Anda di halaman 1dari 31

Payroll - Internal audit report

City of Marion
28 May 2008

28 May 2008 Kathy Jarrett Manager Governance The City of Marion 24 5 Sturt Road STURT SA 50 47

Dear Kathy

Payroll Int ernal audit report


In connection with the City of Marion Internal Audit Plan, we have completed the abovementioned internal audit project and are writing to report our findings. We acknowledge and appr eciate the assistance provided by Andrew Lindsay and Peter Bice in the performance of the review. This report covers processes and controls that were in effect during November 2007 February 2008 and fieldwork was performed during February 20 08. Please contact David Powell on 8417 1727 or Matthe w Beeby on 841 7 1756 if you have any que ries regarding this report. Yours sincerely

Ernst & Young

Liability limited by a scheme approved under Professional Standards Legislation

Contents
1. 2. 3. Execut ive summary........................................................................................... Detailed findings and recommendations ............................................................. Improvement recommendation ........................................................................ Risk rating criteria .......................................................................... Personn el consulted during the condu ct of this project ....................... .. 1 .. 8 .. 16 .. 18 22

Appendix A Appendix B

2008 Ernst & Young Australia. Liability limited by a scheme approved under Professional Standards Legislation.

1.
1.1

Executive summary
Background & objectives

In accordance with the Internal Audit Plan 2008, we have undertaken a review of the City of Marions Payroll functions . Accordingly, we have documented our recommendations regarding the appr opriateness of the City of Marions policy, procedures and records surrounding the Payroll processes to ensure the safegua rd of the Councils assets. The processing of payroll is a core function requiring effective internal controls to limit the opportunities for fraud or error. The capture of information, the control of data, appr oval mechanisms and transfer of funds are all key steps in the payroll process requiring effective internal controls. There is the potential for a lapse in communication between personnel involved in Human Resources and Payroll which needs to be managed to ensure information is correctly transferred. Whilst incorrect information resulting in employees receiving less salary than cont racted is unlikely, the risk exists that payroll is processed in excess of contractual arrangements with employees, resulting in losses to City of Marion. In addition, the re is inherently a risk associated with payroll due to fraudulent activity, resulting in financial loss to City of Marion. It is important that effective appr oval, monitoring and processing controls are in place to minimize the opportunity for City of Marion employee s to perpetuate fraud. Our review will take into consideration the adequacy of the payroll process and controls to minimize the risk of fraud. The main objective of the review was to identify gaps in control performance and recomm end process efficiencies that may be gained. The objectives of the review were to:

Review the payroll controls in place Consider the efficiency of processing and review the communication procedures between Human Resources and the payroll processing function Assess the procedures associated with the monitoring of payroll processing to enable City of Marion to comply with authority levels and appropriate segregation of duties.

Payroll - Internal audit repor t

1.2

Scope

The scope of this project was to exami ne the key controls over the following payroll processes: Our review will include a focus on the following areas :

Key reconciliations between systems including the recording of monthly accruals of employee entitlements; The reporting to business unit managers, as well as the process for appr oval of leave and variations, including overtime and allowances; The processes and reporting associated with job costing in relation to projects; Internal controls surrounding timesheet capture, data input and verification processes; Compliance with relevant legislation, awards and EBA regulations.

1.3

Approach
Phase 1 Phase 2 Identify and assess business risks Phase 3 Assess processes and control gaps Phase 4 Validate process measures and controls Phase 5

The app roach to this project followed the Internal Audit methodology developed by Ernst & Young. This approach is outlined in the phases below:

Understand the payroll process

Provide valueadded reporting

Payroll - Internal audit repor t

1.3.1

Understand City of Marions payroll policy and procedures

We have updated our understanding of the payroll processes through consultation with relevant employees and observation. Specifically, we:

Reviewed the current policies, procedures, awards, legislation and Enterpr ise Agreement in relation to payroll processing Understood the systems used to capture payroll data Discussed procedures in place to monitor payroll processing Understood what supporting documentation is retained to validate payroll processing.

1.3.2
We have:

Ass ess business and financial risks in the process

Identified business and financial risks in the process Sourced and prioritised risks as low, medium or high risk.

1.3.3
We have:

Ass ess process and control gaps

Assessed the process and identified control gaps that do not addr ess the identified risks Assessed whether the recommendations implemented addres s the identified risks Identified gaps between actual and desired/potential performance of these controls over risks.

