Audit Committee Tuesday 14 June 2011 Item No 9

Accounts Payable: Risk Assessment Report by Gerald Tait, Risk and Audit Manager 1. Introduction This report invites scrutiny of the risk assessment into the Accounts Payable system which is one of the Councils main financial systems. 2. Background At previous meetings, the Audit Committee has received and promoted risk assessments in the IT systems and Accounts Receivable. Recently, the risk assessment of Accounts Payable has been concluded by management and is attached. The assessment has been used to promote robust internal control and to highlight specific controls that could be improved. The right-hand column of the appendix highlights any residual risks viz:Control 3 discussions are ongoing as to when leavers should be deleted from user accesses to computer systems; Control 5 work is underway to agree the exception reports most appropriate for the business; Control 14 User guidance is to be updated and version controls put in place; Control 18 Procurement procedures to be expanded to encourage robust audit trails; Control 19 review of separation of duties in ordering goods and services; Control 21 Specimen authorised signatories are being secured so that they cannot be copied; Control 22 Internal Audit will review the counter-signatory procedures for orders over 50k; Control 22 Review counter-signatures when an official order is not used e.g. engagement via letter; Control 23 Review of signatory powers and use in electronic systems; Control 46 Use of credit cards by council officials being reviewed and new procedures to be produced; and Control 49 new authorising powers for credit card use to be set up in the electronic authorised signatories system. 3. Report Implications 3.1 Resource There are unlikely to be any direct resource implications arising from this report.

3.2 Risk Risk assessment provides an opportunity to review in detail internal controls and the means to manage risk. The assessment has highlighted where internal control could be improved. The risk assessment is included in the Finance and Human Resources risk register and will be subjected to regular review. 3.3 Policy Strategy this report addresses directly the councils policy to have a robust internal control environment, management of risk and effective governance. Consultation consultation has taken place with the Risk and Audit team, the Business Services section, Audit Scotland and the Head of Finance and Human Resources (s95 officer). Equalities there are no equalities issues arising from this report Sustainability the Audit Committee has a key role in promoting sound governance, management of risk and the internal control environment and the risk assessment of the main financial and IT systems helps to ensure the sustainability of the Council and in particular the control over payments. 4. Recommendations The Audit Committee is invited to:(1) Welcome the risk assessment; (2) Note the residual risks being addressed; and (3) Note that a follow-up report on residual will be presented to the committee at a later date.

30 May 2011 Report Author: Gerald Tait, Risk and Audit Manager Tel: 0131-271-3284 E-Mail: Gerald.tait@midlothian.gov.uk