2023 Global Follow-up #23/24-1 December 2023
2023 Global Follow-up Report
Outstanding recommendations –
Administration, Clerk’s Office, Fair and Expo,
Human Resources, and Finance
The Office of County Internal Audit:
Elizabeth Pape, CIA, CFE – County Internal Auditor
Aaron Kay – Performance Auditor
Audit committee:
Daryl Parrish, Chair - Public member
Jodi Burch – Public member
Joe Healy - Public member
Kristin Toney – Public member
Summer Sears – Public member
Stan Turel - Public member
Patti Adair, County Commissioner
Charles Fadeley, Justice of the Peace
Lee Randall, Facilities Director
To request this information in an alternate format, please call (541) 330-4674
or send email to internal.audit@Deschutes.org
Recommendations
62
Table of Contents:
1. Introduction
   Audit Authority
   Background on Audits Issued
2. Progress towards resolution
3. Duration to resolution
4. Auditor Highlights
   Successful Resolution
   Long outstanding recommendations
   High risk recommendations
5. Appendix A: Updated workplan (status as of December 2023)
6. Appendix B: Objective, Scope, and Methodology
   Objective and Scope
   Methodology
7. Appendix C: Audit Reports Issued
2023 Global Follow-up Executive Summary
Since December 2019, the Office of County Internal Audit has released 23 audit
reports comprising a total of 190 recommendations, with subsequent follow-ups.
This report emphasizes the achievements made thus far and identifies areas
requiring further attention. The table below summarizes the current status of
those audit reports:
Resolved: Fully completed. Auditor will no longer monitor.
Underway: In Progress. Auditor will continue to monitor.
Planned: Agreed to without progress. Auditor will continue to monitor.
Status of Recommendations
Audit Report | Key Follow-up Findings | Resolved | Underway | Planned
Treasurer Transition | County investment practices have been improved. | 22 | 0 | 0
HR – Cash Handling | Improved fiscal controls and operational efficiency. | 13 | 1 | 0
Juvenile – Cash Handling | Stronger controls for handling customer payments. | 4 | 0 | 0
Cellular Costs - Verizon | Expected completion in September 2024. | 5 | 3 | 1
CDD - Cash Handling | Policy revisions need to be completed. | 1 | 1 | 0
Munis Security and Workflows | Enhanced financial controls have been implemented. | 16 | 2 | 0
Munis Vendor Master | Improved efficiency and compliance in financial processes. | 9 | 2 | 1
Munis P-Cards | Written procedures have been documented; further action is necessary. | 3 | 1 | 3
County Clerk Transition | Progress towards resolution has stalled. | 4 | 1 | 4
2021 County Fair Ticketing | The County Fair continues to improve as its popularity increases. | 14 | 3 | 0
Munis Analyses | Enhancing efficiency, accuracy, and compliance in financial processes. | 6 | 2 | 2
Management of Pandemic Case Investigation and Contact Tracing | Temporary labor management needs further improvement. | 0 | 3 | 2
Adult Parole and Probation – Cash Handling | Streamlining fiscal controls for infrequent client payments. | 1 | 0 | 0
Administration and Risk – Cash Handling | Optimization of County infrastructure for OLCC permit payments and review. | 3 | 0 | 0
Assessor’s Office – Cash Handling | The Office has stronger fiscal controls and processes. | 10 | 0 | 0
Initial Cybersecurity Assessment | Cybersecurity is a top priority. | 0 | 2 | 1
Justice Court – Cash Handling | Improved reconciliation process for external payments. | 2 | 0 | 0
Sheriff’s Office - Cash handling | Continued progress for a stronger control environment. | 0 | 3 | 0
Vacation and Sick Leave | System data has improved, but policy revisions remain. | 5 | 4 | 1
Elected District Attorney Transition | Progress has been made improving any future transitions. | 4 | 1 | 0
Treasurer Transition 2022 | Collaborating to define newly elected independent County Treasurer position. | 7 | 0 | 0
Office of the District Attorney – Cash Handling | Documented processes mitigate the risk of fraudulent activities. | 1 | 0 | 0
Deschutes County Office of the Internal Auditor Page 1 of 22
1. Introduction
Audit Authority
The Deschutes County Audit Committee has suggested that
follow-ups occur within nine months of the reports. The Audit
Committee would like to make sure departments satisfactorily
address any prior recommendations that have not been
completed at the time of the initial or subsequent follow-ups. The
Office of County Internal Audit follows up on all
recommendations until resolution. The details of this follow-up
and the associated commentary are included at the end of the
report in Appendix A.
Background on Audits Issued
This is the fifteenth annual global follow-up looking back at all
recommendations included in prior follow-ups. 128 of the 190
recommendations were successfully resolved during the initial
follow-up process. Of the remaining 62 open recommendations,
28 have now been resolved for an overall four-year resolution
rate of 76.84%.¹ Appendix C provides the details of the 23 issued
reports over the last four years and the percentage of
recommendations resolved in each report. In interpreting
recommendation status, Internal Audit may sometimes raise or
lower the status provided by the department based on
communication received from the department.
2. Progress towards resolution
Status updates were requested on 10 of the 23 audit reports with
outstanding recommendations including an explanation of the
current action plan towards resolution. Each of these reports has
undergone at least one follow-up report that was completed
more than six months ago, providing ample time for offices and
departments to address the recommendations. Figure I
illustrates the progress made in implementing the
recommendations since the last information request; however, a
lack of visible movement does not imply no work has been
performed but rather indicates that the matter is not yet fully
resolved.
¹ Prior rates were measured at three-year intervals.
Figure I – Percent of resolved recommendation progress between the last follow-up
and the 2023 Global Follow-up. Some audit reports saw no progress in the
percentage of recommendations resolved.
Report Title | Progress made
HR - Cash Handling | 0%
Cellular Costs - Verizon | 12%
CDD – Cash Handling | 0%
Munis Security and Workflows | 67%
Munis Vendor Master | 8%
Munis P-Cards | 14%
County Clerk Transition | 0%
2021 County Fair Ticketing | 6%
Munis Analyses | 20%
Management of Pandemic Case Investigation and Contact Tracing | 0%
3. Duration to resolution
Certain recommendations can be implemented or resolved more
swiftly than others. Typically, those pertaining to organizational
governance tend to require a more extended timeframe for
completion. Internal Audit is monitoring the time it takes
offices/departments to address the recommendations. It is
noteworthy that, at times, the audited department may not be
the primary entity responsible for resolving a given
recommendation. A notable example is found in the
Administration and Risk Management Cash Handling audit of
2022, where a recommendation was put forth to leverage
electronic systems for liquor license review processing. Despite
County Administration being the focus of the audit, the
responsibility for resolution fell on the shoulders of the
department with an existing electronic permitting system and
