2006 Audit Recommendations - Status Tracking
Document 3
Audit: Financial Control Environment (EMC Lead: K. Kirkpatrick / Staff Lead: Marian Simulik)
Audit Recommendation | Audit Management Response | Action Required Based on DCM Implementation Plan | Management Timelines (Q1-Q4) | Budget Implications 2007 or Beyond ($$ if known) | Related Council Motions | Status Update / Comments (Status, risks, issues regarding implementation, etc.)
  SECTION ONE:  OMNIBUS RESPONSE
1 That Financial Services Branch establish, continually document and review financial processes with staff of the various FSUs and other finance groups. This would reinforce the requirement to follow expected control procedures and provide clear references for testing that the controls are effective.
Management agrees with these recommendations.

This is to be considered a consolidated management response, to address audit recommendations 1, 2, 4 (a), 5, 6, 7, 8, 11, 20, 23 (b), 27, 38 and 40.  It deals with the recommendations focusing on internal controls and the Financial Management Information System (FMIS).

• Obtain documentation for all existing financial processes;
• Develop a Compliance Review Universe based on risk assessment of key financial processes;
• Review existing policies and procedures and identify gaps in control procedures;
• Identify and document new or missing policies and procedures;
• Establish process for reviewing financial processes with FSU and other Finance Groups to ensure that control procedures are up-to-date and are working as expected.
• Develop training plan for FSU and other Finance groups to reinforce control procedures.
Q1-Q4/08 & Ongoing




$725,000-$900,000
This  amount applies to all the recommendations in the omnibus response.
None
Jan 2008:
· A presentation will be provided to CAWG on Financial Control on Feb. 25.
· The Financial Control Framework has been initiated.
· The Financial Policy & Management Systems Division has been established.
· Policies and procedures continue to be developed and reviewed. 
· A draft has been completed on the Compliance Review Universe.

Previous Comment:  All Activities are currently in progress. To date Policy & Compliance has collected 672 financial policies, procedures and guidelines from the various Finance Divisions and is in the process of analyzing these documents to determine the level of effort and resources required to bring them up to corporate standards.                
2 That Financial Services Branch ensure that the review, approval and other control procedures are clearly evidenced by signatures or retention of documents.
Management agrees with these recommendations.

This is to be considered a consolidated management response, to address audit recommendations 1, 2, 4 (a), 5, 6, 7, 8, 11, 20, 23 (b), 27, 38 and 40.  It deals with the recommendations focusing on internal controls and the Financial Management Information System (FMIS).
• Review existing policies and procedures to incorporate this requirement and communicate to FSU and other Finance groups.
• Management will also establish a comprehensive process for capturing, communicating, and maintaining evidence of delegation of signing authority. This will require collaboration with ITS regarding enabling technology as well as considerations involving shared/secure access.
Q1-Q2/08
Purchasing By-Law; Delegation of Authority By-Law.
Jan 2008: The review of existing policies and procedures is continuous to identify any gaps in the control requirements.
6 That Financial Services Branch ensure that guidelines be developed within the City’s financial control framework to ensure that FSUs implement consistent control procedures.

That Financial Services Branch ensure that in those rare instances where internal control practices need to differ between FSUs, these are based on risk assessment, and are clearly communicated and documented.  Units or divisions that rely on controls within FSUs should have a clear understanding of the internal control processes. 
Management agrees with these recommendations.

This is to be considered a consolidated management response, to address audit recommendations 1, 2, 4 (a), 5, 6, 7, 8, 11, 20, 23 (b), 27, 38 and 40.  It deals with the recommendations focusing on internal controls and the Financial Management Information System (FMIS).
  Q3/08 n/a None Jan 2008:  KPMG has been engaged to develop the Financial Control Framework.

Previous Comments:
A detailed action plan has been prepared to identify variations in FSU operating policies and procedures and to take steps to harmonize those differences to the extent practical. Efforts are also underway to identify options for resourcing this project.
 • Specific directives and control requirements will be outlined within the proposed Financial Control Framework.
7 That Financial Services Branch review all practices used by FSUs so as to develop one stringent set of guidelines/procedures for all FSUs to adhere to.