1.3.4
We have:

Validate process measures and controls

Developed a review plan based on risks identified Reviewed key controls identified as implemented Tested the key controls.

AUDIT PROGRAM :
W EIG T H RANK SCO RE

Payroll Processing: 1. Document the flow of documents through payroll processing 2. Payroll procedures should be reviewed for appropriate controls to ensure the accuracy of salary paym ents. Verify the following:
i) Signatures of em ployees preparing salary paym calculations and the officer ent reviewing the sam should be evidenced on the appropriate register. e ii) Ensure that file copies of Em ployee Statem ents of Earnings and Payroll Registers are m aintained in the custody of the Payroll Departm personnel. ent iii) Review all com puter/m anual payroll registers to ensure that the inform ation has been accurately entered and captured, and should sign the register and accounting entries to evidence review.
. 5 6 6 8 30 48

3. Select a sam ple of individuals from the last payroll register and perform the following:

56

i) Trace the pay rate and all deductions to properly authorized form in the s em ployees personnel file. ii) Agree departm ental classifications in payroll. iii) Registers with personnel records. iv) Trace any overtim pay to properly approved form If tim cards are used in the e s. e calculation of gross pay, determ that they have been properly calculated, approved, ine and filed. v) Recalculate all am ounts, including gross pay, deductions, stipends, and net pay. Trace elective deductions to signed authorization form and reference taxes to s appropriate sources. vi) Trace to appropriate disbursem to em ent ployee. vii) Trace total payroll am ounts to posting in the proper general ledger accounts.

4. Document controls for protection and distribution of payroll checks. Conclude on adequacy. 5. Utilized Form s
a) Obtain copies of all forms used by the department. b) Evaluate for adequacy and effectiveness.

72

36

56

6. Generated Reports
.

a) Obtain copies or exam ples of all reports generated for the personnel and payroll departm ents and determ their use and distribution. Include system reports, PC ine reports, and m anual reports. Ensure that the inform ation presented in these reports is tested or analyzed at som point in the audit program e

Tim Accounting: e 7. Select a sam of recently com ple pleted tim cards/time sheets and e verify the following:
i) The tim w e orked is properly recorded. ii) Reasons for absences, early departures and overtim are indicated and approved. e
8 8 64

iii) O vertim is properly calculated and reported. e iv) The tim card/tim sheet is signed by the em e e ployee and approved by the supervisor.

8. Document the operation of the tim ekeeping system Test as . necessary to ensure that the system is functioning as intended and that time is accurately recorded. 9. Absence Reporting
a) Interview m anagem and em ent ployees and review absence reports to evaluate the following: i) Daily records of attendance are m aintained. ii) Vacations are scheduled to ensure that efficient operations are m aintained. iii) A ttendance and tardiness guidelines are com unicated to all em m ployees. iv) All absences are reported in a tim and accurate m ely anner.

72

64

10. Review attendance records and check that appropriate disciplinary actions are evidenced for those em ployees showing abuse of attendance or tardiness guidelines. 11. Evaluate the Authoritys liability for unpaid vacation days. Consider issuing confirm ations to a sam of em ple ployees to verify accuracy of vacation balances and proper reporting of leave. Expense Control ;

63

72

12. Select a payroll register for testing and com pare it with input records subm itted for payroll processing. Determine the reasons for any differences in the inform ation and follow up any exceptions with management. 13. Scan salary expense am ounts for the prior 12 m onths. Follow up on

9 63

10

80

any unusual fluctuations noted. Or, com pare prior period salary expenses to current period expenses and current budget (by departm ent) and investigate significant variances. 14. Validate the payroll register by selecting a sam of em ple ployees and physically verifying their existence. 15. For payroll benefit expenditures and accruals, perform the following:
i) Com pare accruals for com pensated absences such as vacation and sick leave to prior period actual and current budget, and com pare the relation of am ounts to gross pay with the sam ratio for the prior period. e ii) Identify bonuses, stipends, PSAs, or other unusual com pensation, and inspect evidence of approval. iii) Evaluate reasonableness of accrual for payroll expenditures at the end of the period.

9 9

9 9

81 81

TAX DEDUCTIONS: 16. Review documentation of the payroll deductions for the employees to determ that: ine
i) The deduction is supported by a written agreem which is signed by the ent em ployee and an authorized organizations adm inistrator, specifies a dollar am ount or a percentage of com pensation, and is dated before the first day of the pay period in w hich the salary reduction com ences. m
8 7 56

ii) There is no m than one salary reduction agreem executed each calendar year. ore ent iii) The am ount of the deduction agrees w the am ith ount authorized by the

em ployee. iv) Docum entation supporting the calculation of contribution lim itations indicates that the calculations are correct and the deduction does not exceed the lim itation on elective deferrals.

