City council doesn’t have audit trail after Oracle disaster • The Register
Birmingham City Council, Europe’s biggest local authority, has no way of knowing if financial fraud has been committed after it failed to run security and audit features in a new Oracle Fusion ERP system.
The council, which was responsible for £3.7 billion revenue in 2021, also continues to struggle with “segregation of duties” features that set who is legally allowed to see and control transactions, essential for preventing fraud.
Fiona Greenway, director of finance and statutory officer, told the Audit Committee yesterday that the council would almost certainly never know if fraud had been committed.
“In terms of the segregation of duties … the fact that that decision was made somewhere … to switch off the one thing that could give us the assurance within the control environment of the ERP system [means that] I’m probably going to be in a position where I can never give that 100 percent assurance … that trail is just not there,” she said.
Greenway later said Oracle’s audit features had never been turned on. “I have never – and I’ve done this job a lot of years – known anybody not to decide to have an audit trail switched on.”
The council’s Oracle Fusion ERP system, which replaced an aging system from German vendor SAP, went live in April 2022. The cost of implementing a functioning system that allows external auditors to sign off accounts is expected to be more than £100 million more than initial estimates. In September last year, the council was effectively declared bankrupt because of the Oracle implementation and a string of equal pay claims going back a number of years, the bill for which has been estimated up to £760 million.
Greenway said that producing accounts for financial years 2022-2023 and 2023-24 would be difficult “because the audit trail was not switched on until August [or] September, which means we have at least half a year of transactions with no audit trail and ability to test for fraud in that system. So that’s a concern.”
The Register has asked the council to clarify in which year the audit trail was switched on.
In October last year, a 12-page public interest report from external auditors Grant Thornton highlighted concerns over security and governance from when the system was first introduced. “Some IT security systems were not implemented and there is an inadequate segregation of duties in the system,” it said.
City councillor and member of the audit committee Meirion Jenkins, who also runs a business reselling and implementing Microsoft Dynamics 365 ERP systems, said: “In my 40 years of selling and implementing these systems [neither Fiona Greenway or I] have ever seen this situation arise before. And neither of us can offer an explanation as to why one would decide [not to implement audit features]. That’s a mystery.”
Earlier this month, Councillor Fred Grindrod, chair of the council’s audit committee, asked why the Oracle system was still not “safe and compliant” in terms of legal and statutory obligations going into the new financial year, something Grant Thornton said would be “absolutely crucial.” ®