That, as part of its Financial Management Control Framework, Financial Services Branch clearly delineate, document and communicate the role and responsibilities of FSUs.
Management agrees with these recommendations.

This is to be considered a consolidated management response, to address audit recommendations 1, 2, 4 (a), 5, 6, 7, 8, 11, 20, 23 (b), 27, 38 and 40.  It deals with the recommendations focusing on internal controls and the Financial Management Information System (FMIS).
  Q4/08 n/a None Jan 2008: KPMG has been engaged to develop the Financial Control Framework.

Previous Comment:
• See omnibus response regarding roles and responsibilities.
  Currently on FSB workplan
• This will require use of outside resources to develop a comprehensive document based on FSU client operations.
11 That Financial Services Branch in conjunction with Information Technology Services Branch analyze and modify the Corporate Financial Management System (SAP) design and reporting functions to better meet the needs of FSUs and other users. 

That Financial Services Branch in conjunction with Information Technology Services Branch develop and offer “advanced” Corporate Financial Management System (SAP) training to increase staff capabilities.
Management agrees with these recommendations.

This is to be considered a consolidated management response, to address audit recommendations 1, 2, 4 (a), 5, 6, 7, 8, 11, 20, 23 (b), 27, 38 and 40.  It deals with the recommendations focusing on internal controls and the Financial Management Information System (FMIS).
• This requires the establishment of the FMIS Unit.
• FMIS Business Analyst must work with the FSU and Client to determine their training needs;
• ITS will provide some basic training, training environment and logistical support as required
Q4/08 - Q4/09 n/a None
Jan 2008: The Financial Policy & Management Systems Division has been established.
20 That Financial Services Branch review all practices used by FSUs so as to develop one stringent set of guidelines and procedures for all FSUs, which include the consistent occurrence of three way matching.
Management agrees with these recommendations.

This is to be considered a consolidated management response, to address audit recommendations 1, 2, 4 (a), 5, 6, 7, 8, 11, 20, 23 (b), 27, 38 and 40.  It deals with the recommendations focusing on internal controls and the Financial Management Information System (FMIS).
• This requires the establishment of the FMIS Unit.
• See comments under Recomm. #1; Same as #7 and #8.
• Create task description and communicate to all FSUs.
Q3/08 None
Jan 2008: Business Process Management project currently in progress.
• All 672 existing FSB policies and procedures are  currently under review, as well as options to revise or update those documents.
• Additional resources will be required to complete this project.
• See also Recomm. #7 re. harmonizing FSU procedures
27 That Financial Services Branch require that Supply Management Division verify the authority of staff that are approving budgetary releases. In addition, if such releases are not approved by an FSU staff, that Supply Management Division ensure that the employee has the proper authority.
Management agrees with these recommendations.

This is to be considered a consolidated management response, to address audit recommendations 1, 2, 4 (a), 5, 6, 7, 8, 11, 20, 23 (b), 27, 38 and 40.  It deals with the recommendations focusing on internal controls and the Financial Management Information System (FMIS).
• Each FSU to prepare a list of employees with budgetary release authority.
• FSU to act as screener to ensure appropriate signing authority.
• In addition, a comprehensive signing/delegation of authority project is currently underway.
Q4 n/a PBL/Delegation of Authority B/L
Jan 2008: FSB is in discussions with ITS to develop a comprehensive process for capturing, communicating, and maintaining evidence of delegation of signing authority and specimen signatures.
40 a) That Financial Services Branch, as part of their periodic disbursement review, examine the supporting documentation, transaction details, investigate unusual items and take appropriate action.

b) That Financial Services Branch, direct staff to ensure purchase orders be established prior to the ordering, receipt or payment of any purchases.      

c) That Financial Services Branch, develop and implement a policy relating to invoice payment terms and payment practices.
Management Response.
Management agrees with these recommendations.

