Comptroller of the Treasury. Central Payroll Bureau

Transcription

1 Audit Report Comptroller of the Treasury Central Payroll Bureau August 2003

2 This report and any related follow-up correspondence are available to the public. Alternate formats may also be requested by contacting the Office of Legislative Audits as indicated at the bottom of the next page or through the Maryland Relay Service at Please address specific inquiries regarding this report to the Audit Manager listed on the inside back cover by telephone at (410) Electronic copies of our audit reports can be viewed or downloaded from the Internet via The Department of Legislative Services Office of the Executive Director, 90 State Circle, Annapolis, Maryland can also assist you in obtaining copies of our reports and related correspondence. The Department may be contacted by telephone at (410) or (301)

3 August 13, 2003 Delegate Van T. Mitchell, Co-Chair, Joint Audit Committee Senator Nathaniel J. McFadden, Co-Chair, Joint Audit Committee Members of Joint Audit Committee Annapolis, Maryland Ladies and Gentlemen: We have audited the Comptroller of the Treasury - Central Payroll Bureau (CPB) for the period beginning May 9, 2000 and ending March 3, Our audit disclosed that CPB did not thoroughly review agency requests for online payroll processing capabilities and available computer security features were not used effectively to protect certain State payroll data. Furthermore, CPB did not establish proper internal controls over certain types of disbursements. Respectfully submitted, Bruce A. Myers, CPA Legislative Auditor

4 2

5 Table of Contents Background Information 4 Agency Responsibilities 4 Current Status of Findings From Preceding Audit Report 4 Findings and Recommendations 5 Disbursement Transactions * Finding 1 Proper Internal Controls Were Not Established Over the 5 Processing of Certain Disbursement Transactions State Payroll System Finding 2 CPB Approved Agency Requests for On-line Access to the 5 State s System Without Ensuring the Propriety of Each Employee s Access Payroll Processing Finding 3 Access to Critical Automated Payroll Processing Functions 6 Was Improperly Granted to Numerous CPB Employees Computer Security * Finding 4 Monitoring of Direct Modifications to Critical Payroll Files 7 Was Inadequate Audit Scope, Objectives and Methodology 8 Agency Response Appendix * Denotes item repeated in full or part from preceding audit report. 3

6 Agency Responsibilities Background Information The Central Payroll Bureau (CPB), which is a unit of the Comptroller of the Treasury, is primarily responsible for processing and issuing payroll checks and direct deposit advices on a bi-weekly basis for the regular State payroll, and the payrolls of the Maryland Department of Transportation and the University System of Maryland. CPB is also responsible for processing payroll deductions, certain employee withholding statements, and other payroll reports for State government. Current Status of Findings From Preceding Audit Report Our audit included a review to determine the current status of the three fiscal/compliance findings contained in our preceding audit report on CPB dated October 18, We determined that CPB satisfactorily resolved one of these items. The remaining two items are repeated in this report. 4

7 Disbursement Transactions Findings and Recommendations Finding 1 Proper internal controls were not established over the processing of certain disbursement transactions. Analysis CPB did not fully use the security features available on the State s Financial Management Information System (FMIS) to establish proper internal controls over certain disbursements. Consequently, unauthorized transactions could be processed which may not be readily detected. Specifically, five employees could initiate and approve certain disbursement transactions without independent approval. Furthermore, three of these employees could establish vendors on the system. A similar condition was commented upon in our preceding audit report. During fiscal year 2002, disbursement transactions totaling approximately $9.3 million were both initiated and approved by three of these employees. Recommendation 1 We again recommend that CPB fully use the available FMIS security features by establishing independent on-line approval requirements for all critical disbursement transactions. State Payroll System Finding 2 The CPB approved agency requests for on-line access to the State s payroll processing system without ensuring the propriety of each individual employee s access. Analysis CPB did not review on-line payroll processing capability requests submitted by State agencies to ensure that employees were not granted incompatible payroll functions. Specifically, each State agency submits security forms to CPB indicating the payroll processing capabilities requested for its employees. These capabilities include the ability to modify the on-line payroll time reports and the 5

