The URL can be used to link to this page

Home My WebLink About2324-8 Fair and Expo Cash Handling Report (Final 2-5-24)Fair and Expo Center—Cash Handling—#23/24-8 February 2024 Fair and Expo Cash Handling The Office of County Internal Audit: Elizabeth Pape, CIA, CFE – County Internal Auditor Aaron Kay – Performance Auditor Audit committee: Daryl Parrish, Chair - Public member Jodi Burch – Public member Joe Healy - Public member Kristin Toney - Public member Summer Sears – Public member Stan Turel - Public member Patti Adair, County Commissioner Charles Fadeley, Justice of the Peace Lee Randall, Facilities Director To request this information in an alternate format, please call (541) 330-4674 or send email to internal.audit@Deschutes.org Take survey by clicking here Recommendations 5 Fair and Expo Center—Cash Handling—#23/24-8 February 2024 Table of Contents: 1. Introduction .................................................................................. 1 Background on Fair and Expo ....................................................................................... 1 2. Finding: Incomplete financial procedures increase risks ....... 4 3. Management Response ............................................................... 9 4. Appendix A: Objective, Scope, and Methodology .................. 11 Objectives and Scope ................................................................................................... 12 Methodology ................................................................................................................. 13 Fair and Expo Center—Cash Handling—#23/24-8 February 2024 Deschutes County Office of the Internal Auditor Highlights: Why we performed this audit: As a money-making County enterprise, Fair and Expo has a higher revenue-related risk- profile than other County departments. What we recommended: We recommended that Fair and Expo management: • conduct a fraud risk assessment and implement procedures to address risks. • outline major financial processes and determine whether any roles are conflicting. • design efficient reconciliation processes between financial systems. • document security controls for all financial information systems. Fair and Expo Cash Handling What we found: We found that Fair and Expo did not have complete policies and procedures to ensure that revenue due to the organization was received and deposited. Fair and Expo had not conducted assessments to document risks in areas such as: • overall fraud risks, • segregation of duties within financial processes, • risks associated with using separate financial information systems, and • information system user access and transaction authority. Despite a vulnerable control environment, we did not observe any instances of fraud or theft. Fair and Expo Center—Cash Handling—#23/24-8 February 2024 Deschutes County Office of the Internal Auditor Page 1 of 13 1. Introduction The Deschutes County Audit Committee authorized the review of cash handling practices for the Fair and Expo Center in the Internal Audit Program Work Plan for 2024-2025. Internal audits of fiscal controls are routinely performed for identified County departments or functions. Audit objectives, scope, and methodology can be found in Appendix A. Background on Fair and Expo The Fair and Expo Center is a County-operated 320-acre facility located in Redmond. Fair and Expo’s largest event is the annual Deschutes County Fair, but it also hosts over 400 events annually with an emphasis on events supporting youth, agriculture, and community. In addition to events, Fair and Expo operates a 105- space RV park, which is open year-round. Fair and Expo supports County operations by acting as a response and evacuation center, as well as a staging area for fires and other disasters. Most recently, it served as the host site for the Deschutes County Circuit Court during the Covid-19 pandemic. The County classifies Fair and Expo finances as an enterprise fund due to the department’s business-like operations aimed at generating revenue to sustain its operations. In addition to revenue generated directly by Fair and Expo, operations are supplemented by County transient room tax. Fair and Expo Center—Cash Handling—#23/24-8 February 2024 Deschutes County Office of the Internal Auditor Page 2 of 13 Since 2019 revenue has been variable but is trending up. 1 Source: Deschutes County Financial Information Fair and Expo revenue is comprised of a few different categories, with the largest source being event revenue. These are fees that are paid by outside organizers who rent Fair and Expo facilities for private events. These include large events such as music festivals and small events such as weddings. 1 The audit did not include funds assigned to the Annual County Fair, the County Fair Food and Beverage Fund, the Fair and Expo Food and Beverage Fund or the RV Park. These funds have either been the subject of recent audits or will be the subject of future audits in fiscal year 2024 or 2025. Figure I Fair and Expo revenue increased from $910,000 in 2019 to $1.2 million in 2023. Fair and Expo Center—Cash Handling—#23/24-8 February 2024 Deschutes County Office of the Internal Auditor Page 3 of 13 Source: Deschutes County Financial Information Other categories of revenue are much smaller comprising of signage rights, horse stall rentals, RV storage, camping, vending machine revenue, and other smaller categories. Source: Deschutes County Financial Information Fair and Expo staffing has increased since Fiscal Year 2022 from Figure II Event revenue fluctuated from 2019 to 2023 Figure III Smaller Fair and Expo revenue streams Fair and Expo Center—Cash