1 MANAGEMENT AUDIT REPORT OF ACCOUNTS PAYABLE REPORT NO CITY OF ALBUQUERQUE OFFICE OF INTERNAL AUDIT AND INVESTIGATIONS
2 of Accounts Payable Report No Executive Summary Background The Department of Finance and Administrative Services (DFAS), Accounts Payable Division (AP), is responsible for verifying, researching, and paying vendor invoices. The City s accounts payable system is MARS/G. Albuquerque Housing Services (AHS) has a separate accounts payable system. Objective: Are AP and AHS compliant with their respective department policies and procedures, City rules, regulations and ordinances, state statutes and other applicable rules and regulations for processing accounts payable? Recommendations: The AP User s Guide (Guide) has not been reviewed and updated recently. AHS purchasing flowchart does not document the entire purchasing process. AHS does not have written policies and procedures for its AP process. DFAS should review and update the Guide. AHS should update its purchasing flowchart and develop written policies and procedures for its AP process. Objective: What are the controls over processing payments through MARS/G and AHS AS/400 system? Recommendations: Printed AP checks are stored in an unlocked cabinet. AP bank reconciliations are not completed timely. AHS does not use Positive Pay. DFAS should secure printed AP checks in a locked cabinet. DFAS should complete AP bank reconciliations timely. AHS should use Positive Pay. Objective: What are the controls over processing manually prepared checks? Recommendations: Back-up documentation is not provided to the Treasury Division for manual checks. Authorization levels have not been established for manual checks. The Risk Management Division and the Department of Senior Affairs issue sight drafts. DFAS should provide back-up documentation to Treasury for manual checks. DFAS should establish authorization levels for manual checks. The CAO should review sight drafts and make a determination on whether they should be issued. i
3 of Accounts Payable Report No Executive Summary Objective: Who has access to the MARS/G system and AHS AS/400 system and how is it monitored? Recommendations: The MARS/G and RACF user listing included users who have transferred to other City departments and users who have left employment with the City. There is not a City-wide model for setting MARS/G access levels. Access levels are established at the departmental level. All users of the AS/400 system have command line access in AHS. DFAS-ISD should provide the MARS/G and RACF user listings to departments. The CAO should require departments to review the MARS/G and RACF user listings on a regular basis. DFAS should develop model access levels for MARS/G users. AHS should limit command line access to its AS/400 system. Objective: Who has access to the master vendor file and what is the integrity and reliability of the data it contains? Recommendations: The daily vendor file maintenance reports are not reviewed. The vendor file in MARS/G has never been purged. Social security numbers are used as vendor ID numbers for individuals. One individual in the Purchasing Division is able to edit the vendor file. The vendor file in AHS AS/400 system has never been purged. Daily vendor file maintenance reports are not reviewed at AHS. DFAS should review the daily vendor file maintenance reports and retain supporting documentation for all changes to the vendor file. DFAS should develop a policy for vendor file maintenance. DFAS should not use social security numbers as vendor ID numbers. DFAS should review Purchasing s access to MARS/G and ensure they are not able to edit the vendor file. AHS should develop a policy for vendor file maintenance. AHS should develop and review daily vendor file maintenance reports. During our fieldwork we noted no exceptions for the following objectives: Has the Department accomplished its accounts payable performance measures? Management responses are included in the audit report. ii
4 City of Albuquerque Office of Internal Audit and Investigations P.O. Box 1293 Albuquerque, New Mexico Accountability in Government Oversight Committee City of Albuquerque Albuquerque, New Mexico Audit: Management Audit Accounts Payable FINAL INTRODUCTION The Office of Internal Audit and Investigations (OIAI) conducted a management audit of accounts payable operated by the Department of Finance and Administrative Services (DFAS), Accounts Payable Division (AP) and the Department of Family and Community Services (DFCS), Albuquerque Housing Services Division (AHS). AP is responsible for verifying, researching, and paying vendor invoices. AP works closely with City departments and the vendor community to ensure that invoices are processed accurately and timely. The City s accounts payable system is the Management Analysis and Response System/Government (MARS/G). City departments use MARS/G to release invoices for payment after goods and services are received. AP uses MARS/G to maintain the master vendor file and process invoices for payment. AP processes approximately 150,000 payment transactions per year. The Department of Housing and Urban Development (HUD) requires AHS to maintain separate financial systems and bank accounts. AHS has a separate accounts payable system.
