The URL can be used to link to this page

Home My WebLink About2324-19 County Legal Integrated (Final 6-17-24)County Legal—Integrated Audit—23/24-19 June 2024 County Legal Integrated Audit The Office of County Internal Audit: Elizabeth Pape, CIA, CFE – County Internal Auditor Aaron Kay – Performance Auditor Audit committee: Daryl Parrish, Chair - Public member Jodi Burch – Public member Joe Healy - Public member Kristin Toney - Public member Summer Sears – Public member Stan Turel - Public member Patti Adair, County Commissioner Charles Fadeley, Justice of the Peace Lee Randall, Facilities Director To request this information in an alternate format, please call (541) 330-4674 or send email to internal.audit@Deschutes.org Take survey by clicking here Recommendations 3 County Legal—Integrated Audit—23/24-19 June 2024 Table of Contents: 1. Introduction ....................................................................................... 1 Background on County Legal ........................................................................................ 1 2. Findings and Observations .............................................................. 2 Findings ........................................................................................................................... 3 Performance reporting did not provide clear information about how well the Department functioned. ............................................................................................ 3 No fraud was uncovered, but County Legal did not have documented procedures for mitigating cash handling risks. ....................................................... 4 Observations ................................................................................................................... 6 Payment card used appropriately. ........................................................................... 6 Suitable information system controls were in place considering low-risk use. ... 7 County Legal took steps to ensure that office space was safe and accessible. ... 8 3. Management Response .................................................................... 8 4. Appendix A: Objective, Scope, and Methodology ........................ 14 Objectives and Scope ................................................................................................... 15 Methodology ................................................................................................................. 16 County Legal—Integrated Audit—23/24-19 June 2024 Deschutes County Office of the Internal Auditor Highlights: Why this audit was performed: A periodic review of administrative practices. What was recommended: We recommended that the County Legal: • Improve performance reporting. • Conduct a fraud risk assessment and implement procedures to address financial risks. County Legal Integrated Audit Our overall objective was to conduct a survey-level risk assessment of administrative practices in the County Legal Department. We did not review specific functions of the Department including providing counsel and legal services to County officials. What was found: We found areas for improvement related to performance reporting and cash handling. • County Legal did not report performance measures that adequately described how well the Office functioned. • No fraud was uncovered but cash collection procedures were not documented despite some risky practices. In many areas, we observed that County Legal complied with administrative policies and best practices. Staff used the procurement card appropriately with adequate documentation. Staff complied with information system controls given the low-risk manner in which the system was used. The Department took steps to ensure that office space was accessible and safe. Other areas we include in our standard integrated audit methods did not apply to County Legal. These included human resources, purchasing, and grants. County Legal—Integrated Audit—23/24-19 June 2024 Deschutes County Office of the Internal Auditor Page 1 of 17 1. Introduction The Deschutes County Audit Committee authorized the review of the County Legal Department in the Internal Audit Program Work Plan for 2024-2025. Internal audits of administrative controls are routinely performed for identified County departments, elected offices, and functions. The last cash handling audit at the Department was performed in 2017. This is part of an effort to have regular audits done on a recurring cycle. Audit objectives, scope, and methodology can be found in Appendix A. The Office of Internal Audit is expanding the scope of its traditional cash handling audits to include a high-level risk survey of administrative functions in each department or office. We are making this transition because the move towards electronic transactions has shifted risk away from cash handling to information security. We are also including other administrative risks such as human resources, procurement, and health and safety in addition to following up on outstanding audit recommendations. Background on County Legal The Deschutes County Legal Department provides legal services