UNIVERSITY OF CALIFORNIA, SANTA CRUZ OFFICE OF INTERNAL AUDIT AND ADVISORY SERVICES Direct Payment Unit Controls AUDIT NUMBER: SC-08-03 End of Field Work: 2/14/08 Final Report Date: 5/2/08 In-charge Auditor Date Approved Date Brigitte Desouches Geraldine C. Gail Director - Internal Audit and Advisory Services TABLE OF CONTENTS
I. EXECUTIVE SUMMARY...3 II. INTRODUCTION...3 A. Purpose...3 B. Scope...3 C. Background...4 D. Positives...5 III. REMAINING ISSUES...5 A. Library Pro-card Statement Approval...5 B. Center for Adaptive Optics Completion of IRS Vendor Form 204...6 C. Physical Plant Separation of Duties...7 D. Bookstore Offsite location to store back-up media...7 E. Bookstore Sequoia System Accounting Functionality...8 **** 2
I. EXECUTIVE SUMMARY The purpose of this audit was to review the adequacy of financial controls in the five campus units who process their own payments (invoice payment, travel, entertainment and credit card expenses) without using the central function of the Financial Administration Services & Transactions unit (FAST). Following Statement of Auditing Standards (SAS)-112 guidelines to identify control deficiencies that could result in financial reporting misstatements, we looked for possible control weakness. Overall, we found adequate controls in place and compliance with policies and regulations. There were no material weakness or significant deficiencies; we made a few minor recommendations to strengthen separation of duties, Internal Revenue Services (IRS) compliance, back-up media security, and work efficiency, as discussed in Section III. II. INTRODUCTION A. Purpose The purpose of this audit was to review, in light of SAS 112 guidelines, the effectiveness of campus internal controls related to issuance and approval of direct payments, invoice payments, credit card transactions and compliance with applicable University policies and state/federal regulations for the five campus units who process their own payments. We also reviewed the access controls to non-financial Information System (FIS) computing systems and computing back-up storage for each unit. B. Scope We sent internal control questionnaires to the five audited units: Bay Tree Bookstore (Bookstore), Library, Physical Planning & Construction (PP&C), Physical Plant and University of California Observatories/Lick Observatory (UCO/Lick). We interviewed unit staff to gain an understanding of the purchasing, invoice payments and direct pay processes. To verify internal controls and policy compliance, we performed limited testing of financial transactions from July 1, 2006 to June 30, 2007. We reviewed seventy-seven (77) payments and credit card transactions, nineteen (19) Pro-card individual statements and verified thirteen (13) flow charts to review appropriateness and separation of duties for expense authorization and on-line payment approval. We also matched these flow charts with the FIS Approval Queue Summaries provided to us by the FIS staff. Major areas reviewed included: separation of duties, authorization and system approval queues; ledger review and reconciliation; supporting documentation; purchasing card (Pro-card) administration; access controls to non-fis computing systems; and disaster/back-up recovery procedures and practices. 3
C. Background For almost three years, the payments of campus accounts payable, travel and entertainment expenses and campus purchasing credit card (Pro-card) expenses have been centralized and processed through the Financial Administrative Services & Transactions (FAST) unit. FAST utilizes FIS equipped with Banner software. FIS is the system of record for the UCSC official campus financial ledgers and chart of accounts. Because of the unique nature of five campus units, Bookstore, Library, PP&C, Physical Plant and UCO/Lick, their financial transactions and payments were not consolidated into FAST. Reasons included Bookstore s retail operation, PP&C s million dollars construction contracts, and UCO/Lick s specialized observatory related purchases. Three types of payment processes, independent from the campus central system, are used by these units: 1) Invoice with Encumbrance (Invoice) is the payment of a vendor s invoice based on a prior purchase order. 2) Invoice without Encumbrance (Direct Pay) is the payment of travel, entertainment and miscellaneous expenses. Invoice payment: Vendors send purchase orders (PO) invoices directly to the five units instead of routing them to FAST. PP&C and Physical Plant use only the centralized CruzBuy purchasing system to issue POs to vendors. CruzBuy interfaces with Banner, therefore these two units, PP&C and Physical Plant, pay their invoices in Banner from POs that have been downloaded from CruzBuy. PP&C construction contracts do not go through CruzBuy. Contracts are established at PP&C and directly entered in Banner by the Plant Accounting unit. Payments on contracts are processed in Banner by PP&C and approved by Plant Accounting. UCO/Lick, for reason of system configuration, does not use CruzBuy. They use Banner for all of their purchase orders and payments of invoices. The two last units, Bookstore and Library, for the bulk of their purchases, use two systems that do not interface with FIS Banner: o the Bookstore purchases its goods for resale through the Sequoia Retail System, a system used by many colleges and universities. o the Library uses Innovative's Millennium library system for their purchases of books and serials. o these two units process only supplies and equipment purchase for their offices through CruzBuy. The degree of control provided depends on the system used for purchases. Units who purchase and pay on separate systems, have to mitigate the risk of entries errors; provide internal cross references and reconciliations; and ensure adequate separation of duties. 4