5 Page 2 AUDIT OBJECTIVES The objectives of our audit were to determine: SCOPE Are AP and AHS compliant with their respective department policies and procedures, City rules, regulations and ordinances, state statutes and other applicable rules and regulations for processing accounts payable? What are the controls over processing payments through MARS/G and AHS AS/400 system? What are the controls over processing manually prepared checks? Who has access to the MARS/G system and AHS AS/400 system and how is it monitored? Who has access to the master vendor file and what is the integrity and reliability of the data it contains? Has the Department accomplished its accounts payable performance measures? Our audit did not include an examination of all the functions, activities and transactions of AP. Our scope included the accounts payable processes followed by the City and AHS between February 2004 and March This report and its conclusions are based on information taken from a sample of transactions and do not intend to represent an examination of all related transactions and activities. The audit report is based on our examination of AP s activities through the completion of fieldwork, March 15, 2007, and does not reflect events or accounting entries after that date. The audit was conducted in accordance with Government Auditing Standards, except Standard 3.49, requiring an external quality control review. METHODOLOGY During the audit, OIAI interviewed DFAS and AHS staff. OIAI used judgmental and statistical sampling techniques to determine sample sizes for testing. OIAI reviewed documentation, including the following:
6 Page 3 AP policies and procedures; MARS/G training schedule; MARS/G user listing; Master vendor file, including daily maintenance reports; System generated checks, manual checks and Automated Clearing House (ACH) payments, including documentation supporting these payments; Unmatched Releases and Unmatched Invoices reports; and AP bank reconciliations. FINDINGS The purpose of an internal audit is to identify changes in the auditee s activities, which would improve its effectiveness, efficiency, and compliance with administrative policies and applicable rules and regulations. Therefore, the auditee s activities that appear to be functioning well are not usually commented on in audit reports. The following findings concern areas that OIAI believes would be improved by the implementation of the related recommendations. 1. DFAS SHOULD REVIEW THE DAILY VENDOR FILE MAINTENANCE REPORTS AND RETAIN SUPPORTING DOCUMENTATION FOR ALL CHANGES MADE TO THE VENDOR FILE. OIAI reviewed six vendor file daily maintenance reports and judgmentally selected twentytwo additions/changes to review. The following was noted: o No documentation was available to support four of the additions/changes; o OIAI could not identify who requested two address changes (e.g. the vendor, another City department/division); and o One address change was entered incorrectly. DFAS does not review the City-wide daily vendor file maintenance report, perhaps due to staffing constraints. When additions/changes to the vendor file are not reviewed, new vendors and changes to existing vendors may be entered incorrectly. Further, without adequate oversight, individuals with access to the vendor file can create fictitious vendors or alter existing vendor information, such as payment addresses, for personal gain. Control Objectives for Information and Related Technology (COBIT) DS11.9, which is issued by the IT Governance Institute, recommends that management maintain and periodically review audit trails for unusual activity and accuracy of changes made. These reviews should be completed by a supervisor who does not perform data entry.
7 Page 4 DFAS should review the daily vendor file maintenance reports. This review should be completed by someone who does not have update access to the master vendor file. DFAS should document their monitoring activities. DFAS should maintain documentation to support all additions/changes to the master vendor file. The documentation should include who requested the addition/change. RESPONSE FROM DFAS DFAS concurs with this recommendation. The accounts payable fiscal analyst will review all daily vendor file maintenance reports and document this control step on the report. In instances where the fiscal analyst makes changes to the vendor file, an assigned finance technician will initial all of those changes. Back up documentation for vendor file changes are now being attached to the daily vendor report. 2. DFAS SHOULD DEVELOP A POLICY FOR VENDOR FILE MAINTENANCE. The City-wide master vendor file in MARS/G has never been purged. As of October 2006, the vendor file contained 39,387 vendors, including: o 7,510 (19 percent) vendors with duplicate vendor addresses; and o 969 (2 percent) vendors with no vendor addresses. OIAI also statistically sampled 39 vendors from the population of 39,387. The average number of days since the most recent payment date was 1,544. Based on discussions with DFAS, no one knows how to purge the vendor file. If the vendor file is not periodically reviewed and purged, the number of vendors without recent activity will increase. As the size of the vendor file increases, the time and effort required to maintain the file also increases. Jonathan D. Casher is chairman of a financial operations consulting firm and president of an information technology consulting firm. In his article Managing Your Vendor File, Mr. Casher discusses the following best practice: Inactive vendors should be regularly removed from the vendor file so payments are not accidentally made to the wrong vendors or sent to addresses that are no longer current. COBIT DS11.20 recommends that management document and communicate retention standards and storage terms for data.
8 Page 5 DFAS should develop a formal written policy that outlines vendor file maintenance. The policy should require a periodic review of the vendor file to identify vendors with no addresses, potential duplicate vendors, and vendors with no recent activity. Following this periodic review, vendors tagged for removal should be purged from the master vendor file. RESPONSE FROM DFAS DFAS concurs with this recommendation and will develop a formal written policy that outlines vendor file maintenance. The annual vendor purge procedures will be included in the future ERP software business practices and policies manual. 3. DFAS SHOULD PROVIDE BACK-UP DOCUMENTATION TO THE TREASURY DIVISION FOR APPROVAL OF MANUAL CHECKS. OIAI inquired of DFAS personnel and determined that no back-up documentation is included with manual checks provided to and signed by the Treasury Division (Treasury). Also, only one signature is required for manual checks regardless of the dollar amount. This is standard operating procedure. Without supporting documentation, Treasury does not know what the check is for and who approved the request. Treasury could sign manual checks that have not been approved and that are for inappropriate purposes. Also, as payment amounts rise, the impact of payment errors increases. If only one person signs high dollar checks, proper oversight may not be exercised and payment errors may occur resulting in a loss of City assets. Administrative Instruction No. 2-3 requires adequate internal controls to safeguard city assets against loss from unauthorized use or disposition. The Government Finance Officers Association s (GFOA) recommends that agencies should require two signatures on checks over a designated amount. DFAS should provide supporting documentation to Treasury for manual checks, including the approved manual check request. Treasury should record its review of the supporting documentation. DFAS should require dual signatures for manual checks above certain dollar amounts.