involvement in the liquor license review process—namely, CDD,
which consequently became the process owner. This highlights
the nuanced nature of recommendation resolution, where the
responsible party may not always align with the subject of the
audit.
The average months to resolution (9) is markedly lower than the
average age in months of unresolved recommendations (26). This
indicates that easier-to-implement recommendations are being
addressed quickly while a backlog of recommendations is
building.
Figure II – Average duration (in months) it took to resolve recommendations.
The unresolved items marked with an asterisk (*) in Figure III
include recommendations related to contract, policy, or code
revision. As previously mentioned, these take longer to complete.
A case in point would be the recommendation to the Road
Department to amend the County code for noxious weed
program information to a more appropriate party than the
County Clerk. County code text amendments necessitate
thorough legal review and engagement in public meetings for
readings and approvals to complete, contributing to the
prolonged duration for resolution. Other policy revisions in
progress include County Administration collaborating with IT to
draft a new policy for mobile device access to County information
and HR updating CBA language to reflect current leave practices
as those agreements are negotiated. The Finance Department
indicated their draft policy revisions are complete and will be
forwarded to the newly created Policy Advisory Committee. Refer
to Appendix A for detailed comments.
Figure III - Average time recommendations have remained outstanding for Deschutes County.
4. Auditor Highlights
Some recommendations warrant special recognition for
successful resolution, length of outstanding status, and high risk.
Successful Resolution
Implemented recommendations are a chance to highlight
improved County practices and areas of decreased risk. These are
areas where the County deserves recognition for making
operations more effective and efficient.
The Finance Department resolved Munis security and workflow
recommendations related to maintaining internal controls. These
improvements are vital in preventing fraud, errors, and
unauthorized activities within the County's financial operations.
Specifically, these recommendations focus on the key principles
of segregation of duties, disbursement controls, and regular
review of roles and permissions in the Munis system. By
implementing and adhering to these foundational principles, the
Finance Department aims to enhance the reliability, accuracy, and
integrity of its financial operations, ensuring transparency,
compliance, and effective risk management. Several of these
recommendations were issued before the hiring of the County
CFO, Robert Tintle. As illustrated by the progress depicted in
Figure I, the CFO has actively sought to comprehend the nature
of these recommendations and has been working diligently to
address them.
Long outstanding recommendations
Some recommendations are complicated and take longer to
implement. This is why auditors track recommendation status for
four years. But in some cases, management does not prioritize
risk identified by auditors and recommendations languish without
attention.
As Figure III highlighted, revisions to policies concerning mobile
device access to County information and financial controls have
been pending for over three years and should be prioritized by
the County. The Policy Advisory Committee, tasked with ensuring
policies are relevant, efficient, and aligned with County objectives,
currently has numerous pending policy revisions awaiting review.
Human Resources has not addressed a recommendation related
to Munis implementation. The recommendation will increase
efficiency and control of receipted transactions but has remained
unresolved for over four years. Updated comments from Human
Resources Director, Kathleen Hinman, indicate that the adoption
of the system into regular duties is currently in progress. These
comments can be found in Appendix A.
High risk recommendations
Some recommendations are related to exceptionally high areas of
risk. Even though these recommendations have not been open
for as long as some other recommendations, they are areas that
deserve increased attention from management.
Among the unresolved recommendations, the one posing the
highest risk to the organization is the implementation of a
comprehensive cybersecurity program. This recommendation
emphasizes the establishment of a framework for assessing risks,
implementing security controls and procedures, and continuously
monitoring their effectiveness. In the current era of increasing
cyber threats, an organization's vulnerability to cyber-attacks can
have severe consequences, including data breaches, financial
losses, and reputational damage. A robust cybersecurity program
is crucial to safeguard sensitive information, maintain operational
continuity, and protect against evolving cyber threats. Therefore,
prioritizing the implementation of a thorough cybersecurity
strategy is essential for mitigating substantial risks associated
with potential cyber incidents. The County Information
Technology Director, Tania Mahood, said “The hope is to have a
framework in place that meets the business needs, provides
metrics, process, and procedures in place by (Fiscal Year) 2025.”
More detailed comments can be found in Appendix A.
5. Appendix A: Updated workplan (status as of December 2023)
Audit: HR – Cash Handling
Recommendation: It is recommended for Human Resources to consider using Munis to enter and provide receipts and bill and manage receivables.
Updated Status: Underway
Updated Comment: HR met with Finance to learn more about the process. HR staff (newly hired Admin Assistant) will be trained on the process by Tax staff who do this regularly. Additionally, Finance built a query for our use to capture all receipts.
Audit: Cellular Costs - Verizon
Recommendation: It is recommended for the County to consider updating the Cell Phone Policy to address management and expectations around utilization. This would include monitoring and routine assessment as to whether an employee truly needs the device/phone, what services, and what plan best fits their intended usage.
Updated Status: Underway
Updated Comment: Admin- Draft policy updates are complete and will be shared with departments for their feedback.
Audit: Cellular Costs - Verizon
Recommendation: It is recommended for departments to periodically review their cellular plans by line to align them with plan design, device, availability, usage, and cost.
Updated Status: Completed
Updated Comment: As indicated in the initial response, Administrator Anderson and Deputy Administrator Kropp followed up with departments under their administrative direction to directly address the cost and efficiency findings noted in the report.
Audit: Cellular Costs - Verizon
Recommendation: It is recommended for the County to consider updating policies regarding cellular devices to improve adherence to policy, reduce costs, and reduce risks. The policy improvements should consider addressing:
• relationship of stipend levels to the cost of cellular phone services to the County;
