Department of Purchasing and Supply Management Contract Management Audit Final Report. August 2011. promoting efficient & effective local government

Similar documents
Department of Information Technology Remote Access Audit Final Report. January promoting efficient & effective local government

Department of Finance Department of Purchasing and Supply Management Fixed Assets System Audit Final Report

PERFORMANCE EVALUATIONS OF CONSULTANTS WORKING ON MTA CAPITAL PROJECTS. Barry L. Kluger MTA Inspector General State of New York INTRODUCTION

December 2013 Report No

CITY OF NEW YORK OFFICE OF THE COMPTROLLER John C. Liu Comptroller BUREAU OF FINANCIAL AUDIT H. Tina Kim Deputy Comptroller for Audit

Department of Information Technology Software Change Control Audit - Mainframe Systems Final Report

Office of the City Auditor. Audit Report. AUDIT OF ACCOUNTS PAYABLE APPLICATION CONTROLS (Report No. A10-003) October 2, 2009.

Palm Beach County Clerk & Comptroller s Office Contracting & Purchasing Review

INTERNAL AUDIT REPORT. Review of Software Change Management. Fairfax County Internal Audit Office

Small Business Enterprise Certification Application 49 CFR Part 26


Department of Information Technology Database Administration Management Audit Final Report

Audit of Management of the Government Purchase Card Program, Number A-13-04

City of Berkeley. Prepared by:

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

April promoting efficient & effective local government

Audit of Milwaukee Fire Department Fixed Assets Controls

July 2013 Report No

OFFICE OF INSPECTOR GENERAL. Audit Report

CHAPTER 23. Contract Management and Administration

Data Management Policies. Sage ERP Online

Office of Public Affairs Business Process Audit Final Report

December 2014 Report No An Audit Report on The Telecommunications Managed Services Contract at the Health and Human Services Commission

CITY OF LEMOORE REQUEST FOR PROPOSALS FOR CREDIT CARD PROCESSING SERVICE. City of Lemoore Finance Department 119 Fox St Lemoore, CA 93245

September 2014 Report No

Audit Report on the Procurement Practices of the Campaign Finance Board MH07-101A

SHORT FORM For Use by presently certified firms.

We would like to extend our appreciation to the staff that assisted us throughout this audit. Attachment

CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR. Audit of Transportation and Capital Improvements. On-Call Contracts. Project No.

New York City Budget -audit

Department of Public Works and Environmental Services Division of Solid Waste Disposal and Resource Recovery

May 2011 Report No An Audit Report on Substance Abuse Program Contract Monitoring at the Department of State Health Services

August 2006 Report No

Audit of Controls over Government Travel Cards FINAL AUDIT REPORT

Request for Proposal. Contract Management Software

DOT.Comm Oversight Committee Policy

POSTAL REGULATORY COMMISSION

Purchasing Card Procedure Manual

How to Do Business With Us ST. LOUIS COUNTY GOVERNMENT DIVISION OF PROCUREMENT AND ADMINISTRATIVE SERVICES

Appendix 1 CJC CONTRACT MANAGEMENT POLICIES AND PROCEDURES. Criminal Justice Commission Contract Management Policies and Procedures

Contracting Officer s Technical Representation

Citywide Contract Compliance Audit Report

GOVERNANCE AND MANAGEMENT OF CITY COMPUTER SOFTWARE NEEDS IMPROVEMENT. January 7, 2011

LOCAL GOVERNMENT MANAGEMENT ASSESSMENT OVERVIEW AND QUESTIONNAIRE

AUDIT REPORT INTERNAL AUDIT DIVISION. Invoice Processing in UNAMID. Internal controls over invoice processing were inadequate and ineffective

Health Insurance Portability and Accountability Act (HIPAA) Compliance Audit Final Report

Notice: Request for Proposals For HUMAN RESOURCES CONSULTANT SERVICES

THE SCHOOL DISTRICT OF CHESTER COUNTY 109 HINTON STREET CHESTER, SOUTH CAROLINA 29706

Internal Audit Information Technology Equipment

KAREN E. RUSHING. Audit of Purchasing Card Program

City of Berkeley. Prepared by:

CITY OF LANCASTER RFP NO LANCASTER PERFORMING ARTS CENTER TICKETING SOFTWARE SUBMISSION DEADLINE. July 24, 2015 BY 11:00 A.M.

New York State Medicaid Program

AUDIT REPORT THE ADMINISTRATION OF CONTRACTS AND AGREEMENTS FOR LINGUISTIC SERVICES BY THE DRUG ENFORCEMENT ADMINISTRATION AUGUST

November 2009 Report No

Table of Contents. Transmittal Letter Executive Summary Background Objectives and Approach Issues Matrix...

