieved.

Turnaround Times - Executive Summary

1 Introduction

Internal Audit has recently completed an audit of ‘Turnaround Times’ within CODA Operations Ltd.





system objectives.

2 Objectives


To ensure that CODA staff are aware of a clear definition and the standard for turnarounds.

To ensure that appropriate systems are in place to capture, monitor and report turnaround times.

To ensure that turnaround performance is monitored and compared to other airports and action taken to improve turnarounds if required.

3 Scope


Definition of a turnaround; Turnaround standards; Arrangements for the capture, monitoring and reporting of ‘turnaround times’

at CODA Turnaround performance at CODA (including KPI’s / benchmarking

arrangements, review of complaints regarding turnaround, if applicable).


No Limitations


From the testing carried out, Internal Audit found satisfactory controls in operation. However, some improvements are recommended to enhance the overall system of internal control. The key recommendations made relate to:

Assurances around the reliability and integrity of information of ‘chalks off’ time and hence the overall turnaround time.

Consideration of capital spend to reduce the time taken to unload / load Persons with Reduced Mobility (PRM’s);

Review the current level of information captured on ‘Turnaround Times’ to reduce duplication;

Improve the monitoring process by performing trend analysis on the data over time and by checking the accuracy of information presented on ‘Turnaround times’ by the airline;

Present information on ‘Turnaround times’ to the Senior Management Team and the Board.


On the basis of the audit work carried out, the controls in place over ‘Turnaround Times’ provide satisfactory assurance that the system objectives will be achieved.

Sales and Debtors Executive Summary

1 Introduction

Internal Audit has recently completed an audit of Sales and Debtors at CODA Operations Ltd.



Establishing the system of controls. Evaluating the adequacy of the controls. Designing and completing the audit programme to test the effectiveness of the

controls. Reporting on the adequacy and effectiveness of the controls to achieve system

objectives.

2 Objectives


To ensure that all income due to CODA Operations Ltd is collected in a timely manner;

To ensure that accurate invoices are raised for bona fide services rendered; To ensure that invoices and receipts are correctly recorded; To ensure that the risk of theft and misappropriation is minimised; To ensure that appropriate action is taken in relation to outstanding debts; To ensure that bad debts are dealt with appropriately; To ensure that the appropriate procedure is followed when writing off bad debts.

3 Scope


Procedures; Raising of Accounts; Periodic Income; Invoices Held; System Access; Recording of Payments; Amendments to Accounts; Outstanding Debts; Bad Debts; Write Offs.


No Limitations


From the testing carried out, Internal Audit found satisfactory controls over the sales and debtors system. However, some improvements are recommended to enhance the overall system of internal control. The key recommendations made relate to:

Update of the ‘Credit Control Procedures’ to incorporate the issues identified in this report and the communication of the updated procedures to staff.

The importance that the check of invoices by the Finance and Administration Manager should take place prior to issue of the invoice.

Reminding staff of the importance of completing the credit memo and ensuring they obtain authorisation to perform the credit, prior to actioning this on Exchequer.

Improvements over debt management such as:- ensuring the Aged Debtors Report is printed and reviewed on a regular

monthly basis,- ensuring that hard copy evidence is retained showing an audit trail of

action taken for each debt,- ensuring that any action identified to progress recovery of the debt is

undertaken promptly. - ensuring that all Administration Officers involved in invoicing customers

are given a copy of the black list

Ensuring that debt which is considered to be irrecoverable is written off as soon as possible and the bad debt provision reversed accordingly.


On the basis of the audit work carried out the controls in place over Sales and Debtors provide satisfactory assurance that the system objectives will be achieved.

ICT - Executive Summary

1 Introduction

Internal Audit has recently completed an audit of ICT (Information and Communication Technology) at CODA Operations Ltd.





system objectives.

2 Objectives


To ensure the conditions of the Contract between DCSDC and CODA for the provision of IT Service Support is clearly defined, agreed, and being regularly monitored and complied with.