9 Page 6 RESPONSE FROM DFAS DFAS concurs with this recommendation. The accounts payable section is now providing the back up documentation to Treasury for the manual checks prior to obtaining the signature approval. DFAS will discuss this recommended dual signature control with Treasury personal to determine the availability of a dual signer and whether this control is feasible at this time. 4. DFAS SHOULD SECURE PRINTED AP CHECKS IN A LOCKED CABINET. Printed AP checks are stored in an unlocked cabinet in the back of the ISD computer room. Perhaps other security measures, such as key card access to the ISD computer room and cameras, are considered adequate. However, the ISD computer room contains equipment for both the City and the County, and vendors/contractors are also in the room periodically. If checks are lost/stolen, it may prove difficult to determine what happened. Administrative Instruction No. 2-3 requires adequate internal controls to safeguard city assets against loss from unauthorized use or disposition. DFAS should secure printed checks in a locked cabinet. Access to this cabinet should be restricted to authorized personnel. RESPONSE FROM DFAS DFAS concurs with this recommendation. DFAS will work with ISD to limit access to the location where the accounts payable and payroll checks are stored by either securing the location or by storing the checks in a locked cabinet. 5. DFAS SHOULD NOT USE SOCIAL SECURITY NUMBERS AS VENDOR ID NUMBERS. OIAI inquired of DFAS personnel and reviewed the master vendor file to determine how vendor ID numbers are assigned. For individuals, the Vendor ID number is the person s social security number (SSN). This is standard operating procedure. If the master vendor file is compromised, unauthorized persons will have access to individuals SSNs. Stolen SSNs can be used to perpetrate identity theft. Identify theft hurts
10 Page 7 not only the people whose identities have been stolen, but also the City through negative publicity and potential lawsuits. The City has moved away from using SSNs as personal identifiers for employees through the use of randomly assigned employee ID numbers. OIAI also noted the following best practice of a prominent university system. The use of the SSN as an individual's primary identification number should be discontinued unless required or permitted by law. The SSN may be stored as a confidential attribute associated with an individual. DFAS should not use SSNs as Vendor ID numbers. RESPONSE FROM DFAS DFAS concurs with this recommendation. The current payable system requires a unique vendor number; at the time the system was implemented, the use of social security and FEIN numbers was the solution to avoid the issuance of duplicate vendor numbers. With the implementation of the new ERP software, a unique vendor identification number will be automatically issued by the new software. 6. THE CAO SHOULD REQUIRE DEPARTMENTS TO REVIEW THE MARS/G AND RACF USER LISTINGS PROVIDED BY THE DFAS INFORMATION SYSTEMS DIVISION (ISD). MARS/G OIAI reviewed the MARS/G user listing, which included 775 user IDs, to determine if individuals with access are active City employees. The following exceptions were noted: o Seventeen have left employment with the City but are still included on the user listing; o Nine have moved to departments/divisions other than those noted on the user listing; o Six generic IDs; o In two instances, the user name was not identified; and o One user was assigned two IDs. The MARS/G user listing is not periodically reviewed by departments because it is not provided by DFAS-ISD. If access is not removed or modified when employees leave the City or transfer to other departments/divisions, individuals may have inappropriate access rights and could potentially:
11 Page 8 o Modify the vendor file; o Process invoices for payment; and o Release invoices for payment. COBIT DS5.5 recommends that organizations periodically review access rights to ensure they reflect the initial authorizations and the user s and the organization s needs. RACF RACF is a security system used to control access to applications on the City s IBM Mainframe computer system. OIAI reviewed an informal listing of RACF users maintained by ISD. The listing included users with multiple user IDs and terminated employees with active user IDs. OIAI randomly selected 38 of 184 users on the listing and noted the following exceptions: o Ten have dual RACF user IDs; o Five have left employment with the City, but still have active RACF user IDs; and o Five have left employment with the City, but are still on the MARS/G user listing. The RACF user listing is not periodically reviewed by departments because it is not provided by DFAS-ISD. If terminated employees have active RACF user IDs, they may have unauthorized system access. COBIT DS5.5 recommends that organizations periodically review access rights to ensure they reflect the initial authorizations and the user s and the organization s needs. DFAS-ISD should provide the MARS/G and RACF user listings to departments. The CAO should require departments to review the MARS/G and RACF user listings on a regular basis for: o employees who have transferred to other departments/divisions, o terminated employees, o generic user IDs and multiple user IDs assigned to one individual, o incomplete user profiles RESPONSE FROM CAO The CAO agrees that a periodic review of MARS/G and RACF user listings would be useful and will work with DFAS/ISD to develop a protocol for a manual review process unless it is determined that the process can be automated as part of the ERP Phase I implementation.
12 Page 9 RESPONSE FROM DFAS DFAS will work with the CAO to develop a protocol for a manual review process of MARS/G and RACF user listings. 7. DFAS SHOULD DEVELOP MODEL ACCESS LEVELS FOR MARS/G USERS. There is not a City-wide model for setting MARS/G access levels. Access levels are established at the department level. For example, DFAS could develop one access model for all MARS/G users responsible for releasing invoices for payment. Under the current system, users who are performing the same duties within MARS/G may have different access rights. Some users may have update/edit/delete capabilities that are not necessary for their position. When unauthorized changes are made, the validity of the data within that application and all other programs that application feeds into comes into question. COBIT DS5.2 recommends that system owners should be responsible for granting, changing and removing access, taking into account least privilege, separation of duties and required access levels. DFAS should develop model access levels for MARS/G users, such as users who are responsible for releasing invoices for payment. RESPONSE FROM DFAS DFAS concurs with the recommendation. The accounts payable section will work with ISD and the ERP software implementation team to ensure there is a process in place to periodically review user access to city-wide systems. This is a recommendation that affects many different city-wide system applications and should be addressed within the scope of the ERP software implementation. This will enable each ownership department to review user s access to their specific software application for validity. DFAS accounts payable and accounting sections will work with ISD and the ERP implementation team to develop city-wide templates for access to the new ERP software accounts payable application.
