Risk Assessment in Finance by irx71328

CHAPTER 4 - FINANCIAL RISK MANAGEMENT AND CONTROL FRAMEWORK


Statement on Internal Financial Control
The links below will each open an up-to-date, blank version of the SoIFC. There are
two versions of the template, both containing all of the mandatory fields – the second
version also contains a residual risk rating column.
SoIFC completion guidance
Standard SoIFC
SoIFC including residual risk ratings



Guides
Accounting System Risks
Advances
Banking
Budgetary Control
Capital Expenditure
Cash Control
Charitable Trust Funds
Expenses
Losses and Special Payments
Order to Receipt
Procure to Pay
Payroll
Prisoners' Monies
Prisoners Property
Record to Report
Retail Activities
Special Funds
Staff Clubs
Taxation



4.1    SCOPE
This chapter sets out how to report on controls operated to mitigate local financial
risks, and contains guidance on the types of risk and controls that may be inherent
within finance systems.

This chapter does not contain guidance on Risk Management procedures, which can
be found on the Internal Audit Website.

4.2     POLICY
4.2.1   Control Frameworks are based upon the identification of Risks, and Risk
        Management – i.e. the operation of controls to mitigate identified risks.

4.2.2   For each Establishment, Area Office, and HQ Group, business risks must be
        identified, and assessed in terms of likelihood and impact. Where HQ Groups
        have consolidated functions within a Corporate Support Group that serves the
        whole Directorate, the CSU may assume responsibility for the Directorate. A
        full risk assessment must be carried out each financial year, and will inform
        the risks to be reported on in the Statement on Internal Financial Control
        (SoIFC). Financial risks identified on the risk register, required as part of an
        establishment's Service Delivery Agreement (see PSI 43/2002), must be
        included.

4.2.3   Controls, commensurate to locally identified risks, must be implemented and
        reported on every quarter through the Statement on Internal Financial Control
        (SoIFC). There are now several versions of the SoIFC, all containing much
        the same information, but tailored for specific local needs. Annex A contains
        all the standard templates available, and a link to guidance on its completion.

4.2.4 The Statement on Internal Financial Control must:
       a) Be completed quarterly.
       b) Describe each inherent risk to finance systems operated locally.
       c) Contain every control operated locally, and include details on what the
           controls are, how they are operated, and the outcome of the controls.
       d) Contain action plans to address identified weaknesses.
       e) Give an opinion as to the effectiveness of the controls within each
           financial system.
       f) Be copied to the relevant area (in accordance with the Statement
           Flowchart).
       g) Be consolidated annually (in accordance with the Statement Flowchart)
           and sent to the appropriate Director (and copied to Financial Policy) by no
           later than the end of week 3 in May.

4.2.5   A guide is available setting out how the SoIFC is to be completed, by whom,
        and when.

4.2.6   The Head of Finance, or HQ equivalent, must communicate a Fraud Policy
        Statement, based on the Prison Service's policy on fraud, to all staff on an
        annual basis. Further guidance on the Prison Service's policy on fraud can
        be found in PSO 1310 - Anti Fraud Strategy.

4.2.7   A register of Gifts and Hospitality must be maintained. An example of this
        register is held within Annex D of PSO 1310 - Anti Fraud Strategy. Guidance
        on the acceptance of gifts and hospitality can be found in the Gifts and
        Hospitality guide. Further guidance on the provision of Hospitality and
        Management entertainment is soon to be released via a PSI.

4.2.8   All potential conflicts of interest must be identified, and recorded, and where
        appropriate, actions taken to minimise risk. Further guidance is contained
        within PSO 1310 - Anti Fraud Strategy.

Below are links to the specific finance systems, describing objectives and suggesting
inherent risks and controls that could be in place.



End of Chapter




Guides and Annexes:

Background to Risk Management and Control

Corporate Governance is the method by which an organisation is directed,
administered and controlled. Good financial control is an essential part of
effective Corporate Governance.

All staff have a responsibility to ensure effective financial control. However, it
is Governors, Heads of Group, Area Managers, and Directors that are
ultimately held accountable for their area(s) of responsibility, as the Director
General is responsible for the entire Prison Service. While the Governor,
Head of Group, Area Manager, or Director may not personally supervise all
their financial operations, they are responsible for ensuring flexible
management structures and systems are in place, which are effective, robust
and capable of maintaining acceptable financial control.

Glossary of terms

Risk

Risk can be defined as an event, expected or unexpected, which could arise,
which would stop the achievement of objectives.

SoIFC (Statement on Internal Financial Control)

This is the document in which all system objectives, risks to meeting those
objectives, and controls in place to mitigate the risks are reported on every
quarter.

Propriety
Propriety can be described as taking the correct course of action – doing the
right thing. Propriety encompasses far more than simply a sense of financial
rectitude – fairness, integrity, avoidance of extravagance and waste, a sense
of correct behaviour, morals and ethics are all examples of the scope of
propriety.




Acceptance of Gifts and Hospitality Guide

It is an offence for civil servants to corruptly accept any money, gifts or
consideration as an inducement or reward for:

      Doing (or not doing) anything in their official capacity; or
      Showing favour (or disfavour) to anyone in their official capacity.

As a general rule, it will be considered that any money, gift or reward from a
person or organisation which has received a government contract or order
has been received corruptly unless it can be proved otherwise.