Direct Payments: All five units process their travel, entertainment and miscellaneous expenses through Banner Direct Pay. Pro-card Payments: Each of these units administers their own Pro-card payments, abiding to campus policy and procedures but bypassing the control provided by central campus Pro-card administrator and FAST. In this audit, we paid special attention on the controls not provided by campus centralized organizations. D. Positives We found adequate controls, consistent compliance to segregation of duties, good systems to safeguard authorized approvals and observance of policies and procedures as follows. Purchasers could not access payment processing, and financial disbursement staff were not able to initiate a purchase. Transactions were approved by staff with no data entry access ensuring adequate exploration of duties. We reviewed the pre-authorization procedures for purchase requests, invoice payments, travel and entertainment expenditures and found satisfactory controls in place. On-line approvals for purchases, invoice payments and direct payments were appropriate. Discount opportunities were watched for and taken as much as possible. Processes and procedures were in place for matching original invoices against purchase orders (in Banner, Sequoia or Millenium) and shipping documents. Credit memos were few and monitored closely in the non-retail units. The Bookstore manages diligently their credit memos on a database. Monthly ledger reviews by managers were documented with initialized ledgers and/or a current review log. Reconciliations of separate ledgers were conducted, when necessary. Pro-card statements reviewed were correctly documented, properly reviewed and signed with one exception, and completed within the time range established by Central Purchasing. We found good controls over computer access, and, except at the Bookstore, all back-up media was stored off-site. We would like to express our appreciation to the five units for their gracious cooperation in completing this audit over a lengthy time gap due to a change in auditors. Our special thanks to Patti Mc Gill, Lois Neal, Connie Croker, Roe Shapiro, Myra Katsuki, Susan Bright and Anne Gavin. III. REMAINING ISSUES The following minor issues were noted: A. Library Pro-card Statement Approval Each month the Pro-card credit card bank issues a statement per cardholder showing all itemized expenses incurred during the month. According to Pro-card policies and guidelines: 5
the Cardholder must: Provide reconciled monthly statements, with attached sales receipts, packing slips, and other similar documentation, to the Cardholder Supervisor. the Cardholder Supervisor must: Review purchases to ensure they meet objectives and are within restrictions placed on Card, and forward signed and dated statement to FAST (in the case of this audit to the Unit Pro-card Administrator) within 10 working days of statement issuance date At the Library, one statement was signed by the unit Pro-card administrator instead of the cardholder supervisor. Supervisor s review is essential to monitor the expenses disbursed from a department fund; in addition, having the Pro-card administrator sign the statement does not create adequate separation of duties. RECOMMENDATION TO THE LIBRARY ADMINISTRATIVE SERVICES MANAGER (Medium Risk): A.1. Ensure that all Pro-card statements are reviewed and signed by the cardholder s direct or delegated supervisor. RESPONSE FROM THE LIBRARY ADMINISTRATIVE SERVICES MANAGER: A.1. Process was implemented on 11/20/07 to ensure that a back-up cardholder supervisor was in place to review and sign Pro-card statements when primary cardholder supervisor was absent Responsible Party: Anne Kearney, Library Administrative Services Manager Due Date: Implemented B. Center for Adaptive Optics Completion of IRS Vendor Form 204 Every year, a number of Center for Adaptive Optics (CfAO) student interns participate in summer programs. Related to these programs, these students received non-employee compensation as well as reimbursement of travel expenses. Campus Forms 204, related to Internal Revenue Services (IRS) reporting, were not always accurately completed for these payees, noting that the payee will receive taxable non-employee compensation and non-taxable reimbursements. This form is required to be filled out for every person before they can receive a payment from the University (other than payroll). The department sponsoring the expenditure needs to fill it out and forward it to FAST who then enters the person as a vendor in Banner. Only then the payment can be processed. In this case the CfAO, who is sponsoring the student summer program, was responsible for these forms to be filled out accurately and sent to FAST. This procedure ensures that all non-employee compensation issued by the campus will be properly reported to the IRS RECOMMENDATION TO THE CfAO MANAGING DIRECTOR (Medium Risk): 6