This is to be considered a consolidated management response, to address audit recommendations 1, 2, 4 (a), 5, 6, 7, 8, 11, 20, 23 (b), 27, 38 and 40.  It deals with the recommendations focusing on internal controls and the Financial Management Information System (FMIS).
Q4/07 - Q3/08 n/a None
Jan 2008:
(a) COMPLETE
(b) COMPLETE
(c) A Corporate Payment Policy has been drafted.


A/P has implemented a second cheque run per week.
                                                                                                                            
  Audit recommendations 1, 2, 4 (a), 5, 6, 7, 8, 11, 20, 23 (b), 27, 38 and 40.

OMNIBUS MANAGEMENT RESPONSE:
Management agrees with these recommendations.

This is to be considered a consolidated management response, to address audit recommendations 1, 2, 4 (a), 5, 6, 7, 8, 11, 20, 23 (b), 27, 38 and 40.  It deals with the recommendations focusing on internal controls and the Financial Management Information System (FMIS).

At amalgamation, the Financial Services branch created a new policy and compliance unit responsible for: conducting regular compliance reviews; developing, documenting and maintaining policies and procedures; creating business processes and operating guidelines; and dealing with all commodity tax issues. 
The organizational structure for the policy and compliance unit has 11 FTEs, with 2 FTEs dedicated to developing and maintaining the 53 policies and procedures for which the branch is responsible. However, the 2 staff assigned to the policy area were redeployed due to the increased workload of this unit, stemming from the credit card audit, the Universal Program Review and changes in legislative requirements. As a result, Financial Services has focused insufficient attention on policy and procedure documentation of internal controls.
  $725,000-$900,000
This applies to all the recommendations in the omnibus response.
  Status updates / comments and timelines have been included beside each recommendation in the previous section.
  Management has re-staffed the policy and compliance unit to its original complement. This unit will continue to document and review financial processes, with the staff of the Financial Service units and other finance groups ensuring that consistent control procedures are applied. The policy and compliance unit will also develop new policies and guidelines to support the City’s financial control framework. 

The compliance unit was initially focused on conducting compliance reviews in the area of credit card transactions, but has been expanded to cover key financial processes such as payments without reference to a purchase order, travel claims, petty cash, departmental purchase orders, hospitality, gifts and entertainment, and other such activities as determined by senior management. Compliance reports are circulated to management and financial services staff on a quarterly basis. In response to the recommendations in this audit, the scope of the compliance unit will expand to include periodic reviews of disbursements and invoices to ensure they are in compliance with the City’s policies and business practices.
       
  As part of the compliance review, Financial Services will continue to ensure that staff is establishing purchase orders prior to the commencement of work or the receipt of goods, when the purchase order is the basis of the contract. There are some rare occasions where exceptions to this principle are warranted in order to ensure there is no interruption of essential City services such as in the purchase of salt and gas. Furthermore, Financial Services will also continue to ensure that the employee authorizing expenditures has the appropriate level of delegated authority.

The training budget for Financial Services was established at amalgamation in 2001 at approximately $67 per employee. Due to on-going budget constraints, the training budget has not been increased since that time. Subsequently, Financial Services staff training has lagged behind optimal levels. In response to the audit recommendation, specific finance and accounting training will be offered to staff. Training will be provided, through a combination of in-house and external providers, on City-specific policies and procedures, including the use of the Corporate Financial Management System (SAP).
       
  Section 286 (1) of the Municipal Act assigns responsibility for financial internal controls of the City to the Treasurer. City Council, through its approval of the City’s organizational and management structure and the Centre of Expertise model, has directed the Treasurer to discharge these responsibilities within this organizational framework. To ensure sufficient financial controls are in place, the City Treasurer delegates relevant responsibilities for financial internal controls to specific divisions within Financial Services, including the accounting and reporting division.

