Abstract
An organisation required an assessment of the controls in place across their financial processes and general computing environments.
Challenge
We provided an organisation with Internal Audit services to give assurance over their financial and IT general controls. The review focused on the areas outlined below.
Approach
- We assessed their internal financial and IT general controls.
- We reviewed the assessment questionnaire completed by the organisation.
- We conducted walk-through testing on the main financial transaction cycles to confirm our understanding of the financial controls as explained to us.
- We produced a report which outlined any areas where improvements could be made.
Solution
- A large number of ex-employees had access to the financial systems, which was subsequently removed.
- The setting up of supplier accounts (including amendments to master files) was not recorded on a standard pre-numbered form and did not require authorisation by a second person in line with best practice.
- Employees who claimed mileage expenses did not submit car insurance certificates annually to the Administration Manager in support of the indemnity.
- We identified several IT general control deficiencies:
  - Passwords were not changed at regular intervals.
  - Security logs were not maintained to identify unauthorised access.
  - A comprehensive security policy was not in place.
  - Reliance on the IT service provider was excessive.
  - A strategic plan for the development of IT Systems was not in place.
  - The Payroll system had no password in place to restrict access.
  - The Inventory System had a password which was the user’s first name.
- The organisation did not have a formally appointed individual with specific responsibilities for Secretarial and governance matters.
- We noted that a formal schedule of matters reserved for Board decision was not in place.
- A fixed asset register was not in place to enable comparisons between the general ledger and an independently prepared register.