17. Review the annuity contracts and documentation of custodial accounts to verify com pliance with IRS regulations, in particular that the tax-sheltered annuity is not transferable or forfeitable, and that there is no conflict with the distribution requirements. Reconciliations:

48

56

18. Obtain the reconciliations of all payroll-related deposit accounts and payroll-related liability accounts. Trace balances to the general ledger, bank statements, and supporting documentation. Test transactions as necessary. Verify the accuracy of the reconciliation and the propriety of any outstanding items. 19. Evaluate reconciliations to ensure that business standards are implemented, including:
i) Reconciliation is prepared w ithin thirty days of the end of the period. ii) The account title and account num bers are docum ented. iii) The general ledger date is docum ented. iv) The reconciliation balance ties to the general ledger ending balance. v) Signature of the preparer and the reviewer as w as the respective dates are ell docum ented.

54

vi) Descriptions of outstanding item are adequate and explicit. s vii) Origination dates of outstanding item are clearly docum s ented. viii) Reconciling item are cleared w s ithin sixty days. ix) Backup docum entation, including general ledger pages, reports, etc. are attached. x) The reconciliation is clear and able to be reasonably understood by individuals not involved in its preparation.

20. Examine in detail the contents of the m recent bank statement. ost Ensure that all checks carry the appropriate signatures and verify the propriety of the endorsem ent. Com pare dates on the deposit slips to the date the deposits were recorded by the bank to ensure that deposits are being promptly processed . Budget: 21. Obtain the Payroll Departm ents budget reports as of the m ost recent month-end. Review for significant overdrafts, serious fluctuations from initially budgeted figures, and unusual entries. 22. Testing a sample of transactions for accuracy, reasonableness, and adequacy of supporting docum entation. Custody of Payroll Records:

56

81

42

10

90

23. Ensure that access to payroll records is lim ited to authorized employees only. Determ whether files are consistently safeguarded ine during and after business hours. 24. Determine that blank check stock is adequately safeguarded.
9 9 81

1.3.5
We have:

Provide Value Added Recommendations

Identified opportunities to improve the payroll processes through finding solutions to mitigate any identified business or financial statement risks and any apparent inefficiencies Provided recommendations that add ress inherent risks, gaps and inefficiencies identified within the payroll process.

1.4

Positive Findings
All timesheets selected for testing were duly signed by both the employee and his/her line manager. In addition, the system controls used for submitt ing electronic timeshe ets app eared to be effective with no exceptions noted. It was also confirmed no staff were paid in cash Any pay adjustments processed by payroll are checked by the payroll clerk and a report is produced detailing those adjustments. The report is also initialled and dated by the payroll clerk to evidence who performed the adjustments No exceptions were noted of staff who had taken annual leave. The staff selected for annual leave testing had appropriately completed an annual leave form which was duly appr oved by an appr opriate delegated authority A sample of staff who had terminated their employment with the City of Marion were tested to ascertain whether payments continued subsequent to their final termination payment. No exceptions were found with regards to those selected for testing.

Based on the scope of this Internal Audit project, we noted the following positive aspects:

1.5

Summary of Issues

During the course of the audit, it was found that system controls were not reviewed. This finding was cons istent across BanksSA Online access and Authority access. Consequently, some forms of user access were unidentifiable which could lead to unauthorised access and unauthorised transactions. In addition, some standard reports that are commonly produced during the Payroll function were absent from the Payroll processes at the Council. These included leave, new employee, termination and mas ter file reports. These reports should be produced on a monthly basis and reviewed by someone independent of the Payroll functions. Clearing accounts particular to the Payroll process were being performed, but not cons istently nor on a regular basis. The preparation of these clearing accounts on a monthly basis are another means of identifying errors and potential fraud. These reconciliations, at a minimum, should be reviewed by an appr opriate delegate within the Finance Department.
Catastrophic Number of Issues reported 0 Extreme 0 Major 5 Moderate 9 Minor 0 Improvement idea 2

The following table provides a summary of the recommendations raised, which we have characterised as being:

Instances of non-compliance with existing processes and controls Opportunity to strengthen existing processes and controls Opportunities to introduce new processes or controls.

