The URL can be used to link to this page

Home My WebLink AboutFinance-Tax-Treasury - Cash controlsReport# 04/05 - 5 (Dated February 6, 2005) FINANCE DEPARTMENT- Review of Internal Controls Over Receipts and Investments Presented to the Deschutes County Audit Committee by the Internal Audit Program David Givans, CPA – County Internal Auditor Report# 04/05 - 5 Dated February 6, 2005 Deschutes County, Oregon Report# 04/05 - 5 (Dated February 6, 2005) {This page intent ionally left blank} Report# 04/05 - 5 (Dated February 6, 2005) To: Audit Co mmittee CC: Mike Daly, Tom DeWolf From: David Givans, Count y Internal Auditor Subject: Internal Audit Report on the Finance Depart ment (Report #04/05-5) Date: February 6, 2005 The enclosed audit report provides informat ion concerning the internal control structure of the Finance Depart ment as it relates to handling of receipts and invest ments. Informat ion contained in this reports is from interviews and observat ions performed. Many o f the necessary internal controls are in place and management and staff are to be commended for developing and using effective internal controls. Opportunit ies for improvement have been ident ified. A summary o f the significant findings and recommendations is provided in the Executive summary. Audit results have been discussed with the Finance Director. Management’s response is included at the end of this report and addresses the findings and recommendations. The staff and management of the Finance Department were cooperative and responsive during our review. Deschutes County, Oregon Internal Audit Program David Givans, CPA County Internal Auditor Deschutes Services Center 1300 NW Wall St., Suite 200 Bend, OR 97701 Phone: 541-330-4674 Fax: 541-385-3202 davidg@co.deschutes.or.us Report# 04/05 - 5 (Dated February 6, 2005) {This page intent ionally left blank} Report# 04/05 - 5 (Dated February 6, 2005) FINANCE DEPARTMENT - Review of Internal Controls Over Receipts and Invest ments TABLE OF CONTENTS: EXECUTIVE SUMMARY 1. INTRODUCTION 1.1. Background …………………………………………………………………….…... 1 1.2. Object ives and Scope ……………………………………………………………. 1-2 1.3. Methodology …………………………………………………………………..…… 2 2. FINDINGS – General 2.1. Controls ………………………………………………………………………….. 2-7 3. FINDINGS – Finance 3.1. Highlights ………………………………………………………………………... 7-8 3.2. Controls …..…………………………………………………………………….. 8-10 3.3. Laws and Regulat ions …………………………………………………………….. 10 4. FINDINGS – Tax 4.1. Controls ……………………………………………………………………….. 10-12 4.2. Laws and Regulat ions ……………………………………………………..….. 12-13 4.3. Performance …………………………………………………………………….… 13 5. FINDINGS - Investments 5.1. Laws and Regulat ions ……………………………………………………….......... 14 6. RESPONSE FROM MANAGEMENT ………………………………………. 15-22 Report# 04/05 - 5 (Dated February 6, 2005) {THIS PAGE LEFT BLANK} Report# 04/05 - 5 (Dated February 6, 2005) i FINANCE DEPARTMENT – Review of Internal Controls Over Receipts and Investments Report# 04/05 - 5 (Dated February 6, 2005) EXECUTIVE SUMMARY Purpose As approved by Deschutes County’s Audit Committee, a review was conducted of the internal controls over receipts and invest ments for the Finance Department. Informat ion contained in this reports is from interviews and observat ions performed. The purpose of the audit is to assist management and staff in improving its internal control system. Results in brief Audit findings result from incidents of non-co mpliance with stated procedures and/or departures from prudent operation. The findings are, by nature, subject ive. Many o f the necessary internal controls are in place and management and staff are to be commended for developing and using effective internal controls. Opportunit ies for improvement have been ident ified. The fo llowing highlights the significant findings presented to management for consideration in a summarized format. The findings and an excerpt of the associated recommendat ion include: GENERAL · Additional accounting oversight needed over supervisors It is reco mmended that reports be developed which list unusual or except ion type transactions. This includes reversals by other users, changes to the tax collect ion system, utilizing transaction dates other than the current date, etc... These reports along with supporting documentation should be reviewed by the Finance Director. Staff other than the one receipt ing the money should be responsible for authorizing any vo ids or reversals and should retain support for the changes made. On a periodic basis, a supervisor should review the voids and reversals for compliance with policy and to determine that was sufficient support exists. Supervisors should not review their own work. The revenue accountant has control over every aspect of the room tax collect ion system. Duties for receipt ing, reconciling accounts, posting payments, or deposit ing the payments should be assigned to at least two emplo yees to establish segregat ion of duties. Appropriate personnel in County operating departments should be informed of the need to reconcile their receipts with account balances reported on HTE. Any differences should be invest igated. Report# 04/05 - 5 (Dated February 6, 2005) ii · Physical security of cash receipt drawers could be improved It is reco mmended steps be taken to acquire cash register drawers that could be physically mounted to the underside of the counter/desk area. It should have a unique key lock and allow for only one emplo yee’s access at a time. Other desirable features include a slot to allow checks to be added without opening the drawer and a mechanism incorporated into the receipt ing system to open the drawer only when change is required. · Finance not prepared in the event computers or software are unavailable for an extended period It is reco mmended Finance develop a sufficient business cont inuit y plan in the event they loose access to computers and so ftware for an extended period of time. This includes obtaining prenumbered forms imprinted with the County’s name and for use on these occasions. These forms should be in duplicate. Any unnumbered receipt stock should be destroyed (dog licenses). The manual receipt books should be controlled. · Written accounting policies and procedures concerning duties of staff are insufficient or out-dated It is reco mmended Finance staff document its account ing policies and procedures. The procedures should emphasize the areas of monitoring, supervision and segregat ion of duties. These po licies and procedures should be available to all emplo yees and should include, in detail, the responsibilit ies of each employee. Operating departments should be informed, in writing, of the duties they should perform to provide effect ive control over their deposits and expenditures. · Physical security over Finance area could be enhanced. It is reco mmended non Finance staff should not have routine access to Finance work areas unless specifically approved by Finance. Building services and IT staff access should be limited to a smaller roster of staff. · Finance attendant windows lack physical security deterrents