13 Page DFAS SHOULD REVIEW THE PURCHASING DIVISION S EMPLOYEE ACCESS TO MARS/G AND ENSURE THEY ARE NOT ABLE TO MAKE CHANGES TO THE VENDOR FILE. One Purchasing Division (Purchasing) individual stated that she is able to edit vendor tax ID numbers in the master vendor file if no vendor activity has occurred. This could be a programming issue or a failure to periodically review access rights to the City s accounts payable system. If vendor tax ID numbers are edited to an incorrect number and the City is required to file tax forms with the IRS, such as 1099s, the City may incur IRS penalties. COBIT DS5.5 recommends that organizations periodically review access rights to ensure they reflect the initial authorizations and the user s and the organization s needs. Further, to ensure adequate separation of duties, Purchasing should not have update access to the vendor file. DFAS should review Purchasing s access to MARS/G and ensure that Purchasing staff is not able to add, edit, or delete vendor information. RESPONSE FROM DFAS DFAS concurs with the recommendation. DFAS accounts payable has reviewed Purchasing staff s access and has restricted access to MARS/G that will enable them to add, edit, or delete vendor information. 9. DFAS SHOULD COMPLETE AP BANK RECONCILIATIONS TIMELY. DFAS did not complete the June 2006 AP Bank Reconciliation until October Due to other priorities and staffing limitations, bank reconciliations may not have received timely attention. Banks may have deadlines for resolving discrepancies between the bank s records and the City s records. If these deadlines pass, the City may not be able to correct errors in the bank s records. Also, as time passes, it may prove more difficult to research discrepancies between the bank s records and the City s records. Per the GFOA s Recommended Practices, agencies should reconcile all bank statements and notify banks of discrepancies in a timely manner.
14 Page 11 DFAS should complete its AP bank reconciliations within thirty days of receiving the bank statement(s). RESPONSE FROM DFAS DFAS concurs with the recommendation. DFAS will ensure that the accounts payable bank reconciliation is completed within 30 days of receipt of the bank statement. 10. THE CAO SHOULD REVIEW SIGHT DRAFTS AND MAKE A DETERMINATION WHETHER THEY SHOULD CONTINUE TO BE ISSUED. Both the Risk Management Division of DFAS (Risk Management) and the Department of Senior Affairs (DSA) issue sight drafts even though DFAS already has a process in place for issuing manual checks. In Risk Management, sight drafts are used for emergency situations, such as payment for a sewer backing-up into a house. In DSA, sight drafts are used to refund activity fees to seniors. However, when control over disbursement of funds is decentralized, the potential for misallocation of funds increases. Administrative Instruction No. 2-3 requires adequate internal controls to safeguard city assets against loss from unauthorized use or disposition. The CAO should review sight drafts and make a determination whether they should continue to be issued. RESPONSE FROM CAO The CAO agrees that the continued use of sight drafts by Risk Management and the Department of Senior Affairs does not seem to be necessary and will meet with the directors of both units to explore appropriate alternatives to meet their operating needs. 11. DFAS SHOULD REVIEW AND UPDATE THE AP USER S GUIDE. The AP User s Guide (Guide) has not been updated since August 2001, and it does not include guidance for AP Finance Techs who update the vendor file.
15 Page 12 If the Guide is not reviewed and updated periodically, new policies and procedures may not be included in the Guide. Existing policies and procedures may have changed since the last time the Guide was reviewed. This may lead to confusion among staff and inconsistency in how tasks are performed. Per the GFOA Recommended Practices, accounting policies and procedures should be updated periodically and changes that occur between these periodic reviews should be updated promptly as they occur. Management is responsible for performing this duty, and a specific employee should oversee this process. DFAS should periodically review and update the Guide. DFAS should also add instructions to the Guide to assist AP Finance Techs who update the vendor file. RESPONSE FROM DFAS DFAS concurs with the recommendation. DFAS Accounts Payable section will ensure that the AP user guide is reviewed on an annual basis and updated when necessary. 12. AHS SHOULD UPDATE ITS PURCHASING FLOWCHART AND DEVELOP WRITTEN POLICIES AND PROCEDURES FOR ITS AP PROCESS. AHS has developed a flowchart of its purchasing process. The flowchart does not describe the reviews conducted after payment information is entered into the AS/400 system. AHS does not have written policies and procedures to provide additional detailed guidance to AP staff. Processes are in place, but detailed guidance has not been formally documented. Without written policies and procedures: o New employees may not know how to process accounts payable transactions; and o Current employees may not consistently process accounts payable transactions. Per the GFOA s Recommended Practices, agencies should develop financial policies in the following areas: Financial Planning, Revenues, and Expenditures. AHS should update its purchasing flowchart and develop written policies and procedures to guide accounts payable staff.
