The URL can be used to link to this page

Home My WebLink About2122-4 Follow-up Munis Part I-Security and workflows (Final 10-22-21)Follow-up County Accounting System (MUNIS) purchasing topics: Part I – Security and workflows #21/22-4 October 2021 2020 FOLLOW-UP REPORT County Accounting System (MUNIS) purchasing topics: Part I – Security and workflows (Internal audit report #19/20-9 issued January 2021) To request this information in an alternate format, please call (541) 330-4674 or send email to David.Givans@Deschutes.org Deschutes County, Oregon David Givans, CPA, CIA County Internal Auditor 1300 NW Wall St Bend, OR 97703 David.Givans@deschutes.org Audit committee: Daryl Parrish, Chair - Public member Jodi Burch - Public member Tom Linhares - Public member Scott Reich - Public member Summer Sears - Public member Stan Turel - Public member Patti Adair, County Commissioner Charles Fadeley, Justice of the Peace Lee Randall, Facilities Director Follow-up County Accounting System (MUNIS) purchasing topics: Part I – Security and workflows #21/22-4 October 2021 2020 TABLE OF CONTENTS: 1. INTRODUCTION 1.1. Background on Audit …………..………………………………………….……….……..…. 1 1.2. Objectives and Scope …………….………………………………….…………….………… 1 1.3. Methodology …………………………………….…..………………………….…………….… 1 2. FOLLOW-UP RESULTS …………………….……….……………………………………….…… 2 APPENDICES Appendix I – Updated workplan (status as of October 2021) …….…................ 3-8 Follow-up County Accounting System (MUNIS) purchasing topics: Part I – Security and workflows #21/22-4 October 2021 2020 Page 1 1. Introduction 1.1 BACKGROUND ON AUDIT Audit Authority: The Deschutes County Audit Committee has suggested that follow-ups occur within nine months of the report. The Audit Committee would like to make sure departments satisfactorily address recommendations. 1.2 OBJECTIVES and SCOPE “Audit objectives” define the goals of the audit. Objectives: The objective was to follow-up on recommendations from the original audit. Scope: The follow-up included eighteen (18) recommendations from the internal audit report for County Accounting System (MUNIS) purchasing topics: Part I-Security and workflows (#1920-9), issued in January 2021. The original internal audit report should be referenced for the full text of recommendations and associated discussion. The follow-up reflects the status as of October 2021. 1.3 METHODOLOGY The follow-up report was developed from information provided by Greg Munn, Treasurer and CFO. Comments were sought for the status of the outstanding recommendations. Follow-ups are, by nature, subjective. In determining the status of recommendations that were followed up, we relied on assertions provided by those involved and did not attempt to independently verify those assertions. The updates received are included in Appendix I. Since no substantive audit work was performed, Government Auditing Standards issued by the Comptroller General of the United States were not followed. Follow-up County Accounting System (MUNIS) purchasing topics: Part I – Security and workflows #21/22-4 October 2021 2020 Page 2 2. Follow-up Results Figure I - How were recommendations implemented? The follow-up included eighteen (18) outstanding recommendation agreed to by Finance. Figure I provides an overview of the implementation status of the recommendations. With this follow-up, six percent (6%) of the outstanding recommendations have been addressed. As indicated in the provided responses, many of the recommendations have not been fully addressed as Finance has been recruiting a business systems administrator position. The details of the follow-up is included at the end of the report in Appendix I. In interpreting the status, the County Internal Auditor may sometimes raise or lower the status provided by the department based on the communication(s) received from the department. Follow-up County Accounting System (MUNIS) purchasing topics: Part I – Security and workflows #21/22-4 October 2021 2020 Page 3 APPENDIX Appendix I – Updated workplan for recommendations for #19/20-9 (status as of October 2021) Items that are not completed are greyed out. Rec # Recommendations Status Estimated or Actual Date of Completion Updated Follow-up comments 1 It is recommended for segregation of duties to be considered in the overall design of roles given to users. Underway We are in the final interview stages (Nov 4) for the business systems administrator position that will work with county Finance , internal audit and IT staff to evaluation and make security and workflow enhancement recommendations. 2 It is recommended Finance segregate significant duties within the system and provide greater guidance on approvals. This might include additional policy and procedural requirements to discourage self- approvals and further describe proper forwarding of approvals. Underway Same as #1. 3 It is recommended that periodically IT and Finance join forces to perform a segregation of duties review by user of their assigned permissions. Internal audit can provide guidance on how to carry out this review. Underway Same as #1. Follow-up County Accounting System (MUNIS) purchasing topics: Part I – Security and workflows #21/22-4 October 2021 2020 Page 4 Rec # Recommendations Status Estimated or Actual Date of Completion Updated Follow-up comments 4 It is recommended for the County to consider how it might address the additional resources (staffing time) necessary to help Finance and IT maintain ongoing support; document systems controls (such as roles and workflows); and reinforce segregation of duties. Underway Same as #1. 5 It is recommended periodically IT and Finance review the history for the “Munis” roles and make sure that it is not being assigned without reason and that it is not being used to approve any transactions. Underway Same as #1. 