• developing plan selection criteria for business needs aligned with anticipated usage to right size costs;
• developing legal and information technology framework to assure that technologies, data, and security are aligned and appropriate given the rise in new technologies and software;
• criteria for selecting between employee phone (stipend) and County owned phone;
• monitoring and modification of plan levels (including elimination of devices) for actual usage below anticipated;
• utilizing free devices and upgrades to maintain the level of technology as well as getting credits for devices sold back.
• establishing when devices require mandatory applications and restrictions from modification for protecting data; and
• addressing applicability of policy to non-employee users.
Updated Status: Underway
Updated Comment: Admin- Draft policy updates are complete and will be shared with departments for their feedback.
Audit: Cellular Costs - Verizon
Recommendation: It is recommended the County consider how to address the risks that come with allowing mobile device access or external computer access to internal County information and who and how the risks will be mitigated.
Updated Status: Underway
Updated Comment: Admin- Admin is working with IT to develop a standalone policy to address these risks.
Audit: Cellular Costs - Verizon
Recommendation: It is recommended the County provided forms for cell phone allowance be updated to reflect any updated policy language.
Updated Status: Planned
Updated Comment: Admin- Once the policy is updated, forms will be updated
Audit: CDD - Cash Handling
Recommendation: It is recommended the County consider updating fiscal policy to allow Finance the authority to manage increases and decreases in petty cash.
Updated Status: Underway
Updated Comment: Finance- Updated policies have been drafted and will be sent to the newly created Policy Advisory Committee.
Audit: Munis Security and Workflows
Recommendation: It is recommended for segregation of duties to be considered in the overall design of roles given to users.
Updated Status: Completed
Updated Comment: IT has created a query to pull access by user. IT and Finance have established monthly meetings to evaluate current roles. An annual review will be utilized going forward.
Audit: Munis Security and Workflows
Recommendation: It is recommended Finance segregate significant duties within the system and provide greater guidance on approvals. This might include additional policy and procedural requirements to discourage self-approvals and further describe proper forwarding of approvals.
Updated Status: Completed
Updated Comment: Based on how the workflow system is set up, it would be rare if this occurred. Finance performs a monthly review of workflow for requisitions, POs, contracts, and invoices to confirm a transaction has not been self-approved. An official policy is not needed as the system is designed to prevent this from occurring and the proper detective controls have been implemented.
Audit: Munis Security and Workflows
Recommendation: It is recommended that periodically IT and Finance join forces to perform a segregation of duties review by user of their assigned permissions. Internal audit can provide guidance on how to carry out this review.
Updated Status: Completed
Updated Comment: IT has created a query to pull access by user. IT and Finance have established monthly meetings to evaluate assigned permissions. An annual review will be utilized going forward.
Audit: Munis Security and Workflows
Recommendation: It is recommended periodically IT and Finance review the history for the “Munis” roles and make sure that it is not being assigned without reason and that it is not being used to approve any transactions.
Updated Status: Completed
Updated Comment: IT has created a query to pull access by user. IT and Finance have established monthly meetings to evaluate current roles. An annual review will be utilized going forward.
Audit: Munis Security and Workflows
Recommendation: It is recommended for the procedures for establishing new Munis users be updated to include a provision to include the association with their employee number, if applicable.
Updated Status: Completed
Updated Comment: All employees of the County do have an employee number within Munis. However, temporary or contact staff do not have an associated number. IT provides a report to Finance annually identifying the reason for any active user in Munis without an associated employee number.
Audit: Munis Security and Workflows
Recommendation: It is recommended for the County Administrator be included in workflow for all disbursements in excess of department limits.
Updated Status: Completed
Updated Comment: Finance has determined that there are already compensating controls mitigating risk of unauthorized approvals. Additionally, effective January 1, 2024, signing authority approval limits have increased for department heads to $50,000, the County Administrator up to $250,000, and the Board for amounts over $250,000. This reduces the quantities of approvals over $50,000 as there are less issues with the higher limits. The County Administrator (CA) is already set up in workflow for items over $50,000 (effective 1/1/24), however, as the CFO approves items prior to the County Administrator, if the CA has already physically signed documents, it is unnecessary to forward those items within Munis, thus duplicating approvals. Finance has evaluated the cost/benefit of items going directly to the CA in Munis workflow and has determined it is inefficient when the CA has already signed documents outside of the system and the documentation is attached within Munis.
Audit: Munis Security and Workflows
Recommendation: It is recommended the County Administrator (or designee) receive the Finance designed disbursement control reports on at least a monthly basis and review for any anomalies (approvals made without the County Administrator or Board designee). The Information Technology department should assure the monitoring reports are working as designed.
Updated Status: Completed
Updated Comment: Workflow approvals for the CFO, County Administrator and Board are currently being reviewed by the Controller, a licensed CPA, who is outside of the approval process at these higher levels. The reports are working as designed.
Audit: Munis Security and Workflows
Recommendation: It is recommended the Board of County Commissioners clarify by policy (perhaps in Policy F-15 – Department purchasing thresholds) that the purchasing approval thresholds also apply to all payments being made and excluding certain payments that by statute can be made by the County Treasurer. It would also be a place where they direct whether the County Administrator should review and approve any payments coming to them for approval.
Updated Status: Completed
Updated Comment: Finance- Policy F-15 was reviewed, updated, and approved by the Board on November 29, 2023. Signing authority limits were updated. The current language was evaluated and considered sufficient as written.
Audit: Munis Security and Workflows
Recommendation: It is recommended for Finance to work with departments on the rollout of using the purchase card rebate program and who should benefit from the purchase card rebate.
Updated Status: Completed