Ref

Issues

Process/Control Non-Compliance

Enhance Existing Process /Control

Introduce Additional Process/Control

Major risk issues


2.1.1 2.1.2 2.1.3 2.1.4 2.1.5 Bank SA Online EFT files. Unassigned administrator accounts in Authority. Cleari ng account reconciliations. Authority Security Prof iles. Payroll Master File reports X X X X X

Moderate risk issues


2.2.1 2.2.2 2.2.3 2.2.4 2.2.5 2.2.6 2.2.7 2.2.8 Manual timesheets. Bank SA Online users. Payroll checklist. Review of pay adjustments. RDO / TOIL policy. New employee reports Terminated Employee reports Leave policy and leave reports X X X X X X X X

Improvement Idea
3.1 3.2 Payroll induction process. Pay By Exception. X X

City of Marion Payroll - Internal audit repor t

Ernst & Young 6

Rating Definitions The risk ratings in this report are based on likelihood and impact assessments which have been agreed with the Audit Commi ttee based on the Risk Assessment Criteria. The likelihood and impact definitions are attached in Appendix A. For the purposes of internal audit, issues rated extreme and high are reported to the Audit Commi ttee while issues rated m oderate, low and improvement are lower risk issues for management attention.

1.6

Overall management comment

The internal audit undertaken to review the City of Marions Payroll functions present a number of observations and recommendations providing opportunities for improvement to payroll processes. Such recommendations will in some instances be capable of immediate implementation whilst others will require furthe r research to identify the full scope of activities and implementation costs. The remaining few observations and recommendations will need to be considered in light of alignment with the behaviors and intent of the preferred organisational Constructive Culture before cons ideration is given to implementation.

City of Marion Payroll - Internal audit repor t

Ernst & Young 7

2.
2.1

Detailed findings and recommendations


Major risk recommendations
Root cause Risk / implication Recommendation Management comments

Observation
2.1.2

Unassigned administrator accounts in Authority. No periodic review of Authority is conducted and user prof iles are inappropriately created. Users with privileges which enable them to self assign security settings may use one of the previously mentioned administrator accounts to access Authority functions and perform unauthorised transactions. These actions will only be traced to the user profile which is not an employee name. Unauthorised payments and postings may occur as a result and additional access permissions may be assigned. The following administrator accounts should be removed immediately: Given Name SurName Civica Administrator Civica Admin Given Name SurName Wacher Wacher Identified administrator accounts will be removed as a matter of priority.

There are five administrator accounts active in Authority which are not employee accounts, and they have full access to functions such as Accounts Payable, Accounts Receivable, General Ledger and payroll. The administrator account names are as follows; Given Name SurName Civica Administrator Civica Admin Given Name SurName Wacher Wacher

2.1.3

Cleari ng account reconciliations. Cleari ng account reconciliations have not been reviewed on a regular basis due to other finance tasks taking priority. Incorrect, duplicate or fictitious amounts are recorded in the main cleari ng account 355 0 and then disbursed subsequently to other sub accounts resulting in Payrun's are reconciled to the Authority cleari ng account 3550 which is to be reviewed and authorised by an appropriate level of management. The authorisers shou ld initial and date each report to identify the reviewer and to evidence the review was conducted in a A review of the Payroll cleari ng account reconciliation process is curre ntly being undertaken. A deployment flowchart is being drafted to identify responsibilities in this process. Other cleari ng accounts are reconciled on a regular basis with formal sign off at
Ernst & Young 8

Cleari ng accounts reconciliations pertaining to payroll are not reviewed in a timely manner. The accounts which have been reviewed are not initialled or dated by the preparer or reviewer, therefore there is no evidence that the review had taken place, nor who
City of Marion Payroll - Internal audit repor t

Observation
prepared and reviewed the clearing account reconciliations. Furthermore, from a review of the cleari ng account checklists, where was no initial from either preparer nor reviewer.

Root cause

Risk / implication
loss of funds to the Council and inaccurate recording of key financial data such as wages, superannuation and leave entitlements.

Recommendation
timely manner (e.g. monthly). All cleari ng accounts which have been reviewed must be dated and signed by the preparer and reviewer (or delegate). The clearing account checklist is to be reviewed, dated and signed by a Manager (not the preparer of the cleari ng account reviews) to evidence completeness of clearing account reconciliations. Cleari ng accounts identified on the checklist should be reconciled monthly.

Management comments
year end. Future prepara tion and review of these accounts will be evidenced by an initial.

