Leicestershire Police Authority

Internal Audit Report

General Ledger (14.07/08)

3 January 2008

FINAL
Leicestershire Police General Ledger (14.07/08)
Authority FINAL
3 January 2008

Contents

Section Page

1 Executive Summary 1

2 Findings and Recommendations 3

3 Background 7

ASSIGNMENT CONTROL:
Debrief meeting: 28 September Auditors: Chris Harris - Partner
2007
Jeremy Barton - Client Manager
Draft report issued: 30 October
Rob McCulloch - Auditor
2007
Ritha Khana, - Auditor -
Responses received: 20 December
2007
Final report issued: 3 January 2008 Client sponsor: Chris Smith Treasurer of Police Authority

Distribution: Chris Smith Treasurer of Police Authority

David Lindley – Deputy Chief Constable
Paul Dawkins – Force Finance Director
Ruth Gilbert – Head of Finance
Printed: 13 February, 2008 File: L770093Full.rtf

This report has been prepared for Leicestershire Police Authority and should not be disclosed to any
third parties, including in response to requests for information under the Freedom of Information Act,
without the prior written consent of Bentley Jennison and Leicestershire Police Authority. Whilst every
care has been taken to ensure that the information provided in this report is as accurate as possible, it is
based upon the documentation reviewed and information provided to us during the course of our work.
Thus, no guarantee or warranty can be given with regard to the advice and information contained herein.

© 2007 Bentley Jennison Risk Management Ltd

Bentley Jennison Risk Management Ltd

Bentley Jennison Risk Management Ltd is wholly owned by Bentley Jennison
Registered in England and Wales No. 344889
Registered Office 1 Hollinswood Court Stafford Park 1 Telford TF3 3DE
Leicestershire Police General Ledger (14.07/08)
Authority FINAL
3 January 2008

1 Executive Summary

1.1 Introduction

An audit of General Ledger was undertaken as part of the approved internal audit
periodic plan for 2007/08.

Our review confirmed that there is an adequate framework of control in place to ensure
that financial information on the general ledger is accurate, timely and complete,
processed through a robust general ledger system. Our review assessed whether all
input to the general ledger is complete, accurate, timely and valid. All journals within
the general ledger are authorised and documented.

1.2 Overall Conclusion

Taking account of the issues identified in paragraphs 1.4 to 1.6 below, in our opinion
the control framework for the area under review, as currently laid down and operated,
provides substantial assurance that risks material to the achievement of the
organisation’s objectives for this area are adequately managed and controlled.

1.3 Limitations to the Scope of the Audit

The objective of our audit was to evaluate the auditable area with a view to delivering
reasonable assurance as to the adequacy of the design of the internal control system
and its application in practice. The control system is put in place to ensure that risks to
the achievement of the organisation’s objectives are managed effectively. The
following limitations to the scope of the audit were agreed when planning the audit:

• The scope of the audit was limited to reviewing processes in place. Conclusions
are based on sample testing of transactions relevant to the current financial year to
date.

• In addition, our work will not provide any guarantee against material errors, loss or
fraud or provide an absolute assurance that material error, loss or fraud does not
exist.

1.4 Conclusion on the Adequacy of Controls

Based on the evidence obtained, we have concluded that the design of the system of
control, if complied with, is sufficiently robust to provide assurance that the activities
and procedures in place will achieve the objectives for the system.

We have made no fundamental and no significant recommendations.

Bentley Jennison Risk Management Ltd Page 1

Leicestershire Police General Ledger (14.07/08)
Authority FINAL
3 January 2008

1.5 Conclusion on the Application of Controls

Based on the evidence obtained from our testing, we have concluded that the
application of established controls is adequate.

We have made no fundamental and no significant recommendations.

1.6 Other Findings

We have made no recommendations classified as ‘merits attention’.

1.7 Summary:
Objective Recommendations
Fundamental Significant Merits
Attention
Compliance with established policies, 0 0 0
procedures, laws and regulations
Safeguard the organisation's assets and 0 0 0
interests from losses of all kinds
Integrity and reliability of information, 0 0 0
accounts and data.