Handling—#23/24-8 February 2024 Deschutes County Office of the Internal Auditor Page 4 of 13 12.5 full-time equivalent employees to 17.5 in 2024. Operations staff grew from 7 to 10.75. Administrative staff experienced a smaller increase, from 5.5 to 6.75. Source: Deschutes County Budget Books 2. Finding: Incomplete financial procedures increase risks As a business-type County enterprise, Fair and Expo has a higher revenue-related risk-profile than other County departments or elected offices which are more public service oriented. Yet Fair and Expo did not have complete policies and procedures to ensure that revenue due to the organization was received and deposited. Fair and Expo had not conducted assessments to document risks in areas such as overall fraud risks, segregation of duties within financial processes, risks associated with using separate financial information systems, and information system user access and transaction authority. Despite a vulnerable control environment, we did not observe any instances of fraud or theft. Fair and Expo did not have comprehensive financial policies and procedures even though they are required by County policy. Staff verbally explained some procedures, but not all were documented. Documented procedures were limited to Figure IV Operations staff increased more than Administrative staff. Fair and Expo Center—Cash Handling—#23/24-8 February 2024 Deschutes County Office of the Internal Auditor Page 5 of 13 information system instructions with screen shots. They did not include other critical processes such as custody, reconciliation, and reporting. The absence of substantial documented procedures appears to be long-standing and was noted by auditors in a 2007 report. Staff may not have prioritized documenting procedures because they had not conducted a fraud risk assessment of their operations. Fraud risk assessments serve as the foundation for developing a robust and comprehensive set of procedures within an organization. Conducting a fraud risk assessment before designing procedures will help staff understand the importance of procedures and why they must be followed. By identifying potential vulnerabilities and weaknesses, Fair and Expo can proactively address and mitigate the risk of fraudulent activities through the design and implementation of tailored procedures specific to their unique working environment. By documenting the assessment process, the department creates the framework for long-term resilience, continuous learning, and adaptive capabilities for any future improvements. 1. Fair and Expo management should conduct a fraud risk assessment and document outcomes. 2. Fair and Expo management should document procedures to address the risks identified in the fraud risk assessment. Policies governing cash controls are in place to keep people from stealing money from the County, but they can also seem redundant or inefficient. Without documented policies staff may engage in high-risk activities that seem to increase efficiency but also increase the likelihood of fraud. Auditors observed multiple cases of high-risk business activities where internal controls were missing or insufficient. Staff assigned conflicting duties. There are fewer eyes on the process, and it is easier to conceal Fair and Expo Center—Cash Handling—#23/24-8 February 2024 Deschutes County Office of the Internal Auditor Page 6 of 13 theft when there are conflicting duties. For example, at a high level the process of booking an event through posting it in the County financial system involved four steps. There were too many duties concentrated in the Staff B role. Of particular concern is that the same person made bank deposits and reconciled the financial system with the reservation and invoicing systems. These duties should always be performed by different people when possible. If duties cannot be separated, other controls need to be put in place. County financial policy requires directors to design and implement effective cash handling controls, including adequate segregation of duties. In addition to putting more eyes on the process, segregating duties also creates opportunities for cross training and succession planning. There are a few different options for segregating duties. Fair and Expo may need to add staff to distribute duties more effectively. As noted in the Background section, the number of Operations staff has increased faster than Administrative staff. Other options include re-assigning duties to other existing staff or implementing dual controls where two staff work together to complete a task. Staff A generate the booking and reservation. They enter it into software which generates an invoice. Staff B takes in-person and mailed payments, keeps them in a locked drawer, and makes bank deposits. Staff B enters payments into the County's financial system. Staff B reconciles the County Financial System to reservation and invoicing systems once a week. Figure V Most duties were performed by one person, creating conflicts. Fair and Expo Center—Cash Handling—#23/24-8 February 2024 Deschutes County Office of the Internal Auditor Page 7 of 13 3. When designing procedures, Fair and Expo management should outline major financial processes, along with staff assigned to specific activities, and determine whether any roles are conflicting. Manual reconciliation process was inefficient and led to less confidence about finances. Fair and Expo used three different software packages to process events: Event Pro (reservations and booking), Square (invoicing and payments), and Munis (financial reporting). A fourth system was used for RV storage. It was not possible to automatically reconcile