It is reco mmended Finance work with Risk management to enhance physical controls over the front desk areas. These might include some co mbination o f glass barrier, surveillance, and/or alarm system. In responding to this recommendat ion, Finance will have to weigh the benefit s of customer access, communicat ion and staff safet y to develop a meaningful so lut ion. It is recommended staff be trained on how to handle a possible robbery t ype situat ion. FINANCE · Operating department endorsement stamps Report# 04/05 - 5 (Dated February 6, 2005) iii Commend Finance staff on obtaining endorsements stamps for departments. Finance staff should continue to take steps to make all sure all departments have and are using an appropriate endorsement stamp. · Finance Department utilizing bank security features The Finance Depart ment is commended for staying current with evo lving bank practices developed to enhance securit y. · Finance staff have unnecessary authorities in financial accounting software It is reco mmended the disbursements module security be reviewed to deny access to users who have access to the check signature card. Other accounting modules should be reviewed periodically for potential segregat ion of duties conflicts. · Lack of supervisor review of bank reconciliations It is reco mmended the bank reconciliat ions be reviewed by a supervisor on a monthly basis, and document such review by dating and init ialing the bank reconciliat ion. · Security of blank check stock could be improved It is reco mmended that staff reconcile the check stock used (used, voided, or mis-fed) to the number of checks in each check run. All vo ided check stock should be logged and its destruction witnessed. Any blank mis-fed check stock, which is to be re-used, should be logged for use with manual check runs. · Instances exist where dog licensing receipts were not deposited with 24 hours It is reco mmended Finance staff should receipt all payments received wit h dog license applicat ions within 24 hours. Checks should be restrict ively endorsed for any unprocessed dog license applicat ions at the end of each day. TAX · Tax software has insufficient controls over user access It is reco mmended the tax software be modified so USERID’s cannot be altered without re-logging in. Supervisory reports should be developed to report on unusual act ivit y. This would include reversals by other users, utilizing transact ion dates other than the current date, etc... Supervisory staff should oversee these and the supporting documentation. Report# 04/05 - 5 (Dated February 6, 2005) iv The tax area should develop an internal po licy requiring staff to change their password and keep it secret. Staff should not allow other users to utilize their system while they are logged in. · Change fund utilized as petty cash fund The tax area should request authorit y to have petty cash funds for this specific t ype of reimbursement. The Department should consider what amount of petty cash is needed for easier monitoring and immediately deposit any excess. A report should be developed to tally the supply receipts entered into the tax system, this should be reconciled wit h the supply slips submitted, and amounts paid fro m the change monies. · File transfer site used to transmit/receive tax payment information is not secure It is reco mmended the County request the site be secured so files once entered cannot be modified. · Cash overage not deposited It is reco mmended the tax area immediately deposit the monies wit h Finance and prepare the cash over/short reporting form. · Property owner residence address changes taken without written authority It is reco mmended the tax area consider whether they are properly co mplying with their legal obligation to obtain written address changes in accordance wit h the Oregon Revised Statutes. · Lockbox services can streamline performance The County should evaluate the cost vs. benefit of a lockbox arrangement for tax payments. INVESTMENTS · Investment fee assessed to outside districts may not be accordance with State law It is reco mmended, based on discussio n wit h County legal counsel, that Finance develop an agreement to be signed by taxing districts and other entit ies posting mo nies wit h the County, authorizing their invest ments to be subject to County invest ment policies, which includes assessment of the fee. Report# 04/05 - 5 (Dated February 6, 2005) Page 1 1. INTRODUCTION 1.1 BACKGROUND Audit Authorit y: As approved by Deschutes County’s Audit Committee, a review was conducted of the internal controls over receipts and invest ments for the Finance Depart ment. The Audit Committee authorized the audit by its approval o f the County’s internal audit workplan for fiscal year 2004/2005. Purpose of Audit: This audit was init iated in response to the Finance Department’s request to review their internal controls over receipt ing and investing. This report also includes managements’ response to these recommendat ions. Internal Controls: County government is responsible for using public assets and public funds in a prudent and responsible manner. County managers in turn are responsible for developing and maintaining procedures to protect public assets and promote efficient and effect ive services. These procedures and the environment promoted by management are called internal controls. Management is ult imately responsible for implement ing appropriate internal control systems. An effect ive system o f internal controls: · Safeguards assets fro m waste, fraud and inefficient use · Promotes accuracy and reliabilit y in the account ing records · Encourages and measures co mpliance wit h established practices · Evaluates the efficiency of operations Effect ive internal controls minimize the potential for errors and/or irregularit ies to occur. If they do occur, effect ive internal controls detect such errors and/or irregularit ies in a t imely manner during the normal course of business. 1.2 OBJECTIVES and SCOPE Audit objectives: The object ives of the audit were: 1. To review the internal control structure and internal procedures to handle receipts and investments. 2. To evaluate compliance wit h Federal, State or Count y regulat ions and requirements, as ident ified. Opportunities for increased efficiency and effect iveness were included in the recommendat ions when applicable. Scope: The audit was limit ed to the Finance Depart ment receiving of mo nies during the normal course of business and for invest ments made as described during August and September 2004 Report# 04/05 - 5 (Dated February 6, 2005) Page 2 observat ions. The review o f the systems of internal control system was limited to observat ions of procedures observed or described by staff. The review procedures were not extensive enough to provide an overall conclusio n as to the effect iveness of the internal control system for the Finance Department. 