State of Vermont. Intrusion Detection and Prevention Policy. Date: Approved by: Tom Pelham Policy Number:

LEGISLATIVE AUDIT DIVISION MEMORANDUM

INTERNAL AUDIT DIVISION CLERK OF THE CIRCUIT COURT

Information System Audit Report Office Of The State Comptroller

Department of Health and Mental Hygiene Community and Public Health Administration

OFFICE OF INTERNAL AUDIT. Report to the Board of Supervisors. Human Resources. Employee Benefits Administration

APPLICATION FOR THE E911 RURAL COUNTY GRANT PROGRAM

Auditor General s Office. Governance and Management of City Computer Software Needs Improvement

TABLE OF CONTENTS. Purchasing and Contracts Division Purchasing Policies and Procedures The Competitive Process... 2

Guideline on Access Control

REPORT NO OCTOBER 2010 VALENCIA COMMUNITY COLLEGE. Operational Audit

The consultant found that the original contract s objective of modernizing the state s IT infrastructure has been largely achieved.

Request for Proposal and Qualifications for Audit and Tax Preparation Services October 2015

NEW HAMPSHIRE RETIREMENT SYSTEM

OFFICE OF AUDITS & ADVISORY SERVICES SUNGARD TREASURY MANAGEMENT SYSTEM CONTRACT COMPLIANCE FINAL AUDIT REPORT

Information Technology Operational Audit DEPARTMENT OF STATE. Florida Voter Registration System (FVRS) Report No July 2015

Cayo Software Reseller Agreement

HUB PROGRAM & VENDOR TIP GUIDE

Merchant Account Services

The CFPB Should Continue to Enhance Controls for Its Government Travel Card Program

LEGAL SERVICES CORPORATION OFFICE OF INSPECTOR GENERAL FINAL REPORT ON SELECTED INTERNAL CONTROLS RHODE ISLAND LEGAL SERVICES, INC.

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL

MANSFIELD UNIVERSITY PURCHASING CARD POLICIES AND PROCEDURES GUIDE FOR CARDHOLDERS

Small Business Contracting at Marine Corps Systems Command Needs Improvement

Prince George s County Public Schools

AUDIT REPORT. Materials System Inventory Management Practices at Washington River Protection Solutions

UW-EXTENSION BUSINESS SERVICES POLICY AND PROCEDURE DOCUMENT (BSPPD) #18 CAPITAL EQUIPMENT

CASH HANDLING AND REPORTING

HOSPITAL PURCHASING AND MATERIALS SUPPORT DIRECTOR

APEC Private Sector. Supply Chain Security Guidelines

Travel Card Policy and Procedure Manual

Small Business Enterprises (SBE) Certification Application

Department of Information Technology Active Directory Audit Final Report. August promoting efficient & effective local government

BOARD POLICY DJA: PROFESSIONAL/TECHNICAL SERVICE CONTRACTS

Food Service Management Companies Table of Contents

AV Parking System Review

FINANCIAL POLICIES ADMINISTRATION AND FINANCE

West Texas A&M University: Review of Physical Plant Operations PROJECT SUMMARY. Summary of Significant Results

Seattle Public Schools The Office of Internal Audit

OFFICE OF THE CITY AUDITOR

Audit of Controls Over Contract Payments FINAL AUDIT REPORT

Subsequent Injury Fund

Texas Real Estate Commission Contract Management Procedures

Transcription:

Department of Purchasing and Supply Management Contract Management Audit Final Report August 2011 promoting efficient & effective local government

Introduction The Purchasing and Supply Management Department (DPSM) serves to support the county in the procuring of goods, professional/non-professional and consultant services. The department also administers the Technical Review program so that agencies with technical, functional or program responsibilities can review all purchases that fall under their purview or may impact their area of responsibility. The contract division of DPSM is currently comprised of three active teams of contract administrators assigned to directly support the procurement needs of the county government. This division issues formal and informal solicitation, oversees the selection process, assists in negotiations and awards the ensuing contracts for a variety of contracts including maintenance, one time, requirements, cooperative, sole source, emergency, and blanket contracts. The total number of active contracts for the review period, March 1, 2009, through April 30, 2011, was approximately 890 of which, 83 were new contracts. Executive Summary We found that internal controls were in place and appeared to be adequate and effective to ensure contract management processes and standards are fully established and in compliance with county purchasing policies and procedures. Formal documentation was complete and protected from unauthorized access. However, there were two areas in which controls could be strengthened as follows: DPSM did not have written procedures for contract renewal and expired contract close-out processes. Two temporary employees who no longer worked for the department had readonly access to the application system that stores contract documentation. We would like to commend the DPSM staff for their support and invaluable time spent conducting walk-throughs, meetings, and providing assistance to ensure a thorough understanding of the steps and functions involved in each procurement process reviewed by Internal Audit. Scope and Objectives This audit was performed as part of our fiscal year 2011 Annual Audit Plan and was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The DPSM Contract Management Audit 1