transactions in these systems. In a sample of 20 events from Fiscal Year 2023, there were discrepancies between systems for eight events. There were no missing transactions, but the reconciliation process was inefficient and required help from Fair and Expo staff researching records. This is a long-standing finding and was noted by auditors in 2007. The software systems are not integrated, so reconciliation between systems was manual. Staff relied on an excel spreadsheet with date and event names to track transactions between systems, but the process was inefficient and based on text and date fields that did not always correspond. Transactions in one system could easily be missing from others. With a manual reconciliation process, there is less confidence that all booked events were invoiced and that all receipts were entered into the County's financial system. It is also less efficient because it takes longer to track transactions between systems. County financial policy requires directors to design and implement effective cash handling controls. Effective controls for information systems include communication networks for linking technology and reconciliation of systems. Fair and Expo Center—Cash Handling—#23/24-8 February 2024 Deschutes County Office of the Internal Auditor Page 8 of 13 4. Fair and Expo management should design and document an efficient reconciliation process across systems. It might be helpful to create a log of unique identifiers from each system to record how records relate to one another. Staff shared the password to payment software. County Information Technology policy requires that employees keep passwords confidential and change them frequently. Multiple Fair and Expo staff shared the same password to access event invoicing and payment software. The account was assigned to the generic public contact email address. Staff had not configured the software for multiple users. Without unique accounts, multiple staff could delete bookings or change the bank account information without being identified. The risk was higher because the software was web-based and did not require logging into the County network for access. The password was also kept in binders at terminals, so anyone with access to the building could also access sensitive financial information. Even former employees could have access because staff did not change the password on the account for ten months. Since the start of the audit, staff have set up unique user profiles with passwords and multifactor identification. They now have Figure VI Instructions, including the shared password, were kept in binders at every Square terminal. (username and password redacted in this image, but available in the original document) Fair and Expo Center—Cash Handling—#23/24-8 February 2024 Deschutes County Office of the Internal Auditor Page 9 of 13 distinct roles; for example, only the Deschutes County Chief Financial Officer can change the bank account. Each staff member has their own identifier and password. But these improvements did not address the underlying cause, management had not documented data security controls including system access and who can execute transactions. 5. Fair and Expo management should document data security controls for all financial information systems including who has access to data and rights to execute transactions. Each user should have unique access credentials. 3. Management Response Fair & Expo Cash Handling Audit Management Responses First and foremost, Fair & Expo appreciates working with the Audit department and their willingness to engage and discuss items, and to work to understand the unique intricacies of the Fair & Expo department, its enterprise fund status, and the operations of the Fair & Expo department. While we may not fully agree with all related findings or elements, we do appreciate the opportunity to share our perspective, and the additional consideration shown by the Internal Audit team in areas of concern. Fair and Expo Center—Cash Handling—#23/24-8 February 2024 Deschutes County Office of the Internal Auditor Page 10 of 13 Fair & Expo also believes it is key to identify, as the Cash Handling Audit identifies, that despite recommendations for improved documentation or improved control strategies, no instances of fraud or theft were observed or identified. Incomplete financial procedures increase risks. 1: Fair & Expo management should conduct a fraud risk assessment and document outcomes. We agree with this recommendation. Fair & Expo has informally conducted fraud risk assessments on an ongoing basis, without documentation. Moving forward, a formalized and documented fraud risk Assessment will be conducted on a regular basis. 2: Fair & Expo management should document procedures to address the risks identified in the fraud risk assessment. We agree with this recommendation. Fair & Expo has informally conducted fraud risk assessments on an ongoing basis, without documentation. Moving forward, a formalized and documented fraud risk assessment will be conducted on a regular basis. This documentation will be utilized to formulate, or update documented financial procedures. Staff assigned conflicting duties. 3: When designing procedures, Fair & Expo management should outline major financial processes, along with staff assigned to specific activities, and determine whether any roles are conflicting. We agree with this recommendation and are working to create separation or clarity and/or documented steps between assigned financial duties. In the current system, while an individual employee may perform multiple duties, multiple parties have access to/or awareness of the activities to provide additional layers of oversight and to identify any item that may be out of compliance. Manual Reconciliation process was inefficient and led to less confidence about finance. 