1.3 METHODOLOGY The audit involved gaining an understanding o f the control environment as described by management and staff during interviews. Relevant evidence was obtained through observat ion and interviews. This review is, by nature, subjective. Effect ive internal control provides reasonable assurance of achieving the fo llowing object ives: 1. Effect iveness and efficiency of operations. 2. Reliabilit y of reporting information. 3. Compliance with applicable laws and regulat ions. Audit procedures included: · Developing an understanding of Finance Department issues through review of audit reports and associated recommendat ions issued by other local governments · Interviews with front desk attendants, other staff and departmental management to ident ify procedures in place · Assessment of key internal controls · Observations of actual transact ions and procedures to see how the procedures were 4being performed The Finance Depart ment has four separate operating areas that were reviewed: · Finance - Account ing/controllership · Invest ment / Treasury · Tax - Property tax collect ion · Dog licensing The audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States. 2. FINDINGS – General Many o f the necessary internal controls are in place and management and staff are to be commended for developing and using effective internal controls. Opportunit ies for improvement have been ident ified. Report# 04/05 - 5 (Dated February 6, 2005) Page 3 2.1 Controls Additional accounting oversight needed over supervisors Supervisors re-count and balance receipted monies to internal act ivit y reports. Supervisors have sufficient software access and authorit y to reverse or override the informat ion on such activit y reports or to adjust property tax records. If cash or checks were misappropriated and the activit y reports modified, it would be nearly impossible to detect such irregularit y. Supervisors have access to the daily receipts unt il they are deposited. The software systems, in mo st cases, maintain a sufficient audit trail but there are no procedures in place for management to review reversals and overrides. In some cases, the supervisor has responsibilit y for recording transact ions and has access to the assets (cash and checks). This lack of segregation of dut ies occurs with the fo llo wing act ivit ies: · Property tax payments · Room tax payments · Dog licensing · Operating department receipts Duties should be segregated so that no one person is responsible for receiving, reconciling, depositing mo ney and posting payments. Voids and reversals are a normal part of the receipt ing process but should be performed and reviewed by another authorized staff person. Adequate documentation should be retained to support any vo ids or reversals. Cash drawer attendants should sign and init ial reports from their balancing of their registers. Supervisory staff should not have authorit y to change batches and vo id or alter payments without the written acknowledgment of another emplo yee. Wit hout segregation of duties, it may be nearly impossible to detect that monies are missing. Some Count y operating departments do not verify that deposits made with Finance are properly recorded. It is recommended that reports be developed which list unusual or exception type transactions. This includes reversals by other users, changes to the tax collection system, utilizing transaction dates other than the current date, etc... These reports along with supporting documentation should be reviewed by the Finance Director. Some staff person other than the one receipting the money should be responsible for authorizing any voids or reversals and should retain support for the changes made. On a periodic basis, a supervisor should review the voids and reversals for compliance with policy and to determine that was sufficient support exists. Supervisors should not review their own work. The revenue accountant has control over every aspect of the room tax collection system. Duties for receipting, reconciling accounts, posting payments, or depositing the payments should be assigned to at least two employees to establish segregation of duties. Report# 04/05 - 5 (Dated February 6, 2005) Page 4 Appropriate personnel in County operating departments should be informed of the need to reconcile their receipts with account balances reported on HTE. Any differences should be investigated. Physical security of cash receipt drawers could be improved Cash register drawers are accessible by more than one staff person at a time. Cash drawers, in the tax area, are not locked and are so met imes left unattended. Visibilit y o f cash drawers by other staff is limited. Cash registers monies are kept in the safe overnight and are accessible by so me supervisory staff. Access to any cash drawer should be limited to one staff person unt il the monies in the drawer are reconciled to the activit y report. Sole custody over cash register drawers is the most effect ive way to track problems in the event the monies and act ivit y reports do not balance. Cash drawers should be physically safeguarded to protect their contents. Insufficient physical securit y of the cash drawers (due to concurrent or overnight access) could lead to inabilit y to trace where the funds went in the event of a misappropriation o f mo nies. It is recommended steps be taken to acquire cash register drawers that could be physically mounted to the underside of the counter/desk area. It should have a unique key lock and allow for only one employee’s access at a time. Other desirable features include a slot to allow checks to be added without opening the drawer and a mechanism incorporated into the receipting system to open the drawer only when change is required. Monies remaining in the safe should be counted, balanced, and placed in a tamperproof bank bag and the staff person should initial the bag. The staff person should recount these monies if the bag has any indication of being tampered with. Finance not prepared in the event computers or software are unavailable for an extended period Business continuit y planning for Finance can be improved in the event there is no access to their computers and so ftware. Staff do not have sufficient manual procedures and forms in place should they loose access to computers or software. It would be difficult to provide sufficient control over receipts without established procedures, manual receipts, and other forms. Appropriate manual receipts should conform to Count y policy. County policy (P-1999-075) requires all invo icing to be recorded using pre-numbered forms imprinted with the Count y’s name and department. These forms should be in duplicate. It is recommended Finance develop a sufficient business continuity plan in the event they loose access to computers and software for an extended period of time. This includes Report# 04/05 - 5 (Dated February 6, 2005) Page 5 obtaining prenumbered forms imprinted with the County’s name and department for use on these occasions. These forms should be in duplicate. Any unnumbered receipt stock should be destroyed (dog licenses). The manual receipt books should be controlled. Written accounting policies and procedures concerning duties of staff are