Agenda item

To receive management action plans in relation to financial key controls limited assurance audits.

Lizzie Watkin, Director of Finance and Procurement (S151), introduced the item, explaining that there had been 5 limited assurance audits since the last meeting, and the Committee would now get an update on the weaknesses identified and actions agreed. This item covered the 3 financial key controls audits, which were:

·       Main accounting – post Oracle go live

·       Accounts payable – post Oracle go live and

·       Accounts receivable – post Oracle go live

These areas were key financial controls as they ensured the accounts were not exposed to error, misstatement or fraud, so it was very important.

Main accounting – post Oracle go live

Sally Self, Chief Accountant, presented the slides for the main accounting audit, which were also included in the agenda, starting on page 39. These detailed the findings of the audit, the actions planned in response, and progress against those actions.

Following the presentation Members had the opportunity to ask questions. A summary of topics covered, and points raised is below.

·       Finding 1: Bank reconciliations

In response to a question the officer clarified that bank reconciliation took place monthly. The officer explained that she had reviewed the reconciliation, however had not signed it off as was unhappy with what was presented. In response to further questions regarding this, the officer explained that she had been reviewing the reconciliation and signing it off under the old system (SAP). Following the move to Oracle, she had performed the review but had questions regarding some of the data and there was an unreconciled amount, which is why she did not sign it off. The issues had now been identified, so she could sign it off.

·       Finding 2: Monitoring of Civica cash receipting system

In response to a question, it was explained that when going live with a new Enterprise Resource Planning (ERP) system, there was exposure to the way data transferred between systems. Civica cash receiving into Oracle did not post correctly and there were no controls in place to identify that it was not posting correctly. So, there was risk in the early days of implementing the new system. However, it was identified, and new processes were being put in place. There was still a way to go as it was a massive task.

·       Finding 3: Suspense Accounts

Members expressed concerns as they felt that suspense accounts should be cleared frequently. Officers stated that there was a team working on clearing the suspense account on a daily basis, however, there were about 7000 items a day, so it was quite a task. There were performance targets, and performance was reviewed at Performance Outcome Groups (POGs) and Boards (POBs). The suspense account did not always get zeroed every day.

·       Finding 4: There is no Finance Manual in place

Officers explained that not everyone in the council had finance responsibility, but there were quite a lot of devolved systems in many different services, which is why a central manual for anyone that required it would be useful. There were many different guides, however these were not all contained in one place. So, most of the content existed, it just needed to be pulled together. Updates were also required due to transferring to Oracle. It was anticipated that a first draft would be available by the end of the year.

In relation to this, as Oracle had now been in place for nearly a year, Members queried whether processes were developed in conjunction with Oracle and these had guides which were scattered in more than one place, or whether the processes and guidance was being developed retrospectively. Officers stated that they were there on the whole but scattered. There were user manuals for Oracle. Some processes had to be redeveloped following go live and some processes were outside the system, so it all needed to be brought together and be accessible to anyone. Members queried the non-compliance, and officers stated that really this was a technicality. All the documentation was there, it just needed to be brought together.

·       Finding 5: Inadequate User Access Roles for Users on Oracle

Members queried segregation of duty, authorisation limits and dual authorisation for payments and certain tasks. Officers explained that this finding referred to being able to run processes on Oracle, and that nothing untoward had been found. Accounts payable did have inherent system controls based on position, management level et cetera.

·       Finding 6 - No appropriate processes and records for the Direct Debits the Council has agreed to accept

In response to questions officers clarified that this referred to payments out. Some suppliers would only accept direct debits. The council had experienced issues with a bank processing direct debits where they did not have a signatory on the direct debit. If that happened, it would get refunded immediately. This highlighted why reconciliation was so important.

·       Finding 7- Inconsistent format for the Journal Control Checks report

In response to questions officers clarified that individual services could not raise journals. That responsibility sat with finance. Issues had been more about the style of the reports in Oracle as they looked different to previously. Members felt that it did not matter whether we were using SAP or Oracle, this had been discussed before at the Committee and there should be a system of control in place for all journals. Officers explained that there was a consistent approach and documentation in Oracle. Only experienced finance staff processed journals. There was also now a 2 stage process to approve journals. This is what had been discussed in the past at the Committee.

·       Finding 8- Reconciliation between the Civica system and the Civica Suspense Account for the year end on 31st March 2024.

This related to the timing of files running on Civica. It was slightly tricker in Oracle to identify outstanding items. Issues had now been resolved.

Accounts payable – post Oracle go live

Sally Self presented the slides for the accounts payable audit which were also contained in the agenda from page 51.