2.1.4

Authority security prof iles. IT is unaware of the authority security profile levels. There is a risk that over time, users are granted additional access as their job rol es change and previous access is not removed. This creates "access creep" where employees have access to transactions that have a segregation of duties conflict, potentially creating the opportunity for an employee to perform unauthorised or unwarra nted activity based on their job role. The IT department should contact the Authority / Civica manufacturers / developers to identify the meaning of all security profile levels relating to Authority. This information must be formalised, published and made available to all IT staff that are required to work with Authority security task such as new user set up and periodic system reviews. The Authority IT security profile levels should be reviewed for all staff and where appropriate, access removed or altered. Periodic review of accounts should be performed by the business owner of the application on at minimum a quarterly basis. This should not be performed independently of administrators (who have access to create/modify/terminate user accounts and change configurable application level control s security, The existing Civica review of accounts report format is complex and not isolated to the Payroll business owner. Discussions will be undertaken with Civica to scope the work required to upgrade the system to allow the production of a Payroll business owner specific report. The security prof iles used to restrict user access on the system are known to the ICT Department. The system uses a combination of numbers which are set against Menu Items, these numbers are relative to the security setting for each individual user and determine the level of access. This risk has previously been identified within the ICT Department following an ICT Security Audit. As mentioned above, a project to review security settings within Authority is curre ntly underway.
Ernst & Young 9

The security prof iles used to restrict user access on the system are unknown to the IT department. The system uses a combination of numbers which are two digits, starting with the lowest access level 00 ranging up to 99 to identify privileged users. The system permissions for each of these profiles is unknown therefore users cannot be assigned appropriate access and system reviews cannot be conducted accurately.

City of Marion Payroll - Internal audit repor t

Observation

Root cause

Risk / implication

Recommendation
auditing etc). Access should be provisioned and reviewed on the basis of business requirements. It is recommended a review of transactions performed by Administrators be conducted on a regular basis.

Management comments
As an intermin step, the new dhelp Access Request process that has been introduced, will reduce the risk of employees having access to unwarra nted modules and security levels. Prior to and during this audit process, ICT Department have been in contact with Civica to gain further understanding of the security profile levels. During this contact it was recognised that a review of the existing security levels should be undertaken.

2.1.5

Payroll master file reports. (High) The system canno t curre ntly produce a Master File listing report. Unauthorised changes to the Master File may be undetected, resulting in financial loss. The Authority system be upgraded to allow the production of a Master File report. The Master File report should be produced each payrun. This report should be checked, initialled and dated by the Payroll Clerk to evidence who made the changes and that those changes have been checked in a timely manner. The Organisational Development Manager or appropriate delegate should review the Master File report and also initial and date to indicate who performed the review and that it was reviewed in a timely manner. Discussions will be undertaken with Civica to scope the work required to upgrade the system to allow the production of a Master File report.

Curre ntly, a Master File report listing all changes made to the Payroll system is not being produced. Consequently, there is no review by the Payroll Clerk or the Organsational Development Manager of changes made during the payrun.

2.2

Moderate risk recommendations


Root cause Risk / implication Recommendation Management comments

Observation
2.2.1 Manual timesheets

Timesheets are required to be completed and signed by all field staff, and then Submitted to a line manager for approval. Once approved timesheets may be submitted to payroll by the line manager or employee. It is therefore possible unauthorized changes can be made to timesheets without detection where those timesheets are returned back to the employee for forwarding to Payroll.
2.2.2 HBL Bank online users.

Timesheets can be submitted to payroll by employees.

Unauthorised changes can be made to field staff timesheets which may result in fictitious or duplicate payments

The payroll team are only to accept field staff timesheets which are submitted by line managers. Line managers may choose to scan all field staff timesheets and email them to payroll.

Line managers within City Services will be reminded of the requirement to not allow field staff to submit their timesheets. Additionally the option to scan all field staff timesheets and email them to payroll will be facilitated.

A total of 15 users have access to the HBL Bank Online users are Bank Online Application. Seven out of the not reviewed for 15 users have expired passwords which appropriateness. indicates the users have not used their accounts for a period of time. It is understood that back-up users are required so payruns can be appropriately authorised when there are any issues with staff availability. However, it is inapproapriate to have 15 users to authorise payment when only two are required for each payrun.

Unauthorised access to the application could be obtained, either by application administrators accessing the unused profiles or existing personnel using the user IDs of employees.