4: Fair and Expo management should design and document an efficient reconciliation Fair and Expo Center—Cash Handling—#23/24-8 February 2024 Deschutes County Office of the Internal Auditor Page 11 of 13 process across systems. It might be helpful to create a log of unique identifiers from each system to record how records relate to one another. We agree with this recommendation; however, our current systems are not compatible with this recommendation. Fair & Expo has proactively researched new computer systems that are capable of handling the complex process necessary to operate as an enterprise fund; and to reconcile as a County Department. F&E went as far as to make an investment in new software, that ultimately was unable to improve upon current concerns; as well as working with Deschutes County IT to try to design a custom solution; both without success. To date, no single system has been identified as a solution; but efforts are ongoing. Staff shared the password to payment software. 5: Fair and Expo management should document data security controls for all financial information systems including who has access to data and rights to execute transactions. Each user should have unique access credentials. We agree with this recommendation. During the audit it was discovered that the software utilized had made updates, allowing for new controls to be put in place. F&E worked with Deschutes County Finance to adjust software, and shared passwords are no longer utilized. Deschutes County Fair & Expo Center 3800 Airport Way, Redmond OR 97756 (541) 548-2711 EXPO.DESCHUTES.ORG 4. Appendix A: Objective, Scope, and Methodology The County Internal Auditor was created by the Deschutes County Code as an independent office conducting performance audits to provide information and recommendations for improvement. The audit included limited procedures to understand the systems Fair and Expo Center—Cash Handling—#23/24-8 February 2024 Deschutes County Office of the Internal Auditor Page 12 of 13 of internal control around revenues. Audit findings result from incidents of non-compliance with stated procedures and/or departures from prudent operation. The findings are, by nature, subjective. The audit disclosed certain policies, procedures and practices that could be improved. The audit was neither designed nor intended to be a detailed study of every relevant system, procedure, or transaction. Accordingly, the opportunities for improvement presented in the report may not be all-inclusive of areas where improvement may be needed and does not replace efforts needed to design an effective system of internal control. Management has responsibility for the system of internal controls, including monitoring internal controls on an ongoing basis to ensure that any weaknesses or non-compliance are promptly identified and corrected. Internal controls provide reasonable but not absolute assurance that an organization’s goals and objectives will be achieved. Objectives and Scope Objectives included: 1. Review of internal controls for cash handling with the Fair and Expo Center as outlined in County Finance policy for cash handling (F-11). Identify areas to improve efficiency and effectiveness. Additionally, review management of any change cash, petty cash, receipts, credit cards, judgements, collections, and billings, as applicable. 2. Be aware of any issues with compliance with federal and state regulations and requirements, as may be applicable. Scope and timing: The audit occurred in October – December 2023. Included in review of cash handling of Fair and Expo accounting for Fund 6159651. The audit did not include funds assigned to the Annual “Audit objectives” define the goals of the audit. Fair and Expo Center—Cash Handling—#23/24-8 February 2024 Deschutes County Office of the Internal Auditor Page 13 of 13 County Fair, the County Fair Food and Beverage Fund, the Fair and Expo Food and Beverage Fund or the RV Park. These funds have either been the subject of recent audits or will be the subject of future audits in fiscal year 2024 or 2025. The focus of the review was on event revenue, rentals, and other small payments. The scope of the audit did not include all aspects of the internal controls employed. Methodology Audit procedures included: • Interviewing staff related to cash handling, receipting, and billing procedures (staff reviewed and answered the County’s cash handling checklist provided in the Deschutes County cash handling policy F-11). • Reviewing documents provided. • Reviewing and analyzing receipt transaction data for the identified funds; and • Reconciling transactions between systems. We relied on a random sample of 20 transactions out of a population of 237. With 8 discrepancies identified, the projection to the population is between 46 and 144 discrepancies at the 95% confidence level. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. (2018 Revision of Government Auditing Standards, issued by the Comptroller General of the United States.) Audit procedures are created to address the audit objectives. Fair and Expo Center—Cash Handling—#23/24-8 February 2024 Deschutes County Office of the Internal Auditor Please take a survey on this report by clicking this link: https://forms.office.com/g/f8ewGXMyBw Or use this QR Code: If you would like to receive future reports and information from Internal Audit or know someone else who might like to receive our updates, sign up at http://bit.ly/DCInternalAudit.