Updated Comment: All departments benefit from revenues associated with the purchase card rebate program. Offsetting revenues received within Finance reduces the internal service charges allocated to departments, thus benefiting all departments proportionally. No need to change the current process.
Audit: Munis Security and Workflows
Recommendation: It is recommended for the department considering use of a purchase card to see what payment arrangements can be made with their vendor that maximizes the potential discount on timely payment.
Updated Status: Completed
Updated Comment: Finance currently reviews invoices over $50,000 to determine if there is an option to pay with a purchase card. If the vendor charges a fee to pay via a purchasing card, we do not pay by this method as it would increase costs to the departments. A majority of the vendors we have evaluated charge a processing fee based on the total invoice amount which eliminates the benefit of using a purchasing card.
Audit: Munis Security and Workflows
Recommendation: It is recommended for vendors who are to be setup for payment through purchase card be setup from the beginning by the department.
Updated Status: Underway
Updated Comment: Finance is evaluating this process.
Audit: Munis Security and Workflows
Recommendation: It is recommended for Finance to regularly collect on purchase card rebates and post them to the County accounting records.
Updated Status: Completed
Updated Comment: Finance- This is completed annually. The last rebate request was in November 2023.
Audit: Munis Security and Workflows
Recommendation: It is recommended for the County to consider some of the workflows they have not been using.
Updated Status: Underway
Updated Comment: Finance and IT will review all process codes in January 2024 and annually thereafter.
Audit: Munis Security and Workflows
Recommendation: It is recommended for the County to consider and document how they are controlling roles, permissions, and workflows for Munis.
Updated Status: Completed
Updated Comment: Finance- The process has been documented.
Audit: Munis Vendor Master
Recommendation: It is recommended for the County to consider how to implement electronic signatures across County departments and functions based on the associated risks and requirements.
Updated Status: Completed
Updated Comment: County purchased centralized electronic signature software, DocuSign. IT is in the process of implementing Countywide.
Audit: Munis Vendor Master
Recommendation: It is recommended that Finance and County departments investigate if they are receiving all of the discounts they can get by paying in a timely manner.
Updated Status: Underway
Updated Comment: Finance is evaluating this recommendation.
Audit: Munis Vendor Master
Recommendation: It is recommended for Finance to work with departments to utilize the discounts field when discounts are available.
Updated Status: Underway
Updated Comment: Finance is evaluating this recommendation.
Audit: Munis Vendor Master
Recommendation: It is suggested that vendors be evaluated as to whether a better type could be assigned that better reflects the service or product they provide.
Updated Status: Planned
Updated Comment: Finance is evaluating this recommendation.
Audit: Munis P-Cards
Recommendation: It is recommended Finance update policies and procedures to assure adherence to the delegated purchasing authority. This might include changes to policy, altering P-Card limits, or modifying Munis processing.
Updated Status: Completed
Updated Comment: Procedures were formally documented in May 2022. The CFO approves all changes to P-Card limits and new P-Card requests. County RFP for a new p-card program is still planned.
Audit: Munis P-Cards
Recommendation: It is recommended for cardholders to enter in invoice/receipt numbers to help prevent duplicate payments.
Updated Status: Underway
Updated Comment: Initial tests were performed. Finance is still determining the best solution.
Audit: Munis P-Cards
Recommendation: It is recommended the policy clarify whether an employee can have more than one P-Card assigned to them; whether other employees can use the P-Card; and whether non-employees can be provided a P-Card.
Updated Status: Planned
Updated Comment: Finance- Procedures were formally documented in May 2022. Policy will be evaluated and updated as necessary after a new procurement professional is hired and issuance of RFP for a new p-card program. The Board approved the new position in June 2023 and the position is expected to be hired in Q1 2024.
Audit: Munis P-Cards
Recommendation: It is recommended for the policy to address deployment of these high-dollar P-Cards and procedures and controls over their usage.
Updated Status: Planned
Updated Comment: Finance- Procedures were formally documented in May 2022. Policy will be evaluated and updated as necessary after a new procurement professional is hired and issuance of RFP for a new p-card program. The Board approved the new position in June 2023 and the position is expected to be hired in Q1 2024.
Audit: Munis P-Cards
Recommendation: It is recommended for the County to consider the suggested policy improvements (1-8) in an updated policy and any associated changes to procedures.
Updated Status: Planned
Updated Comment: Finance- Procedures were formally documented in May 2022. Policy will be evaluated and updated as necessary after a new procurement professional is hired and issuance of RFP for a new p-card program. The Board approved the new position in June 2023 and the position is expected to be hired in Q1 2024.
Audit: County Clerk Transition
Recommendation: It is recommended for the Clerk's Office identify and proceed with developing contracts and contract renewals with significant vendors.
Updated Status: Planned
Updated Comment: Clerk- No progress made - refer to prior comments from April 2022: We plan to have all contracts and renewals up to date as soon as possible. Estimated date is difficult to pinpoint as we will be working with vendors.
Audit: County Clerk Transition
Recommendation: It is recommended the Clerk's Office enter any contracts into the County financial system as contracts so that effective approvals and contract management can occur.
Updated Status: Planned
Updated Comment: Clerk- No progress made - refer to prior comments from April 2022: As contracts are brought up to date, we are intending to enter and track them in Munis.
Audit: County Clerk Transition
Recommendation: It is recommended for the County to consider addressing the remaining recommendations from the Office of Homeland Security.
Updated Status: Underway
Updated Comment: Clerk- No progress made - refer to prior comments from April 2022: We are taking appropriate steps to address recommendations from Homeland Security. Date of completion is undeterminable at this time.
Audit: County Clerk Transition
Recommendation: It is recommended for the Clerk's Office to see if the recording software provider can further improve the audit trail.
Updated Status: Planned
Updated Comment: Clerk- No progress made - refer to prior comments from April 2022: A software change will need to be made and the timeframe of this update is currently unknown as enhancements from this vendor are provided in a prioritized order. Date of completion is undeterminable at this time.