All HBL Bank Online users should be reviewed for appropriatness and all accounts which are not used or have expired passwords should be removed. These reviews should be conducted annually to ensure that access is apporpriate and up-to-date. Access to the Bank Online Application should be reduced from 15 to 6.

15 users are set up in Business Banking on-line. Four Organisation Development staff have authority roles for processing payroll EFTs. This gives sufficient coverage where authorising officers are unavailable. Six Finance staff have authority roles for processing creditor EFTs. It is agreed that one authority (Jeff Rittberger) could be removed as he has not been called upon to perform an authorising role for some time. Again, five signatories are necessary to cover periods where authorising officers are unavailable and to ensure that we meet our obligations to Suppliers. Five users have view only access three Accounts Payable, two Payroll. Payroll staff were

Observation

Root cause

Risk / implication

Recommendation

Management comments
given view only access to enable them to view the progress of the EFT file and be part of the process to ensure that payroll files were submitted and correctly dated. If this is no longer considered necessary, they can be removed from the user list. Confirmation will be sought from the OD Manager. Accounts Payable staff were given access to enable BSB search facilities to verify Creditors providing account numbers for EFT payment purposes. As the demand for this has reduced, they will be removed from the user list.

2.2.3 Payroll checklist.

The payroll checklist identifies all reports which are required to be attached and reviewed for each payrun. Currently payrun reports are not being reviewed or authorised appropriately because the payroll checklist is not being completed or attached to each payrun. For three out of 10 payruns tested the payroll checklist was not attached. There was one instance out of 10 payruns where the payroll checklist was attached to the payrun but it was not completed. From the testing conducted it became evident checklists are either attached to payruns or timesheets for that pay period. It is expected that the payroll checklist is attached to the payrun only. The following reports were not attached to the payruns tested:
City of Marion Payroll - Internal audit repor t

Payroll checklist is not being attached or checked against the payrun reports. The Payroll checklist is not being appropriately completed, reviewed and authorised

Payroll reports are not being appropriately reviewed and authorised which may lead to incorrect journal postings such as excessive wage payments, incorrect superannuation payments and leave accruals.

A Payroll Payrun Checklist must be . Payroll officers have been reminded of completed and attached to every payrun the requirement to produce and attach to verify all reports that should be Payrun Checklist and appropriate Payrun included have been appropriately reports to Payroll Payrun reviewed and authorised before the HBL Bank Online EFT process is complete. All appropriate payrun reports outlined on the Payroll Payrun Checklist must be produced and attached to each payrun. The payrun authorisers must determine all reports are produced and attached before they sign the banking cover sheet.

Ernst & Young 9

Observation

Root cause

Risk / implication

Recommendation

Management comments

Allowance Report one instance Deduction Report one Instance Superannuation Contribution List one Instance Tax Summary Report one Instances Costing Report two Instances, and Trial Balance three Instances.

2.2.4 Review of pay adjustments

There is no independent review of pay adjustments. From discussion and observation, pay adjustments are entered and reviewed by the same person, being the Payroll Clerk.

The pay adjustment process does not require pay adjustments to be reviewed.

Fictitious or erroneous pay adjustments are made resulting in financial loss to the Council.

All pay adjustments are to be reviewed and authorised by the Organisational Development Manager, or appropriate delegate, other than the Payroll Clerk, before adjustments are submitted

No action required. Audit trail currently exists through the completion of Pay Adjustment Sheets and other base authorisation documentation (e.g. emails from appropriate manager). All ad-hoc pay adjustments include relevant calculations, authorisations and other records as a part of the EFT authorisation process.

City of Marion Payroll - Internal audit repor t

2.2.5 RDO / TOIL policy.

Currently there is no policy to limit the amount of RDO or TOIL taken at any one time. Staff may therefore take accrued RDOs/TOIL rather than take accrued annual leave, thereby increasing the accrued annual leave balances

The current policy does not restrict the amount of RDO/TOIL taken at any one time

Staff abuse the privilege of RDO/TOIL and use this form of leave in lieu of annual leave resulting in the continued accumulation of annual leave.
.

To promote the Council as an Employer of Choice, RDO/TOIL continue to be used as a form of leave. However, restrictions on the maximum of continuous RDO/TOIL be placed to encourage staff to take annual leave. This would also facilitate the Councils strategic objective of Employer of Choice as it would encourage a more balanced approach to work/life.

Formulation of a policy for the management of excessive leave is currently underway. RDO/TOIL accrual is in line with Flexible Leave arrangements set out in the applicable industrial agreements.