16 Page 13 RESPONSE FROM AHS AHS concurs with this finding. Since this audit began, AHS has updated their purchasing flowchart to include all steps and relevant staff involved in the procurement process. Over the course of the next two months, AHS will update written policies and procedures to include additional detailed guidance for staff. 13. AHS SHOULD LIMIT COMMAND LINE ACCESS TO ITS AS/400 SYSTEM. All users of AHS AS/400 system have command line access. AHS staff use the command line to manage print jobs and run queries. These functions could be accessed through the AS/400 menu rather than the command line. Anyone can access critical AS/400 commands on the internet. For example, OIAI went online and printed 28 pages of critical AS/400 commands. Users who have command line access and knowledge of critical AS/400 commands may have the ability to access and edit critical data files. COBIT DS5.2 recommends that system owners should be responsible for granting, changing and removing access, taking into account least privilege, separation of duties and required access levels. AHS should limit command line access to individuals with AS/400 system administrator responsibilities. All other AS/400 users should have menu access only. RESPONSE FROM AHS AHS concurs with this finding. Since this audit began, AHS has initiated action to limit command line access to select authorized individuals. AHS estimates this will be fully implemented before the end of the calendar year. 14. AHS SHOULD DEVELOP A POLICY FOR VENDOR FILE MAINTENANCE. OIAI inquired of AHS accounting staff and determined that although they have the ability to tag vendors so they are not brought up as options in the vendor file, the vendor file has not been purged. AHS Fiscal Officer was not aware of any policy, rule or regulation that requires them to periodically review and purge their vendor file.
17 Page 14 If the vendor file is not periodically reviewed and purged, the number of vendors without recent activity will increase. As the size of the vendor file increases, the time and effort required to maintain the file also increases. In his article Managing Your Vendor File, Jonathan D. Casher discusses the following best practice: Inactive vendors should be regularly removed from the vendor file so payments are not accidentally made to the wrong vendors or sent to addresses that are no longer current. COBIT DS11.20 recommends that management document and communicate retention standards and storage terms for data. AHS should develop a formal written policy that outlines vendor file maintenance. The policy should require a periodic review of the vendor file to identify vendors with no addresses, potential duplicate vendors, and vendors with no recent activity. Following this periodic review, vendors tagged for removal should be purged from the master vendor file. RESPONSE FROM AHS AHS concurs with this finding. AHS has incorporated guidance addressing the process for maintenance of vendor files as part of their internal A/P policies and procedures. At year-end, an AHS fiscal staff person, other than the staff person setting up the vendor files, will review the master file and inactivate any vendor files not used in the prior 24 months. This will ensure no accidental or intentional payments to inactive vendors. In addition, any incomplete files will be updated and any duplicate files will be cross-referenced. Initially, AHS was considering purging vendor files with no recent activity. However, after discussing the issue with the software vendor and the local HUD office, AHS determined purging is not a good option because of the loss of history. The vendor file module is the quickest way for AHS to pull up history of any vendor payments (tenants and landlords) that may be in question.
18 Page AHS SHOULD DEVELOP AND REVIEW DAILY VENDOR FILE MAINTENANCE REPORTS. OIAI determined that Accounting staff do not generate a vendor file maintenance report. The AS/400 system used by AHS may not be able to generate a vendor file maintenance report. When additions and changes to the vendor file are not reviewed, new vendors may be entered incorrectly, and changes to existing vendors may be entered incorrectly. Further, without adequate oversight, persons with access to the vendor file can create fictitious vendors or alter existing vendor information, such as payment addresses, for personal gain. COBIT DS11.9 recommends that management maintain and periodically review audit trails for unusual activity and accuracy of changes made. These reviews should be completed by a supervisor who does not perform data entry. AHS should develop a daily vendor file maintenance report. AHS should review these maintenance reports. This review should be completed by someone who does not have update access to the vendor file. AHS should document their monitoring activities. RESPONSE FROM AHS AHS has discussed the AS 400 reporting capabilities with the software vendor and determined there is no vendor change report available. To clear this finding, AHS has created a process that will limit the ability of staff to make vendor file changes. AHS has created a vendor file change form that must now be completed by the program person needing to make vendor file changes. The form will be approved by the Section Manager and the Fiscal Manager before any changes are entered. At month end, the respective accountant will reconcile the change forms against the vendor master file. This process will be added to the written A/P policies and procedures. 16. AHS SHOULD USE POSITIVE PAY. Positive Pay is a service used to combat check fraud. The financial institution pays only those items with serial numbers and dollar amounts matching the company s issue file. AHS stated they currently review discrepancies between the positive pay files sent to the bank and the actual checks presented on a daily basis. If discrepancies are discovered, AHS contacts
19 Page 16 the bank and the bank credits AHS account. As currently set-up, the bank honors all checks presented even if they do not agree with the positive pay files. This is a management decision. With the current set-up, the bank may pay checks that have not been issued by AHS. AHS may incur a loss if the bank pays these checks and refuses to credit AHS account. GFOA recommends that agencies use positive pay services provided by banks, through which banks pay only those items that match a check issue file provided to the bank. CONCLUSION AHS should use Positive Pay and its bank should pay only those items that match a check issue file provided to the bank. RESPONSE FROM AHS AHS concurs with this finding. With the help of the Assistant Treasurer for Cash Management, AHS implemented Positive Pay in the spring of Improvement is needed to ensure adequate oversight of the accounts payable process. By implementing the recommendations noted above, DFAS and AHS should enhance the efficiency and effectiveness of the accounts payable process. OIAI appreciates the cooperation of DFAS and AHS staff during the audit.