scope of the audit encompassed a review of the management practices, system of internal controls, policies, and procedures pertaining to the contract administration and procurement practices and their compliance with established polices and procedures for the period from March 1, 2009, through April 30, 2010, and our audit objectives were to determine that: Internal controls were adequate and effective to ensure contract management processes and standards were fully established Contract administration processes were in compliance with county purchasing policies and standards Formal documentation was complete and protected from unauthorized access Contract performance was monitored, and contract changes were restricted to authorized personnel Management periodically reviewed the contract management process Adequate controls existed over access to the purchasing application systems, and data/information was protected Methodology Our audit approach included reviewing related policies, procedures, guidelines and processes, conducting individual interviews with the staff, reviewing procurement and contracting documentation including files, reports, segregation of duties, bidding and selection criteria, contracting application systems users lists, and payment reporting entries into the Intranet version of the County and Schools Procurement System (icasps). We selected 30 contracts (requirements, cooperative, maintenance) and reviewed the bidding, selection, and approval processes. Also, we selected ten sole source contracts to determine whether these contracts were valid, properly authorized, and approved. Additionally, test work was performed in the areas of expired and closed-out contracts, advertising processes, debarred and prohibited contractors, LaserFiche Web Access, Intranet Quorum (IQ), and CASPS application controls. Our audit did not examine the system controls over purchasing and financial applications. Our transaction testing did rely on those controls; therefore, this was a scope limitation. The potential impact of this circumstance on our findings was that some portion of transaction data may have been erroneous. Findings, Recommendations, and Management Response 1. Internal Policies and Procedures While DPSM implemented specific procedures for contract renewal and closing out expired contracts, they were not documented. Lack of documentation for DPSM Contract Management Audit 2

department specific procedures increases the potential for inconsistent work processes causing errors, omissions, and control weaknesses. For example, of the six contract renewals tested, one was not processed in a timely manner increasing the risk of inability to renew stated contract services and prices, delays in service, and customer dissatisfaction. Recommendation: We recommend DPSM document their current procedures for contract renewal and expired contracts close-out processes. These procedures should include, but not be limited to, processes for: reviewing the list of expiring contracts; providing written notice to the end-using departments to determine whether they wish to renew or terminate the contract; notifying the vendor of the decision; verifying the final payments have been made to the vendor; and updating the status of the contract in the appropriate application system, as well as the staff position title responsible for performing the duties. Management should involve staff in this process to ensure accuracy, operational efficiency, and effectiveness. Management Response: DPSM will develop written procedures for contract renewal and close-out for expired contracts. The anticipated completion date is November 1, 2011. 2. Access Control We noted one exempt limited term employee who was on annual break, and an intern who no longer worked for DPSM still had read-only access to the LaserFiche Web Access database. LaserFiche is the application that stores contract documentation. However, their access was disabled during the audit. Additionally, of the 95 users, 48 had never logged into the system as of this audit. Finally, we did not see evidence of routine reviews of the LaserFiche Web Access users list. Moreover, a CASPS user whose position title was Material Management Driver had a profile which allowed for department processing of procurement and accounts payable documents. According to DPSM staff, the user who currently works in the warehouse at one point needed this access to perform administrative duties; however, the access was no longer needed. Section 2.1 Account Management/Access Control Policies of the county s IT Security Policy (PM 70-05.1) states that, The owner of information assets shall implement procedures and safeguards to ensure that access to Fairfax County Government information is made available only to those who have the right to such access. The concept of Least Privilege, i.e., providing only those privileges necessary to perform one s job function, will be used to insure the security of networks, computers, and Fairfax Government data. Failure to remove a transferred and/or terminated employee s access to contract documentation increases the risk of unauthorized access to the system and its DPSM Contract Management Audit 3

sensitive information in addition to loss of data. Recommendation: We recommend DPSM review and document user s access to the application systems that store contract information on a regular basis, and send out notices to the appropriate supervisors to confirm the user status. Inactive users should be removed from the list or their access should be disabled. Additionally, DPSM should update the New Employee and Exiting Employee Program Procedural Memorandum, No. 12-111, to include procedures to remove access privileges from all contract-related application systems when an employee leaves the department, or modify access levels if an employee s job description changes requiring different access to the application systems. These procedures should also assign responsibility for removing information systems access, and ensure accountability for timely performance. The department should periodically review system records to ensure access was removed promptly. Management Response: DPSM will update IPM 12-111 to include removing access privileges from contract-related application systems when an employee leaves DPSM or modify access levels if an employee s job description changes requiring different access to the application systems. The updated procedure will assign responsibility for removing information systems access and assign accountability for these actions. This action is tasked to the human resources coordinator. The anticipated completion date is November 1, 2011. DPSM will use e-mail notification from the IT service desk users whose RACF IDs have been changed as a trigger to modify Laserfiche access, if applicable. Implementation of the process will start by November 1, 2011. DPSM conducts a full review of CASPS user access annually in January. The review will be expanded to include a review of Laserfiche and DPSM IQ users to validate their system access requirements. The anticipated completion date is February 28, 2012. DPSM Contract Management Audit 4

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information