Staff must not foster the suspicion of any conflict between their official duty
and their private interest.

Staff must refuse gifts, offers of hospitality, or rewards if they or the Prison
Service are in any doubt about the propriety of accepting them, or if they are
offered as a personal reward for a service or transaction performed as part of
an individual's official duties. There may be exceptions to this rule, for
example:

      Gifts of a trivial or inexpensive seasonal nature;
      Gifts from overseas governments or overseas non-commercial
       organisations;
      Where it could result in offence to the donor to refuse (as in the case of
       visiting dignitaries); and
      For delivery of a lecture or broadcast. Although Governors/ Heads of
       Groups have delegated authority to accept invitations (for themselves,
       or their staff) to give talks or lectures about their own work and the
       work of their establishment/ HQ Group, it is recommended that advice
       be sought from FC&A Financial Policy Section prior to agreeing any
       such activity. Where there is any doubt about the content of the talk,
       advice should be sought from the Press Office, or appropriate Director.
       This is especially important if the theme is likely to cover, or lead to
       questions on, sensitive or controversial issues or matters of penal
       policy, such as alternatives to imprisonment. It is equally important if
       members of the media are likely to be present or to receive a copy of
       the speech. Payments in any form of cash should be avoided,
       especially if the lecture/ broadcast takes place during normal working
       hours. Any payments accepted will attract tax, and must be fully
       declared.


Response to offers

Staff must report any kind of gift, hospitality or offer through line management
(or directly) to their Governor/ Head of Group who have authority to decide on
the propriety of accepting. In exceptional cases, advice can be sought from
FC&A Financial Policy Section.

All offers of gifts/ hospitality must be recorded, irrespective of whether they
are accepted or not. Factors to take into account when making a decision to
accept or not include:

      The type of gift or hospitality;
      Its value;
      The frequency with which gifts or hospitality are offered from the same
       source; and
      The relationship between the member of staff and the individual/
       organisation making the offer. For example, contacts which are
       promotional, influential or information gathering are less likely to create
       obligation or embarrassment than those which are regulatory or which
       involve and could lead to contractual business between the Prison
       Service and the contact.

When recording offers in the Gifts and Hospitality Register, the guiding
principle of materiality must be remembered, in that offers of very low value
should not necessarily be recorded unless in sufficient quantities to raise
potential concerns.
Guides to the completion of the SoIFC

Risk
SoIFC (Statement on Internal Financial Control)
Propriety
Background to the SoIFC
Description of the fields within the SoIFC
   Objective
   Risks (subject to local control)
   Initial Risk Rating
   Controls in place to mitigate risks
   Routine assurances
   Overall Assessment of System
   Action Plan/ Action Required
   Additional (optional) field
Risk Rating and Overall Assessment
   Risk Rating
   Overall Assessment
Completing the Quarterly Statement
Completing the Governor's Statement
Annual Statements
   Areas of Strong Financial Control
   Areas of Weak Financial Control
   Quality of Action Plans to Address Weaknesses
   Areas of Best Practice Identified
   Areas of Improvement/ Degradation of Financial Control
   Overall Opinion on Level of Financial Control Across Your Area
CAPITAL EXPENDITURE
Budgetary Control
Banking
   Record to Report
Objective
   Procurement
   VISA Card
   Payments
Objective
Potential Risks:
Possible Controls:
SSC

Background to the SoIFC

The Statement on Internal Financial Control (SoIFC) is the quarterly
document completed by all establishments, Area Offices, and HQ Groups/
Directorates. It describes how financial control has been ensured within a
given location.

The SoIFC describes every finance system in operation, within which risks to
meeting business objectives are outlined, and rated in terms of their likelihood
and impact. A description is given of the controls operated to mitigate these
risks, and outcome of those controls. Where areas of weakness are
identified, action plans are identified to make the relevant improvements.
The Governor, Area Manager, or Head of Group, must sign off each SoIFC by
completing their own statement describing what they have done to ensure its
accuracy. They should include comments on the most significant risks, and
action plans proposed to address any identified weaknesses.

The purpose of the SoIFC is to provide management information on the level
of financial control within a given location, and to ensure that continuous
improvement is sought, and achieved, where possible.

For establishments and Area Offices, each quarterly SoIFC is consolidated
into an annual statement for the relevant Area. For HQ groups, these are
consolidated into Annual statements for each Directorate. The Area
statements are approved by the relevant Area Manager or Director, and a
copy is forwarded to FC&A. All of the annual statements are then
consolidated into an HMPS-wide report on financial control, which is used by
the Director General to complete their Statement on Internal Control – a
mandatory requirement, as outlined in Chapter 21.3 of Government
Accounting for the role of Accounting Officer. All Annual statements must be
completed by the end of the 3rd week in May.

Description of the fields within the SoIFC

Objective
This is what this system is aiming to achieve. This is the only field that is pre-
completed.

Risks (subject to local control)
Risks included within this section must relate back to the objective – i.e. risks
that would prevent the objective from being achieved. There is no upper or
lower limit to the amount of risks that can be included within this field – it
should be based upon the risk assessment conducted locally, and any further
information that has come to light since that risk assessment. For every risk
stated, there must be a control, or controls, to mitigate that risk.