20 Page 17 Principal Auditor REVIEWED: Audit Manager APPROVED: APPROVED FOR PUBLICATION: Carmen Kavelman, CPA, CISA, CGAP Director Office of Internal Audit and Investigations Chairperson, Accountability in Government Oversight Committee
FOLLOW-UP OF COMPUTER EQUIPMENT TRACKING CONTROLS AND PROCEDURES REPORT NO. City of Albuquerque Office of Internal Audit and Investigations City of Albuquerque Office of Internal Audit and Investigations
SPECIAL AUDIT REPORT OF GOLF MANAGEMENT DIVISION POINT-OF-SALE SYSTEM PARKS AND RECREATION DEPARTMENT REPORT NO. 08-105 CITY OF ALBUQUERQUE OFFICE OF INTERNAL AUDIT AND INVESTIGATIONS Special Audit Golf
FOLLOW-UP OF PERSONAL COMPUTER LICENSING REPORT NO. City of Albuquerque Office of Internal Audit and Investigations City of Albuquerque Office of Internal Audit and Investigations P.O. BOX 1293 ALBUQUERQUE,
Internal Control Guidelines The four basic functions of management are usually described as planning, organizing, directing, and controlling. Internal control is what we mean when we discuss the fourth
Internal Audit Committee of Brevard County, Florida Internal Audit Review of Accounts Payable Prepared By: Internal Auditors of Brevard County September 22, 2010 Table of Contents Transmittal Letter...
City of Berkeley Accounts Payable Audit Prepared by: Ann-Marie Hogan, City Auditor, CIA, CGAP Teresa Berkeley-Simmons, Audit Manager, CIA, CGAP Frank Marietti, Senior Auditor, CIA, CGAP Presented to Council
SPECIAL AUDIT REPORT OF DATABASE SECURITY CITYWIDE REPORT NO. 11-103 City of Albuquerque Office of Internal Audit Database Security Citywide Report No. 11-103 Executive Summary The Office of Internal Audit
BASIC POLICY STATEMENT The Mikva Challenge is committed to responsible financial management. The entire organization including the board of directors, administrators, and staff will work together to make
Accounts Payable Best Practices Presented by: Eddy Castaneda, CPA, MBA Accounts Payable Best Practices Top Practices AP Top Practices Document your current AP procedures Can identify overlapping work Can
ACCOUNTS PAYABLE DEPARTMENT AUDIT OF SELECTED ACCOUNTING PROCESSES THE UNIVERSITY OF NEW MEXICO September 3, 2009 J.E. Gene Gallegos, Chair Carolyn Abeita, Vice Chair James Koch Audit Committee Members
Checks and Balances Internal Controls West Virginia State Auditor s Office Chief Inspector Division POP QUIZ Internal Controls Internal Controls The auditor will test the effectiveness of your internal
County of San Diego Auditor and Controller OFFICE OF AUDITS & ADVISORY SERVICES ACCOUNTS PAYABLE VENDOR MASTER FILE AUDIT FINAL REPORT Chief of Audits: Juan R. Perez Senior Audit Manager: Lynne Prizzia,
City of Berkeley Berkeley Public Library Purchasing and Accounts Payable Audit Prepared by: Ann-Marie Hogan, City Auditor, CIA, CGAP Teresa Berkeley-Simmons, Audit Manager, CIA, CGAP Frank Marietti, Senior
Cabinet Member or Representative responsible for completing this form: INSTRUCTIONS FOR COMPLETING THIS FORM: Answer each question by placing an X in the either the Yes, No,, or Applicable () column. Provide
Internal Control Guide & Resources Section 5- Internal Control Activities & Best Practices Managers must establish internal control activities that support the five internal control components discussed
ACCOUNTS PAYABLE VENDOR PAYMENT Audit Report No. AP0110 November 06, 2009 MENTAL HEALTH MENTAL RETARDATION AUTHORITY OF HARRIS COUNTY Report AUDITOR S REPORT Harris County, Texas Report November 06, 2009
COUNTY OF TRINITY CASH HANDLING PROCEDURES Prepared by the Trinity County Auditor/Controller s Office Revised October 1, 2009 TABLE OF CONTENTS I. Introduction--------------------------------------------------------------------1
Internal Controls over Cash for Small Nonprofits Internal controls may be a sensitive issue in small nonprofit organizations. These organizations are built on the concepts of honesty, truthfulness, and
City of Berkeley Purchase Order Audit Select Public Works Divisions At the Corporation Yard Prepared by: Ann-Marie Hogan, City Auditor, CIA, CGAP Teresa Berkeley-Simmons, Audit Manager, CIA, CGAP Frank
DIVISION OF CHILD CARE AND EARLY CHILDHOOD EDUCATION HEALTH AND NUTRITION UNIT P O BOX 1437, SLOT S 155 501-320-8982 FAX: 501-682-2334 TDD: 501-682-1550 TO: NON-PROFIT INSTITUTIONS FROM: HEALTH AND NUTRITION
AU12-003 Financial Services Central Cashiering Office of the City Auditor Arlena Sones, CPA, CIA, CGAP City Auditor June 6, 2014 Executive Summary In accordance with the FY 2012 Annual Audit Plan, we conducted
Western Climate Initiative, Inc. Accounting Policies and Procedures Adopted May 8, 2013 WESTERN CLIMATE INITIATIVE, INC ACCOUNTING POLICIES AND PROCEDURES Adopted May 8, 2013 Table of Contents I. Introduction...