insufficient or out-dated There were no current written accounting policies and procedures in the Finance Department. Communicat ion is an essent ial co mponent of internal controls. Written policies and procedures are effect ive for controls. Well-designed and maintained po licies and procedures enhance accountabilit y and consistency. The resulting documentation is also useful for training and cross-training personnel. The lack o f comprehensive written accounting procedures can lead to inadequately planned controls, inadequate supervisio n, poor and inadequate training, and lack of adherence to stated control procedures. Finance has co mpleted some work towards updating written procedures. It is recommended Finance staff document its accounting policies and procedures. The procedures should emphasize the areas of monitoring, supervision and segregation of duties. These policies and procedures should be available to all employees and should include, in detail, the responsibilities of each employee. Operating departments should be informed, in writing, of the duties they should perform to provide effective control over their deposits and expenditures. Physical security over Finance area could be enhanced. The new County/State building utilizes access cards to control access to specified areas. All County staff in the County/State building (approximately 83 emplo yees) have access during normal business hours to the north and south entrances to Finance. County informat ion techno logy (IT) and building maintenance workers have access during all hours (approximately 34 emplo yees). A situation was ident ified in which a retired maintenance worker still had access. Most County staff do not need access to the Finance working areas. In addit ion, though IT and building maintenance workers often need access outside normal business hours to Finance, it should be limited to a smaller group. Users who are terminated or retired should have their cards deactivated and returned. Physical access to Finance potentially allo ws access to monies and documents. During tax season, a significant amount of money is in the area at any given point of time. These monies (mostly checks) are not kept in a place wit h restricted access unt il the day’s receipts are Report# 04/05 - 5 (Dated February 6, 2005) Page 6 balanced. The County established open access for County emplo yees to ease the administration o f the access card system. It is recommended non Finance staff should not have routine access to Finance work areas unless specifically approved by Finance. Building services and IT staff access should be limited to a smaller roster of staff. Finance attendant windows lack physical security deterrents The front desk attendant areas in the Deschutes Services Center are open and there are no surveillance-type devices. Finance staff are the often the first contact for customer inquiry and are often interrupted by customers asking for direct ions. The open window areas allow sound and movement in the hallway to distract staff probably reducing their efficiency in performing their duties. It is easy to come up on staff at the windows without them noticing your approach. The County building currently has no panic or other type of alarms. Finance receives, at times, receives a significant amount of cash fro m customers and operating departments. Currently, the safeguards have been limited to transporting the mo nies by armed courier and locking mo nies in the safe. During tax season, the Department has a Sheriff’s officer visibly present for security purposes. Attendants are concerned that they have to count out their cash register drawers at the front desk areas. Tax staff are not allowed flexibilit y to close their stations to allow them to count the drawer contents away fro m customers. There should be adequate physical securit y so monies and personnel are safeguarded. Emplo yees should be trained and systems should be available to timely notify authorit ies in case of a robbery and to provide effect ive wit nessing of events. Best practices for banks generally include closed circuit televisio n systems, some form of barrier (if a significant amount of cash is present), height markers, emplo yee training, unobstructed views, signage, and alarm systems. Wit hout sufficient training and systems, emplo yees may be put at risk, monies might be stolen, and perpetrators may not be adequately ident ified for law enforcement to pursue recovery. The original plan was to have a glass screen at each attendant window. This was not done. It is recommended Finance work with Risk management to enhance physical controls over the front desk areas. These might include some combination of glass barrier, surveillance, and/or alarm system. In responding to this recommendation, Finance will have to weigh the benefits of customer access, communication and staff safety to develop a meaningful solution. It is recommended staff be trained on how to handle a possible robbery type situation Report# 04/05 - 5 (Dated February 6, 2005) Page 7 . Tax attendant procedures should be reviewed to allow staff the ability to count-out their register drawers away from customers. 3. FINDINGS – Finance 3.1 Highlights Operating department endorsement stamps Finance recent ly ordered endorsement stamps for several departments, which included the name of the department on the stamp. This assists with the ident ification o f checks by ident ifying the receiving depart ment and allows fo r departments to restrict ively endorse their checks before bringing them to Finance. Operating departments should be restrictively endorsing checks on receipt. Endorsing all checks received in departments upon receipt minimizes the opportunit y for misuse. Endorsement stamps wit h the department name on them, helps ident ify the source when deposits are reviewed electronically (online or on CD). Commend Finance staff on obtaining endorsements stamps for departments. Finance staff should continue to take steps to make all sure all departments have and are using an appropriate endorsement stamp. Finance Department utilizing bank security features The Finance Depart ment requested and adopted posit ive pay and ACH filters as a means to safeguard County bank accounts for its major accounts with Bank of the Cascades (the Bank). Posit ive pay - Positive pay is effect ive in deterring check fraud. Posit ive pay allows an issuer and its bank to work together to detect check fraud by ident ifying checks presented for payment that are not as they were when issued. With positive pay, an issuer prepares a “checks issued” data file (including check number, payee, amount and date) and transmit s this data to its bank. The bank co mpares all checks received for payment with the record of all issued checks. The bank contacts the issuer if it receives a check that does not match the specific data fields. The County has been utilizing posit ive pay wit h its major accounts since it became available at the Bank. ACH (Automated Clearing House) filters - The Count y provides the bank with the