8 ability to release these reports for processing. However, CPB granted the payroll processing capabilities requested by the State agencies without reviewing the forms to identify incompatible processing functions. Our review of the on-line payroll processing capabilities granted to employees at eight State agencies disclosed that at three agencies, eleven employees could both prepare the on-line payroll time reports, and release the reports for processing, without independent review and approval. The payroll expenditures of these three agencies totaled approximately $424 million during fiscal year Recommendation 2 We recommend that CPB review the current on-line payroll processing capabilities of State employees, identify those employees with incompatible functions, and advise the applicable State agencies so that appropriate corrective action can be taken. Additionally, we recommend that in the future, CPB review the payroll processing capability request forms submitted by State agencies to ensure that employees are not granted incompatible capabilities. Payroll Processing Finding 3 Access to certain critical automated payroll processing functions was improperly granted to numerous CPB employees. Analysis Numerous CPB employees had access to 11 critical automated payroll processing functions even though their job responsibilities did not require such access. For example, 39 CPB employees had the ability to modify wage garnishment information on the system, even though only 4 CPB employees were actually responsible for adding or deleting a wage garnishment or changing a garnishment amount. We were advised by CPB management personnel that reliance is primarily placed on manual supervisory reviews of changes made to critical payroll data to detect any unauthorized changes. However, the automated controls that are available to prevent unauthorized personnel from modifying critical payroll data should be used. Recommendation 3 We recommend that access to critical automated payroll processing functions be limited to only those CPB employees whose job duties require such access. 6

9 Computer Security Finding 4 Monitoring of direct modifications to critical payroll files was inadequate. Analysis Monitoring procedures for direct modifications to CPB s critical payroll production data and program files were not adequate. CPB uses the Comptroller of the Treasury s Annapolis Data Center to process the State s payroll. The Data Center's computer system contains a security software system capable of restricting and logging direct modification access to CPB s data and program files. CPB, however, did not fully use these capabilities to detect unauthorized changes to critical payroll production data and program files. Specifically, we noted that CPB personnel did not review the security log reports used to record direct modification accesses to critical production data and program files. As a result, improper or unauthorized modifications to critical payroll files may not be detected by CPB management. A similar condition was noted in our preceding audit report. Recommendation 4 We again recommend that CPB revise security procedures so that security logs of direct modification accesses to critical payroll files are reviewed and investigated by supervisory personnel. These reviews should be documented and retained for future reference. 7

10 Audit Scope, Objectives and Methodology We audited the Comptroller of the Treasury - Central Payroll Bureau (CPB) for the period beginning May 9, 2000 and ending March 3, The audit was conducted in accordance with generally accepted government auditing standards. As prescribed by the State Government Article, Section of the Annotated Code of Maryland, the objectives of this audit were to examine CPB s financial transactions, records and internal control, and to evaluate its compliance with applicable State laws, rules and regulations. We also determined the status of the findings contained in our preceding audit report. In planning and conducting our audit, we focused on the major financial related areas of operations based on assessments of materiality and risk. Our audit procedures included inquiries of appropriate personnel, inspection of documents and records, and observation of the CPB s operations. We also tested transactions and performed other auditing procedures that we considered necessary to achieve our objectives. Data provided in this report for background or informational purposes were deemed reasonable, but were not independently verified. Our audit did not include certain support services provided to CPB by the Comptroller of the Treasury Office of the Comptroller. These support services (such as processing of invoices, maintenance of accounting records, and related fiscal functions) are included in the scope of our audits of the Office of the Comptroller. Our audit also did not include certain support services provided to CPB by the Comptroller of the Treasury Information Technology Division related to the procurement and monitoring of information technology equipment and services. These support services are included in the scope of our audits of the Information Technology Division. CPB s management is responsible for establishing and maintaining effective internal control. Internal control is a process designed to provide reasonable assurance that objectives pertaining to the reliability of financial records, effectiveness and efficiency of operations including safeguarding of assets, and compliance with applicable laws, rules and regulations are achieved. Because of inherent limitations in internal control, errors or fraud may nevertheless occur and not be detected. Also, projections of any evaluation of internal control to future periods are subject to the risk that conditions may change or compliance with policies and procedures may deteriorate. 8

11 Our reports are designed to assist the Maryland General Assembly in exercising its legislative oversight function and to provide constructive recommendations for improving State operations. As a result, our reports generally do not address activities we reviewed that are functioning properly. This report includes conditions that we consider to be significant deficiencies in the design or operation of internal control that could adversely affect CPB s ability to maintain reliable financial records, operate effectively and efficiently and/or comply with applicable laws, rules and regulations. Our audit did not disclose any significant instances of noncompliance with applicable laws, rules, or regulations. The Office of the Comptroller s response, on behalf of CPB, to our findings and recommendations is included as an appendix to this report. As prescribed in the State Government Article, Section of the Annotated Code of Maryland, we will advise the Office regarding the results of our review of its response. 9

12

13

14 AUDIT TEAM Mark A. Ermer, CPA Audit Manager A. Jerome Sokol, CPA Information Systems Audit Manager Jeffrey C. Womack, CPA Senior Auditor Omar A. Gonzalez, CPA Information Systems Senior Auditor Hun K. Hur Staff Auditor