and advice to the Board of County Commissioners, leadership of elected and appointed departments and offices, other boards and commissions, and County employees. The Department strives to provide high quality services in a timely, effective, and professional manner according to the highest ethical standards. The Department is overseen by the County Legal Counsel who is appointed directly by the Board of County Commissioners. Other staff include four attorneys and two paralegals who provide services related to general counsel, litigation, planning and code enforcement, employment and labor, procurement and contracting, and public records requests. Over the past five years, County Legal—Integrated Audit—23/24-19 June 2024 Deschutes County Office of the Internal Auditor Page 2 of 17 expenses have trended up slightly from $1.1 million in fiscal year 2019 to $1.6 million in 2023. The Department collects a small amount of revenue, mostly for public records requests. Charges are based on the County fee schedule and are meant to cover costs for staff time. In many cases, the Department does not charge for public records requests either because staff time is minimal or the request serves the public interest (for example, requests from the media). Fee revenue doubled from Fiscal Year 2019 to 2023, from $900 to $2,000, but it was low compared to overall Department expenditures. 2. Findings and Observations The Audit’s overall objective was to conduct a survey-level risk assessment of administrative practices. Audit objectives were focused on general areas of administrative risk and not on the specific functions of providing counsel and legal services to County officials. For a detailed list of audit objectives, see Appendix A. Figure I: County Legal fee revenue doubled from 2019 to 2023. County Legal—Integrated Audit—23/24-19 June 2024 Deschutes County Office of the Internal Auditor Page 3 of 17 We found that County Legal complied with most administrative policies and best practices including those related to purchasing cards, information system controls, and creating a safe and accessible workspace. In other areas, the Department operated in an administratively low-risk environment. However, we found areas for improvement related to performance reporting and cash handling. Findings Performance reporting did not provide clear information about how well the Department functioned. Good performance measures tell a story of what an organization does and how well it’s doing. Performance measures inform decisions, facilitate improvement, and increase understanding of programs. In government, they increase accountability by informing voters about whether programs are meeting expectations. When measures show subpar performance, they can lead to evaluations that identify root causes and fixes. Less than ideal performance measures impede these processes. The Government Finance Officer Association recommends that all governments identify, track, and communicate performance measures as a best practice. County Legal reporting did not meet the standards recommended by the Government Finance Officer Association. The Department reported on the County’s performance dashboard but the reported activities were not performance measures. The Department reported that it used an updated case management system for real-time information sharing and provided all departments with real-time legal support. County Legal—Integrated Audit—23/24-19 June 2024 Deschutes County Office of the Internal Auditor Page 4 of 17 Other benchmark counties reported better performance measures. For example, County Legal’s report about using a case management system appears to be related to staff productivity. A better measure might be related to workload (projects per employee) as is reported by legal departments in Clackamas and Marion counties. Providing real-time support appears to be related to customer service. A better measure might be turnaround time for requests as reported Clackamas, Jackson, and Lane counties. Another option could be to report the results of an internal customer satisfaction survey as is done by Jackson and Lane counties. 1. County Legal should create new performance measures that are more useful, relevant, and adequate. Consider measures used by benchmark counties including staff workload, timeliness, and satisfaction. No fraud was uncovered, but County Legal did not have documented procedures for mitigating cash handling risks. When any organization collects revenue there is always the potential for fraud. Section 6 of the County’s Financial Policy F-7, Bank Accounts and Cash Handling, tasks managers with designing and documenting procedures to prevent fraud to ensure that money ends up where it is supposed to go. Figure II: County Legal 2023 Performance Measures. County Legal—Integrated Audit—23/24-19 June 2024 Deschutes County Office of the Internal Auditor Page 5 of 17 County Legal did not have written cash handling procedures despite engaging in some risky practices. There were no procedures to address: • Segregation of duties. One staffer was responsible for most duties. For public records requests, the same