Management recognizes that the Corporate Financial Management System (SAP) requires on-going modifications to increase the utility of the system. In 2006, the Financial Services and Information Technology Services branches implemented an on-going process for the identification, prioritization and implementation of SAP enhancements in order to actively control this process within Finance. When these improvements are made, it will be easier for Financial Services staff to use the technology to track activities and create reports. In addition, a number of SAP “real-time” financial reports are available for managers to access on the City’s intranet. This allows managers to keep up-to-date on financial management issues within their areas of responsibility.
       
  Financial Services will also continue to work with ITS to review the ability to disallow changes to the status of transactions in order to ensure that only essential, authorized persons, as approved by management, will have this access. Financial Services continues to work with ITS to ensure proper training and supervision of staff. Ernst & Young identified the issue of segregation of duties in the inventory management area in their 2005 management letter. As a result, Council approved additional resources in the 2007 budget that permits appropriate segregation of duties and system access.

Management has also committed to creating a Financial Management Information System  (FMIS) unit within the accounting section.  This unit will be modeled after the Employee Services Human Resources Information System  (HRIS) unit. Creating a specific unit allows the Financial Services branch to develop in-house system experts within the branch capable of ensuring that SAP will be modified to meet the diverse needs of the branch. Modification will ensure increased operational efficiency and will allow the branch to maximize the return on the City’s investment in the technology.

Financial Services will develop a Payment Terms Policy as part of its planned review of the accounts payable process. This review will start in Q2 2007 and will be completed by Q3 2007. It should be noted that the process controls for invoice payment terms are already in place.

       
  This audit has allowed management to implement many improvements that will strengthen existing internal financial controls. Management agrees with the Auditor’s recommendations and will ensure they are implemented. In order to fully comply with the Auditor’s recommendations, the Financial Services branch has examined existing resource levels with a view to redeploying resources wherever possible. As a result of this analysis, it has determined that some reallocation is possible, however, the branch will require additional resources.

Resources will be required to provide adequate staffing, implement system modifications and provide training identified by the Auditor General. To fully comply, it is estimated that the cost will be approximately $725,000 to $900,000. Prior to requesting additional resources, management has made a commitment to advance the review of the Financial Services branch, as part of the Branch Process Review Program. Any savings identified through this process will be used to fund activities related to implementing the Auditor General’s recommendations. The BPRP review will take place by Q4 2007.
       
  SECTION TWO:  ALL OTHER RECOMMENDATIONS  
3 That Financial Services Branch in conjunction with Employee Services Branch ensure that detailed task and job descriptions are developed as part of process documentation in order to provide a basis for training and reference for finance employees.
Management disagrees with this recommendation.

The City’s current practice is to develop job descriptions that reflect the skills, knowledge, professional qualifications and experience requirements of the positions, and to list the major duties of the position. This is of value to the City with respect to multi-incumbent positions where only one generic job description is needed. Financial Services will instead improve the detailed process descriptions.
Detailed process descriptions will be reviewed as part of the overall strategic direction for the Branch and a decision will be made following the completion of the scheduled BPRP.
Q4/08 n/a None
Jan 2008: The AG and the City Manager agreed that job descriptions will have more specificity in them. Also, job descriptions will refer to procedural documents which will document specific duties that Finance employees are responsible for. FSB will reference the defining documents in the job descriptions under which a position operates once the project to document procedures is completed.
4b) That Financial Services Branch identifies an appropriate number of positions that require an accounting designation.
Management disagrees with this recommendation.

Management believes that Financial Services already has an appropriate number of staff with accounting designations in the Financial Service units and the Accounting and Reporting division. Within these divisions, there are currently 18 professional accountants out of a total of 62 positions, almost a 1:3 ratio. All positions in Financial Services were reviewed with respect to the requirement for a professional designation following amalgamation. The branch will continue to determine the skills and abilities required of its staff, including the requirement for an accounting designation, as new positions are created and job requirements change to meet emerging needs.  Management feels that it is more appropriate to look at the number of professional accountants within CIPP and the management groups within the FSU and Accounting and Reporting divisions of Financial Services. 
FSB will review which positions require a professional designation and identify other appropriate qualifications for the remaining Finance positions. The Branch will also identify steps taken to encourage staff to upgrade their skills.
Q4 n/a None
Jan 2008: This item is to be addressed at the next meeting of CAWG.
9 That Financial Services Branch review current Corporate Financial Management System (SAP) user authorization in relation to incompatible duties and modify access as required and that such reviews be conducted periodically.
Management agrees with this recommendation.

