audit management letter - action plan - march 2018 revie · 2018-04-13 · audit management letter...
TRANSCRIPT
Action Plan – Audit Management Letter 2016/17 – v2.0 – March 2018
Berrigan Shire Council
Action plan – Audit Management Letter 2016/17
Review 1 – March 2018
Item Issue Audit recommendation Action Responsible Officer Scheduled completion Status
1.1 Understatement of depreciation expense on library books
We recommend that Council conduct a comprehensive review of existing library books to ensure:
• annual depreciation expense is calculated and recorded correctly
• carrying values for library books are accurate.
1.1.1 Review procedure/process for the addition, disposal and depreciation of library collections
FM June 2018 Not yet commenced
1.1.2 Undertake desktop review of current library collections and write off any books that have been disposed
FM June 2018 Not yet commenced
1.2 Unrecorded liabilities
We recommend that Council improve processes around identifying and recording creditors and accruals at year end to ensure all amounts due are captured
1.2.1 Review existing procedure for identifying and recording creditors and accruals
FM April 2018 Staff changes have meant that this action has been delayed. Expected to be complete in June 2018 for this year’s accruals
1.2.2 Implement any required changes in the procedures
FM April 2018 Staff changes have meant that this action has been delayed. Expected to be complete in June 2018 for this year’s accruals
Appendix "B"
1.2.3 Instruct staff on the procedures once implemented
FM April 2018 Staff changes have meant that this action has been delayed. Expected to be complete in June 2018 for this year’s accruals
1.3 Review of payroll masterfile changes
We recommend that management reiterate to staff the importance of generating payroll masterfile changes report and its review by the Finance Manager
1.3.1 Review existing procedure for making payroll masterfile changes.
FM April 2018 Not yet commenced
1.3.2 Implement any required changes in the procedures
FM April 2018 Not yet commenced
1.3.3 Instruct staff on the procedures once implemented
FM April 2018 Not yet commenced
1.4 Payroll upload error
We recommend that Council review the error in detail to ensure that all necessary corrections to the payroll have occurred. We also recommend that the management reiterate to staff the importance of an appropriate review to prevent similar occurrence in the future.
1.4.1 Commission external review of payroll errors. Review to advise on corrections – if any – and recommend procedures to avoid recurrence.
DCS February 2018
External review to be conducted by the Council’s Auditors 9‐11 April 2018
1.4.2 Review any recommendations from the external review and make any required corrections
FM March 2018
Still waiting on external review to be completed
1.4.3 Develop and implement any new procedures
FM April 2018 Still waiting on external review to be completed
1.5 Cash payments to caretaker staff through Committee of Management
We recommend that Council ensures that all cash payments are ceased to comply with Council’s approved policies. If the Committee wishes to engage a caretaker, it should be done after following Council’s hiring processes
1.5.1 Instruct the Committee of Management in question to cease payments
DCS COMPLETE
1.5.2 Appoint contract caretaker in line with Council’s standard processes
DCS COMPLETE
1.5.3 Remind all Committees of Management about the Council’s requirements for hiring staff as per the Volunteer Committee of Management manual.
DCS February 2018
COMPLETE
1.6 Supporting workpapers for asset revaluation
We recommend that management should perform an annual assessment to ensure the assets’ carrying values are materially consistent with their fair value. Management should also prepare adequate supporting workpapers that enable an efficient and effective internal review and external audit.
1.6.1 Review and document procedure for assessing and reviewing value of infrastructure assets, including timelines
FM November 2018
Not yet commenced
1.6.2 Implement revised procedures FM March 2019
Not yet commenced
1.7 Non‐IT staff have inappropriate access to directly modify financial data outside of the application
We recommend that Council review its existing list of assigned IT access privileges for each staff member against their current role to ensure their access level assigned remains current and appropriate, taking corrective action, as necessary. Access to directly modify the Practical database should be restricted to relevant IT staff only. For those Council staff assigned with ‘super user’/ administrator IT access privileges we recommend Council consider the following controls:
• Practical privileged access audit logs are reviewed regularly by a suitably independent and qualified individual, with appropriate action taken when required or;
• Standing Practical privileged access is removed and only granted on a temporary basis when required
1.7.1 Review access to the Council’s computer network for each user and remove unnecessary access privileges.
ITO February 2018
Review underway. Large scale staff changes have delayed the process. Scheduled for completion May 2018
1.7.2 Review access to the Council’s Practical system for each user and remove unnecessary access privileges.
ITO February 2018
Review underway. Large scale staff changes have delayed the process. Scheduled for completion May 2018
1.7.3 Develop and implement procedure for granting and removing network and Practical access privileges for staff
ITO March 2018
Not yet commenced
1.7.4 Develop a set of approved Practical access privileges for each position.
ITO/FM/DCS
October 2018
Not yet commenced
1.7.5 Restrict access to the PCSADMIN account to the Finance Manager and the Information Technology Officer
FM COMPLETED
1.7.6 Document the approved users and functions of the PCSADMIN account
FM March 2018
Not yet commenced
1.7.7 Investigate how to undertake an effective review of a log of actions by the PCSADMIN account.
DCS October 2018
Not yet commenced
1.8 Sharing of high privilege user accounts
We recommend Council consider the following controls:
• Users with high privileged access should have individual user accounts to perform their normal duties
• Standing Practical privileged access is removed and only granted on a temporary basis when required
• Practical privileged access audit logs are reviewed regularly by a suitably independent and qualified individual, with appropriate action taken when required
• User access privileges should be regularly reviewed to ensure they remain commensurate with each individual’s role and any segregation of duties defined by management
1.8.1 Ensure users with PCSADMIN access use their individual user account to perform their normal duties
FM DONE
1.8.2 Develop and implement procedure for granting and removing network and Practical access privileges for staff (see 1.7.3)
ITO March 2018
Not yet commenced
1.8.3 Investigate how to undertake an effective review of a log of actions by the PCSADMIN account. (see 1.7.7)
DCS October 2018
Advice has been sought from Civica. At this stage, it does not appear the software is capable of delivering this functionality
1.9 Audit logs of privileged access activities are not reviewed
For those Council staff assigned with ‘super user’/ administrator IT access privileges we recommend Council consider the following controls:
• Practical privileged access audit logs are reviewed regularly by a suitably independent and qualified individual, with appropriate action taken when required or;
• Standing Practical privileged access is removed and only granted on a temporary basis when required
1.9.1 Develop and implement procedure for granting and removing network and Practical access privileges for staff (see 1.7.3)
ITO March 2018
Not yet commenced
1.9.2 Investigate how to undertake an effective review of a log of actions by the PCSADMIN account. (see 1.7.7)
DCS October 2018
Advice has been sought from Civica. At this stage, it does not appear the software is capable of delivering this functionality