Audit Fail: Most Common Control Weaknesses in Top 10 Local Government Audit Areas

Unless you have worked in local government, it is hard to really appreciate the complexities of many of the business processes and the wide range of activities of a typical council. These complexities can lead to internal control breakdowns that often have little consequences – lucky!  However in some instances, systemic control weaknesses can have a significant impact on council’s assets, resources and reputation.

As a leading provider of internal audit services to local government serving over 90 NSW Councils, we thought it would be interesting to profile the most common areas we have audited over the last 5 years and analyse the most commonly occurring control weaknesses.

What have we been auditing?

The list below details the top 10 areas we have been engaged to undertake audits of since July 2015. These accounted for slightly over 50% of all audit projects we have undertaken for local government clients since that time.

1. Developer Contributions/VPAs
2. Project/Contract Management
3. Procurement
4. Development Assessment
5. Accounts Payable
6. Accounts Receivable/Debt Recovery
7. Environmental and Health Compliance
8. Planning Certificates
9. Waste Management
10. Works and Maintenance

Not surprisingly, development and finance related functions/processes feature heavily. In particular, we have seen an increase in the demand for audits of developer contributions and voluntary planning agreements. Audits of the management of specific projects or project management in general have also increased as councils embark on more complex and more sensitive projects.

What have we found?

Our audits identified a wide range of good practices and positive control environments.

Very few audits resulted in findings that the control environment was totally lacking or inadequate. In most cases appropriate controls were in place but were just not being applied consistently or with sufficient rigour. In some cases this may have been due to a degree of complacency (we have implemented a control and we assume that it is working appropriately because we haven’t had any problems) or insufficient time or resources to regularly monitor or check that everything is working as intended.

Notwithstanding this, there were some recurrent control weaknesses and issues that arose in each of the top 10 audit areas. The most common control weakness identified included:

Developer Contributions/VPAs

• • • Outdated contributions plans
    • Errors in indexing contribution rates
    • Lack of cross-organisational oversight/engagement in developer contributions plans and processes
    • Incomplete or inadequate contributions registers
    • Lack of clear accountability/responsibility for negotiating VPAs
    • Incomplete or inadequate VPA registers
    • Inadequate monitoring of delivery of developer obligations under VPAs

Project/Contract Management

• • • Lack of contract management plans which include all contract obligations
    • Incomplete or inadequate project risk assessments
    • Lack of formal documented project management methodology
    • Inconsistent approach to project/contract management

Procurement

• • • Purchase orders not raised prior to receipt of goods/services
    • Outdated procurement policies and procedures
    • Inadequate documentation of reasons for selecting providers
    • Inequitable use of contractors on supply panels
    • No segregation between staff requisitioning and approving purchases
    • Lack of strategic approach to procurement planning
    • Lack of analysis and monitoring of procurement spend

Development Assessment

• • • Inconsistent approach to peer review of assessments
    • Lack of formally documented pre-lodgement policies and procedures
    • Inconsistent approach to pre-lodgement activities
    • Inadequate documentation of site inspections undertaken
    • Lack of documented procedures for development assessment

Accounts Payable

• • • Lack of formal process for verifying new supplier credentials
    • Inadequate or inconsistent approach to approving variations to purchase orders
    • Three way match not always completed independent of accounts section

Accounts Receivable/Debt Recovery

• • • Lack of clear process for raising and approving credit notes
    • Inconsistent and/or inefficient processes for raising of invoices
    • Delays between provision of service and issuing of invoice
    • Lack of information provided to business units re status of debts

Environmental and Health Compliance

• • • Outdated or inadequate compliance/enforcement policies
    • Inconsistent or inadequate recording of inspection details
    • Inadequate record keeping including reasons for action taken
    • Confusion over responsibilities of Council in relation to Annual Fire Safety Statements

Planning Certificates

• • • Lack of clear responsibility/accountability for maintaining accuracy of various data sets/ layers
    • Lack of clear policy on what is included in s10.7(5) certificates
    • Lack of clear processes for recording and rectifying identified anomalies in certificates produced
    • Key person dependency

Waste Management

• • • Discrepancies between number of services billed by contractors and number of bins provided by Council
    • Lack of comprehensive contract management plan and follow up to ensure contractors meet all annual requirements
    • Outdated waste management strategies and/or lack of reporting on progress in achieving objectives
    • Quarterly rise and fall adjustments by contractors not adequately checked and approved

Works and Maintenance

• • • Focus on reactive rather than proactive maintenance
    • Inadequate reporting of reasons for movement of funds between programs/projects
    • Inadequate reporting of expenditure against different sources of funding
    • Lack of coordination between planning and delivery arms of Council when developing works programs and estimating project costs
    • Inadequate or inconsistent project management methodology and/or documentation
    • Lack of alignment between Long Term Financial Plans, Asset Management Plans and works and maintenance programs

Hopefully, the above table can serve as a quick checklist of shortcomings to look for in common high risk areas.

Heads up

We also believe that audit committees will be looking for greater assurance that management actions in response to audit recommendations have been implemented appropriately. We have seen some evidence of repeat audit findings and agreed actions not being implemented as effectively as advised. This may lead to an increased expectation that auditors will verify implementation of agreed actions through follow-up audits.

Many audit committees are expressing concern that internal audit resources are not sufficient to provide audit coverage over the multitude of high risk activities and processes that councils are responsible for. This raises the question as to how the committee and management can obtain a reasonable level of assurance regarding the control environments in all of these areas. This may lead to more discussion about other methods of obtaining assurance such as control self-assessments.

A control weakness recap

Development, financial, regulatory and infrastructure related functions have featured prominently on council internal audits plans over the last five years and are likely to continue to do so moving forward. The need to provide greater assurance over the management of major projects and contracts has increased as councils become involved in more complex and higher value projects with greater levels of public scrutiny.

Whilst councils operate in different ways there are a large number of risks and controls that are common. Similarly, our audit work has highlighted that there are common control weaknesses across councils.

In future we expect that cyber, IT, financial sustainability and business continuity risks will also feature prominently on council internal audit plans. We also anticipate an increased demand from audit committees for assurance that agreed control improvements have in fact been implemented appropriately. Committees may also push for assurance processes in addition to internal audits to provide some level of assurance that appropriate controls are in place for those areas not covered by the internal audit plan.

How we can help

InConsult is committed to helping organisations better understand the benefits of internal audit.  We have extensive experience in internal auditing, risk management, cyber security, crisis management, business continuity, emergency management, disaster management and pandemic planning.

If you would like to know more about our internal auditing services, contact us to discuss your needs.