Observation
2.2.6 New employee reports

Root cause

Risk / implication

Recommendation

Management comments

From discussion with the HR personnel, no report listing new employees joining the City of Marion is generated. However, a New Employees report can be generated from the Authority system.

The current process does not require the generation and review of New Employees by Management.

Fictitious employee details are forwarded to Payroll resulting in financial loss to the Council.

It is recommended that a New Employee Report be produced for each pay-run and reviewed by the Payroll Clerk and the OD Manager (or equivalent delegated authority). Each employee should be checked off the report, indicating that the employee has been matched to employees supporting documentation to verify that each employee exists. Both the preparer and reviewer of the report should sign and date the report to indicate such review has taken place.

New Employees report will be generated and reviewed with each Payrun as a part of the EFT authorisation process

2.2.7 Terminated employee reports..

From discussion and observation, there is no report produced to list terminated employees. However a Termination Report can be produced from the BI Query system. There was no evidence that terminated staff listed on the Pay Edit Listing report were checked off to indicate the termination payment was checked for accuracy. In addition, the Pay Edit Listing Report was not initialled, dated and signed by the Payroll Clerk to indicate who performed the check and when.

There is no report produced to list terminated employees. There is also lack of accountability on reviewing of terminated staff from the Payroll system

Deliberate and accidental oversights in the employee termination process resulting in continued payments to terminated employees post termination date and financial loss to the Council.

A termination report should be produced for every pay run and the payroll clerk should check each termination subsequent to the final termination to check terminated staff do not continue to be paid subsequent to their final termination payment. The Organisational Development Manager should also review this report and initial and date the report to indicate such review.

The Authority system generated Termination Report is a historical report containing all terminations since implementation of the system. Discussions will be undertaken with Civica to scope the work required to upgrade the system to allow production of a Payrun specific report.

2.2.8 Leave policy and leave reports

Currently there is no policy implemented which requires employees to take mandatory continuous annual leave Currently annual leave reports are not being produced or reviewed by the payroll / Organisation Development. Such a report will enable the business to identify which employees have significant accrued annual leave balances. Nor is a report produced and distributed to line managers detailing those staff with excessive accrued annual leave (greater than 40 days). A report detailing those staff who have not taken 10 days continuous leave is also not distributed to line managers.

The current leave policy does not require staff to take a minimum 10 days of continuous annual leave, nor does it require the production and analysis of leave reports

Fraud remaining undetected as staff who do not to take a reasonable amount of leave may do so to enable them to cover-up fraudulent activity. Cash flow implications due to excessive accumulation of accrued annual leave. OHS&W issues, high turnover, low morale, lower productivity due to failure to take annual leave.

A policy be implemented requiring all staff to take a minimum of 10 days of continuous annual leave per annum. Accrued annual leave reports are to be produced once a month, and reviewed, initialled and dated by the Organisational Development Manager. Annual leave reports detailing excessive annual leave accrued, (e.g. greater that 40 days), should be produced and distributed to line managers. Line managers should review the report, providing explanation to the Organisational Development Manager as to why their staff are listed. Where excessive annual leave is not resolved within three months, an escalation process should be initiated whereby the report is distributed to Executive for follow-up. Where accrued annual leave for staff is still not resolved after six months, the matter should be further escalated to the Audit Committee. A report should also be produced detailing staff who have not taken 10 days of continuous annual leave per year. This should be distributed to line managers for explanation. The same process as above regarding escalation to Executives should be followed where the matter has not been resolved within three months, with further escalation to the Audit Committee after six months

with existing organisational industrial arrangements supporting work life balance and flexible working arrangements. Formulation of a policy for the management of excessive leave is currently underway. This policy includes set parameters for levels of accrued leave. The existing BI Query system will be modified to allow leadership staff at all levels to access leave balances.

3. Improvement Recommendations
Observation Root cause Risk / implication Recommendation Management comments

3.1.1 Payroll induction process


Payroll staff currently perform an extensive induction process with each new employee to ensure all forms are completed correctly and the employee is aware of the payroll processes he/she is responsible for. To gain efficiencies through the prevention of errors and subsequent follow up of errors performed by new employees. Efficiencies may not actually be gained as the time used during induction may be greater than the potential time expenses if repairing possible errors. The current induction process be replaced by standard instructions. The instructions and forms can be provided to staff together with their contract of employment. The instructions include Payroll contact details should the new employee need further clarification. No action required. Existing induction process provides personal interaction with new employees and therefore higher level of quality customer interaction.