Initial Risk Rating

This section is to record the inherent business risk, and inherent impact of that
risk. Inherent risks are based upon there being no controls in operation given
the environment in which that business unit is operating.

Further guidance on risk ratings can be found on the Audit and Corporate
Assurance website.

Controls in place to mitigate risks

This is where a description of each control must be recorded. For every risk,
there must be at least one control in place to mitigate that risk, although one
control may mitigate more than one risk.

Routine assurances

This is where the detail of the controls is described. It is essential that for
each control listed, a description of the following is included:
    How is the effectiveness of the control confirmed?
    What was the outcome?

Overall Assessment of System

This is where an opinion is given as to how well the system has been
controlled. It must reflect the outcome of the controls, and the severity of the
risks the controls were intended to mitigate. Only one category can be
chosen for an entire system (i.e. each risk/ control is not assessed, it is the
entire system that is to be assessed).

Action Plan/ Action Required

Where any deficiencies have been identified, actions must be suggested to
improve that particular area. These actions are then to be discussed and
agreed with the Governor/ Head of Group.

Within this section, it is also essential that the person responsible for
implementing the action plan is stated, along with a time frame. Ideally, all
target dates will be no later than the end of the following reporting quarter.


Additional (optional) field

There is one additional field that can be reported on should it be so desired:

Residual Risk Rating
This section is to record the residual business risk, and residual impact of that
risk. Residual business risks are those remaining after operation of stated
controls.

Risk Rating and Overall Assessment

Risk Rating
The SoIFC requires all significant business risks to be rated, both in terms of
likelihood, and impact, and included within the form.

The risk rating (within the standard SoIFC) is the inherent risk, i.e. the risk
present without any controls in a given environment. The reasoning for this is
that there should be a relationship between the risk rating given, and the
controls operated within that system: if the risk is high, there should be
detailed, frequent controls/ checks in place; if the risk is low, then the controls
can be more relaxed.

Also, some locations may wish to report on Residual risk, which is the
perceived risk remaining after operation of the stated controls. It must be
noted, however, that residual risk cannot replace the overall assessment of
the system.

Full guidance on risk rating processes can be found on the Audit and
Corporate Assurance website:
     Guidance on risk management
     Risk management process documentation

Overall Assessment
At the end of each system is a section in which an opinion as to the overall
rating of the system is to be given. The choices are:

      Well Controlled
      Satisfactory
      Marginal
      Deficient

As a general guide, for a system to be described as:

      Well controlled - all of the controls operating have done so as
       described; they can be evidenced, and have effectively controlled all of
       the identified risks.
      Satisfactory - most of the controls operated have done so as described,
       or evidence could not be found to support the control operated as
       described. If this control related to a high risk, the system should
       normally be described as marginal.
      Marginal - some of the controls will not have operated as described (or
       intended). The control that has not operated as intended may also
       relate to a high risk. There may also be occasions where no evidence
       can be found to demonstrate that controls were operated as intended.
      Deficient - there will be instances where controls will not have operated,
       or there is no evidence to demonstrate they have been operated.
       Risks will not have been mitigated, and there may even be cases
       where business objectives were not met due to the lack of control.

The purpose of the overall assessment is to demonstrate the effectiveness of
the controls operated. It should also support the level of action plans stated –
for any system not described as well controlled, there should be an action
plan: the worse the overall rating, the higher the need for an action plan, or
action plans, to address those weaknesses. The timeframe set for completion
of an action plan should also relate to the risk associated with that action plan,
although it is expected that most action plans should be implemented by the
following quarter.

If a risk is known to have changed, then it should be reflected within the
relevant quarterly statement. On an annual basis, each risk is to be revisited,
and re-assessed if necessary to ensure continued applicability. Evidence
must be kept of this annual risk assessment to provide an audit trail.

Completing the Quarterly Statement

The Head of Finance or HQ equivalent is responsible for ensuring that the
Statement is completed in a timely and accurate fashion. That is not to say
that they need to personally complete every section: it is acceptable to
delegate the completion of particular sections to those staff most involved,
although it will still be necessary for the HoF, or HQ equivalent to describe
any management checks and their outcome, and to ensure that what is
written by other staff is reflective of the operations undertaken by those
sections.



Every control included within the SoIFC must include a description, within the
'Routine Assurance' section. The following are examples of the information
that should be considered for inclusion:
      How the effectiveness of the control was confirmed;
      What the outcome was;
      Details on management checks:
          o How often checks are performed – e.g. daily, weekly, monthly,
              random;
          o How detailed the checks are – e.g. 10%, 50%, anything over £x;
          o Who is responsible for the control – e.g. cashier, Finance
              Manager;
          o What the results of the checks were – e.g. no errors, 2 mis-
              codings;
      Action taken as a result of the outcome of the control – e.g. spending
       decision, additional control, relaxation of control

Evidence is key to ensuring the SoIFC is auditable. Evidence can either be
attached to the relevant parts of the statement, as an appendix to the
statement, or kept separately in a file and referred to within relevant parts of
the statement. Evidence must support the narrative within the statement – for
example, “budgets are discussed at Finance Committee meetings” will require
a copy of the minutes from one or some of those meetings, signed by the
chairperson. Due to the amount of evidence that can be collected, a
recommended approach would be to maintain a file containing all supporting
documentation. Each file would relate to a specific financial year, split into 4
sections – one for each quarter.