Audit: County Clerk Transition
Recommendation: It is recommended for the County to amend code section 8.35.070(D) to direct the notification responsibilities to a more appropriate party than the County Clerk.
Status: Planned
Comment: Clerk- No progress made - refer to prior comments from April 2022: This recommendation is noted and will be incorporated into a future update to Code Section 8.35, which is currently not scheduled in the near term.

Audit: 2021 County Fair Ticketing
Recommendation: It is recommended for fair management to split out convenience fee revenue and associated ticketing costs to improve transparency of the ticketing technology net cost.
Status: Underway
Comment: Fair & Expo will work with the Finance department to create an additional category for the receipt of "ticketing" or "convenience" fees for the 2024 Fair to allow for transparency of ticketing technology expense.

Audit: 2021 County Fair Ticketing
Recommendation: It is recommended for Fair & Expo management to formalize written procedures over financial areas of the County Fair (including change, gate receipts, and concessions). {The County Internal Auditor created a listing of observed procedures that should help in the creation of procedures.}
Status: Completed
Comment: Fair & Expo created written procedures for financial areas of the annual County Fair, including Admission Revenues, change procedures, and Food & Beverage Concessionaire revenues received in advance of the 2023 Fair & Rodeo.

Audit: 2021 County Fair Ticketing
Recommendation: It is recommended for Finance to develop a change policy (possibly through an amendment to the petty cash policy F-8) to address the requirements for change cash issuance and its accountability.
Status: Underway
Comment: Finance- Updated policies have been drafted and will be sent to the newly created Policy Advisory Committee.