The Auditor General noted that 25 users have the ability to create a vendor, enter an invoice, create cheque information and post outgoing payments. Of these 25 users, 3 are operational staff and 22 are ITS staff. Management is aware of the assignment of these duties to operational staff. In this case, the Manager of Accounting and Reporting has provided written authorization approving operational staff's access to meet operational requirements. ITS staff use their access to provide user support to Helpline calls and to research reported problems. ITS will take steps to review the number of staff who have access and will apply the same standard of care with respect to incompatible duties, although these staff do not update data and transactions within the production environment. This review will commence in Q2 2007.
• Discussion and documentation of the rationale for a set of comprehensive controls that will govern access to the vendor maintenance function.
• Needs Assessment to determine who needs access and which requests should be elevated to Deputy Treasurer
• Review and document compensating controls 
• Establish process for quarterly review of incompatible duties 
• Audit position in Stores Inventory to be filled by year end. 
• ITS to review support roles in SAP production and reduce the number of ITS staff that are able to make changes to production.   
  ITS to provide access in such a way as to separate incompatible duties in the SAP Support Centre.
Q4/07 n/a None Jan 2008:
1.  Access to the vendor maintenance function is limited to 2 staff in Accounts Payable (1 staff for regular duties; 1 staff for backup) and 8 technical staff in the Support Centre (who have administrative access to the SAP, required to properly administer the system).

2. Draft procedures have been completed that stipulate that the Deputy Treasurer’s approval is required where there are requests for SAP access that result in role conflicts.

3. Review of duties in conflict being done monthly.  Risk mitigation conducted and continually reviewed on a monthly basis.  ITS access security reviews being conducted weekly.

4.  Periodic reviews have been in place since Q1 2003.  Draft Procedures for monthly/quarterly review of profiles in conflict and controlling role conflicts currently underway.

5. Audit position for Stores Inventory to be posted in Q1/08.

6. COMPLETE. ITS has reviewed SAP production support roles and has removed the ability for Support Centre functional staff to make changes to production. In the event they need additional access to diagnose a problem, specific access may be approved for a specific duration (normally 1 day). There are 8 technical staff in the Support Centre that have administrative access which is required to properly administer SAP. ITS requirements for non-standard access are assigned on a time limited basis, for specific task completion only after formal management review.

7. ITS duties assigned to the four roles are separated to avoid incompatible duties.
                                                       
10 That Financial Services Branch in conjunction with Information Technology Services Branch review systems design to implement controls to disallow overriding prices, processing of duplicates, drawing and taking greater than set sick leave allowance, etc., and that reviews be conducted on a regular basis to confirm that any override capabilities deemed necessary are appropriate and approved.
Management disagrees with this recommendation.