A matrix of controls (including management checks) describing the frequency,
and who is responsible for its completion can be attached to the statement –
this will leave only the detail, outcome, and action taken as a result of the
control to be included in the Statement.



Completing the Governor’s Statement

Throughout each 3-month period, the Governor must undertake management
checks to ensure risks are being minimised, and to be assured of the
accuracy of the SoIFC. The amount of checks, and their detail should be
linked to the risks included within the statement.

Using the information obtained from these checks, SMT meetings, and any
other source (for example, Area feedback), the Governor must confirm their
opinion on the statement, and identify what they consider to be the most
significant risk to financial control faced by their establishment. Through
discussion with the relevant staff (most likely the Head of Finance) an action
plan should be agreed to address this risk (or risks).

The Governor must complete their section of the Statement, which will involve
the following:

      Describing the checks and controls the Governor has undertaken
       themselves - e.g. any management checks, reviewing minutes of
       meetings, attendance at meetings (e.g. finance meetings) and verbal
       checks with staff, such as confirming actions as described in the
       statement are what those members of staff undertake.
      Confirming the accuracy of the report - have any staff contradicted
       what was written in the statement when randomly questioned? Did any
       checks undertaken by the Governor result in outcomes different from
       those described in the statement? Have any Area based staff indicated
       concerns in sections of the statement that imply otherwise?

      Giving their opinion on the level of financial control, and where
       applicable justifying that opinion, and / or suggesting an action plan to
       address the issue(s) – Using the assurances obtained through SMT,
       and other staff meetings, as well as that gained from the SoIFC and
       subsequent discussions with the HoF, the Governor should confirm
       whether, in their opinion, the level of financial control is acceptable
       within their establishment. Have there been any instances that have
       adversely affected their establishment, where better financial control
       would have prevented an occurrence in the first place? E.g. more
       effective budgetary control? Breaches of delegated authority? Losses
       or write offs due to poor financial management/ business planning?

      Stating what they (i.e. The Governor) consider to be the weakest
       system, and what is being done to make improvements – Based on the
       statement and their own findings, is there a particular system in which
       the risks are most significant? There may be more than one system.
       An action plan should be formulated, and agreed with the relevant staff
       responsible for that system, and details of that plan included within the
       response given in this section.

      Offering any other comments they believe to be applicable, or
       necessary, in relation to the level of financial control, or the manner in
       which it is assured – This is a section in which the Governor may write
       whatever they choose (including nothing) that has a bearing on the
       level of financial control, or on any of the specific controls operated
       within their establishment.


Annual Statements

Each Area Office receives quarterly statements, and as part of their duties
reviews these statements, and obtains assurances as to their quality and
applicability.

Once a year, these quarterly statements are to be consolidated into an annual
summary, covering the following topics:
      Areas of strong financial control
      Areas of weak financial control
      Quality of action plans to address weaknesses (and any monitoring
       arrangements set up to ensure action is taken)
      Areas of best practice identified
      Any areas of improvement/ degradation of financial control - if these
       are attributable to specific action(s), please also describe
      Overall opinion on level of financial control across your area

The annual statement is to be completed, and sent to the Director of
Operations (or the Director of High Security for the High Security Estate), with
a copy also being sent to F&A, Financial Policy Section. This annual
statement must be received in HQ by no later than end of the 3rd week in
May.

The Area Accountant is responsible for this report and, once completed, will
discuss with the Area Manager. Upon agreement, the Area Manager must
sign the report to confirm their acceptance of both the contents, and action
plans stated to improve any highlighted weaknesses. The paragraphs below
provide detailed guidance on the requirements of each section of the Annual
Statement.

Areas of Strong Financial Control
Which systems were, in your opinion, controlled most effectively throughout
the reporting period? There is no limit (maximum nor minimum) on the
amount of systems that can be included in this section; it is completely
dependent upon the overall level of control within that area.

For each area of strong financial control stated, justification should be given to
demonstrate why these areas are stronger than others. Examples could be:

      Best practice shared throughout the area;
      x% of establishments reported those areas as being the best controlled
       (and that this fact was backed up by independent verification, such as
       visits);
      The introduction of new IT or equipment that had a significant,
       beneficial effect; or
      Internal Audit report findings.

Areas of Weak Financial Control

As with the above section, all systems that showed weaknesses must also be
described, with the same level of justification given.

Quality of Action Plans to Address Weaknesses

For each system highlighted as being among the weakest, information must
be given on the action plans produced to address the weakness. Where
possible, confirmation must be given on how effective the action plans were in
each instance. If an action plan has successfully resulted in strengthening a
particular area, then this too should be confirmed, with a brief description
given of how the outcome was ascertained, and confirmed.
For action plans that have yet to be commenced, an opinion should be given
on the quality of those action plans, and whether or not they should address the
weakness identified.
Areas of Best Practice Identified
This area is for best practice suggestions, i.e. something that your area is
doing well, that could be adopted elsewhere.

As with all other sections in the annual statement, there are no mandatory limits
(max nor min) that have to be met for this section. If there are no areas of
best practice, then you need not write anything. Conversely, if there are
many, each must be described.