Audit: 2021 County Fair Ticketing
Recommendation: It is recommended for the County to use an expanded contract form for a contractor used for handling monies and include a background check, Legal Counsel review, Risk Management review, and appropriate bonding.
Status: Underway
Comment: Fair & Expo will update the specialized contract for any/all contractors who handle cash as part of the admissions process; with input from Legal, and Risk management departments. Fair & Expo has and will continue to require bonding by the admissions coordinator; which began in 2022.

Audit: Munis Analyses
Recommendation: It is recommended that Finance develop procedures to review for duplicate invoice payments and, at least annually, perform a duplicate invoice search/review.
Status: Completed
Comment: Finance completes this process annually.

Audit: Munis Analyses
Recommendation: It is recommended for Finance to consider additional training to approvers on batching approvals. This would include setting expectations at various levels in the approval process as well as communicating them in written procedures.
Status: Completed
Comment: Finance- Detailed instructions posted in SharePoint (Enterprise ERP Dashboard).

Audit: Munis Analyses
Recommendation: It is recommended for Finance to assess, periodically, the usage of bulk approving and the impacts on the purchasing workflow.
Status: Underway
Comment: Finance has the documentation on the process and plans to implement Q1 2024. The process will be added to the accounting monthly/quarterly close.

Audit: Munis Analyses
Recommendation: It is recommended, with the incidence of some invoices not being entered against a purchase order or contract, that Finance consider whether it would be beneficial to provide departments a tool to reference their purchase orders.
Status: Planned
Comment: Finance- The Board approved a new procurement position in June 2023 and the position is expected to be hired in Q1 2024. This will be evaluated after the position is filled.

Audit: Munis Analyses
Recommendation: It is recommended for Finance to work with departments to identify and consider setting up routine payments with a purchase order or contract.
Status: Planned
Comment: Finance- The Board approved a new procurement position in June 2023 and the position is expected to be hired in Q1 2024. This will be evaluated after the position is filled.

Audit: Munis Analyses
Recommendation: It is recommended the County limit usage of its accountable plan payments to employees/volunteers and that other departmental payments should not be paid through the County’s accountable plan.
Status: Underway
Comment: Finance plans to implement Q1 2024. The process will be added to the accounting monthly/quarterly close.

Audit: Management of Pandemic Case Investigation and Contact Tracing
Recommendation: It is recommended for the County to develop a new invitation to bid to cover the newer needs of the County for temporary labor and address the handling of margin and concerns noted above.
Status: Planned
Comment: HR- RFP for temporary and agency staffing pushed out for one year due to HR staffing.

Audit: Management of Pandemic Case Investigation and Contact Tracing
Recommendation: It is recommended the current contract with the primary vendor for temporary labor be extended out 12-18 months until an invitation to bid can be developed and issued.
Status: Underway
Comment: HR- Contract to be finalized in January 2024. Most terms have been confirmed, with only a few terms still under review for specialized work.

Audit: Management of Pandemic Case Investigation and Contact Tracing
Recommendation: It is recommended for the County to establish more effective leadership and management of the temporary labor contracts and how they are used by County departments. They may want to consider a policy or procedures to address the variety of human resource (HR) issues that come with using a temporary workforce. This would include whether an in-house labor pool could be developed and when departments should consider contracted labor. Human Resources has indicated they will be taking over efforts to work on the temporary labor RFP/contracts.
Status: Planned
Comment: HR will draft guidelines for oversight of temporary and agency workforce management.

Audit: Management of Pandemic Case Investigation and Contact Tracing
Recommendation: It is recommended for the County (and Health Services) to consider what practices should be employed to provide feedback (formal and informal and to what extent) to contracted temporary staff working for the County.
Status: Underway
Comment: HR will include guidance in the upcoming revised employee performance management project.