Members stated that the actions all looked like improvements to controls and queried whether there were any actual discrepancies or fraud uncovered.

Lizzie Watkin explained that the audit had found weaknesses in the controls or controls not in place that should be. No instances of fraudulent activity were uncovered.  Furthermore, it was high risk going to a new ERP. There had been some confusion in the early days, and then there were bits of the system that did not work as expected. This was all about the additional controls to ensure the council had all the checks and balances in place, the officer gave assurance that nothing concerning was found.

In response to a question as to what Redwood was, it was explained that this was the user interface when you log into oracle.

Accounts receivable – post Oracle go live

Sally Self presented the slides for the accounts receivable audit which were contained in the agenda from page 61, highlighting that the processes were very different in Oracle to how it had been in SAP.

Members questioned whether the issues that had been identified were just since Oracle has been implemented, or whether this had possibly been missed by internal audit previously. Furthermore, they questioned whether there had been more focus on the IT implementation of Oracle than on basic financial controls.

Lizzie Watkin explained that the change of ERP had highlighted some issues. People were previously very familiar with the process, how they did things, and what was expected. The change of ERP had changed everything, the data looked different, the flow was different, and people were caught off guard in relation to key financial controls and why they undertook certain processes. These audits had purposefully looked at these areas. It had been a learning process for everyone. Did people understand why they did what they did? The answer was not consistently across the board.

Becky Brook, SWAP stated that they have a process of continuous audit, so this had been looked at quarterly. The additional areas identified since the implementation of Oracle pushed the outcome of this audit to a limited opinion. However, some of the issues had been in existence previously. Officers would have been given management actions, even if it was not reported as a limited assurance audit. SWAP also explained the timeline and thought process in relation to this audit.

Members noted that many of the management actions were related to improving process and policy and highlighted that many of the findings were related to people. They queried whether there were any actions related to training and if so whether there was the capacity to deliver it. Officers confirmed that teams were working through providing documents and training, particularly in relation to accounts receivable. The change of ERP highlighted the need for not just systems training but also training on principals and core fundamentals. A lot of work had been undertaken around the Chartered Institute of Public Finance and Accountancy (CIPFA) framework and competencies, so that staff know what is expected. Officers were also working with training colleagues and speaking to HR about core expectations for managers. Members requested that updates on how the training was going be brought to future meetings.

The lack of a finance manual was discussed in further detail, with SWAP explaining that this had been flagged previously, with an action related to that since 2018/19. It had been thought that swapping to the new ERP would solve this as new documentation would need to go with the new ERP. However, it had been nearly a year since the implementation of the new ERP and this action had not yet been completed, which is why SWAP were flagging it now. Lizzie Watkin stated that they had been aware of this for some time, however due to the upcoming implementation of Oracle, it did not make sense to compile all the information until that had been rolled out. Risks were mitigated for. However, at this point, it should be in place. The officer needed to focus on the here and now and on how best to use her resources. It was a risk, but not as significant as some of the other risks being presented today. This Committee must have oversight and hold officers to account to ensure that they were mitigating risks and addressing issues. This was part of the process and the value that could be gained from internal audit.

Members raised concerns regarding debt recovery and queried when the Corporate Debt Recovery Policy was last reviewed. Officers thought that this was in 2015. It would be reviewed as part of bringing together the finance manual. Members questioned whether there was a log for policies and how the council ensured that they were kept up to date. Officers explained that the finance manual should refer to all the additional policies. The organisation did not change significantly in terms of its business, although the environment it was operating in could. Officers felt that they should commit to review polices every 2 years. Members hoped that it would be possible to look at the policy review process at a future meeting, and requested it be added to the Forward Work Plan for the Committee.

Some Members congratulated officers for what they were doing and felt that they were doing the best they could in a difficult situation. They felt there were capacity issues and not enough resources.

Cllr Nick Botterill, Cabinet Member for Finance and a non-voting Member of the Committee, was in attendance virtually. He highlighted the free and frank discussion which had taken place, and the importance of shining a light in these areas. He also stressed the monumental task which migrating to Oracle was. The process had caused issues as some councils and had even been a factor in Birmingham City Council issuing a section 114 notice. However, the council did have to upgrade systems. The fact that they had got to the business-as-usual stage was a reflection of the quality of the senior leadership and teams that were working on this. The audit process was helpful and helped us to pull everything together.

Members discussed a proposal, and following proposal by the Chairman, seconded by Cllr Martin Smith, it was,

Resolved:

·       To note the presentation and management action plans in relation to the financial key controls limited assurance audits, and

·       To request the Committee receive an update from officers in relation to the training programme being rolled out associated with these financial key controls limited assurance audits.