AUDITOR GENERAL WILLIAM O. MONROE, CPA HILLSBOROUGH COUNTY DISTRICT SCHOOL BOARD LAWSON FINANCIALS MODULE Information Technology Audit SUMMARY To support its financial management needs, the Hillsborough
Department of Human Resources Payroll Accounting and Processing Audit Final Report August 2009 promoting efficient & effective local government Introduction The Internal Audit Office performed an audit
Overview Property management is an important function at the University. Prudent inventory practices help protect the University s multi-million dollar investment in equipment, provide documentation needed
Internal Audit Information Technology Equipment June 2012 Bernalillo County Internal Audit Information Technology Equipment Executive Summary SUMMARY OF PROCEDURES REDW performed an internal audit of the
City of Austin AUDIT REPORT A Report to the Austin City Council Mayor Lee Leffingwell Mayor Pro Tem Sheryl Cole Social Services Contract Monitoring Audit October 2011 Council Members Chris Riley Mike Martinez
DIXON MONTESSORI CHARTER SCHOOL FISCAL CONTROL POLICY 1. Purpose The Dixon Montessori Charter School Board of Directors ( Board ) has reviewed and adopted the following policies and procedures to ensure
Office of Inspector General Audit Report Third Party Draft Payment System Department of Transportation Report Number: FI-2001-001 Date Issued: October 3, 2000 U.S. Department of Transportation Office of
MANAGEMENT AUDIT REPORT OF FUEL USAGE AND SECURITY DEPARTMENT OF FINANCE AND ADMINISTRATIVE SERVICES REPORT NO. 12-101 NAME OF AUDIT DEPARTMENT REPORT NO. City of Albuquerque Office of Internal Audit Fuel
Date: June 25, 2014 To: Brenda S. Fischer, City Manager From: Candace MacLeod, City Auditor Subject: Audit of Glendale Fire Department s Payroll Process The City Auditor s Office has completed an audit
REPORT # 2010-06 AUDIT of the Customer Information System (BANNER) January 2010 TABLE OF CONTENTS Executive Summary..... i Comprehensive List of Recommendations. iii Introduction, Objective, Methodology
O FFICE O F T HE C ITY A UDITOR C OLORADO S PRINGS, C OLORADO 12 05 City Cash Receipts Audit Report Some parts of this public document have been redacted in an effort to minimize the opportunity for control
Fleet Management Internal Audit March 2015 Bernalillo County Internal Audit Fleet Management Executive Summary SUMMARY OF PROCEDURES REDW performed an internal audit over Fleet Management at Bernalillo
Report Issue Date: May 18, 2015 Report Number: 2015-08 AUDIT OF ACCOUNTS PAYABLE DIVISION Richmond City Council Office of the City Auditor Richmond City Hall 900 E. Broad Street, Suite 806 Richmond, Virginia
Accounting Research Manager - Audit Private Accounting Research Manager Miller Interpretations and Other Resources Knowledge-Based Audit Procedures Chapter 15: Accounts Payable and Purchases Chapter 15:
THOMAS P. DiNAPOLI COMPTROLLER STATE OF NEW YORK OFFICE OF THE STATE COMPTROLLER 110 STATE STREET ALBANY, NEW YORK 12236 STEVEN J. HANCOX DEPUTY COMPTROLLER DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY
Audit Report Financial Management Information System Centralized Operations March 2003 This report and any related follow-up correspondence are available to the public. Alternate formats may also be requested
John Keel, CPA State Auditor An Audit Report on The Texas Windstorm Insurance Association Report No. 12-048 An Audit Report on The Texas Windstorm Insurance Association Overall Conclusion The Texas Windstorm
CHAPTER 14 INFORMATION TECHNOLOGY CONTROLS SCOPE This chapter addresses requirements common to all financial accounting systems and is not limited to the statewide financial accounting system, ENCOMPASS,
Guidelines for Congregations Internal Control Best Practices A resource provided by the Office of the Treasurer of the Evangelical Lutheran Church in America Congregations should establish and maintain
Fraud Detection and Prevention Financial Management Advisory Council August 28, 2014 Sarah Mahugh, CPA, MBA Financial Audit Audit Manager Overview Fraud trends Fraud Risks and internal controls Case Studies
SUMMARY OF CORRECTIVE ACTION FOR SEGREGATION OF DUTIES AUDIT ISSUES CASH MANAGEMENT I. Checks a. All checks are restrictively endorsed, using the endorsement stamp maintained by the building secretary.
INTERNATIONAL BANKING AND CASH MANAGEMENT TULANE INTERNATIONAL RESPONSIBLE TULANE INTERNATIONAL OFFICIAL: Treasurer 1 RESPONSIBLE OFFICE: Tulane International Financial Office COORDINATING DEPARTMENTS:
CASH As public servants, it is our responsibility to safeguard taxpayer s dollars while adhering to laws and regulations governing processes over cash handling. Internal controls over cash are necessary
Recommendations for Improving Purchasing Card Procedures I. Cardholder Issues: 1. Receipts are not provided for all card charges. A. Current Policy Statement: The Cardholder must: Obtain all sales slips,
LIVINGSTON COUNTY CREDIT CARD PROCEDURES INTRODUCTION Livingston County is introducing an alternative approach to purchasing products and services through the use of credit cards. A credit card purchase
CITY OF DALLAS Dallas City Council Office of the City Auditor Audit Report Mayor Tom Leppert Mayor Pro Tem Dwaine Caraway Deputy Mayor Pro Tem Pauline Medrano Council Members Jerry R. Allen Tennell Atkins
University of San Diego University Audit Office Self-Audit Tool Department: Budget Officer: Completed by: Date: The Self-Audit Tool is a guide and is not all-inclusive. Yes indicates a needed control is
Audit of Controls over Government Travel Cards FINAL AUDIT REPORT ED-OIG/A19-B0010 March 2002 Our mission is to promote the efficiency, effectiveness, and integrity of the Department s programs and operations.