Audit: Management of Pandemic Case Investigation and Contact Tracing
Recommendation: It is recommended for Health Services and the County to consider using more metrics as they manage temporary and remote staffing workloads (for case investigation and contact tracing).
Status: Underway
Comment: HR will include guidance in the upcoming revised employee performance management project and the guidelines for oversight of temporary and agency workforce management.

Audit: Initial Cybersecurity Assessment (as of May 2023)
Recommendation: It is recommended for the County to implement a cybersecurity program that includes establishing a framework and continuous cycle of activity for assessing risk, developing and implementing effective security controls and procedures, and monitoring the effectiveness of those procedures as noted above.
Status: Underway
Comment: IT: A fresh approach to the cybersecurity program will be put in place under the guidance of new leadership in the IT department. In the meantime, we are striving to fulfill the CIS controls' IG2 requirements to reduce risks. To aid in this effort, a managed cybersecurity service company was brought on board in January 2023. In partnership with the vendor, an Incident Response Plan will be started in Q2. IT staff from multiple units are working in collaboration with cybersecurity vendors on a weekly basis to accurately identify and respond to vulnerabilities. These meetings' participants have informally been referred to as the advisory committee. Quarterly vulnerability scanning is being conducted by the vendors in collaboration with the advisory committee. The hope is to have a framework in place that meets the business needs, provides metrics, process, and procedures in place by FY25.
Administration: We will support the IT department’s continued work to establish a cybersecurity program. Continued funding for this program was included in the FY24 budget. IT will continue to track this work through its performance measures, which should provide consistent progress updates both to the Board and to residents.

Audit: Initial Cybersecurity Assessment (as of May 2023)
Recommendation: It is recommended, at least annually, the Board of County Commissioners review and approve the County’s cybersecurity program.
Status: Planned
Comment: IT: IT will provide current state of the County's cybersecurity posture by summer 2023. A full cybersecurity program report will be provided by FY25.
Administration: We agree with this recommendation and will support IT in facilitating this annual check in with the Board.

Audit: Initial Cybersecurity Assessment (as of May 2023)
Recommendation: It is recommended for the County, led by the IT Department, to continue improvements in addressing cyber defenses.
Status: Underway
Comment: IT: During the budget planning for FY24, the new IT leadership did not request a full-time employee (FTE). Instead of hiring a dedicated FTE for security, the plan is to use the allocated funding for a managed cybersecurity services company. Although outsourcing has identified many gaps, it alone is not enough. By adding a dedicated resource, we can significantly improve our cybersecurity defenses both proactively and reactively.
Administration: Administration looks forward to future discussions with the IT Department about potential new FTE that may be needed to meet organizational needs.

Audit: Sheriff’s Office - Cash handling (as of Sept 2023)
Recommendation: It is recommended the Sheriff’s Office strengthen the internal control system to better oversee all payments they receive and periodically assess their operating environment to assure the system is operating as intended.
Status: Underway
Comment: DCSO- Recommendation is completed in several guidance areas; work remains in Records and Civil for Munis training.

Audit: Sheriff’s Office - Cash handling (as of Sept 2023)
Recommendation: It is recommended the Sheriff’s Office develop procedures to make more timely deposits.
Status: Underway
Comment: DCSO- Recommendation is completed in several guidance areas; work remains in evidence money deposits and electronic transfers.

Audit: Sheriff’s Office - Cash handling (as of Sept 2023)
Recommendation: It is recommended the Sheriff’s Office implement additional control activities through policies and procedures.
Status: Underway
Comment: DCSO- Recommendation is completed in several guidance areas; work remains in CODE accounting.

Audit: Vacation and Sick Leave (as of Oct 2023)
Recommendation: It is recommended Human Resources and Payroll establish secondary review processes for employee leave balance limit calculations and adjustments.
Status: Planned
Comment: Finance - Given the Pay Period Alignment Project and the Tyler/Munis Upgrade Project, this item was deferred until June 2024.

Audit: Vacation and Sick Leave (as of Oct 2023)
Recommendation: It is recommended the County develop a process to support supervisors in monitoring employees’ use of vacation leave in compliance with policy.
Status: Underway
Comment: HR- The County has a policy covering expectations for employee’s use of vacation leave. It is a supervisor’s responsibility to hold their employees accountable to all policies, including this one. Human Resources will update the attendance expectations in the employee performance evaluation form to include this review. This will prompt supervisors to review all aspects of an employee’s attendance and use of leave with respect to County policies. The performance evaluation update is still in process.

Audit: Vacation and Sick Leave (as of Oct 2023)
Recommendation: It is recommended the County revise leave policy HR-16 to be in conformance with State law.
Status: Underway
Comment: HR- HR has drafted an Oregon Paid Sick Time (OPST) Policy which will be ready for consideration soon. Additionally, HR will update HR-16 to comply with the OPST law and will present for consideration in coordination with the OPST policy.