routing numbers of financial inst itutions for which they expect to have ACH transfers. No other ACH transactions are allowed. The County is the first of the Bank’s customers to utilize this securit y feature. Report# 04/05 - 5 (Dated February 6, 2005) Page 8 The GFOA reco mmends governmental ent it ies use posit ive pay as the primary check clearance process in banking services agreements. This service should be included as part of an overall program of check fraud protection, including secure file transmission. The GFOA also recommends establishment and use of adequate controls against unauthorized Automated Clearing House (ACH) debits. The County requested these services in its most recent request for banking services. These services are provided for the County’s main bank accounts with Bank of the Cascades. Addit io nal bank accounts could be added for an addit ional fee. The positive pay and ACH filters are progressive steps towards protecting the Count y’s main accounts fro m theft. It has been determined there currently is not a cost/benefit to add this service to the County’s minor bank accounts. The Finance Department is commended for staying current with evolving bank practices developed to enhance security. 3.2 Controls Finance staff have unnecessary authorities in financial accounting software The County’s financial so ftware (HTE) is co mprised of various account ing modules each with their own securit y options. Some staff have access to modules their job dut ies do not require them to use. The revenue accountant has access to the check writ ing funct ion and can init iate a check run. It did not appear staff wit h these authorities ever used them. It was also noted some new features and reports added through software updates have not been made available to users who could ut ilize them. Software access rights should be limited to the functions appropriate to a given staff’s duties. Wit hout proper securit y settings, staff might be able to access systems, which could compro mise established segregat ion of duties. In addit ion, staff need to have access to new reports and features made available in modules they ut ilize. Reviewing the securit y settings for the various mo dules and over various staff is not easily accomplished through the current reports available with this account ing system. It is recommended the disbursements module security be reviewed to deny access to users who have access to the check signature card. Other accounting modules should be reviewed periodically for potential segregation of duties conflicts. Security settings should be reviewed, periodically, for any new reports so those can be authorized for appropriate users. Report# 04/05 - 5 (Dated February 6, 2005) Page 9 Lack of supervisor review of bank reconciliations Supervisory staff do not review bank reconciliat ions prepared by Finance staff. External auditors periodically review the fiscal year-end reconciliat ions as part of the financial statement audit. Bank reconciliat ions serve as an important control element in accounting systems. Supervisio n over this process is important in verifying that the reconciling items are appropriate. Properly prepared bank reconciliat ions can often detect improper accounting and are often the detection method for many fraud schemes. It is recommended the bank reconciliations be reviewed by a supervisor on a monthly basis, and document such review by dating and initialing the bank reconciliation. Security of blank check stock could be improved During an observat ion of check print ing, it was noted the check run utilized so me check stock that was either vo ided and/or mis-fed. These occurrences are normal and ant icipated but usage of check stock was not properly accounted for. Other staff discovered so me mis-fed blank stock while preparing the checks for mailing. Staff responsible for checks stock should have sufficient procedures over check stock to ident ify any missing check stock. Wit h posit ive pay, it is improbable anyo ne could use the check stock without it being detected. It is recommended that staff reconcile the check stock used (used, voided, or mis-fed) to the number of checks in each check run. All voided check stock should be logged and its destruction witnessed. Any blank mis-fed check stock, which is to be re-used, should be logged for use with manual check runs. Dog licensing software required additional control A discussio n with the IT programmer on software level controls indicated it was possible for some Finance staff to post negative receipt amounts. Posting negat ive receipts would reduce the expected amount of receipts for the batch. Monies could then be diverted and it would be difficult to detect. A scan of the database of receipts indicated there were no negative receipts made. Financial so ftware should have sufficient controls to limit the abilit y o f staff to alter receipt amounts without appropriate supervisio n. Report# 04/05 - 5 (Dated February 6, 2005) Page 10 After these discussions, the programmer removed the ability of staff to enter a negative receipt amount. No further action required. 3.3 Laws and regulations Instances exist where dog licensing receipts were not deposited with 24 hours It was noted there was a mult iple day backlog of dog licensing payments. Finance staff do not restrict ively endorse checks unt il the license applicat ion is processed. If the application is not processed, the applicat ion and the unendorsed check are placed in the safe overnight. County po licy (P-1999-075) requires all mo nies received to be deposited within 24 hours with the Treasurer’s Office or the Bank. Monies not deposited could be misappropriated. It is recommended Finance staff should receipt all payments received with dog license applications within 24 hours. Checks should be restrictively endorsed for any unprocessed dog license applications at the end of each day. 4. FINDINGS – Tax 4.1 Controls Tax software has insufficient controls over user access The tax area uses custom software for handling tax collect ion. USERID’s are defined for each staff person and control their access authorit ies. Staff, logged-into the system, can change the USERID associated with their activit y without use of a password. This could potentially disguise the staff person and their entries. Tax staff indicated a number of them have not changed their passwords and that other staff know those passwords. USERID’s should be based on the logged-in user and should not be able to be changed at the discretion of the user. Staff should log out of their batch when out for lunch and on break. Staff posting act ivit y and corrections should be monitored and reviewed. The County has adopted a password policy and staff should similarly develop and ut ilize unique passwords for internal software. This will assure the system can properly track entries by staff person. Wit hout sufficient safeguards over software access, someone can utilize another staff person’s access to enter or change informat ion in the system. This may be done in order to