Audit of Accounts Payable Procedures March 6, 2006 Report 2006-03 Audit of Accounts Payable Procedures Table of Contents Page EXECUTIVE SUMMARY PURPOSE AND AUTHORITY SCOPE' AND METHODOLOGY BACKGROUND 1
LEGAL SERVICES CORPORATION OFFICE OF INSPECTOR GENERAL FINAL REPORT ON SELECTED INTERNAL CONTROLS RHODE ISLAND LEGAL SERVICES, INC. RNO 140000 Report No. AU 16-05 March 2016 www.oig.lsc.gov TABLE OF CONTENTS
Florida A & M University AP PROCEDURES 3-8-2013 TABLE OF CONTENTS 1.0 OVERVIEW... 1 2.0 DEFINITIONS... 1 3.0 RESPONSIBILITIES... 2 4.0 GENERAL PROCEDURES... 3 4.1 DEPARTMENTAL FISCAL REPRESENTATIVES...
Audit Report AUDIT DEPARTMENT Information Technology Email Service May 2014 Angela M. Darragh, CPA, CISA, CFE Audit Director AUDIT COMMITTEE: Commissioner Steve Sisolak Commissioner Chris Giunchigliani
STATE OF CONNECTICUT Information System Audit Report Office Of The State Comptroller AUDITORS OF PUBLIC ACCOUNTS KEVIN P. JOHNSTON ROBERT G. JAEKLE TABLE OF CONTENTS EXECUTIVE SUMMARY...1 AUDIT OBJECTIVES,
MANAGEMENT AUDIT REPORT OF DISASTER RECOVERY PLAN DEPARTMENT OF FINANCE AND ADMINISTRATIVE SERVICES INFORMATION TECHNOLOGY SERVICES DIVISION REPORT NO. 13-101 City of Albuquerque Office of Internal Audit
Financial Management Program BEST PRACTICES IN ACCOUNTS PAYABLE GASBO 2015 Tracy Arner, CPA firstname.lastname@example.org 1 Objectives At the end of this session, the participant will be able to - Discuss the definition
UW-EXTENSION BUSINESS SERVICES POLICY AND PROCEDURE DOCUMENT (BSPPD) #18 CAPITAL EQUIPMENT INTRODUCTION UW-System policy F33 establishes a systemwide policy on the accountability for capital equipment.
ULSTER COUNTY COMPTROLLER S OFFICE Elliott Auerbach, Comptroller July 28, 2015 Review of Internal Controls over IT Equipment The mission of the Ulster County Comptroller s Office is to serve as an independent
Thomas A. Schweich Missouri State Auditor FOLLOW-UP REPORT ON AUDIT FINDINGS Webster County Procurement Procedures and County Clerk November 2014 http://auditor.mo.gov Report No. 2014-118 Follow-Up Report
11-1 CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS INTRODUCTION The State Board of Accounts, in accordance with State statutes and the Statements on Auditing Standards Numbers 78
Tulane Purchasing Card Policies and Procedures I. Purpose The Purchasing Card program was established to provide a more efficient and cost-effective method for purchasing and paying for small dollar transactions,
Audit of Milwaukee Fire Department Fixed Assets Controls MARTIN MATSON City Comptroller AYCHA SIRVANCI, CPA Audit Manager City of Milwaukee, Wisconsin August 2013 Table of Contents Transmittal Letter...1
By Cindy Cumfer NOTE: These policies and procedures are designed for small nonprofits that do not have an administrator with financial expertise. They are set up to divide the fiscal control roles between
Purchasing Card Program User Guidelines University of North Alabama Procurement Department Created: March 2008 / Updated 7/16/2015 University of North Alabama Purchasing Card Program 1 Table of Contents
2004094 Accounting Documents (ADVANTAGE Financial System Input) This record series is used to input information into the ADVANTAGE Financial System. The files may contain, but are not limited to: copies
PURCHASING CARD POLICY AND PROCEDURES 1. PURPOSE To establish policies and procedures for procuring goods and/or services using a Purchasing Card. Purchasing Cards are referred to throughout this policy
FACILITIES MANAGEMENT DEPARTMENT Policy Title: Key Control and Card Access Policy Policy Number D-12 Section: Safety and Security Effective Date: April 12, 2007 Last Review: April 12, 2007 Purpose: The
items for the months ending September 30, 2004, December 31, 2004, and March 31, 2005 for the 18 accounts that represented 99 percent of the dollar value of activity in all 35 accounts. These 18 accounts
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT PERFORMANCE AUDIT OF THE ENTERPRISE DATA WAREHOUSE DEPARTMENT OF TECHNOLOGY, MANAGEMENT, AND BUDGET August 2014 Doug A. Ringler, C.P.A., C.I.A. AUDITOR
NONPROFIT FINANCIAL MANAGEMENT SELF ASSESSMENT TOOL I. Financial Planning/Budget Systems 1. Organization has a comprehensive annual budget which includes all sources and uses of funds for all aspects of
Accounts Payable Outsourcing Follow-Up Audit February 2015 Lori Brooks, City Auditor Susan Edwards, Assistant City Auditor Abraham Gandarilla, Staff Auditor City Auditor s Office February 11, 2015 Honorable
4.0 Receiving Process Delivery of requested products or services marks a transition in the Purchase-to-Pay process from a purchasing activity to a payables activity. All purchases must be received to release
Accounts Payable Policies & Guidelines Updated July 2014 The following outlines all of the policies and guidelines for the Accounts Payable function at Mount Saint Joseph University. The policies dictate
City of San Diego AUDIT REPORT CASH COUNT AND BANK RECONCILIATION AUDIT KROLL REMEDIATION OF THE CITY S BANK RECONCILIATION PROCESS April 28, 2008 Internal Audit Eduardo Luna, CIA, CGFM, Internal Auditor