Areas of Improvement/ Degradation of Financial Control
Compared to previous financial years, what is the overall level of financial
control? Has it improved, or weakened? Have individual systems improved,
or weakened throughout the reporting period?

For each of the above, descriptions should be given to provide information on
specific systems, and how they have improved or worsened. Where
possible, an opinion should also be given on the underlying reasons.

Overall Opinion on Level of Financial Control Across Your
Area

Collectively, how would you describe the level of financial control within your
area for the reporting period?

Whatever your opinion is, it must be justified with a brief narrative explaining
the reasons behind your opinion, and where applicable/ possible, examples
given.
Guides:

CHARITABLE TRUST FUNDS

Objective:

To hold monies in accordance with the objectives of the individual charitable
trust(s).

Potential Risks:

      Misappropriation of funds
      Theft/ loss/fraud
      Overdrawn account
      Inaccurate accounts


Possible Controls:

Cross reference to controls detailed for:

      Banking (if operated through separate bank account) and
      Special Funds



Cash Control

Objective:

To ensure that cash, cheques and postal orders are adequately safeguarded
and brought to account.

Potential Risks:

      Fraud
      Theft
      Loss
      Inaccurate accounts
      Incorrect allocation of receipts (prisoners' monies, and prison related income)
      Inability to make cash payments
      Inadequate records

Possible Controls:

      Cash held securely (locked boxes)
      Security of cashier's office
      Cashier uploading transactions daily
      Daily cash reconciliation
      Ad hoc independent cash reconciliations
      One post opening area, with secure entry
      Post opening staff are fully aware of the opening and recording procedures
       for mail
      Segregation of duties
           o Recording prisoner cash receipt on Phoenix, and corresponding
               entries in PIES
           o Authorising cheques and secure holding of cheques
      Authorisation of cash floats
      Regular inspections of cash floats (i.e. contain correct amount of cash, held
       securely, held by nominated individual, used for correct purposes)
      Cash takings presented to cashier regularly (and no less than weekly)
      Records kept and maintained of manual cheque usage
      Cash transported securely (i.e. from external retail shops to cashier; prisoners
       monies taken to reception)
      Training/guidance
    A fully trained Cashier
    Adequate cover provided for key staff
    Regular reviews of cash holdings to ensure optimum cash holding
    Records retained for appropriate periods.


CAPITAL EXPENDITURE

Objective:

Best capital investment options are selected and are fully evaluated in terms
of financial viability and meeting business need.

Potential Risks:

      Lack of planning i.e. time pressures, escalating costs
      Poor project management – leading to overspends/ inappropriate
       delivery
      All options are not considered
      No appraisal technique
      Failure to identify business need/ not the right project
      Priorities not met

Possible Controls:

      Business plans including full costings options, certified by HoF
      Macro impact assessment
      Methodology for evaluating projects – option appraisal
      Capital Business planning system
      Assessment of impact of not obtaining project funding
      Standardised approvals process (SMT-Area)
      Continuous ranking process
      Post implementation review.


Budgetary Control
Objective:

To plan, monitor, control and adapt resources to meet agreed business objectives
whilst remaining within notified limits


Potential Risks:

      Inappropriate allocation of resources – failure to meet business objectives
      Inability to adapt to unexpected events
      Poor decision-making
      Inadequate / inaccurate records
      Fraud/ Theft – financial loss
      Departmental embarrassment
      Business interruption
      Inefficient use of resources


Possible Controls:

      Delegation letters
      Forecasting
      Variance Analysis
      Business planning (including challenge – review plan / planning process)
      Communication between Budget Holders and Budget Managers
      Regular Finance Meetings.
      Use and dissemination of Phoenix reports.
      Training and guidance (including non-finance staff).
      Continuously challenging assumptions used in setting plan.
      Area & Central Monitoring – up and down the line
      Exception reporting
      Process to capture and record information
      Consistent methodology –
      Standardisation of output


Banking

Objective:

To optimise cash and bank holdings to meet liabilities efficiently and
effectively in line with current policy and legislation

Potential Risks:

      Theft
      Inefficient use of resources
      Misappropriation
      Business Interruption
      Insufficient funds


Possible Controls:

     Reconciliation of bank account
          o Prompt investigation, and clearing of non-reconciled items
    Physical and logical access restrictions
    Fraud policy statement
    Separation of duties
          o One off payments process (authorisation of request to pay
             separated from entry of payment and approval of payment)
          o Manual cheque runs
          o Sweeps
    Cash Forecasting
    Review of systems and procedures (both in terms of cost and business
      need)
    Accurate Management Information compared to relevant performance
      indicators
    Training/ guidance

Advances

Objective

To provide advance funds necessary to support staff in carrying out official activities

Potential Risks:

      Non recovery
      Inappropriate payments
           o Non compliance to policy
           o Incorrect payments (amount/ person)
      Fraud

Possible Controls:

      All advances have full, completed and approved documentation, e.g.
            o T & S advances approved by Head of Finance
            o Advance of salary approved by Head of Personnel
      Advances issued by BACS, or system generated cheque – no local cash/
       cheque advances
      Outstanding advances reviewed each month to ensure continued
       applicability/ need
      Reconciliation of advances
      Prompt recovery action as soon as an advance is overdue
            o Recovered from pay
            o Recovered by cheque
            o Recovered by standing order





Accounting System Risks:

Objective:

To provide a system that accurately records financial transactions and budgets,
and produces timely reports to stakeholder requirements.