perpetrate or cover-up monies stolen. Report# 04/05 - 5 (Dated February 6, 2005) Page 11 It is recommended the tax software be modified so USERID’s cannot be altered without re- logging in. Supervisory reports should be developed to report on unusual activity. This would include reversals by other users, utilizing transaction dates other than the current date, etc... Supervisory staff should oversee these and the supporting documentation. The tax area should develop an internal policy requiring staff to change their password and keep it secret. Staff should not allow other users to utilize their system while they are logged in. Change fund utilized as petty cash fund The tax area has a policy of supplying mo nies to taxpayer payments if they are wit hin $1 of the balance to pay the account in full. These supply credits are taken fro m the addit ional change monies held by the Department and periodically reimbursed. The tax area has $377 segregated for this use. This use does not appear to have been authorized. Change funds are not normally authorized to be spent by departments. Change monies should remain intact and should not be spent. The Board should authorize any mo nies retained by departments for change or petty cash. Wit hout sufficient oversight, change or petty cash mo nies could be taken. The tax area should request authority to have petty cash funds for this specific type of reimbursement. The Department should consider what amount of petty cash is needed for easier monitoring and immediately deposit any excess. A report should be developed to tally the supply receipts entered into the tax system, this should be reconciled with the supply slips submitted, and amounts paid from the change monies. Tax supervisors have access to Assessor’s tax module In review of the tax software access rights, it was noted that some tax supervisory staff had access to a module that could allow them to modify tax values. This is a funct ion normally handled by the Assessor’s Office. Tax staff should not have authorit y to change the tax roll without oversight fro m the Assessor. It is probable these rights had been provided at some point to allow access to tax informat ion. Tax staff with these rights could alter the underlying tax roll affect ing what taxes are due and potentially cover-up a reduction in tax payments. It is recommended the Finance Director or Assessor periodically review the access rights to tax software. On discovery, the Assessor’s Office removed the noted access from the tax area. No further action required. Report# 04/05 - 5 (Dated February 6, 2005) Page 12 File transfer site used to transmit/receive tax payment information is not secure Numerous financial inst itutions receive and transmit data to Oregon counties via a special File Transfer Protocol (FTP) site. This site provides an efficient means to handle batch processing of tax payments received fro m mortgage companies and financial inst itutions. The site is only accessible by authorized users but the site does not preclude other counties and financial inst itutions fro m accessing or modifying other data on the site. The data should be kept from being modified or erased once the financial inst itution or County places it there. Current ly, those with access to the FTP site could alter the underlying data, which includes the applicat ion of payments. The mit igat ing control over this would be the taxpayers not receiving appropriate credit would likely receive notices of delinquency in payment. In addit ion, most financial inst itutions send paper copy o f the electronically submitted data. This informat ion could be researched if problems surfaced. It is recommended the County request the site be secured so files once entered cannot be modified. 4.2 Laws and regulations Cash overage not deposited In review of cash drawer and change monies held in the tax area, noted $100 in extra cash that staff believes originated in October 2003 as an overage. These monies have not been deposited or reported to Finance. The County cash over/short reporting policy (P-2003-104) requires departments to report over/short amounts to County Finance as they occur. In addit ion, County po licy P-1999-075 requires received mo nies be deposited within 24 hours. Monies not deposited could be stolen. It is recommended the tax area immediately deposit the monies with Finance and prepare the cash over/short reporting form. Property owner residence address changes taken without written authority Tax staff frequent ly receive address changes from taxpayer. This informat ion is often received by phone. Administratively, the Department has been accept ing these verbal address changes. Report# 04/05 - 5 (Dated February 6, 2005) Page 13 ORS §308.212 requires owners provide in writ ing their changed residence address wit hin 30 days of the change. Their address is especially important if the Depart ment needs to send any notices to the owner. Addresses might be changed inappropriately if verbal informat ion is not taken correctly or is not provided correctly. The Department might not be able to send notices and statements to the owner. Administratively the Depart ment strives to be flexible in providing t imely services to taxpayers. They have not had any issues in accept ing address changes by phone. They indicate the state is aware of this pract ice and many other counties are doing the same. It is recommended the tax area consider whether they are properly complying with their legal obligation to obtain written address changes in accordance with the Oregon Revised Statutes. 4.3 Performance Lockbox services can streamline performance A significant amount of tax payments are received by tax area on the due dates for property tax installments. The tax area obtains addit ional part time staffing to handle the addit ional property tax inflows. The Government Finance Officer Associat ion (GFOA) recommends government ent ities evaluate the benefits and costs of utilizing lockbox services to determine if advantages can be gained in the areas o f accuracy, cash flo w, and efficiency. Handling cash receipts internally can delay deposit of receipts. Reasons for continuing without a lockbox arrangement would include: · There are a significant number of payments received requiring special handling · Tax management indicates there has been a great track record in processing accuracy at minimal cost for extra tax season staff · A significant number of receipts are handled by through mortgage lenders and these are all paid in lump (by batch) which significant ly reduces the number of payments to be handled. The County should evaluate the cost vs. benefit of a lockbox arrangement for tax payments. Report# 04/05 - 5 (Dated February 6, 2005) Page 14 5. FINDINGS – Investments 5.1 Laws and regulations Investment fee assessed to outside districts may not be accordance with State law Oregon Revised Statute(ORS) §294.080 indicates “Interest earned by any invest ment of any mo neys received by the Count y Treasurer fro m any source, which mo neys have been designated for a particular municipal organizat ion as defined by ORS §294.311, shall be credited to the account of the particular municipal corporation and not to any count y fund.”