
Cleveland Police Authority Corporate Credit Cards

Internal Audit Report (10.2011/12) April 2012

Overall Opinion

Cleveland Police Authority

Corporate Credit Cards (10.2011/12)

CONTENTS
Executive Summary
Action Plan
Findings and Recommendations

Debrief meeting: 21 February 2012
Draft report issued: 28 February 2012
Responses received: 11 April 2012
Final report issued: 11 April 2012

Auditors
Ian Wallace, Director
Sue Turner, Senior Manager
Claire Wood, Senior Auditor
Matt Elcock, Assistant Investigator

Client sponsor
Stuart Pudney, Chief Executive
Michael Porter, Treasurer

Distribution
Michael Porter, Treasurer

This review has been performed using RSM Tenon's bespoke internal audit methodology, i-RIS.

The matters raised in this report are only those which came to our attention during our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist, or of all the improvements that may be required. Whilst every care has been taken to ensure that the information provided in this report is as accurate as possible, based on the information provided and documentation reviewed, no complete guarantee or warranty can be given with regard to the advice and information contained herein. Our work does not provide absolute assurance that material errors, loss or fraud do not exist.

This report is prepared solely for the use of Board and senior management of Cleveland Police Authority. Details may be made available to specified external agencies, including external auditors, but otherwise the report should not be quoted or referred to in whole or in part without prior consent. No responsibility to any third party is accepted as the report has not been prepared, and is not intended for any other purpose.

2010 RSM Tenon Limited
RSM Tenon Limited is a member of RSM Tenon Group.
RSM Tenon Limited is an independent member firm of RSM International, an affiliation of independent accounting and consulting firms. RSM International is the name given to a network of independent accounting and consulting firms each of which practices in its own right. RSM International does not exist in any jurisdiction as a separate legal entity.
RSM Tenon Limited (No 4066924) is registered in England and Wales. Registered Office 66 Chiltern Street, London W1U 4GB, England.


1 EXECUTIVE SUMMARY

1.1 INTRODUCTION

An audit of Corporate Credit Cards was undertaken in addition to the approved internal audit periodic plan for 2011/12 at the request of the Chief Executive, who was supported in this by the Chief Constable.

1.2 CONCLUSION

Taking account of the issues identified, the Authority cannot take assurance that the controls upon which the organisation relies to manage this area are suitably designed, consistently applied or effective. Action needs to be taken to ensure risks in this area are managed.

The above conclusions feeding into the overall assurance level are based on the evidence obtained during the review. The key findings from this review are as follows:

Design of control framework

A Protocol exists which details: Designated Card Holders; Use of the Card; Restrictions on the use of the card; Credit Card receipts and official receipts; Hospitality; Submission of statements and receipts; Loss or theft of card; Return of a card; Reimbursement of non-approved items; Audit arrangements.

We were advised by the Treasury Manager that credit cards are issued to certain members of staff and receive approval, normally from the Head of Finance. When staff leave the organisation they are required to return the credit card to the Treasury Department.

Limits on each transaction spend and total monthly spend have been set for each credit card. Any changes to limits are to be approved by a senior individual.

Evidence is to be retained to support all transactions; receipts and credit card statements. This is forwarded to Treasury. In addition, procurement guidelines are to be adhered to when using the corporate credit card.

The cardholder is required to formally agree the transactions on the statement. A reconciliation is required between the statement and the supporting evidence on a monthly basis by the Treasury Team.

Application of and compliance with control framework

We have made recommendations in relation to the application of the control framework relating to the following findings:


The existing Protocol is undated, and requires updating. It is unclear when the Protocol was written, who by and who reviewed and approved the Protocol. There are both formal and informal procedures in place; however these would benefit from codification, updating and formal documentation. Further clarification, formal Executive approval and communication to all card holders is required. The procedure is not available on the staff intranet. All items of expenditure from corporate credit cards which require further analysis have been passed to the Chief Executive/Chief Constable.