Potential Risks:

      Unavailability of the system
      Fraud/ Theft
      Loss
      Inaccurate data
      Breach of Data Protection Act
      National Audit Office or Public Accounts Committee criticism
      Unauthorised/ inappropriate access
      Inadequate records


Possible Controls:
      Training and guidance
      Strong communication from Phoenix and local level communication
       policy.
      Access controls in place, to be managed at a local level and at the
       SSC.
      Password security, ensure that they are not shared.
      Separation of duties, to be managed at a local level and by the Phoenix
       User Support Team based in the Shared Service Centre (SSC).
           o Delegated point of authority (Area/ Directorate Accountant; HoF/
               Head of Group) for authorising new users, amendments to
               access, and access deletions. Requests actioned by Phoenix
               User Support Team based in the SSC
           o Entry, approval and posting of journals
           o Entry and approval of AP/ AR invoices
      Phoenix User Support Team will ensure that potential users have
       attended the appropriate training courses before they are given access.
      Input controls, audits of users' access
      House keeping - check unapproved invoices, regularly run reports,
       online/ offline matching and coding at the SSC.
      Reconciliation of control/suspense accounts
      Records are retained for the appropriate periods.





Taxation

Objective:

Tax is correctly accounted for and liabilities are met promptly

Potential Risks:

      Back tax,
      Financial penalties
      Interest
      Failure to recover VAT


Possible Controls:

      Training & Guidance
      All payments are liable to tax and NI (unless dispensation from FC&A
       Tax Section given)
      All Office holders are paid via Bootle
      Self Audit including personnel section -
       ½ yearly
      Tax Liaison Officer
      Nominated Tax Liaison Officer (T.L.O.)
      T.L.O. signs off returns as being complete and accurate
      All payments are liable to tax (unless conditions within guidance are
       met)
      Liabilities are identified and approved in advance.
      Returns are completed, checked and submitted to HMRC before the
       deadline for their submission



Staff Clubs

Objective:

To minimise the risk of write-offs and fruitless payments by the Prison Service
in respect of any debts incurred by Staff Clubs.

Potential Risks:

      Payments outside the ambit of the vote
      Fruitless payments
      Public/ Political embarrassment
      NAO/PAC criticism.
      Poor record keeping


Possible Controls:

      Contract indemnifying the Prison Service
           o Contract is up to date (i.e. committee members are correct)
           o Contains all necessary signatures
      Regular meetings with Committee representatives to seek assurance
       the contract is being adhered to:
           o Appropriate, up to date insurance;
           o Alcohol licence, up to date, applicable for the premises
           o Accounts demonstrate Staff Club remains a going concern
           o Costs to be borne by the Staff Club are being met
      Records are retained for the relevant periods



Guides
Special Funds

Objective:

To ensure non-voted funds are properly accounted for, and are expended in
line with the original purpose of the funds.

Potential Risks:

      Misappropriated funds
      Misuse of funds
      Inaccurate accounts
      Loss (i.e. repayment of funds used inappropriately)

Possible Controls:

      Formal Special Fund approval process maintained
      Approval documentation retention
      Comparison/ reconciliation of expenditure to Special Fund aims and
       objectives
      Accounts preparation (quarterly and annual)
      Expenditure approval process (same as for voted funds)
      Training/guidance
      Periodic management checks






Retail Activities

Objective:

To provide a facility at the most effective cost to the public purse providing the
opportunity to purchase an agreed range of goods at an agreed price, in
accordance to agreed policy.

Potential Risks:
      Inappropriate levels of stock/ poor stock control
      Loss/ theft (takings and/or stock)
      Operation of cash floats
      Inappropriate pricing
      Health and Safety, and Hygiene
      Fraud
      Failure to achieve appropriate levels of income

Possible Controls:

      No credit to be offered under any circumstances
      Clear pricing policy – either RRP or at a level in accordance with
       current policy (e.g. staff mess)
      Production of accounts (annual and quarterly), with clearly explained
       notes to the accounts
      Reconciliation of sales to income recorded on Phoenix
      Standard self audits
      Stock Control (reconciliations of purchases, stock holdings, and sales)
      Regular checks to float holding to ensure appropriate level maintained
      Security of stock room
      Condition of stock room (i.e. prevent wastage due to poor environment)
      Training/guidance
      Daily reconciliations of sales to receipts/income
      Restricted access to cash/till
      Restricted access to stock
      Separation of duties between receiving of income and recording on the
       accounting system
      Financial statements
      Regular reviews of actual income to that expected; investigate and take
       action where necessary.
      Management checks



Record to Report

Objective:

To accurately record financial transactions to retrieve meaningful information.
To maintain, safeguard and utilise assets to meet business objectives.

