County accounting system (MUNIS) purchasing topics: Part I – Security and workflows
report #1920-9
January 2021

To request this information in an alternate format, please call (541) 330-4674 or send email to David.Givans@Deschutes.org

Deschutes County, Oregon
David Givans, CPA, CIA
Deschutes County Internal Auditor
1300 NW Wall St
Bend, OR 97703
541-330-4674
David.Givans@deschutes.org

Audit committee members:
Daryl Parrish, Chair - Public member
Jodi Burch – Public Member
Tom Linhares - Public member
Scott Reich - Public member
Summer Sears – Public member
Stan Turel - Public member
Patti Adair, County Commissioner
Nancy Blankenship, County Clerk
Nick Lelack, Community Development Director

TABLE OF CONTENTS:

HIGHLIGHTS

1. INTRODUCTION
1.1. Background on Audit
1.2. Objectives and Scope
1.3. Methodology
1.4. Background on County accounting system (Tyler Munis)
1.5. Background information on security and approval workflows

2. FINDINGS and OBSERVATIONS
2.1. Security findings and observations
2.2. Approval workflow findings and observations
2.3. Internal controls findings and observations

3. MANAGEMENT RESPONSE
3.1. Finance

HIGHLIGHTS

Why this audit was performed:
The County transitioned to a new integrated accounting and human resource system.
What was recommended:
Recommendations include:
• including the County Administrator in workflow for all disbursements in excess of department limits;
• including the Board of County Commissioners (or designee) in workflow for disbursements over $150 thousand;
• working with departments on rollout of purchase card rebate program;
• segregating duties in the overall design of roles given to users; and
• reviewing the history for “Munis” roles.

Part I - Security and workflows

The focus of this audit work is on purchasing topics for the County accounting system (Tyler Munis). Purchasing topics will include procurement cards, new procurement workflows, and other adopted technology with the new accounting system. This first report focuses on security and approval workflows established in Munis.

What was found

Workflows
There is a lack of workflow approvals that mirror authority at the highest levels. The County Administrator and the Board of County Commissioners do not have enforced disbursement approvals in the accounting software system.

There are significant purchasing card transactions performed by Finance. They are making vendor payments, sometimes exceeding $100 thousand, with a purchasing card, with the idea that rebates (of 1.5%) they receive on the card purchases will offset Finance department costs.

Approval workflows in Finance allow vendor setup, edits, and approval by the same person.

There are some additional workflows to be considered.

Security
Plan and design of Finance roles does not adequately consider segregation of duties. Analysis highlighted some potential conflicts that might exist with the assigned permissions.

Usage of “Munis” administrative role could be better controlled.

Internal controls
The documentation of the current state of the County’s Munis accounting system could be improved (such as including the role structure).
Deschutes County Internal Audit

1. Introduction

1.1 BACKGROUND ON AUDIT

Audit Authority:
The Deschutes County Audit Committee authorized the review of purchasing topics for the County Accounting system (Tyler Munis) with the FY 21 internal audit workplan. Purchasing topics will include procurement cards, new procurement workflows, and other adopted technology with the new accounting system. This first report of a series of reports will focus on the review of security and approval workflows established in Munis.

The overall topic was divided up due to the complexity of the topic and to release findings in a timelier manner. Additional anticipated report topics to be released from this work based on the audit objectives below will include:
1) Vendor controls
2) Procurement cards
3) Purchasing analyses

1.2 OBJECTIVES and SCOPE

“Audit objectives” define the goals of the audit.

Objectives included: (carried over to future reports)
1) Assess and evaluate the security roles and approval workflows established for processing purchases through Munis.
   a) Consider whether there are opportunities to improve efficiency and effectiveness with the purchasing workflow.
   b) To what extent are County departments using the requisition/purchase order process for purchasing.
2) Assess and evaluate risks to the vendor master file. The vendor master file manages who and how payments are made to vendors.
   a) Segregation of duties and access
   b) Changes and associated support
3) Assess and evaluate the use of County issued procurement cards.
4) Analyze purchases in a number of areas, including
   a) Effectiveness of approvals
   b) Duplicates search
   c) Use of discounts
   d) Whether transactions have been split to avoid proper approvals or purchasing requirements
   e) Benford’s analysis – identifies unusual disbursement amounts.
5) Be aware of any issues with compliance with federal and state regulations and requirements, as may be applicable.

Scope and timing:
The audit commenced in March 2020. The work was interrupted by a pressing audit request from the Board of County Commissioners and Budget committee. Work re-commenced in September 2020. Work was focused on purchasing topics within the accounting system in place as of September 2020.

The scope of the audit did not include all aspects of internal controls employed. The accounting system is only partly represented in Munis as there are numerous other internal control systems in place at the County including administrative, budgetary, and legal.

The work occurred during the COVID-19 pandemic.

1.3 METHODOLOGY

“Audit procedures are created to address the audit objectives”

Audit procedures relevant to the reported topics in this report include:
• Interviewing staff related to accounting system questions.
• Reviewing associated accounting system documentation.
• Analyzing background information on purchasing and purchasing within Munis.
• Analyses of users and established security settings.
• Review for appropriate segregation of duties.
   o Utilizing a method of assigning approval, entry, and custody type labels to tasks in Munis, we were able to highlight areas where there might be conflicts with assigned permissions.
• Analyses of approval workflow for the County, departments, and users around purchasing.
• Review of State and County purchasing rules.
We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

(2018 Revision of Government Auditing Standards, issued by the Comptroller General of the United States.)

The County Internal Auditor was created by the Deschutes County Code as an independent office conducting performance audits to provide information and recommendations for improvement.

1.4 BACKGROUND ON COUNTY ACCOUNTING SYSTEM (Tyler MUNIS)

The County recently upgraded to version 2019 of Munis.

Deschutes County recognized a need to transition to a new integrated accounting and human resource system in early 2014. The County selected through a competitive bid process Tyler’s Munis accounting and human resource software. Some three years later in July 2017, the accounting system was started after countless hours of work by the Finance department, Information Technology Department and nearly every County department. The County utilized Tyler consulting services to implement and set up the system through discussions with County staff. Countless other milestones have followed since then, including setting up payroll and human resources. The County is continuing to upgrade as there are new releases of the software.

GRAPH I: Composition of purchasing by type and period (by counts)

The County performed a thorough RFP process for the integrated Financial and HR software in May 2015. The County negotiated with Tyler representatives and brought forth a contract in March 2016.
$1.8 million of this project was funded with transfers from the County general fund and is to be repaid over a seven-year period through internal charges to departments. Charges to departments began in FY 2016 and will continue through FY 2023.

The significant goals of the new accounting/human resource software system included:
• system management of all electronic documentation;
• electronic data entry;
• electronic approvals;
• County and department specific electronic approvals;
• integration with other systems;
• enhanced internal controls;
• compliance with state and federal regulations;
• access to data; and
• self-service options.

One aspect of the new accounting system that was being encouraged was the move to requisitions, purchase orders, and contracts over direct pay invoices. These purchasing types in the system allow an approval of the initial requisition or contract and then a streamlined approval of the forthcoming invoices under those. This was anticipated to be a big boost in efficiency as well as improved internal control (i.e. three-way match on requisitions). In addition, entering purchases through requisitions, purchase orders, or contracts results in encumbrances in the accounting system that help identify costs incurred against available budget. This is a particularly important tool for staying within budget.

The trends show some increase in utilization of contracts, requisitions/purchase orders, and the newest purchasing category of purchasing cards (p-cards) over invoices. The trend for amounts is somewhat similar to this. There is still room for improvement. The Finance Department has instituted a number of reports and processes to bring greater awareness of how the software is operating in terms of workflows and control functions.
1.5 BACKGROUND INFORMATION ON SECURITY AND APPROVAL WORKFLOWS

Only a third of County employees have access to Munis.

1) SECURITY

Security (and intertwined with that privacy) is of significant importance to the makeup of any system of internal controls around the accounting/human resource software. Security by user is established first over access to the County network where the software resides. The County’s Information Technology Department is the gatekeeper for adding users to the network and to Munis. Not all county employees have a need to access the County accounting system (nor do all employees have access to the network). There are approximately 340 users in the accounting system (approximately a third of the number of County employees) and of those only a third or so have approval rights in the system.

The County has significant control over what a user can see and do in Munis. The County limits access to social security numbers as well as dates of birth, to name a few restrictions.

The County utilizes role based access control (RBAC), which is a best practice. RBAC tailors a user’s roles to the access needed to do their job. Roles are established to control functional access, data access, and menu access. Utilizing job and functional roles is more efficient than setting up unique roles by user.
• Functional access roles define the permission of what a user can do.
• Data roles limit the records a user can see, generally, to a specific fund, department, and/or division.
• Menu access is usually kept within the functional role as it can limit what a user can see of the software menus and options in order to use the system.

DIAGRAM I: Architecture for security over accounting system

RBAC does not inherently provide segregation of duties.
Instead, it is implied in the setup of assigned roles that there should be an effort to separate authorization, record keeping (data entry), custody, and reconciliation. That is one of the questions that is being asked in this audit.

These major areas provide varying controls over access and approval of accounting transactions and settings.
• Network security
• Munis user directory
• Munis Security – established user roles and attributes for carrying out transactions and for what they can see and do.
• Munis approval workflows establish how any transaction is approved before it can happen.

2) APPROVAL WORKFLOWS

Workflows help to mirror the paper approvals that occurred prior to this system and that are established by the County for purchasing levels. There are a number of actions (steps) that when set up will trigger one or more approval workflows. These can be tailored to departments (by accounts) and/or amounts. These workflows can trigger notifications as well as approvals.

These workflows are available for some of the most controlled areas of the system. These include disbursements and vendor administration. Departments benefit from greater transparency in the system of approvals and improved access to information on their accounting.

Having structured approval workflows helps in mitigating some segregation of duties issues. The three most significant workflows are described below for direct invoices, requisitions, and contracts.

DIAGRAM II: Direct invoice approval workflows

“Direct Invoices” represent bills for services or goods that do not have an associated requisition, purchase order, or contract. These are generally a direct payment and generally are not subject to competitive bidding.

DIAGRAM III: Requisition approval workflows
“Requisitions” are a request for services or goods and generally are converted into purchase orders. Many invoices can be presented against a purchase order. These might require bids or other competitive process.

You will note that the two workflows for invoices and requisitions are very similar. Requisitions generally are converted into purchase orders and then any invoices associated with the purchase order are processed and paid without much additional review.

Contracts are similar in many ways to requisitions, except they have attached an associated contract and these, also, can have multiple invoices associated to them. The workflow for contracts is as follows.

DIAGRAM IV: Contract approval workflows

“Contracts” can be a request for services or goods. Many invoices can be presented against a contract. These might require bids or other competitive process. Some are intergovernmental agreements.

Contracts tend to be for greater amounts and may have competitive bids associated with the procurement. Contracts go through an additional workflow through Legal Counsel and Administration.

In addition to procurement workflows there are a number of other workflows that were reviewed. Probably, the most significant is the control over additions and changes to vendor records.

2. Findings and Observations

The audit included limited procedures to understand the systems of internal control around revenues. No significant deficiencies were found in this audit. A significant deficiency is defined as an internal control deficiency that could adversely affect the entity’s ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements.
The findings noted were primarily compliance and efficiency matters.

Audit findings result from incidents of non-compliance with stated procedures and/or departures from prudent operation. The findings are, by nature, subjective. The audit disclosed certain policies, procedures and practices that could be improved. The audit was neither designed nor intended to be a detailed study of every relevant system, procedure or transaction. Accordingly, the opportunities for improvement presented in the report may not be all-inclusive of areas where improvement may be needed and do not replace efforts needed to design an effective system of internal control.

2.1 SECURITY FINDINGS and OBSERVATIONS

Plan and design of Finance roles does not adequately consider segregation of duties.

The documentation of roles has not been completed and the assignment of roles (functional and job) imparts a significant amount of authority within the Finance department.

The audit developed an analysis tool for segregation of duties, by assigning approval, entry, and custodial type responsibilities to significant Munis permissions. This analysis highlighted some of the potential conflicts that might exist with the assigned permissions.

For instance, the Accounting Manager position has super-user rights to the system and can do almost anything in the system without oversight. This position has three job roles and three functional roles that span most of the available permissions. In addition, the Chief Financial Officer also has significant user rights from one functional role and two job roles. In some cases it was noted that Finance staff can approve their own entries. This parallels prior Finance control over the prior accounting system, in order to get the financial work done.
With the new system there are added responsibilities to assure that workflows are working and that delays or issues are resolved in a timely manner.

Segregation of duties is particularly important within the Finance Department. It is probably most significant because they have significant oversight responsibilities as well as record keeping responsibilities. No single user should be able to perform two or more duties such as initiate a transaction, authorize the transaction, provide custody for the transaction when they are goods, and reconcile underlying records.

Deschutes County has relied to a greater extent on Finance since they lead the project management and purchasing decisions around the new accounting system implementation. Finance is responsible for a lot of the troubleshooting and upkeep of the system and therefore has been given significant rights. Information technology (though it has significant access as well) is not effecting change to accounting records and is mostly establishing users by re-using existing roles.

During the implementation, Finance had additional project management/oversight resources for handling the additional system duties. Post implementation, these extra resources were not continued and the Finance Department has not been able to continue documentation and proactive management of the accounting system after implementation. Given the size of the County and the associated internal service funds, Finance is the most pragmatic department to provide many of these services.

Some of the role permissions are further mitigated by workflow approvals that are required from someone else as well as reports available from the system or as developed.

To mitigate the risk of assigning conflicting permissions, a review of the role based accesses for both individual roles and individual users’ combination of assigned permissions should be periodically performed.
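The periodic review described above can be automated along the lines of the audit's own method: label each permission with a duty type, then look for one role or one user holding two different duties in the same process area. The sketch below is an added example, not the County's or Tyler's tooling; every permission, role and user name in it is constructed for illustration and is not a Munis identifier.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data: permission -> (process area, duty type).
# Duty types follow the report: entry, approval, custody, reconciliation.
PERMISSION_DUTIES = {
    "invoice_entry":   ("invoices", "entry"),
    "invoice_approve": ("invoices", "approval"),
    "check_release":   ("invoices", "custody"),
    "bank_reconcile":  ("invoices", "reconciliation"),
    "vendor_edit":     ("vendors", "entry"),
    "vendor_approve":  ("vendors", "approval"),
    "budget_inquiry":  ("budget", None),  # read-only: carries no duty
}

# Constructed roles (hypothetical names).
ROLE_PERMISSIONS = {
    "ap_clerk":     {"invoice_entry", "budget_inquiry"},
    "ap_approver":  {"invoice_approve", "budget_inquiry"},
    "vendor_admin": {"vendor_edit", "vendor_approve"},  # conflicts by itself
    "treasury":     {"check_release"},
    "recon":        {"bank_reconcile"},
}

# Constructed user-to-role assignments (hypothetical users).
USER_ROLES = {
    "user_a": {"ap_clerk"},
    "user_b": {"ap_clerk", "ap_approver"},  # clean roles, conflicting together
    "user_c": {"vendor_admin"},
    "user_d": {"treasury", "recon", "ap_approver"},
}


def unlabelled(permissions):
    """Permissions with no duty label yet; these need labelling, not a pass."""
    return sorted(p for p in permissions if p not in PERMISSION_DUTIES)


def find_conflicts(permissions):
    """Return sorted (area, duty, duty) tuples where one holder has two duties."""
    duties_by_area = defaultdict(set)
    for perm in permissions:
        area, duty = PERMISSION_DUTIES.get(perm, (None, None))
        if duty is not None:
            duties_by_area[area].add(duty)
    found = []
    for area, duties in duties_by_area.items():
        found.extend((area, a, b) for a, b in combinations(sorted(duties), 2))
    return sorted(found)


def review_roles(role_permissions):
    """Roles that are conflicting on their own, before any user holds them."""
    report = {}
    for role, perms in role_permissions.items():
        conflicts = find_conflicts(perms)
        if conflicts:
            report[role] = conflicts
    return report


def review_users(user_roles, role_permissions):
    """Conflicts in each user's combined permissions across all their roles."""
    report = {}
    for user, roles in user_roles.items():
        effective = set().union(*(role_permissions[r] for r in roles))
        conflicts = find_conflicts(effective)
        if not conflicts:
            continue
        # Conflicts already present inside a single assigned role.
        in_one_role = {c for r in roles for c in find_conflicts(role_permissions[r])}
        report[user] = {
            "conflicts": conflicts,
            "only_from_combination": [c for c in conflicts if c not in in_one_role],
        }
    return report


if __name__ == "__main__":
    print("Roles conflicting by design:", review_roles(ROLE_PERMISSIONS))
    for user, detail in sorted(review_users(USER_ROLES, ROLE_PERMISSIONS).items()):
        print(user, detail)
```

The `only_from_combination` list is the part a role-by-role review misses: each role passes on its own, but the user holding both does not.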
A review of approvals indicated the Accounting Manager did not have any significant invoice transactions they approved that hadn’t been forwarded to them for approval. The CFO has not initiated any invoices.

It is recommended for segregation of duties to be considered in the overall design of roles given to users.

It is recommended Finance segregate significant duties within the system and provide greater guidance on approvals. This might include additional policy and procedural requirements to discourage self-approvals and further describe proper forwarding of approvals.

It is recommended that periodically IT and Finance join forces to perform a segregation of duties review by user of their assigned permissions. Internal audit can provide guidance on how to carry out this review.

It is recommended for the County to consider how it might address the additional resources (staffing time) necessary to help Finance and IT maintain ongoing support; document systems controls (such as roles and workflows); and reinforce segregation of duties.

“Munis” administrative user is strictly guarded.

Usage of “Munis” administrative role could be better controlled.

The Munis software has a user and a role called "Munis". This role has super-user rights and is limited to those individuals with system administration type duties. It was noted in the user history that two users were given “Munis” rights and then the rights were removed.
• In one case a non-IT administrative user was able to give themselves this right. This Finance user was given rights to help others with permissions, but it was not intended to be used for them to give themselves an additional right.
• In the other situation IT was testing something and quickly removed the right.
The system has the Munis user for certain administrative tasks that cannot be achieved elsewhere. Therefore the usage of this by any other users is strictly guarded. In both the situations, the permission appeared to be removed shortly after it was given and no unusual transactions were performed with those rights.

It is recommended periodically IT and Finance review the history for the “Munis” roles and make sure that it is not being assigned without reason and that it is not being used to approve any transactions.

Some active Munis users do not have employee credentials.

Some County Munis users do not have their employee number associated with their account. This appears to be a problem with the timing of establishing the user versus the entry of the employee by Human Resources. Though it may matter for some p-card functionality, it also establishes a way to locate the user in the personnel records.

Without the employee number, it is not clear why the user was established. It is also not likely there will be a trigger to remove these users from access when their reason for access has ended.

In limited circumstances, some users who are not employees are provided access to Munis. This is generally to input budgets for some of the funds.

It is recommended for the procedures for establishing new Munis users be updated to include a provision to include the association with their employee number, if applicable.

2.2 APPROVAL WORKFLOW FINDINGS and OBSERVATIONS

County Administrator relies on forwarded approval requests.

Lack of workflow approvals that mirror authority.
As noted in the above workflow diagrams (Diagrams II-IV), the County Administrator and the Board of County Commissioners are not included in the workflows for approving disbursements in the accounting software system. Included under disbursement approvals are workflows for requisitions, purchase orders, contracts, procurement cards, and invoices.

The system is set up so the Treasurer/Chief Financial Officer forwards select approvals to the County Administrator and documents decisions of the Board of County Commissioners. Whether or not this occurs is dependent on the CFO choosing to forward these to the County Administrator or assuring Board approvals prior to disbursement.

Approval workflows established in the system provide a proactive control that pushes certain transactions to certain roles/users for approval. Without approval these transactions/entries cannot be completed. This is a particularly important check for internal control.

Under Oregon statute (ORS 208.010) County Treasurers are to disburse on the proper orders, issued and attested by the Board of County Commissioners. One exception to this appears to be the distribution of monies collected on behalf of taxing districts. Oregon statute (ORS 311.395) expressly makes that the authority of tax collectors and County Treasurers. The county treasurer shall distribute the amount of money set out in the tax turnover statement.

The most significant purchasing approval workflows are banded by purchasing limits with departments and senior county officials and outlined in County policy F-15 - Payments to Suppliers. Most County Department heads have a purchasing authority up to $25 thousand (Health Services’ is $50 thousand). The County Administrator has authority from the Department head’s authority up to $150 thousand. In excess of those amounts the Board of County Commissioners has approval.
It is not clear the County Administrator is being asked to approve payments over $150 thousand as a means to assuring these are ready for Board approval. The policy guidance does not extend to other disbursements that are not under purchasing, such as turnover of taxes, refunding payments, payments of funds held in trust, and benefit payments, to name a few.

Some examination of approvals indicated that sometimes the County Administrator or Board approvals are not requested or documented. For example, analyses of approval workflow history for FY20 through September 2020 indicate that not all disbursements from the API workflow (direct invoices) were approved by the County Administrator.
• For disbursements greater than $25 thousand and less than $150 thousand (those that the County Administrator is responsible for), seven percent (7%) were not forwarded to the County Administrator ($590 thousand over sixteen transactions). This excludes tax turnover payments.
• For disbursements greater than $150 thousand (those that are the responsibility of the Board of County Commissioners), eleven percent (11%) were not forwarded through the County Administrator ($4.2 million over about eighty transactions). Some of these that were reviewed did not have explicit Board approval. This excludes tax turnover payments.

This limiting of workflows to the County Administrator seems to have been part of growing into the new software system. The same applies to the Board of County Commissioners (who do not have access to the system).

There are certain workflow reports developed by Finance that highlight approvals by threshold dollar level. This is a possible mitigating control in that these can identify unusual approval transactions but it isn’t clear they are being used by the County Administrator.
These reports are being used inside Finance to monitor the approval workflows across the County.

The CFO also forwards to the County Administrator expenditure authorization listing (EAL) reports that identify payments being made. These are in turn shared with the Board of County Commissioners. However, it is important the County Administrator have direct and complete access to all financial activities in case the CFO chooses not to forward such a report. In addition, many of these reports are all after the payments have been authorized.

With approvals as they currently are, it is possible the CFO could approve large dollar value transactions without other management involvement. It is important for all larger disbursements to be approved by the County Administrator before they are disbursed.

{County comparisons: A brief survey of some of our larger peer counties was used to see how they authorized payments. Many reiterated the county purchasing requirements that Deschutes also follows. Some indicated the practice of the Board of County Commissioners doing weekly approvals of the checks being processed (as was done previously by Deschutes). Some indicated that some approvals were based on budgets being approved.}

It is recommended for the County Administrator to be included in workflow for all disbursements in excess of department limits.

It is recommended the Board of County Commissioners have the County Administrator (or designee) review all payments over $150 thousand before they go to them.

It is recommended the County Administrator (or designee) receive the Finance designed disbursement control reports on at least a monthly basis and review for any anomalies (approvals made without the County Administrator or Board designee). The Information Technology department should assure the monitoring reports are working as designed.
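A disbursement control report of the kind recommended above can be sketched as a check of each disbursement's approval history against the approver its amount requires. This is an added example, not the Finance-designed report or a Munis export: the record layout, role labels and sample rows are constructed, the dollar limits are those quoted from policy F-15, and it assumes limits are inclusive and that Board-level items also pass through the County Administrator, as the report recommends.

```python
from decimal import Decimal

# Purchasing limits quoted in the report (policy F-15).
DEPT_LIMIT_DEFAULT = Decimal("25000")
DEPT_LIMITS = {"Health Services": Decimal("50000")}
ADMIN_LIMIT = Decimal("150000")

# Assumption: role labels, and that items over $150 thousand need both the
# County Administrator's review and a documented Board approval.
REQUIRED_ROLES = {
    "department_head": {"department_head"},
    "county_administrator": {"county_administrator"},
    "board": {"county_administrator", "board"},
}

# Constructed approval-history rows (hypothetical layout and users).
HISTORY = [
    {"id": "INV-1", "dept": "Road", "amount": "18000.00", "entered_by": "u1",
     "approvals": [("u2", "department_head")], "tax_turnover": False},
    {"id": "INV-2", "dept": "Health Services", "amount": "40000.00", "entered_by": "u3",
     "approvals": [("u4", "department_head")], "tax_turnover": False},
    {"id": "INV-3", "dept": "Solid Waste", "amount": "40000.00", "entered_by": "u5",
     "approvals": [("u6", "department_head"), ("fin2", "finance")], "tax_turnover": False},
    {"id": "INV-4", "dept": "Solid Waste", "amount": "98000.00", "entered_by": "u5",
     "approvals": [("u6", "department_head"), ("adm1", "county_administrator")],
     "tax_turnover": False},
    {"id": "INV-5", "dept": "Finance", "amount": "210000.00", "entered_by": "fin1",
     "approvals": [("fin1", "finance")], "tax_turnover": False},
    {"id": "INV-6", "dept": "Tax", "amount": "900000.00", "entered_by": "fin3",
     "approvals": [("fin2", "finance")], "tax_turnover": True},
    {"id": "INV-7", "dept": "Road", "amount": "175000.00", "entered_by": "u1",
     "approvals": [("u2", "department_head"), ("adm1", "county_administrator"),
                   ("clerk1", "board")], "tax_turnover": False},
]


def required_tier(dept, amount):
    """Highest approval tier a disbursement of this amount must reach."""
    if amount <= DEPT_LIMITS.get(dept, DEPT_LIMIT_DEFAULT):
        return "department_head"
    if amount <= ADMIN_LIMIT:
        return "county_administrator"
    return "board"


def missing_roles(rec):
    """Required approver roles that do not appear in the record's history."""
    tier = required_tier(rec["dept"], Decimal(rec["amount"]))
    return sorted(REQUIRED_ROLES[tier] - {role for _, role in rec["approvals"]})


def find_exceptions(history):
    """List (id, finding) pairs; tax turnover payments are excluded."""
    findings = []
    for rec in history:
        if rec["tax_turnover"]:
            continue  # statutory Treasurer authority, outside the thresholds
        findings.extend((rec["id"], "missing:" + role) for role in missing_roles(rec))
        if rec["entered_by"] in {user for user, _ in rec["approvals"]}:
            findings.append((rec["id"], "self_approval"))
    return findings


def band_summary(history):
    """Per tier: count, count and amount lacking a required approver, percent."""
    summary = {tier: {"count": 0, "missing": 0, "missing_amount": Decimal("0")}
               for tier in REQUIRED_ROLES}
    for rec in history:
        if rec["tax_turnover"]:
            continue
        amount = Decimal(rec["amount"])
        band = summary[required_tier(rec["dept"], amount)]
        band["count"] += 1
        if missing_roles(rec):
            band["missing"] += 1
            band["missing_amount"] += amount
    for band in summary.values():
        band["pct_missing"] = (round(100 * band["missing"] / band["count"], 1)
                               if band["count"] else 0.0)
    return summary


if __name__ == "__main__":
    for finding in find_exceptions(HISTORY):
        print(finding)
    for tier, band in band_summary(HISTORY).items():
        print(tier, band)
```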
It is recommended for the Board of County Commissioners (or designee) to assure that disbursements over $150 thousand have their approval. They might consider staffing this review through Administration/BOCC to lend additional segregation of duties over Finance.

It is recommended the Board of County Commissioners clarify by policy (perhaps in Policy F-15 – Department purchasing thresholds) that the purchasing approval thresholds also apply to all payments being made, excluding certain payments that by statute can be made by the County Treasurer. It would also be a place where they direct whether the County Administrator should review and approve any payments coming to them for approval.

Significant purchasing card transactions performed by Finance.

A number of Solid Waste vendor payments of around $100 thousand were made by Finance on their purchasing card (the only one that is outside of limits for a department head and can be up to $300 thousand). Finance has this special card for paying large approved expenses that are payable by a purchase card as an alternative to writing a check. It appears this was done to take advantage of a purchase card rebate with the County’s bank. These invoices were originally submitted to be paid by check and approved through normal invoice approvals.

Finance was able to negotiate with the County’s banking institution to obtain a rebate of 1.5% on purchase card purchases. Finance anticipates using these purchase card rebates (on other department purchases) as income in Finance to reduce Finance internal service charges to all departments.

It does appear the invoices went through the same procurement workflow for invoices, but were also put through purchase card workflow. The workflow as a purchase card lacked sufficient detail on its own.
The Solid Waste Department was not consulted in advance of the change in payment method. It appears the transaction could have been set up by the department for purchase card payment. It is thought this will be more efficient and create a better trail for the transaction. In addition, the department in negotiation with the vendor might be able to obtain better discount terms if they are paid promptly. Vendors may provide discounts for timely payment, and may accept payment by check with an equal or greater discount rather than take a purchase card. This might be of benefit to the department and the vendor.

Finance indicates they have discussed the rebate arrangement with departments. It is not clear County departments are supportive of Finance benefiting from the terms of payment on a department's purchases.

Over four invoices from Solid Waste, Finance should receive close to $6 thousand in rebates. As of September, Finance has not received these rebates as they have not requested them from the bank. Finance is targeting larger invoices from departments and has not introduced procedures to maximize the use of the potential rebate across County departments.

It is recommended for Finance to work with departments on the rollout of using the purchase card rebate program and who should benefit from the purchase card rebate.

It is recommended for the department considering use of a purchase card to see what payment arrangements can be made with their vendor that maximizes the potential discount on timely payment.

It is recommended for vendors who are to be set up for payment through purchase card be set up from the beginning by the department.

It is recommended for Finance to regularly collect on purchase card rebates and post them to the County accounting records.

Approval workflows allow vendor setup/edits and approval by same person.
It was noted that a vendor was updated in Finance with new information and then approved by the same person. Approval workflows established for some Finance staff with responsibilities for vendor changes allow them to edit and approve their own changes.

Appropriate segregation of duties over important vendor information should require a separation of the approval from the entry. Finance staff are responsible for attaching relevant documentation for any changes. However, without another set of eyes on the material it is not clear that there is appropriate approval of the change.

The County (like many businesses) is receiving fictitious requests to change vendor information that could allow the payments to go to the wrong place. Together with the risk of fictitious vendors being established, these requests heighten the need for segregation of duties on the vendor master file. The vendor master file contains important banking information, addresses, and taxpayer identification that are critical for proper payment and reporting. In subsequent audit work, there will be additional review of changes and support.

It is recommended for Finance to improve segregation of duties over vendor additions and changes by requiring a separate person approve any additions or changes.

Additional workflows to be considered.

Workflows in Munis trigger additional review and approvals.

The current version of Munis (ver. 2019) has a number of approval workflows over purchasing that are being utilized.

TABLE I – Current Munis workflows being utilized (descending order of activity)
Those purchasing workflows currently in use are as follows:

Workflow code   Workflow Description
API             Accounts Payable Invoice Approvals
REQ             Requisition Approvals
RQC             Requisition Conversions
PEA             Payment Entry Batch Approval
VIU             Vendor Internal Update
RCP             Requisition Conversion to Purchase Order Notify
VIA             Vendor Internal Addition
COE             Contract Approvals
POM             Purchase Order Change Order Approvals
COM             Change Order Approvals
APC             Accounts Payable Purchasing Cards
APN             Procurement Card Import Notification
RCR             Requisition Conversion Reject Notify
APH             Accounts Payable Check Approvals
APP             Accounts Payable Payment Approvals
RVA             Payment Reversals Approval
EEA             Employee Expense Actual Claim

There are some additional workflows available in the system that could be further explored. These include:

TABLE II – Additional Munis workflows available

Workflow code   Workflow Description

APD             Accounts Payable Invoice Discrepancies
Settings need to be activated for one or more discrepancies:
• Invoice entered without a purchase order
• Invoice entered for a purchase order without sufficient receiving
• Invoice entered for a purchase order where the unit price is outside of allowed variance
• Invoice entered for a purchase order where the quantity is greater than the ordered quantity
• Invoice entered for an expired purchase order
• Direct pay invoice entered without a commodity code.
This also requires that three-way match be activated. None of these discrepancies is currently set in the County settings.

APP             Check Payment Approvals
This additional check and balance of payment workflow requires that a posted Accounts Payable Invoice be approved before it can transition to the next step and be paid by check. Check approval workflow can be set up by amount or account segment and/or purchasing department.
We currently use APH workflow (which may be sufficient).

RFC             Check Request Approval
Useful for employee-related reimbursement expenses, travel expenses, or direct invoices and seek easier routing of workflow beyond API workflow.

Maximizing the capabilities of the accounting software can assure the County is using efficient and effective controls. Though all of these may not be as important as some of the workflows, the invoice discrepancy workflow (APD) seems to be one that should be considered for use in combination with three-way match, which is an important control.

It is recommended for the County to consider some of the workflows they have not been using.

2.3 INTERNAL CONTROLS FINDINGS and OBSERVATIONS

Overall, the documentation of the current state of the County’s Munis accounting system could be improved.

With this audit and the review of security and workflows, it would have been great if the documentation included the planned role structure and how the system was established. There used to be a significant amount of documentation during the implementation. That is, however, not available since moving to live. The system has now been in place since July 2017.

Software security, settings, and approaches to roles, modules, and workflows have a big impact on how the software will operate. The software provides a significant level of controls over the accounting for the County. In the absence of deliberate control permissions the system may not be adequately controlled. This could leave some staff with too much authority over the system.

It is recommended for the County to consider and document how they are controlling roles, permissions, and workflows for Munis.

3. Management response

Finance Department
Greg Munn, Chief Financial Officer and Treasurer

DATE: January 15, 2021
TO: David Givans, County Internal Auditor
FROM: Greg Munn, Chief Financial Officer and Treasurer
CC: Tom Anderson, County Administrator
SUBJECT: Response to Munis System Audit

2.1(A) Plan and design of Finance roles does not adequately consider segregation of duties.
• It is recommended for segregation of duties to be considered in the overall design of roles given to users.
• It is recommended Finance segregate significant duties within the system and provide greater guidance on approvals. This might include additional policy and procedural requirements to discourage self-approvals and further describe proper forwarding of approvals.
• It is recommended that periodically IT and Finance join forces to perform a segregation of duties review by user of their assigned permissions. Internal audit can provide guidance on how to carry out this review.
• It is recommended for the County to consider how it might address the additional resources (staffing time) necessary to help Finance and IT maintain ongoing support; document systems controls (such as roles and workflows); and reinforce segregation of duties.

Agreed. Once the system was up and running there were staffing changes that prevented a normal transfer of resources from implementation to support. Most of that support demand fell on Finance staff, which does not have adequate bandwidth to continue to move the system beyond the initial implementation to maturity. Next steps are to secure additional permanent support to work closely with county staff, including Finance, Internal Audit and department business manager representation to address these recommendations.

2.1(B) Usage of “Munis” administrative role could be better controlled.
• It is recommended periodically IT and Finance review the history for the “Munis” roles and make sure that it is not being assigned without reason and that it is not being used to approve any transactions.

Agreed. This will be incorporated with addressing recommendation 2.1(A).

2.1(C) Some active Munis users do not have employee credentials.
• It is recommended for the procedures for establishing new Munis users be updated to include a provision to include the association with their employee number, if applicable.

Agreed. This will be incorporated with addressing recommendation 2.1(A).

2.2(A) Lack of workflow approvals that mirror authority.
• It is recommended the County Administrator be included in workflow for all disbursements in excess of department limits.
• It is recommended the Board of County Commissioners have the County Administrator (or designee) review all payments over $150 thousand before they go to them.
• It is recommended the County Administrator (or designee) receive the Finance designed disbursement control reports on at least a monthly basis and review for any anomalies (approvals made without the County Administrator or Board designee). The Information Technology department should assure the monitoring reports are working as designed.
• It is recommended the Board of County Commissioners (or designee) assure that disbursements over $150 thousand have their approval. They might consider staffing this review through Administration/BOCC to lend additional segregation of duties over Finance.
• It is recommended the Board of County Commissioners clarify by policy (perhaps in Policy F-15 - Department purchasing thresholds) that the purchasing approval thresholds also apply to all payments being made, excluding certain payments that by statute can be made by the County Treasurer.
It would also be a place where they direct whether the County Administrator should review and approve any payments coming to them for approval.

Agreed. This will be incorporated with addressing recommendation 2.1(A).

2.2(A) Significant purchasing card transactions performed by Finance.
• It is recommended for Finance to work with departments on the rollout of using the purchase card rebate program and who should benefit from the purchase card rebate.

To date we have communicated that the rebate will be collected as a revenue source in the Finance internal service fund which results in reducing the amount of next Finance expenses that need to be collected through internal service charges, thus “passing through” the rebate indirectly to direct service department budgets.

• It is recommended for the department considering use of a purchase card to see what payment arrangements can be made with their vendor that maximizes the potential discount on timely payment.

Finance has worked with some departments that have large purchase card eligible transactions but need to prioritize this activity for existing spend to maximize the rebate.

• It is recommended for vendors who are to be set up for payment through purchase card be set up from the beginning by the department.
• It is recommended for Finance to regularly collect on purchase card rebates and post them to the County accounting records.

Agreed. The County is relatively new at utilizing purchase cards as a spending tool for county business. Finance will prioritize this work with department partners.

2.2(B) Approval workflows allow vendor setup/edits and approval by same person.
• It is recommended for Finance to improve segregation of duties over vendor additions and changes by requiring a separate person approve any additions or changes.

Complete.
Since this recommendation, Finance has separated these duties so that vendor additions and changes are requested and approved by different staff members.

2.2(C) Additional workflows to be considered.
• It is recommended for the County to consider some of the workflows they have not been using.

Agreed. This will be incorporated with addressing recommendation 2.1(A).

2.3 Overall, the documentation of the current state of the County’s Munis accounting system could be improved.
• It is recommended for the County to consider and document how they are controlling roles, permissions, and workflows for Munis.

Agreed. This will be incorporated with addressing recommendation 2.1(A).

{End of Report}

Please take a survey on this report by clicking on the attached link: https://www.surveymonkey.com/r/Security_and_workflows_1920-9

If you would like to receive future reports and information from Internal Audit or know someone else who might like to receive our updates, sign up at http://bit.ly/DCInternalAudit.