3.1.2 Pay by exception

A Pay By Exception process has been suggested whereby full time staff are paid a standard 38 hour week. Any additional hours worked in excess of 38 hours will be paid as an exception.

Improve efficiencies in the payroll processes

The employer doesnt record any hours of work that is deemed overtime, which is a requirement enforceable by law. Employees may choose to work additional hours, over and above the standard 38 hour week in order to accrue leave before they get written approval from their manager. This affects the employees work life balance, which is important in retaining the services of current employees and attracting new ones. Employees may not
Submit their request for

written approval for additional hours worked until long after the work has been performed. Due to potential time lags between additional hours worked and approval, it may be difficult for management to verify the legitimacy of those additional hours. There is a possibility of staff fraudulently creating a log book of additional hours worked and using this log book in a dispute with management.

Recommendations in addition to those proposed by Norman Waterhouse include: Employees signing a declaration upon commencement of employment stating any excess hours will be documented by way of timesheet and submitted to the council within one month of accruing additional time in excess of 38 hours per week. Failure to sign such a declaration will result in forfeiture of payment for additional hours. An approval form should be created to capture the request for additional hours to be performed which are in excess of the standard 38 hour week. This form must be filed with the employees records and it may be scanned and uploaded (file converted into a read only format) into the payroll directory, which should have restricted access. Approval for any additional hours performed should be submitted by the employee and authorised by the manager within two weeks of the day the additional hours were performed. The accrual and taking of RDOs will continue to be in accordance with the award and agreement, however the accrued balances should be monitored and reviewed by the Organisational Development team

Recommendations will be explored with Norman Waterhouse. Where other than standard 38 hour week is worked the employee will be required to submit an exception report using the electronic timesheet (including electronic authorisation by manager) or appropriate leave form. Monitoring and reviewing of accrual and taking of RDOs will be responsibility of line managers

Appendix A Risk rating criteria


Catastrophi c Serious control weakness requiring immediate Audit Committee/Board attention and senior management resolution.

Extreme

Serious control weakness requiring immediate Senior Management attention.

Major

Existing controls that need improvement for effectiveness, requiring managements attention.

Moderate

Minor control or efficiency issues

Minor

Minor control or efficiency issues.

Improvement Idea

An observation or Idea for management to consider to improve a process or control.

Likelihood Rating 5 Almost certain 4 Likely 3 Possible 2 Unlikely 1 clear

Description May occur at least several times a year May occur once in a year May occur at least once in a 5 year period May occur during the next 5 to 10 years Unlikely to occur in the next 10 years.

Consequence rating 5 Catastrophic

Description
High impact long-term issue with major political, reputation or stakeholders consequences requiring active Council management. Media coverage for an extended period (including international). Financial loss over $5M or high impact on sustainability Severe public or employee safety matter. Death / multiple injuries. Significant impact on Councils ability to deliver strategic outcomes. Major third party litigation . Long-term issue with major political, reputation or stakeholders impact requiring Council intervention. Media coverage for an extended period (including national). Financial loss between $1M and $5M. Significant public or employee safety issue. Major OH&S or liability incident/issue. Major impact on Council\s ability to deliver strategic outcomes. Serious third party litigation/dispute Long-term issue with moderate political, reputation or stakeholders impact requiring CEOs intervention. Sustained media coverage for short term period (state or local level). Financial loss between $100,000 and $1M. Significant OH&S or liability incident/issue impacting on public or employee safety. Moderate impact on Councils ability to deliver strategic outcomes. Limited impact third party litigation/dispute. Medium-term issue with minor political or stakeholders impact requiring Executive Management intervention. Short term media coverage (local level). Financial loss between $10,000 and $100,000. Minor OH&S incident/issue or minor public safety incident. Minor impact on Councils ability to deliver strategic outcomes. Threat of third party litigation Political or stakeholders incident requiring management intervention. Letter to the editor. Financial loss under $10,000. Insignificant public or employee safety or OH&S incident/issue. Insignificant impact on Councils ability to deliver strategic outcomes. Minor threat of third party litigation

Extreme

Major

Moderate

Minor

5 4 3 2 1
Mod Maj Maj Ext Ext Mod Mod

Likelihood
Minor Mod Maj Maj Maj Minor Minor Mod Mod Maj Minor Minor Mod Mod Maj

Maj Maj Ext

1 2 3 4 5

Consequence