1.3 SCOPE OF THE REVIEW

To evaluate the adequacy of risk management and control within the system and the extent to which controls have been applied, with a view to providing an opinion. When planning the audit, the following limitations and controls for review were agreed:

Limitations to the scope of the audit:

This audit included only those areas listed within the scope above. Whilst this was a substantive audit, we did not test that every transaction for every card holder had a receipt and was in line with the Protocol and have applied a degree of materiality. For example, regular payments for subscriptions have been excluded.

Our work does not provide any guarantee against material errors, loss or fraud or provide an absolute assurance that material error, loss or fraud does not exist.

Seven cardholders were excluded from the scope of this review at the request of the Chief Executive.

Substantive Testing

Substantive testing was undertaken. This focused on 2009/10, 2010/11 and 2011/12.

Areas for consideration:

Policies and Procedures

Whether there is a Policy in place which communicates who is entitled to receive a card, the rules governing use, the action that will be taken if misuse is identified and security arrangements.

Detailed procedures are in place covering the issue of cards, the requirement for all expenditure to be supported by a valid receipt, checking and authorisation of statements, reconciliation of receipts and posting to the nominal ledger.

Procedures have been regularly reviewed and issued to staff.

Policies and procedures are readily available via the intranet.

Issue of Cards

Corporate credit cards are only allocated to appropriate staff members. Where these are not budget holders, the agreement is sought from the budget holder.

Credit card holders have to sign to confirm receipt of the card and agreement of roles and responsibilities.

When staff leave the organisation they hand back the credit card. Finance should be informed of all leavers by Personnel.

Use of the Cards

Users have a clear understanding of what the credit card can be used for in line with the Policy.

Limits on transaction spend and total monthly spend have been set for each credit card.

Evidence is retained to support all transactions; receipts, related expenditure and credit card statements. This is forwarded to Finance.


Responsibility for checking that all transactions are legitimate business expenditure has been determined and communicated.

There is a process in place for dealing with suspected misuse, including an escalation process to ensure that all users are fully accountable.

Monthly Reconciliation

The cardholder is required to formally agree the transactions on the statement.

A reconciliation is completed between the statement and the supporting evidence on a monthly basis.

The approach taken for this audit was a System-Based Audit.

1.4 RECOMMENDATIONS SUMMARY

The following tables highlight the number and categories of recommendations made. The Action Plan at Section 2 details the specific recommendations made as well as agreed management actions to implement them.

Recommendations made during this audit:

Our recommendations address the design and application of the control framework as follows:

Priority: High | Medium | Low
Design of control framework: 2 | 1 | 0
Total: 2 | 1 | 0

The recommendations address the risks within the scope of the audit as set out below:

Area (Priority): High | Medium | Low
Policies and Procedures: 2 | 1 | 0
Total: 2 | 1 | 0


ACTION PLAN

The priority of the recommendations made is as follows:

Priority: High, Medium, Low
Description: Recommendations are prioritised to reflect our assessment of risk associated with the control weaknesses.

Priority: Suggestion
Description: These are not formal recommendations that impact our overall opinion, but used to highlight a suggestion or idea that management may want to consider.

Ref: 1.1
Recommendation: The Policy should be updated and revised to ensure that it governs: who is entitled to receive a card; approved expenditure on the card; restrictions on card expenditure including personal use; retaining and submitting of receipts; timeline for submitting receipts to support the credit card statement; appropriate formal escalation and disciplinary consequences of misuse/non-compliance; and demonstrating value for money. The Policy be publicised on the intranet and signed by each card holder to confirm their acceptance of the terms of the Policy. The Policy should be clearly dated and we recommend a biannual review.
Categorisation: High
Accepted (Y/N): Y
Management Comment: A revised policy has been drafted incorporating the audit recommendations. The draft policy will be consulted upon and discussed at the next meeting of the Integrity Board, chaired by the Chief Constable. [Note the meeting intended for March was deferred due to the death of a member of this board and will be reconvened as soon as possible].
Implementation Date: Anticipated implementation date to be agreed following board meeting and alignment of SDG meeting to ratify
Manager Responsible: Chief Constable