Potential Risks:

      Theft/ loss/ fraud
      Deterioration,
      Misuse (intentional/ unintentional),
      Obsolescence (Fruitless payments)
      Inaccurate/ unqualified accounts.
      Erroneous records


Possible Controls:

      Proper authorisation of journals
          o Separation of duties between initiator, approver, entry and
              posting of journals
      Reconciliation of IUC bucket accounts
      IUC received/ sent supported by adequate documentation
      Use of Real Asset Management System (RAM) to accurately identify
       and notify all amendments to an asset register including purchases,
       disposals, discoveries and transfers.
      Nominated Fixed Asset Manager (FAM) and Local Asset Manager
       (LAM)
      Nominated asset custodians
      Training and guidance
      Assets have unique identifiers
      Removal of assets must be authorised by the FAM
      Gate staff must check with the FAM authorisation - gate passes
      Reconciliation of RAM to Phoenix
      Local and national fixed and local assets policies
      Separation of duties between:
          o Purchase of asset;
          o Custody of asset;
          o Maintaining the asset register; and
          o Annual physical asset check.
      Regular independent checks of assets to asset registers
      Restricted access to asset registers
      Regular backups of asset registers, where appropriate
      Security marking of assets considered portable or desirable
      Disposal of surplus or condemned assets is properly authorised.
      Access to assets considered portable/desirable/expensive restricted to
       authorised staff.




Procure to Pay

Objective

To ensure goods and services obtained from commercial and internal
suppliers are managed and controlled at all stages to deliver value for money
and ensure propriety. To ensure that payments are made to the right payee
on time and at the agreed amount.

Potential Risks:

      Unauthorised purchases
      Loss or theft
      Fraud
      Financial loss
      Poor decision making
      Duplicate payments
      Paying the wrong person (fraud or error)
      Paying the wrong amount (fraud or error)
      Late Payment Interest
      Lost discounts
      Invalid payments
      Paying for goods/ services not received
      Inefficiencies of system
      Misuse
      Erroneous records

Possible Controls:

Procurement
Controls associated with the procurement process are contained within PSO7700
(Procurement orders)

      A list of I-Procurement Requisitioners, Approvers and Receiptors has been
       documented, agreed by the Governor and communicated to staff.
      User access to the I-Procurement system is appropriately authorised.
      Issue of budgetary delegations
      Adherence to tendering/sourcing procedures – PSU
      Staff made aware of purchasing policies and relevant instructions
      Retention of records – local and PSU
      Adequate separation of duties between requisitioner, approver and receiver of
       goods/services
      Goods/services are properly receipted and discrepancies notified to
       appropriate parties for follow up with supplier
      Purchases are authorised by the relevant budget holder
      Documentation retained for relevant periods – local and PSU
      Training/guidance issued to staff – local and PSU
      Periodic management checks – local and PSU

VISA Card
Controls associated with the VISA card are set out in the VISA guidance notes held
within the PSO7700 (Procurement orders)
     Nominated card officer to oversee the local use of Barclaycards
     Training and guidance
     Card holders are selected according to their roles and on a 'need to know'
        basis
     Card holders should have budget holder authority, if possible
     All purchases are recorded and supported by adequate documentation
      Barclaycards are held securely
      Changes to account details can only be made by authorised staff
      Barclaycard used to purchase goods/services to carry out HM Prison Service
       business
      Regular management checks

Payments
      Supporting documentation checks – 2 or 3 way matching depending on the
       nature of the supply - SSC
      Regular review and investigation of the on-holds report
      Inspection of the payment time performance report, and investigation into
       occasions where 100% of payments were not made on time
      Separation of duties
           o On iProcurement – i.e. separation between Requisitioner, Approver
               and Receipter. All three roles must not be undertaken by the same
               individual
           o Between invoice entry/ validation and invoice approval for payment
               where invoices are direct entry (i.e. not matched to on-system POs)
      Regular inspection of Distribution Detail Report
           o Confirmation that separation of duties maintained
           o Follow up action on all deliveries to non-prison addresses
      Confirmation of budgetary authority/ distribution codes from business units for
       direct entry invoices
      Ad hoc checks of authorising signatures to list of signatures maintained at
       SSC
      Consistency in entry of invoice numbers on Phoenix to prevent duplicate
       invoice payment
      Regular checks of the manual cheque log to ensure no AP related payments
       have been made





Prisoners’ Property

Objective:

To accurately record, monitor and retain prisoners' property in a safe and
secure environment

Potential Risks:

      Loss
      Damage
      Theft by Staff
      Inappropriate descriptions/ poor record keeping
      Claims/ compensation
      Loss in transit
      Inadequate records

Possible Controls:

      Record keeping and use of complete description on records.
      Avoidance of terminology such as gold – instead use yellow metal
      Kept in secure location
     Restricted access to property/records
     Prisoner to state value (need for verification if over £xxx?)
     Very high value property recommended to be sent out to family/
      relatives
    Prisoners sign for and agree the property being held
    Release of prisoners' property properly authorised
    Prisoners sign for release of their property
    Periodic management checks
    Records retained for relevant periods




Prisoners’ Monies

Objective:

To accurately record and manage monies held on behalf of prisoners in line
with current policy and legislation.