To ensure that controls and measures are in place to reduce the cyber risk.

To ensure that responsibility for emergency planning, disaster recovery and contingency planning has been designated and clearly defined.

To ensure that adequate procedures are in place for emergency planning, disaster recovery and business continuity.

To ensure that appropriate training has been provided to all staff.

To ensure that risk management reviews at CODA include the risks associated with ICT.

To ensure that all plans are regularly tested.

To ensure that all emergency contact information is readily available and easily accessible.

To ensure that adequate backup power supply arrangements are in place and standby offices are ready for immediate occupation.

3 Scope

ICT is a broad term that is concerned with managing and processing information. It affects an organisation's strategy, structure, marketing and operations and due to the continual change and new technologies, the risks are constantly changing.

As such ICT is a huge auditable area and so it is important that the scope of this particular audit is clearly defined.

This audit will focus solely upon the infrastructure, support agreement between DCSDC and CODA and Disaster recovery / Business continuity measures in place. It will also encompass a high level overview of the adequacy of controls and measures in place to reduce the cyber risk.

4 Limitation of ScopeThe audit will exclude a detailed review of information security, data management, IT governance and System development / implementation. In particular Internal Audit are aware that CODA will in the near future be moving towards ‘cloud computing’. However this audit will focus upon the system as is currently operational. A further review may be required and included within a future CODA Audit Plan when Cloud Computing is operational.

Social media will also be excluded from this audit as it will be encompassed within the Marketing and Social Media audit.


From the testing carried out, Internal Audit found satisfactory controls over the ICT system. However, some improvements are recommended to enhance the overall system of internal control. The key recommendations made relate to:

a) Contract between CODA and DCSDC

The development of a formal documented contract between CODA and DCSDC for the provision of ICT Support, and ongoing monitoring of performance against this contract.

b) Improvements to ICT Infrastructure

Improvements to ICT Infrastructure to include:

Improvements to ICT registration and de-registration procedures, to include the creation of a formal inventory of ICT equipment at CODA and the creation of a planned programme for updating ICT equipment;

Confirmation by CODA of the current approach to patch management;

Development of an ICT Strategy;

Written confirmation from the service providers for AFIDS (Airport Flight Information Display) and Exchequer (financial system) for the backup and contingency arrangements in place, and detailed recovery procedures for these systems.

c) Cyber Security Policy

Development of a Cyber Security Policy to clarify the ownership of cyber risks and controls, to identify a tolerance level of Cyber risk for CODA, and to assess the risks associated with loss and theft. Also development of a response plan to deal with Cyber incidents.

d) Cyber security training

Training on cyber risks. This would include training on the new Cyber Security Policy when it is developed and the delivery of security awareness briefings on a regular basis.

e) Data and information security

Update of the data protection section of the Employee Handbook to provide advice and guidance on all aspects of data and information security (not just that relating to employee information).

f) Clarification of roles and responsibility re cyber risk

Clarification of roles and responsibilities in relation to Cyber Risk to include the responsibility for reporting cyber incidents and their impact to the Senior Management Team and / or the Board.

g) Board decisions on cyber risk

Board and senior management to consider how they are going to manage Cyber risk going forward, and the sources of assurance that they need. For example, consideration of a Cyber Risk insurance policy.

h) Improvements to Disaster Recovery and Contingency Planning

Improvements to Disaster Recovery and Contingency Planning to include:

Identification by the Board of the senior officer who has ultimate responsibility for all Emergency Planning, Disaster Recovery and Contingency Planning.

Consideration of the purchase of a new Main Generator, given the opinion of the AGL Engineer on the remaining useful life of the current generator

Confirmation from DCSDC if office space could be made available to CODA in the event of an emergency situation.


On the basis of the audit work carried out the controls in place over ICT provide satisfactory assurance that the system objectives will be achieved.

Documents

Accounts – Purchasing and Creditors Executive Summarymeetings.derrycityandstrabanedistrict.com/documents... · Accounts – Purchasing and Creditors Executive Summary 1 Introduction