. County Finance assesses a 5% fee on invest ment earnings that is netted from invest ment earnings before earnings are distributed to districts, County funds and other entit ies for which the County invests monies. The County is responsible for collecting tax district funds and turns over those funds to districts throughout the year. The County also invests monies under agreement with certain entit ies. All mo nies are pooled together and invested in accordance with the County’s invest ment policy. The County believes other taxing districts are aware of the invest ment fee but there are no formal agreements with a number of those entit ies. The County is not required to invest mo nies for other taxing districts and could discont inue invest ing for theses districts. County legal counsel believes the Count y should develop agreements with outside ent it ies to accept the County’s invest ment policy and associated invest ment fee. By deduct ing the investment fee fro m investment earnings, the County is expending funds belo nging to other entit ies wit hout their oversight. Invest ment fees might need to be returned if those ent it ies do not approve the service fee. Total investment fee assessed in 2003/2004 were approximately $66,000. Approximately $9,000 was charged to outside ent it ies. It is recommended, based on discussion with County legal counsel, that Finance develop an agreement to be signed by taxing districts and other entities posting monies with the County, authorizing their investments to be subject to County investment policies, which includes assessment of the fee. Report# 04/05 - 5 (Dated February 6, 2005) Page 15 6. REPONSE FROM MANAGEMENT Date: February 4, 2005 To: David Givans, Internal Auditor From: Marty Wynne, Finance Director Re: Finance/Tax Department-Review of Internal Controls Response from Management 2. FINDINGS 2.1 Controls RECOMMENDATION: It is recommended software reports be developed to report on unusual activity. RESPONSE: We agree that a report should be developed that would facilitate management oversight of tax adjustments. Voucher adjustments are an important component of the Unsegregated Tax Fund reconciliation. It is unquestionably the primary area where a defalcation could be perpetrated; therefore, it needs to be monitored carefully. The information is available now but not in an efficient and comprehensive format. RECOMMENDATION: A staff person other than the one receipting the money should be responsible for authorizing any voids or reversals. RESPONSE: We do not agree that having a staff person, other than the one receipting the money, be responsible for authorizing any voids or reversals is practical or efficient. There are substantive mitigating controls over the receipting process that render this alternative Report# 04/05 - 5 (Dated February 6, 2005) Page 16 unnecessary. If implemented, it would be very time-consuming, disruptive, and would negatively impact customer service – particularly for taxpayers who come to our front counter. The mitigating controls are: 1. Cash receipting personnel, cannot make non-cash adjustments to a tax account. 2. Each staff person must balance to the penny, daily. 3. There is close, ongoing supervision and observation of staff activities. 4. Taxpayers receive frequent notices of any balances and promptly inform our office of any irregularities. The existence of any receipt that does not match our records, as adjusted receives a thorough review by management. {Auditor comment- It is understood that this issue for the tax area is significantly mitigated by the follow-up on any outstanding tax balances. However, this and the subsequent recommendation were not addressed for Finance area receipts. Currently, Finance staff have the ability to subsequently void out a receipt without sufficient oversight or supervision. Balancing expected receipts will not identify receipts that have been removed from the daily batch. Sufficient supervision over receipting is needed to identify potential problems.} RECOMMENDATION: On a periodic basis, a supervisor should review the voids and reversals for compliance with policy and that there was sufficient support to warrant the action taken. RESPONSE: We do not think that having a supervisor review the voids and reversals for compliance with policy and to verify sufficient support to warrant the action taken is practical or efficient. These transactions are routine, recurring and there are sufficient controls over balancing. {Auditor comment- See above} RECOMMENDATION: The revenue accountant oversees room tax collections and should not receipt the room tax payments since they are also responsible for reconciling accounts, posting payments, and depositing the payments. RESPONSE: We agree that improvements should be made regarding segregation of duties. A new position has been included in the FY 04-05 budget and it is management's intention to re- assign responsibility for receipting room tax payments to this new position. Report# 04/05 - 5 (Dated February 6, 2005) Page 17 RECOMMENDATION: County departments should be encouraged to check their receipts to amounts posted in HTE or periodically perform an analytical review comparing revenues with what they anticipated. RESPONSE: We agree that County operating departments should be informed of the need to reconcile revenue reports available on HTE or received from Finance to the operating department's records; however, we think this direction should come directly from the Board of County Commissioners' Office. RECOMMENDATION: It is recommended Tax and Finance investigates a cash register drawer that could be physically mounted to the underside of the counter/desk area. Also, monies remaining in the safe should be counted, balanced, and placed in a tamperproof bank bag and the staff person should initial the bag. RESPONSE: We will investigate a more secure environment for cash drawers and will look into a procedure regarding tamper proof bags. RECOMMENDATION: It is recommended Finance/Tax develop sufficient manual systems should they lose access to computer or software systems. This would include developing a prenumbered receipt book for use on these occasions. RESPONSE: We agree to develop procedures outlining how the department will function in the event of a long-term system failure. This procedure will be developed in conjunction with the Information Technology Department. RECOMMENDATION: It is recommended Finance and Tax staff document all accounting policies and procedures. The procedures should emphasize the areas of monitoring, supervision and segregation of duties. These policies and procedures should be available to all employees and should detail the responsibility of each employee. RESPONSE: We agree there are insufficient written accounting policies and procedures over the duties of staff and the process of creating procedural documentation was initiated