person calculated fee estimates, notified requesters about fees, received payment, and conducted most of the work. • Accounting for public record request fee estimates. Instead of an accounting system, fee estimates were documented only in the email account of the staffer responsible for calculating estimates and receiving payment. • Reconciling cash receipts with the County financial system. There were no procedures for reconciling work performed to fulfill public records requests with receipts in the County financial system. There may not have been procedures because the Department had not conducted and documented a fraud risk assessment. Fraud risk assessments offer an opportunity for managers and staff to brainstorm ideas about how someone might defraud the County and then come up with processes to prevent it from happening. Staff participation in an assessment increases buy-in by helping staff understand why procedures are in place even though they may seem redundant or inefficient. Fraud prevention processes might include limiting access to revenue, requiring secondary approval for transactions, or reconciling funds. In some cases, management may decide to accept a fraud risk because the likelihood of it happening is low or because there are not enough staff or resources to implement a mitigating procedure. In these cases, the acceptance of risk should be documented. 2. County Legal should conduct a fraud risk assessment, and document outcomes. County Legal—Integrated Audit—23/24-19 June 2024 Deschutes County Office of the Internal Auditor Page 6 of 17 3. County Legal should document and implement procedures to address fraud risks identified in the risk assessment. Observations In many areas, we observed that County Legal complied with County administrative policies and best practices. Staff used the procurement card appropriately with adequate documentation. Staff complied with information system controls given the low- risk manner in which the system was used. The Department took steps to ensure that office space was accessible and safe. Other areas we include in our standard integrated audit methods did not apply to County Legal. There were too few employees in the Department to draw meaningful conclusions related to human resources policy, though it should be noted that the County Counsel completed all employee performance reviews on time. The Department was not required to comply with competitive procurement policies because all purchases were below the dollar amount thresholds, and it was not required to comply with grant policy because it did not have any grants. Payment card used appropriately. Purchasing cards are convenient for making purchases for small items or training registrations where invoicing is not possible. However, they also create risk because of the potential for inappropriate use. Staff could use the purchasing card to make disallowed or personal purchases without identification. The County Purchasing Card Policy F-3 requires card holders to only use cards for appropriate transactions and to keep cards secure. Disallowed purchases include cash, alcohol, tobacco, firearms, casinos, and meals while on travel status. In Fiscal Year 2023, County Legal charged $10,600 to its purchasing card mostly for training and office supplies. There County Legal—Integrated Audit—23/24-19 June 2024 Deschutes County Office of the Internal Auditor Page 7 of 17 were no inappropriate transactions on the card and there was appropriate documentation for most transactions. However, early in the year, receipts from one online retailer did not include details about purchases. This issue was resolved later in the year. Suitable information system controls were in place considering low-risk use. County Legal used an electronic case management system called FileVine for record keeping and file access control. Although the system could create reports, status updates, and timekeeping the Department was either not using it for these purposes or only using it internally for information purposes. Information system controls ensure that data kept in electronic systems are secure and accurate. For example, segregating duties enhances data reliability by allowing staff to check work. Appropriately identifying and authenticating users (including disallowing generic user identification and passwords) promotes security. Documented procedures make sure that practical controls are in place. The Federal Information Systems Controls Audit Manual outlines best practices for information systems controls. Overall, County Legal had appropriate information systems controls in place for FileVine. The Department implemented access controls with different user roles and there was an audit trail to report each time staff entered or changed data. However, there were no written procedures. The absence of procedures may have been acceptable considering that the information system was not used for tracking time, reviews, or approvals; to account for revenue including record public record request fees; or performance reporting. If the Department decided to use FileVine for these purposes, the risk level may