Audit: Vacation and Sick Leave (as of Oct 2023)
Recommendation: It is recommended the County update policy and CBA contract language to align with practice.
Status: Underway
Comment: HR- HR will engage with unions, as each CBA is bargained, to align CBA language with practice. This policy is in draft and underway.

Audit: Vacation and Sick Leave (as of Oct 2023)
Recommendation: It is recommended for the County to consider adjustments to the leave cash out policies to further address constructive receipt.
Status: Underway
Comment: HR- HR will engage with unions, as each CBA is bargained, to align CBA language with practice. This policy is in draft and underway.

Audit: Elected District Attorney Transition (as of Oct 2023)
Recommendation: It is recommended the Elected District Attorney document transitional information for their successor.
Status: Underway
Comment: DA- We have successfully compiled an outline of transitional information and are presently in the process of collecting data and making real-time updates as new items arise.
6. Appendix B: Objective, Scope, and Methodology
Objective and Scope
Objective:
The objective was to follow up on previously unresolved
recommendations.
Scope and timing:
This 2023 Global follow-up included all reports issued in the last
four years. Those reports with unresolved recommendations that
had a follow-up report completed in approximately nine months
were subject to a new request for information. Updates to the
recommendations outlined in the audit reports presented in
Figure I have been incorporated into this report and are detailed
in Appendix A. There are fifty-four (54) recommendations
included in this update over ten (10) audit reports.
Status was determined through information provided by offices
and departments in December 2023. The original internal reports
should be referenced for the full text of recommendations and
associated discussion. All internal audit performance reports are
published on the County website at
https://www.deschutes.org/administration/page/internal-audit-reports.
Methodology
The follow-up report was developed from information provided
by appropriate staff in the associated offices and departments. In
cases where recommendations have not been implemented,
comments were sought for the reasons why and the timing for
addressing these. The follow-ups are, by nature, subjective. In
determining the status of recommendations that were followed
up, we relied on assertions provided by those involved and did
not attempt to independently verify those assertions.
Since no substantive audit work was performed, Government
Auditing Standards issued by the Comptroller General of the
United States were not followed.
“Audit objectives”
define the goals of
the audit.
7. Appendix C: Audit Reports Issued
Audit Title | Original Report # | Report Issued | # of Original Recommendations | # of Recommendations Outstanding | % Resolved
Treasurer Transition | 19/20-1 | Dec-19 | 22 | 0 | 100%
HR – Cash Handling | 19/20-4 | Dec-19 | 14 | 1 | 93%
Juvenile - Cash Handling | 19/20-7 | Jan-20 | 4 | 0 | 100%
Cellular Costs - Verizon | 17/18-5 | Mar-20 | 9 | 4 | 56%
CDD - Cash Handling | 19/20-10 | Jun-20 | 2 | 1 | 50%
Fair and Expo – Trending Costs | 19/20-12 | Aug-20 | 16 | 0 | 100%
Munis purchasing topics Part I - Security and Workflows | 19/20-9 | Jan-21 | 18 | 2 | 89%
Munis purchasing topics Part II - Vendor Master | 20/21-6 | Mar-21 | 12 | 3 | 75%
Munis purchasing topics Part III – P-Cards | 20/21-8 | May-21 | 7 | 4 | 43%
County Clerk Transition | 20/21-11 | Jul-21 | 9 | 5 | 44%
2021 County Fair - Ticketing and selected areas | 21/22-1 | Sep-21 | 17 | 3 | 82%
Munis purchasing topics Part IV - Analyses | 20/21-9 | Nov-21 | 10 | 4 | 60%
Management of Pandemic Case Investigation and Contact Tracing | 21/22-5 | Mar-22 | 5 | 5 | 0%
Adult Parole and Probation - Cash Handling | 21/22-11 | May-22 | 1 | 0 | 100%
Administrative Services & Risk - Cash handling | 21/22-10 | May-22 | 3 | 0 | 100%
Assessor's Office - Cash Handling | 21/22-13 | Jun-22 | 10 | 0 | 100%
Initial Cybersecurity Assessment | 21/22-6 | Jul-22 | 3 | 3 | 0%
Justice Court - Cash handling | 21/22-15 | Sep-22 | 2 | 0 | 100%
Sheriff’s Office - Cash handling | 21/22-16 | Nov-22 | 3 | 3 | 0%
Vacation and Sick Leave | 21/22-17 | Dec-22 | 10 | 5 | 50%
Elected District Attorney Transition | 22/23-4 | Jan-23 | 5 | 1 | 80%
Treasurer Transition 2022 | 21/22-12 | Mar-23 | 7 | 0 | 100%
District Attorney’s Office – Cash Handling | 23/24-4 | Sep-23 | 1 | 0 | 100%
Total | 23 | | 190 | 44 | 76.84%
If you would like to receive future reports and information from Internal Audit or
know someone else who might like to receive our updates, sign up at
http://bit.ly/DCInternalAudit.