approximately 2 Report# 04/05 - 5 (Dated February 6, 2005) Page 18 years ago and is a work in progress. Due to demands on the staff this project has not yet been completed. Each area requiring procedures will be evaluated and prioritized in order of importance and as time allows the documentation will be written. RECOMMENDATION: It is recommended Non-Finance/Tax staff should not receive routine access to Finance/Tax area unless first approved by Finance/Tax. RESPONSE: Management will request all access be denied to Non-Finance/Tax staff, then review access requests on an individual basis. RECOMMENDATION: It is recommended Finance/Tax work with Risk Management to develop some form of physical controls over the front desk areas. Also, Tax attendant procedures should be reviewed to allow staff the ability to count-out their register drawers away from customers. RESPONSE: We agree security at the attendant window could be improved. We will consult with Risk Management to see what options are available. Management agrees with the recommendation to revise our tax attendant procedures to allow staff the ability to count-out their register drawers away from customers. 3. FINDINGS - Finance 3.2 Controls RECOMMENDATION: It is recommended the disbursements module security be reviewed and users removed who have access to the signature card. Other accounting modules should be reviewed periodically for potential segregation of duty conflict. Security settings should also be reviewed periodically for any new reports, so those can be authorized for appropriate users. RESPONSE: We agree that HTE securities (authority for HTE function use given to user groups or individual users) should be reviewed periodically to determine that any user or user group has access to all the HTE functions needed and only those needed. The review would include identifying potential segregation of duty issues. Report# 04/05 - 5 (Dated February 6, 2005) Page 19 RECOMMENDATION: It is recommended a supervisor review the bank reconciliations on a monthly basis, and signify this review by leaving their initials and date on the bank reconciliation. RESPONSE: Review, as evidenced by a supervisor's initialing and dating, of the monthly bank reconciliations will be added to the Department's monthly checklist. RECOMMENDATION: It is recommended for staff to reconcile the check stock used (used, voided, or mis- fed) to the number of checks in the check run. RESPONSE: We believe existing procedures for storage of blank check stock provides adequate security. However, we will modify procedures regarding use of check stock to include accounting for duplicate checks and stock not usable due to printer mis-feeds. 3.3 Laws and Regulations RECOMMENDATION: It is recommended Finance staff should receipt all the cash received on dog licenses within 24 hours. RESPONSE: County policy requires that payments (cash, checks, etc.) be deposited within 24 hours of receipt. We agree that this includes payments received via U.S.P.S. for dog licensing. At the time of the internal audit, there was a backlog in this area, which is no longer the case. 4. FINDINGS - Tax 4.1 Controls RECOMMENDATION: It is recommended the Tax software be modified so USERID's cannot be altered without relogging in. Supervisory reports should be developed to report on unusual activity. RESPONSE: We agree that USERID’s should not be alterable. The feature, which is used by other counties, has been disabled for our County. We have added a software enhancement Report# 04/05 - 5 (Dated February 6, 2005) Page 20 request for the development of a report that will comprehensively report all Tax credit, discount, and interest adjustments to management. The enhancement request has been given a “1” (highest) priority. RECOMMENDATION: The Tax Department should develop an internal policy requiring staff to change their password and keep it secret. Staff should not allow other users to utilize their system while they are logged in. RESPONSE: We will develop a policy regarding effective password maintenance. RECOMMENDATION: The Tax Department should be authorized to convert part of these monies to petty cash for this specific type of reimbursement. RESPONSE: We agree. RECOMMENDATION: It is recommended the Finance Director or Assessor periodically review the access rights to tax software. RESPONSE: We agree. Access has been removed for the Tax supervisors. RECOMMENDATION: It is recommended the County request the site be secured so files once entered cannot be modified. RESPONSE: The Oregon Data Exchange FTP site has been a huge improvement over its predecessor tape exchange program. Only authorized users have access, so it is somewhat of a misstatement to say that the file transfer site is not secure. However, in its current state, one participant could delete, alter, or replace another county's, or tax agent's data. The issue of security will be addressed at the next OACTC Tape exchange meeting. The proposed solution of prohibiting the modification of files may not be a practicable solution due to current naming conventions and upload/download processes and requirements. Report# 04/05 - 5 (Dated February 6, 2005) Page 21 4.2 Laws and Regulations RECOMMENDATION: It is recommended the Tax Department immediately deposit the monies with Finance and prepare the cash over/short reporting form. RESPONSE: The monies have been deposited with the Treasurer. RECOMMMENDATION: It is recommended the Tax Department consider whether they are properly complying with their legal obligation to obtain written address changes in accordance with the Oregon Revised Statutes. RESPONSE: There are two relevant statutes: ORS 308.212 and 311.555. The Tax Department has extensive policies and controls over address changes. Written documentation on all address changes is maintained. Written requests are obtained whenever practicable. Address changes are accepted over the phone and a written form is prepared that notes the change, who called with the request and the staff person taking the request. Department of Revenue is aware of our practice. The Tax Department has carefully compared the relatively low risk of taking verbal phone requests with the inconvenience to the taxpayer of requiring that they communicate in writing. Management has elected to continue our existing process. 4.3 Performance RECOMMENDATION: The County should evaluate the cost vs. benefit of a lockbox arrangement for tax payments. RESPONSE: We are in the process of evaluating the cost vs. benefit of a lockbox arrangement for tax payments. Report# 04/05 - 5 (Dated February 6, 2005) Page 22 5. FINDINGS - Investments 5.1 Laws and regulations RECOMMENDATION: It is recommended, from discussion with County legal counsel, the County develop an agreement to be signed by taxing districts and other entities posting monies with the County for their money to be subject to County investment policies including the investment fee. RESPONSE: We plan to further evaluate implementation of this recommendation or discontinue providing investment services to outside agencies.