Bentley Jennison Risk Management Ltd Page 2

 Leicestershire Police Authority General Ledger (14.07/08)
3 January 2008 FINAL
2 Findings and Recommendations
1 Objective: Compliance with established policies, procedures, laws and regulations
Controls (actual and/or Evaluated Test Result / Implications Recommendation Categorisation
as effective
missing)
(yes/no)

Risk: Ineffective operation and management of the system

1 The Financial Regulations should
specify the responsibilities and
day to day operations for the
general ledger and related
systems and be fit for the
purpose.
Suitable procedure notes have
been documented that set out the
required checks and controls.
2 Management undertakes regular
reviews of the performance of the
system against the pre-agreed
performance standards as part of
the month end procedures.
Yes Financial Regulations and Procedure notes are None.
in place and outline the main responsibilities of
the general ledger process.
The financial regulations were approved by the
general purposes committee on 29 September
2004.
The financial procedures show the date that
they were last updated and the date that they
are scheduled to be reviewed.
Yes Management review of the performance is None.
conducted as part of the month end
procedures.

3 Day-to-day roles and Yes The job descriptions for employees who None.
responsibilities are detailed in worked on the general ledger system were
staffing structures and in relevant reviewed and it was apparent that the roles and
staff job descriptions. responsibilities were clearly set out.
Objective: Safeguard the organisation's assets and interests from losses of all kinds
2
Controls (actual and/or Evaluated Test Result / Implications Recommendation Categorisation
as effective
missing)
(yes/no)

Risk: Unauthorised access to data

Bentley Jennison Risk Management Ltd Page 3

 Leicestershire Police Authority
3 January 2008
4 Logical and physical access to all
systems is restricted to authorised
staff. Access is through personal
passwords which are changed on
a regular basis.
Regular checks on users’ access
are undertaken to ensure that only
appropriate staff have access and
that their usage is appropriate.
Risk: System failure resulting in the loss of data or the organisation being unable to carry out day to day activities.
5 Regular back-ups of the system
and data are undertaken and
these are periodically tested for
completeness.
A suitable disaster contingency
plan has been documented and is
subject to periodic testing.
Risk: Distortion of account balances due to inappropriate movements of figures.
Bentley Jennison Risk Management Ltd
General Ledger (14.07/08)
FINAL
Yes Access to the General Ledger system is None.
controlled by Corporate Finance. Each user is
given a user name and password which is
required every time they need to log in. Users
of the system are required to change their
passwords every 30 days and upon employees
leaving the Police Authority, Corporate Finance
make the necessary changes so that the
system cannot still be accessed using the
leaver’s details.
Yes Full backups of each system are taken on a None.
daily basis. There are fireproof safes in the
Admin 2 block and Comms block where the
tapes are stored. There is a cycle of 14 tapes,
backups are taken initially to disk and then
transferred to tape. Once a quarter an entire
set of tapes is taken out of the cycle and
replaced and these are kept indefinitely. The IT
helpdesk perform daily checks which include
the success or failure of the backup tapes.
IT Disaster Recovery Audit is due to take place
over the next couple of months (October-
November).
Page 4
 Leicestershire Police Authority General Ledger (14.07/08)
3 January 2008 FINAL
6 All journals should be Yes For the sample selected it was apparent that all None.
documented, reviewed and journals had been authorised prior to
authorised before processing by a processing; the different signatures ensured
senior officer other than the that there was adequate segregation of duties
originator. between input and authorisation. Journals
contained narratives and were sequentially
Access to journals (either through
numbered. As previously mentioned access to
batch or on line) should be
the system is only for authorised users and
restricted by such measures as
requires a password.
sequential numbering/password
control.
All journals should have a detailed
narrative.
7 Suspense accounts are Yes It was confirmed through testing that the None.
appropriately maintained and previous four months’ suspense accounts had
reviewed and cleared on a been reviewed and cleared appropriately.
monthly basis.