Ref: 1.2
Recommendation: Updated documented procedures should be produced which support the new policy above and specify the following: the issue and authorisation of cards including cancellation and leavers; the requirement for all appropriate expenditure to be supported by a valid receipt; credit limits approval and their variation; checking of statements by the Treasury Team; coding of expenditure to the correct nominal code and attaching of receipts by the cardholder; reconciliation of receipts; posting to the nominal ledger; internal checking mechanism for ensuring value for money probity escalation processes.
Categorisation: High
Management Comment: Procedures which impact directly on users are included in the draft policy. More detail covering all areas will be incorporated within a separate procedures document being drafted alongside the policy document. Care will be taken to ensure that this aligns with policy in one above and incorporates all audit points.
Implementation Date: As for the policy document
Manager Responsible: ACO (F&C)


Ref: 2.2
Recommendation: The summary list of authorised corporate credit cards should be reviewed and updated on a six monthly basis to show the current cardholders and their limits. A documented review should also take place on a six monthly basis to ensure the cardholders still require use of the corporate credit card.
Categorisation: Medium
Accepted (Y/N): Y
Management Comment: The list of card holders is maintained by Corporate Finance and will be reviewed as recommended. Service Unit Managers have been surveyed and only those cards necessary for operational activities will be continued and renewed.
Implementation Date: 30th April
Manager Responsible: Head of Corporate Finance


FINDINGS AND RECOMMENDATIONS


This report has been prepared by exception. Therefore, we have included in this section, only those areas of weakness in control or examples of lapses in control identified from our testing and not the outcome of all audit testing undertaken.

Each finding below is set out under the report's column headings: Controls (actual and/or missing); Adequate Design (yes/no); Test Result / Implications; Recommendation; Categorisation.

Area 1: Policies and Procedures

1.1
Controls (actual and/or missing): There is a Policy in place which: communicates who is entitled to receive a card; the rules governing use; the action that will be taken if misuse is identified; and security arrangements.
Adequate Design (yes/no): No
Test Result / Implications: The Policy includes the following: Designated Card Holders. Use of the Card. Restrictions on the use of the card. Credit Card receipts and official receipts. Hospitality. Submission of statements and receipts. Loss or theft of card. Return of a card. Reimbursement of non-approved. Internal control arrangements. Audit arrangements.
Recommendation: The Policy should be updated and revised to ensure that it governs: who is entitled to receive a card; approved expenditure on the card; restrictions on card expenditure including personal use; retaining and submitting of receipts; timeline for submitting receipts to support the credit card statement; appropriate formal escalation and disciplinary consequences of misuse/non-compliance; and demonstrating value for money. The Policy be publicised on the intranet and signed by each card holder to confirm their acceptance of the terms of the Policy. The Policy should be clearly dated and we recommend a biannual review.
Categorisation: High

1.2
Controls (actual and/or missing): Detailed procedures are in place covering: the issues of cards; the requirement for all expenditure to be supported by a valid receipt; checking and authorisation of statements; reconciliation of receipts; and posting to the nominal ledger.
Adequate Design (yes/no): No
Test Result / Implications: There are both formal and informal procedures in place; however, these could benefit from codification and updating.
Recommendation: Updated documented procedures should be produced which support the new policy above and specify the following: the issue and authorisation of cards including cancellation and leavers; the requirement for all appropriate expenditure to be supported by a valid receipt; credit limits approval and their variation; checking of statements by the Treasury Team; coding of expenditure to the correct nominal code and attaching of receipts by the cardholder; reconciliation of receipts; posting to the nominal ledger; internal checking mechanism for ensuring value for money probity escalation processes.
Categorisation: High

Area 2: Issue of Cards

2.1
Controls (actual and/or missing): Corporate credit cards are only allocated to appropriate staff members. Where these are not budget holders, the agreement is sought from the budget holder.
Adequate Design (yes/no): Yes
Test Result / Implications: Through discussions with the Treasury Manager, we were advised that credit cards are for certain members of staff and receive approval, normally from the Head of Finance. A standard Nat West credit card application form is completed which includes basic information, the credit limit and is signed by two members of the Treasury department. When the card is received, the letter is signed to confirm the individual has collected their card.
Recommendation: As 1.2 above. We recommend that this be formalised under recommendation 1.2 above and this will be substantively tested in a separate follow up audit in financial year 2012/13.