B.1. Update procedure for filling out the Payee Set-Up Form 204 for student interns: in order to ensure compliance with the IRS and trigger the 1099 automatic default in Banner, specify in the Activity check boxes the two types of payment they will be receiving: Non- Employee Compensation and Reimbursement. RESPONSE FROM THE CfAO MANAGING DIRECTOR: B.1. The CfAO s Financial Analyst, who is responsible for preparing the Campus Forms 204 has reviewed the comments regarding the correct procedure to be followed in completing these forms and has discussed the process with the Managing Director. We are confident that she fully understands the requirements. All check boxes will completed as described in the B1 requirement above. Responsible Party: Debbie Meyers, CfAO Financial Analyst Due Date: Implemented C. Physical Plant Separation of Duties For several years, the Physical Plant Store Supervisor has had the ability to make and approve orders up to $500. He occasionally receives in-coming orders sent by vendors, issues supplies to jobs and helps perform the annual inventory. Additional separation of duties is needed. At the minimum the supervisor should not approve his own orders. AGREED UPON MANAGEMENT ACTION WITH PHYSICAL PLANT (Medium Risk): C.1. Physical Plant Business Manager will cancel the Store Supervisor access to purchase on line approval. Responsible Party: Susan Bright, Physical Plant Business Manager Due Date: Implemented on 4/1/08 D. Bookstore Offsite location to store back-up media A past audit recommendation to the Bay Tree Bookstore to store back-up media in an offsite location was not implemented. The back-up media is still stored on a drive in the same building as the bookstore server. It should be stored on electronic media, taken to a different location on campus and regularly renewed. To have the back-up files in the same place as the server presents a risk of loosing major data in case of small fire or server room break-in. RECOMMENDATION TO THE BAY TREE BOOKSTORE DIRECTOR (Medium Risk): D.1. Promptly find a solution to store the Bay Tree Bookstore back-up media off site RESPONSE FROM THE BAY TREE BOOKSTORE DIRECTOR: D.1. We are seeking locations that are secure, reasonably accessible and convenient to two or more Bookstore employees, reasonably inexpensive, and that are not a storage and access imposition to other campus units. Since we are also actively seeking an off-campus 7
warehouse site, we see this as the ultimate combined solution. We are anticipating obtaining a warehouse site over the summer, or sooner. If that does not happen, and also in the meantime, we have arranged for limited space in Hahn Student Services building. Responsible Party: Amy Purcell, Bay Tree Bookstore Programmer Analyst / Bob McCampbell, Bay Tree Bookstore Executive Director Due Date: Hahn storage, May 1, 2008 Off-Campus storage, July 31, 2008 E. Bookstore Sequoia System Accounting Functionality Bay Tree Bookstore orders all goods for resale through the Sequoia System purchasing module. Upon receipt of an invoice, a financial assistant performs duplicate entries for both the invoice and the purchase information: 1) The FileMaker Pro, used as a payables management system; and 2) in Banner in order to process the invoice payment as a Direct Pay. The Sequoia System, we learned, has an accounting functionality module that some University of California campuses use. The data entered in FileMaker Pro already exists in Sequoia. It would seem worthwhile to explore the possibility of using the Sequoia accounting module instead of FileMaker Pro and avoiding the cost involved with keeping a shadow payable system. RECOMMENDATION TO THE BAY TREE BOOKSTORE DIRECTOR (Low Risk): E.1. Perform a study to determine the costs and benefits to use the Sequoia accounting functionality module to replace FileMaker Pro to manage accounts payables. RESPONSE FROM THE BAY TREE BOOKSTORE DIRECTOR: E.1. Some studying has already been done. One other UC campus bookstore (Irvine) utilizes the Sequoia Point of Sale system. The store does utilize a Stock Ledger module from Sequoia, but not the actual Accounting/General Ledger Module itself. At this point they are also paying their invoices and handling their accounting needs through the campus General Ledger system, which is not BANNER, and monitoring the activity through an in-store system, likely similar to ours. Sequoia has indicated to me that they do have customers utilizing their POS and Accounting/General Ledger module in conjunction with BANNER, and that each is a customized module because BANNER installations are unique to a particular campus needs. We will review and study this further between now and August 31, 2008. Responsible Party: Patti McGill, Bay Tree Bookstore Business Office Manager / Bob McCampbell, Bay Tree Bookstore Executive Director Due Date: August 31, 2008 *** 8