There are operational requirements that require overrides of the standard processes.  Management understands there are additional risks associated with such overrides, but there are compensating controls to mitigate such risks.  For example, in order to release contract holdbacks, the system requires that the authorizing document be amended.  There is no way to release holdbacks without this override ability.  The compensating controls are that the ability to amend the document is limited to the supervisor of Accounts Payable and that every override has to be documented.  The system generates a report for review by management of all overrides so that they can be checked against the list maintained by the A/P supervisor. 
See #9, re: rationale for comprehensive access controls.
• Identify compensating controls;
• Determine whether current practices are reasonable and provide reasons for or against;
• Requires a separate project for each of the six items to review and document the rationale for each override and why it is necessary.
• (a) N/A;    
• (b) ACL request submitted to ITS;
• (c) Currently on ITS workplan
• (d), (e), (f) - None
Start in Q1/08 n/a None
Jan 2008: This item is to be addressed at the next meeting of CAWG.
These types of compensating controls exist for all system overrides. Specific management comments regarding the audit findings are as follows:
a. SAP override - No such functionality exists in SAP. CLASS is a stand-alone program that is linked to SAP via an interface file.  Pricing information does not exist within SAP and thus price overrides are not possible.
b. Duplicate invoice payments - See management response in Section 5.3.1.
c. Cheque printing – See management responses in Sections 5.3.5/5.3.6
d. Sick days – See management response in Section 5.4.5 
e. Annual leave - See management response in Section 5.4.8
f. Pay rates - See management response in Section 5.4.5
19 That Financial Services Branch in conjunction with Information Technology Services Branch review the system design to include controls that do not permit entry of duplicates, as well as, reports that identify possible duplicate entry. 
That Financial Services Branch establish more stringent review by FSUs, and greater follow-up by Accounts Payable to prevent duplicate payments.  In addition, a program of on-going review designed to identify duplicate invoice processing would also reduce the risk of duplicate payments or serve as a mechanism for cash recovery.  A comprehensive approach would serve to prevent duplicate entries, reduce duplicate payments, and increase the prospect for cash recovery in the event of a duplicate payment.
That Financial Services Branch recover duplicate payment totalling $9,064 and the overpayment of $750 (see 5.6.2), identified in this audit.
Management disagrees with this recommendation.

Management is of the opinion that internal controls to prevent the processing of duplicate supplier invoices are already appropriate to manage the risk of such errors in a cost effective manner.
  The error rate of this review was a small fraction of 1%.
However, as a precautionary measure, Financial Services is assessing the value of using Audit Control Language as a detective tool to identify any duplicated payments and will be completing a review of the accounts payable process by the end of Q4 2007.
Financial Services has recovered all the duplicate payments identified in the recommendation.
• Ongoing Analysis by A/P
• Scheduled compliance testing is already in place
• FSB is in consultation with ITS in order to implement Audit Control Language solution, which would permit more timely detection and recovery of duplicate payments.
Q1/08 n/a None
Jan 2008: ACL training has been completed and the software has been installed. ACL will be used as a detective tool to identify duplicate payments.

Although management is satisfied with the current business process, SAP configuration options will be reviewed in 2008-Q1 to ascertain the feasibility of enhancing the duplicate invoice validation routine.

Compensating controls and procedures will be reviewed and documented as part of the FMIS program.            
21 That Financial Services Branch establish a practice requiring all goods based invoices be signed off by the client department as evidence of receipt of goods. If the invoice is not signed, that the Accounts Payable staff return the invoice to the FSU for approval on a timely basis.
Management disagrees with this recommendation.

The current process requires that vendor invoices be routed directly to Central Accounts Payable, where staff relies on the controls embedded in SAP to process the payments for goods-based invoices. Service-based invoices are re-routed to the FSU for the client’s approval and sign-off.
It is also important to distinguish between inventory goods and non-inventory goods receipts. For inventory goods, a goods receipt entry is processed at the inventory location on the basis of a packing slip. The packing slip is retained at the receiving site. Compensating controls include an automated inventory management system and physical inventory counts. For non-inventory goods, the goods receipt is entered by the client or the FSU on the basis of a packing slip, if one is available, otherwise, an invoice is used for that purpose. The packing slip is retained at the receiving site.
• Document process for receipt of inventory and non-inventory goods
• Document ordering/receiving/payment function
• Assess risk of fraud or other irregularities involving the procurement of goods and services.
• The procedure will outline the control process
Q2 2008 n/a None Jan 2008: This item will be moved to ongoing status tracking. Compensating controls and procedures will be reviewed and documented as part of the FMIS program. 
The above processes leverage the best practices embedded in SAP, including the three way match between the purchase order, goods receipts, and vendor invoice. Management’s preference is to have all goods receipts issued on the basis of packing slips and to continue routing all vendor invoices to Central Accounts Payable. This will minimize the number of lost or misplaced invoices and reduce the likelihood of late payment fees.
22 That Financial Services Branch in conjunction with Information Technology Services Branch review the Corporate Financial Management System (SAP) design and configuration to disallow changes to the status of the transaction by anyone that is capable of processing invoice payments.
Management disagrees with this recommendation.