2.2
Controls (actual and/or missing): A list is retained showing all individuals who have a corporate credit card and their credit limit.
Adequate Design (yes/no): Yes
Test Result / Implications: There is an overarching list in place.
Recommendation: The summary list of authorised corporate credit cards should be reviewed and updated on a six monthly basis to show the current cardholders and their limits. A documented review should also take place on a six monthly basis to ensure the cardholders still require use of the corporate credit card.
Categorisation: Medium

2.3
Controls (actual and/or missing): Credit card holders have to sign to confirm receipt of the card and agreement of roles and responsibilities.
Adequate Design (yes/no): Yes
Recommendation: We recommend that this be formalised under recommendation 1.2 above and this will be substantively tested in a separate follow up audit in financial year 2012/13. See recommendation 1.2

2.4
Controls (actual and/or missing): Cards are cancelled after receiving approval from a suitably senior individual.
Adequate Design (yes/no): Yes
Recommendation: We recommend that this be formalised under recommendation 1.2 above and this will be substantively tested in a separate follow up audit in financial year 2012/13. See recommendation 1.2


Area 3: Use of the Cards

3.1
Controls (actual and/or missing): Limits on transaction spend and total monthly spend have been set for each credit card.
Adequate Design (yes/no): No
Test Result / Implications: Three instances were viewed on file in 2009/10, 2010/11 and 2011/12 whereby the credit limit was increased. All cards were reviewed, there were only 2 instances of increase of credit card limit documented in three years. We could not locate the formal approval for one of these; however, that holder is not now employed by the Force, and has ceased to hold a corporate credit card. Formal approval was in place for the other instance.
Recommendation: See recommendation 1.2

3.2
Controls (actual and/or missing): Application forms are held with Treasury for all cardholders.
Adequate Design (yes/no): Yes
Test Result / Implications: We undertook a test to ensure that the application form was held on file for the individuals whose cards were recently used. Of the employee cards, six of the 13 December statements did not have an application form on file. The others were held elsewhere in the organisation. We recommend a central repository for these and this should be formally documented.
Recommendation: See recommendation 1.2

3.3
Controls (actual and/or missing): Evidence is retained to support all transactions; receipts, related expenditure and credit card statements. This is forwarded to Treasury.
Adequate Design (yes/no): No
Test Result / Implications: Through our substantive testing, we note that itemised receipts were not available in all cases. Further information is to be provided to the Force and Authority separate to this report.
Recommendation: See recommendation 1.2.

3.4
Controls (actual and/or missing): Responsibility for checking that all transactions are legitimate business expenditure has been determined and communicated.
Adequate Design (yes/no): No
Test Result / Implications: Testing identified a number of business expenditure items that require further analysis. Further details have been provided to the Chief Executive/Chief Constable.
Recommendation: The recommendation is covered in 1.2 above.

3.5
Controls (actual and/or missing): There is a process in place for dealing with all complaints, including an escalation process to ensure that all users are fully accountable.
Adequate Design (yes/no): No
Test Result / Implications: Whilst informally high value or occasional items which require further explanation are flagged, the procedure requires both formalisations and documentation.
Recommendation: See recommendations 1.1 and 1.2.

Area 4: Monthly Reconciliation

4.1
Controls (actual and/or missing): The cardholder is required to formally agree the transactions on the statement.
Adequate Design (yes/no): Yes
Test Result / Implications: All items on the credit card statement should be coded to an appropriate budget code. We were not able to verify the coding between August 2011 and December 2011; however we understand this follows changes to processes following the implementation of a new software system and this will be subject to audit follow up.
Recommendation: See recommendation 1.2

4.2
Controls (actual and/or missing): A reconciliation is completed between the statement and the supporting evidence on a monthly basis.
Adequate Design (yes/no): No
Test Result / Implications: Through our testing we noted a number of instances had not been documented between the supporting evidence and the credit card statements. We recommend that this is formalised under review of processes.
Recommendation: See recommendation 1.2