6 It is recommended for the procedures for establishing new Munis users be updated to include a provision to include the association with their employee number, if applicable. Underway Same as #1. Follow-up County Accounting System (MUNIS) purchasing topics: Part I – Security and workflows #21/22-4 October 2021 2020 Page 5 Rec # Recommendations Status Estimated or Actual Date of Completion Updated Follow-up comments 7 It is recommended for the County Administrator be included in workflow for all disbursements in excess of department limits. Underway The CAO is included in workflow that includes disbursement requests in excess of individual department head limits. However, the workflow has a manual step in it that is reviewed and processed by the CFO. Disbursements for county expenses above $50K (for the Health Dept. director) and those above $25K for all other dept. heads are manually forwarded by the CFO to the CAO for approval. Disbursements for tax related activities (normal tax distributions to taxing districts, refunds, etc.) are approved by the CFO in the agent role of tax collector regardless of amount as these are not county expenditures but rather disbursement of funds to taxing districts. However, along with the review mentioned in #1 above, we will review this workflow to determine if there is a way to automate it within Munis or confirm a manual method if necessary. 8 It is recommended the Board of County Commissioners have the County Administrator (or designee) review all payments over $150 thousand before they go to them. Underway As mentioned in #7, the CAO approves all payments over the department director's limits ($50K for Health, $25K for all others) which includes those that exceed $150K. Once the CAO has approved, and if the amount is over $150K, the CFO determines whether or not the Board has approved the expenditure by way of contract, resolution or motion. If there is evidence of Board approval then the CFO will approve on the Board's behalf. Follow-up County Accounting System (MUNIS) purchasing topics: Part I – Security and workflows #21/22-4 October 2021 2020 Page 6 Rec # Recommendations Status Estimated or Actual Date of Completion Updated Follow-up comments 9 It is recommended the County Administrator (or designee) receive the Finance designed disbursement control reports on at least a monthly basis and review for any anomalies (approvals made without the County Administrator or Board designee). The Information Technology department should assure the monitoring reports are working as designed. Underway Weekly accounts payable batch reports are approved by the CFO and sent to the CAO for review. Each disbursement on the report is linked back to Munis where the backup documentation can be reviewed. It has also been practice for the CAO to forward this report to the Board for their review/info. 10 It is recommended for the Board of County Commissioners (or designee) assure that disbursements over $150 thousand have their approval. They might consider staffing this review through Administration/BOCC to lend additional segregation of duties over Finance. Underway This step is completed by the CFO by confirming that the >$150K spend is supported by a Board approved contract, resolution, motion or similar mechanism. 11 It is recommended the Board of County Commissioners clarify by policy (perhaps in Policy F-15 – Department purchasing thresholds) that the purchasing approval thresholds also apply to all payments being made and excluding certain payments that by statute can be made by the County Treasurer. It would also be a place where they direct whether the County Administrator should review and approve any payments coming to them for approval. Underway Same as #1. Follow-up County Accounting System (MUNIS) purchasing topics: Part I – Security and workflows #21/22-4 October 2021 2020 Page 7 Rec # Recommendations Status Estimated or Actual Date of Completion Updated Follow-up comments 12 It is recommended for Finance to work with departments on the rollout of using the purchase card rebate program and who should benefit from the purchase card rebate. Underway We will be issuing an RFP for banking services early in 2022 that will include a component for purchase card services which we will have the option to award together with traditional banking services or independently. Since it is a possibility that we will have a new pcard provider, the plan is to roll out information on the new program (assuming we change) along with other information and guidance on pcard protocols including the rebate program. 13 It is recommended for the department considering use of a purchase card to see what payment arrangements can be made with their vendor that maximizes the potential discount on timely payment. Underway See #12. 14 It is recommended for vendors who are to be setup for payment through purchase card be setup from the beginning by the department. Underway See #12. 15 It is recommended for Finance to regularly collect on purchase card rebates and post them to the County accounting records. Underway See #12. 16 It is recommended for Finance to improve segregation of duties over vendor additions and changes by requiring a separate person approve any additions or changes. Completed 17 It is recommended for the County to consider some of the workflows they have not been using. Underway See #1. Follow-up County Accounting System (MUNIS) purchasing topics: Part I – Security and workflows #21/22-4 October 2021 2020 Page 8 Rec # Recommendations Status Estimated or Actual Date of Completion Updated Follow-up comments 18 It is recommended for the County to consider and document how they are controlling roles, permissions, and workflows for Munis. Underway See #1. {End of Report}