There are a number of valid reasons for allowing or requiring changes to the status of accounts payable documents.  These include the release of holdback and changes to the method of payment.
Based upon a review of the findings, management has determined that the incident reported by the Auditor was caused by an error of omission.  Financial Services staff at one of the City’s locations was improperly removing the system-generated payment blocks.  Further investigation revealed that this was a gap in process training.  Management has corrected this oversight. There are compensating controls to detect the inappropriate removal of payment blocks and this report will now be reviewed on a regular basis.
• Document the existing compensating controls
• Develop process to review and maintain SAP tracking/exception report
Q4/2008 n/a None Jan 2008: This item will be moved to ongoing status tracking. Compensating controls and procedures will be reviewed and documented as part of the FMIS program.
 
Sept 2007:  A briefing note is provided.
• Directive issued to the operating department to change the current practice and the business process procedure is included in our current catalogue of policies and procedures.
• FSB needs the flexibility for error correction and for releasing holdbacks
23a) That Financial Services Branch in conjunction with Information Technology Services Branch review the Corporate Financial Management System (SAP) design and configuration to permit for a single download of the daily and weekly Corporate Financial Management System (SAP) cheque run to the printer or at a minimum require special approval for the file to be re-printed.  Management agrees with this recommendation.

Management believes that there are already sufficient compensating controls in place in its accounting for the usage of the secure forms used to create cheques. However, in response to this recommendation, management, in conjunction with ITS, will review SAP design and configuration options to permit for a single download of the daily/weekly SAP cheque run to the printer or at a minimum require special approval for the file to be re-printed.  It is estimated that the modification to the system will cost $25,000-$50,000 of professional services effort.  This includes conducting an IT security threat and risk assessment and reconfiguring SAP to ensure the proper security measures are in place to permit a single download of the weekly cheque run to the printer.  Due to other corporate IT priorities, this work will not commence until late Q4 2007.
• Document compensating controls   
• IT review and risk assessment is currently on ITS Workplan
Q3/08 n/a None Jan 2008: This item will be moved to ongoing status tracking. Compensating controls and procedures will be reviewed and documented as part of the FMIS program.

Sept 2007: Management has changed its position and disagrees with this recommendation.  A briefing note has been prepared.
26 That Financial Services Branch establish a procedure requiring two signatures on all cheque requisitions and that reconciliations be maintained by someone other than the individuals who order and receive the cheques.  Management disagrees with this recommendation.

Management believes that there are already sufficient manual controls in place. As part of the control process, the City’s supplier of cheques verifies the person and organization placing the order and ensures continuity and completeness with respect to document number sequence.
As well, incoming cheque stock orders are delivered to shipping and receiving where they are verified against the accompanying packing slip. The packing slip is initialled by the receiver and delivered with the cheques to the print shop coordinator who passes them to the senior supervisor for final verification and safe storage. It should also be noted that the cheque stock, as is the case for any type of secure document, is produced under tight controls by the paper manufacturers.
FSB will continue to monitor the controls and risks in this area to ensure the control measures are working as intended.     None Jan 2008: This item will be moved to ongoing status tracking. Compensating controls and procedures will be reviewed and documented as part of the FMIS program.

Sept 2007: A briefing note is provided.

Management has documented the control process and has provided this to the AG.
As part of the continuous improvement process, management will explore the possibility of assigning the ordering function to an individual other than the supervisor. Corporate Security also reviewed the procedures when the print shop started to print Employment and Financial Assistance cheques.