TG-2026-041 · critical

Segregation of duties not maintained for payment authorisation above £10k threshold

Treasury Management Review

RISK RATING: critical
CONTROL OWNER: Head of Finance
TARGET DATE: 1 Apr 2026
OVERDUE: 19 days

Finding Description

Testing identified that the same officer is able to both create and approve payments exceeding the £10,000 threshold in the accounts payable system. This control weakness creates a material risk of unauthorised or fraudulent payments being processed without independent verification. Evidence gathered during fieldwork confirmed 14 instances over the review period where a single user performed both actions.

Policy / Standard Reference

Section 4.2 of the Council's Financial Regulations and CIPFA's Code of Practice on Treasury Management require that no single officer may both initiate and authorise a payment transaction above the prescribed threshold.

Evidence

Accounts Payable System Access Report — Q4 2025 · 18 Feb 2026 · Document Review
Interview with Head of Finance — Payment Processes · 20 Feb 2026 · Interview
User Role Configuration Testing — AP Module · 21 Feb 2026 · Testing

Remediation Plan

Finance to reconfigure system roles so that payment creation and authorisation functions are assigned to distinct user profiles. An interim manual authorisation log to be maintained pending system changes.

Owner: Head of Finance
Target Date: 1 Apr 2026
Status: Overdue

Audit Log

Finding reviewed · Helen Bergström · 20 Apr 2026, 11:14

Annual review of open findings — no change to risk rating.

Remediation update requested · Chidinma Obi · 15 Apr 2026, 16:32

Chased Head of Finance for evidence of system role reconfiguration.

Target date breached · System · 1 Apr 2026, 12:00

Remediation target date of 01 April 2026 passed without completion.