change, and documented procedures would enhance the control environment. County Legal—Integrated Audit—23/24-19 June 2024 Deschutes County Office of the Internal Auditor Page 8 of 17 Christopher Bell, Sr. Assistant Legal Counsel John E. Laherty, Sr. Assistant Legal Counsel Stephanie Marshall, Sr. Assistant Legal Counsel Kimberly Riley, Sr. Assistant Legal Counsel David Doyle, Legal Counsel County Legal took steps to ensure that office space was safe and accessible. People spend a significant amount of their time at work, so it is important that office space is safe and accessible. The Americans with Disabilities Act requires reasonable accommodations to ensure spaces are accessible and Oregon Occupational Safety and Health Division requires quarterly safety committee meetings where safety inspections are reviewed. County Legal complied with both requirements. The Department missed only two safety committee meetings since January 2022 and attended more meetings than any other department at the downtown campus except Risk Management which hosted the meetings. County Legal staff reported safety inspections every quarter and no accidents were reported. The Department did not have any Americans with Disability Act complaints. 3. Management Response June 5, 2024 To: Elizabth Pape, County Internal Auditor From: David Doyle, Legal Counsel COUNTY LEGAL County Legal—Integrated Audit—23/24-19 June 2024 Deschutes County Office of the Internal Auditor Page 9 of 17 Subject: Management’s response to Audit report Recommendation: 1. County Legal should create new performance measures that are more useful, relevant, and adequate. Consider measures used by benchmark counties including staff workload, timeliness, and satisfaction. a) Management position concerning recommendation: Partially Agree We disagree with this finding. Metrics and bar charts have little to no relevance with regard to the operations of County Legal. The practice of law weighs heavily upon the skills and experience of each attorney, and the complexity or duration of the specific assignment/matter. That said, and in the interest of providing metric-based year-over-year optics, County Legal will begin to track the following: County Legal—Integrated Audit—23/24-19 June 2024 Deschutes County Office of the Internal Auditor Page 10 of 17 County Legal—Integrated Audit—23/24-19 June 2024 Deschutes County Office of the Internal Auditor Page 11 of 17 County Legal—Integrated Audit—23/24-19 June 2024 Deschutes County Office of the Internal Auditor Page 12 of 17 b) Comments: {Relevant comments on findings, recommendations, corrective plan, clarification, or disagreement. } See 1.a. c) Date completed 5/31/24 with FY25 data available once complete. d) Estimated cost to implement recommendation, if significant County Legal—Integrated Audit—23/24-19 June 2024 Deschutes County Office of the Internal Auditor Page 13 of 17 Recommendation: County Legal should conduct a fraud risk assessment, and document outcomes. a) Management position concerning recommendation: Agree b) Comments: {Relevant comments on findings, recommendations, corrective plan, clarification, or disagreement. } County Legal completed the following: FRAUD RISK ASSESSMENT 1. Cash Receipting. County Legal receives monetary payments for public records requests and for processing annexation petitions. These amounts are small, usually averaging less than $1,000. Procedure to Address Risks: One staff member will open the mail and take any payments to Finance; a separate staff member will receipt and process. 2. Purchasing. County Legal utilizes a department checking account and department P-Card to pay for a modest number of purchases. Department purchases typically include continuing education trainings, and witness fees. Procedure to Address Risks: Both accounts are reconciled monthly by County Legal and County Finance. Checks may not be signed by the same staff person who prepared the check, and check preparers do not have signing authority, or if a reimbursement, by the designated payee. Blank checks are never prepared or signed. All purchases are within budget authority. 3. Office Supply & Inventory. County Legal maintains a small inventory of office supplies, including copier paper, pens, paperclips, toner, batteries and sticky notes. Procedure to Address Risks: Inventory usage is tracked against prior use history; if inconsistent with prior use history, Legal Counsel inquires as to any specific reason or justification. If none, Legal Counsel addresses excessive usage with staff and will, if necessary, implement a sign-out procedure. c) Estimate date of completion: Complete. d) Estimated cost to implement recommendation, if significant Recommendation: County Legal—Integrated Audit—23/24-19 June 2024 Deschutes County Office of the Internal Auditor Page 14 of 17 County Legal should document and implement procedures to address fraud risks identified in the risk assessment. a) Management position concerning recommendation: Agree b) Comments: {Relevant comments on findings, recommendations, corrective plan, clarification, or disagreement. } We already have segregated the duties around receiving