Potential Risks:

      Inaccurate records (e.g. omission of deductions (e.g. shop, TV, catalogue,
       adjudications), deducting/ crediting incorrect accounts)
      System Failure
      Theft/ Loss/fraud
      Laundering
      Timing (i.e. not all transactions in accounts at time of discharge)
      Purchasing beyond limits
      Prisoner transfer errors
      Misuse of disbursements
      Spend limits not complied with (breaches of IEPS policy)
      Inappropriate transfers to spend (governor applications)
      Inappropriate earnings
      Inadequate records

Possible Controls:

      Monitoring of incoming and outgoing cash
      Intelligence (continuity of) – use of SIRs (security intelligence report)
      Training in awareness of laundering/ abuse
      Prisoner request in presence of officer 'who can confirm identity of prisoner
       and that they are aware of what they are doing'
      Witnessing officer signs disbursement as evidence of above (medical officer
       to confirm if necessary)
      Regular reconciliation of suspense accounts for prisoner purposes (for
       example catalogue suspense, anonymous gifts)
      Security clearance for disbursement
      PIES clerk confirms balance of prisoner, and deducts from account
      Cashier completed disbursements (either P/O or cash) in presence of another
       officer
      PIES to Phoenix reconciliation daily (with monthly management checks)
      Local earnings policy (tied to Pay PSO) communicated to prisoners
      Local spends policy communicated to prisoners
      Budgetary control (for prisoner earnings)
      Spot check of earnings sheets to PIES (checking for absence due to court,
       sick etc)
      Adequate contingency plans
      Security of cash handling areas
      Training/guidance
      Nominated PIES clerk
      Adequate cover for key staff
      Records are retained for the relevant periods
      Prisoners' earnings are properly authorised
      Prisoners' earnings/expenditure recorded on relevant accounts on a
       timely basis
      Restricted access to cash and records
      Handling of cash clearly evidenced
      Two officers verify cash receipts
      Prisoner signs for all transactions out of his/her account
      Handover of cash clearly evidenced
      Separation of duties between:
           o Receipt of cash/goods; and
          o Updating records/accounts
      Periodic management checks



Payroll

Objective:

The right people are paid the right amount at the right time.

Potential Risks:

      Incorrect payments
      Ghost staff
      Not paying starters & leavers accurately
      Not paying staff on time
      Breach of Data Protection Act
      Fraud
      HOPPS not meeting HMPS need
      Loss of system
      Inadequate records

Possible Controls:

      Authorisation of amendments by approved signatories
      Pre & post processing checks of exception reports
      An exception report of changes in data i.e. names, rates etc.
      Segregation of duties i.e. authorisation of changes; authorisation of additional
       payments; and checking payroll reports
      Effective contract management
      Payroll errors are recorded and notified to the contract manager
      Output checks of exception reports
      Starters/leavers/amendments are properly authorised and processed on time
      Monthly payroll checks
      Management checks
      Overtime claims are:
            o Pre-authorised in advance
            o Claims certified by line manager
      All records are retained for the relevant periods



Order to Receipt

Objective

To promptly recover payment in full for goods and services supplied on credit

Potential Risks:

      Late Payment
      Bad Debt
      Non-Invoiced
      Inappropriate use of credit notes
      Inaccurate Invoices
      Incorrect VAT treatment
      Fraud/ Theft


Possible Controls:

      Separation of duties between entering and approving invoices/ credit
       notes
      Separation of duties between creation/ amendment of customer
       accounts and entering of financial transaction data on the system
      Credit Limits set at appropriate levels
      SSC credit control and management, including regular reviews of credit
       levels and customer accounts
      Management checks to track potential doubtful/ bad debts; needs to
       have a central contact point for information; hold a database of poor
       payers; and have a management facility for the larger debts
      Need to use Agency credit ratings; have a Central PES co-ordinator;
       service controller; and review the credit limits




Losses and Special Payments:

Objective:

To ensure all losses and special payments are made in accordance with
Government Accounting, and are kept to a minimum.

Potential Risks:

      Fruitless payments
      Public/ Political embarrassment
      NAO/PAC criticism.
      Losses/claims not reported
      Losses and claims not properly investigated
      Remedial actions not taken to prevent losses or claims from being repeated

Possible Controls:

      Annual fraud risk assessment
      All instances of fraud and theft reported to the Losses and Compensation
       section on a timely basis
      All losses and compensation claims are properly investigated and fully
       documented
      Appropriate action is taken to minimise losses and fraud recurring
      The correct level of authority is obtained where write off action is taken
      Claims for special payments are properly investigated and reported
      The correct level of authority is obtained where special payments are being
       made





Expenses

Objective:

To reimburse staff and others for expenditure necessarily incurred through
official activities.

Potential Risk:

      Fraudulent claims
      Duplicate claims
      Erroneous claims
      Incorrect Tax treatment
      Lack of understanding of policy
      Lack of budgetary control

Possible Controls:

Local
    Training and concise guidance – for claimants, and certifying officers
    Permission to travel forms, incorporating estimates on total cost, line
      management certification that the journey is necessary, and budget
      holder's approval to incur expenditure. Ad hoc checks on these forms
      to ensure method of travel chosen is most cost effective
    Ad hoc checks on Insurance documentation – to ensure claimants
      have appropriate insurance (i.e. business use, and fully comprehensive
      cover if claiming full mileage rate)
    Ad hoc checks on receipts (including all hand-written invoices)
    Periodic management checks


SSC
   Consistent naming convention for entering claims (reduce potential for
    duplicate claims)
   Reconciliation of outstanding advances
   Transaction entry staff properly trained
   Periodic management checks





   Risk Management and Control Annex
Quarterly Statement on Internal Financial Controls Flowchart