8 The creation, amendment and Yes It was confirmed through testing that when None.
deletion of accounts within the accounts were created the appropriate
accounting system is restricted documentation is used and authorised.
and documentation is retained to
evidence the change made.
Objective: Integrity and reliability of information, accounts and data.
3
Controls (actual and/or Evaluated Test Result / Implications Recommendation Categorisation
as effective
missing)
(yes/no)

Risk: Monthly accounts may be distorted due to delays or non-input of data.

9 A timetable detailing deadline Yes After reviewing a sample of month end files it is None.
input dates is issued and apparent that a month end checklist is in place
produced to staff. and has been completed accordingly.
Risk: Information held in the accounting system may be inaccurate

Bentley Jennison Risk Management Ltd Page 5

 Leicestershire Police Authority General Ledger (14.07/08)
3 January 2008 FINAL
10 An authorised signatory list is in Yes There is appropriate segregation of duties in None.
place which details general ledger place regarding the input and checking of all
responsibilities and provides data.
specimen signatures.
Management reports are produced following
There is appropriate segregation data input and verified independently.
of duties in the input and checking
An authorised signatory list is in place for the
of all data.
Finance Department.
Management reports following
input are produced and
independently verified.
11 Control accounts are reconciled Yes Testing identified that the control accounts are None.
monthly, prepared by someone reconciled on a monthly basis. There is
other than those responsible for adequate segregation of duties in place
the feeder system and subject to between staff preparing and reviewing the
an independent review by accounts. Following the reconciliation a
management. detailed trial balance and budget reports are
produced for each department.
Items rejected are regularly
reviewed and promptly cleared.
A detailed trial balance is
generated and reviewed for
reasonableness before final
income and expenditure, balance
sheet and budget reports are
produced.

Bentley Jennison Risk Management Ltd Page 6

Leicestershire Police General Ledger (14.07/08)
Authority FINAL
3 January 2008

3 Background

3.1 Outcome of the Previous Audit

Date of last audit: 16 February 2007

Conclusion on the adequacy of controls adequate
last time:
Conclusion on the application of controls adequate
last time:
Overall level of assurance given for the last Substantial
audit:
Number of recommendations agreed with • fundamental 0
Management last time:
• significant 0
• merits attention 0
Number of recommendations implemented • fundamental 0
by Management since last time:
• significant 0
• merits attention 0

No recommendations were made at the previous audit.

3.2 Objectives and Risks

The audit considered the organisation’s objectives for the area under review and the
risks to the achievement of those objectives.

Objectives Risks
Compliance with established policies, Ineffective operation and management of
procedures, laws and regulations the system

Bentley Jennison Risk Management Ltd Page 7

Leicestershire Police General Ledger (14.07/08)
Authority FINAL
3 January 2008
Unauthorised access to data
Safeguard the organisation's assets and
interests from losses of all kinds System failure resulting in the loss of data
or the organisation being unable to carry
out day to day activities.
Distortion of account balances due to
inappropriate movements of figures.

Monthly accounts may be distorted due

Integrity and reliability of information, to delays or non-input of data.
accounts and data.
Information held in the accounting system
may be inaccurate

3.3 Determination of Audit Approach

In determining the audit approach, we took into account:

• the outcome of the previous audit of this area;
• the assessed risk of the auditable area;
• any material changes in systems or the control environment since the last audit;
• the outcome of any other form of assurance review, either internal or external.

Factors relevant to the selection of the

audit approach:
Audit tool selected: Key Controls Testing
Audit approach used: Audit testing clearly focussed on a small
number of material or key controls.

The conduct of this audit complied with the standards set out by CIPFA.

3.4 Acknowledgement

The following staff gave their time and co-operation during the review and we would
like to record our thanks:

Name Position
Ruth Gilbert Head of Finance

Bentley Jennison Risk Management Ltd Page 8