mail and check processing when feasible for an office of two administrative staff. Implemented May 27, 2024. Documentation and implementation of these procedures is under way. c) Estimate date of completion: July 15, 2024. d) Estimated cost to implement recommendation, if significant 4. Appendix A: Objective, Scope, and Methodology The County Internal Auditor was created by the Deschutes County Code as an independent office conducting performance audits to provide information and recommendations for improvement. Audit findings result from incidents of non-compliance with stated procedures and/or departures from prudent operation. The findings are, by nature, subjective. The audit disclosed certain policies, procedures and practices that could be improved. The audit was neither designed nor intended to be a detailed study of every relevant system, procedure, or transaction. Accordingly, the opportunities for improvement presented in the report may not be all-inclusive of areas where improvement may be needed and does not replace efforts needed to design an effective system of County Legal—Integrated Audit—23/24-19 June 2024 Deschutes County Office of the Internal Auditor Page 15 of 17 internal control. Management has responsibility for the system of internal controls, including monitoring internal controls on an ongoing basis to ensure that any weaknesses or non-compliance are promptly identified and corrected. Internal controls provide reasonable but not absolute assurance that an organization’s goals and objectives will be achieved. Objectives and Scope Objectives included: 1. Review performance reporting from County dashboard and compare measures to prior reporting. Test against Government Finance Officers Association standards. Request back-up materials supporting reported goals and measures. 2. Review internal controls for cash handling with County Legal as outlined in the section of County Finance policy for cash handling (F-7). Identify areas to improve efficiency and effectiveness. Additionally, review management of any change cash, petty cash, receipts, credit cards, judgements, collections, and billings, as applicable. 3. Identify top five vendors for the agency. Verify audit clause, licensing requirements, current insurance record. Review payment methods for vendors. Test against County Policy regarding payments to suppliers (F-15) and Deschutes County Code 2.37. 4. Use an information security checklist to test general level information security controls. Check against Federal Information Security Controls Audit Manual. 5. Review safety committee meeting materials for compliance with Occupational Safety and Health Administration rules. Review any safety training records for regularity and compare them to active roster. Complete Americans with Disabilities Act checklist. Test against County policy “Audit objectives” define the goals of the audit. County Legal—Integrated Audit—23/24-19 June 2024 Deschutes County Office of the Internal Auditor Page 16 of 17 regarding Americans with Disabilities notice and grievance policy (GA-13). 6. Identify the number of active employees and demographic information; vacancy rate (current and historic); current turnover rate; employee evaluation completion. Compare trends over time and to County averages. 7. Determine budgetary significance of grants for the agency. Review selected grant agreements. Test against County policy regarding grant applications and administration (GA- 20). 8. Be aware of any issues with compliance with federal and state regulations and requirements, as may be applicable. We did not report findings related to objective six because there were too few employees in the Department to draw meaningful conclusions about employee information. We did not report findings about objective seven because the Department did not have any grants. Scope and timing: The audit occurred in April—June 2024. It included activity in Fiscal Year 2023 and 2024. Methodology Audit procedures included: • Interviewing staff about cash handling, information systems, purchasing, performance measurement, and physical security and safety. • Reviewing documents provided including policies and procedures, performance measures, vendor contracts, and purchasing card documentation. • Reviewing user roles and reports in FileVine, the information system used for case management. We conducted this performance audit in accordance with Audit procedures are created to address the audit objectives. County Legal—Integrated Audit—23/24-19 June 2024 Deschutes County Office of the Internal Auditor Page 17 of 17 generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. (2018 Revision of Government Auditing Standards, issued by the Comptroller General of the United States.) County Legal—Integrated Audit—23/24-19 June 2024 Deschutes County Office of the Internal Auditor Please take a survey on this report by clicking this link: https://forms.office.com/g/MSciYGiMRc Or use this QR Code: If you would like to receive future reports and information from Internal Audit or know someone else who might like to receive our updates, sign up at http://bit.ly/DCInternalAudit.