The URL can be used to link to this page

Home My WebLink About03.d. Review Internal Audit Report on Payroll Controls Page 1 of 12 Item 3.d. Central Contra Costa Sanitary District June 26, 2018 TO: FINANCE COMMITTEE FROM: THERESA NI DETZ, INTERNAL AUDITOR REVIEWED BY: PHILIP R. LEI BER, DIRECTOR OF FINANCE AND ADMINISTRATION ANN SASAKI, DEPUTY GENERAL MANAGER ROGER S. BAILEY GENERAL MANAGER SUBJECT: REVIEW INTERNAL AUDIT REPORT ON PAYROLL CONTROLS Attached is the completed Internal Audit report on Payroll Process Controls. This report is routed through the Finance Committee given the subject matter of the audit, and the Finance Committee's charter to address: • Appropriate levels of internal controls • Oversee proper use of financial resources • Review expenditures The payroll area was selected for review as part of the Fiscal Year(FY)2017-18 internal audit work program given the transfer of the payroll function from Finance to Human Resources, and the changes in responsibilities that took place for a sensitive area which compromises a substantial portion of Central San's spending (over 50% of the annual revenue requirement). The format of the report is as follows: • Audit Objective • Background • Audit Scope, Limitations and Methodology • Summary • Findings; including Recommendation and Management's Response/Action Plan The ten findings related to this controls assessment are documented in the report, as well as actions that management of the relevant areas (Human Resources, Finance, Information Technology) have committed to take in response to the findings. A target date for the actions is also provided and committed to by Management. After review of the report by the Finance Committee, the Internal Audit Report is to be presented to the Board. This report is the last scheduled to be brought to the Board during the current fiscal year. June 26, 2018 Regular FINANCE Committee Meeting Agenda Packet- Page 88 of 156 Page 2 of 12 The Internal Audit function will next bring to the Board a proposed work plan for FY 2018-19. While that document was scheduled for discussion early in the fiscal year, it may be deferred for a period of time until a new staffing approach is developed for the internal audit function. The current internal auditor has elected to continue her professional practice at another client, and Central San will need to proceed with an alternative arrangement for continuing the function. Management presently anticipates drafting and releasing an RFP for internal audit services during the first quarter of FY 2018-19, but is also exploring other options. Strategic Plan Tie-In GOAL ONE:Provide Exceptional Customer Service Strategy 2- Foster employee engagement and interdepartmental collaboration GOAL THREE:Be a Fiscally Sound and Effective Water Sector Utility Strategy 2- Manage costs GOAL SIX:Embrace Technology, Innovation and Environmental Sustainability Strategy 2- Reduce reliance on non-renewable energy ATTACHMENTS: 1. Internal Audit of Payroll Process Controls June 26, 2018 Regular FINANCE Committee Meeting Agenda Packet- Page 89 of 156 Page 3 of 12 CENTRALENTRAL SAN i ■ ■ SANITARY DISTRICT IMHOFF PLACE, MARTINEZ, ■ 94553-A392 DATE: June 19, 2018 TO: Philip R. Leiber, Director of Finance and Administration Teji O'Malley, Human Resources Manager Thea vassallo, Finance Manager FROM: Theresa Nidetz, Internal Auditor SUBJECT: INTERNAL AUDIT OF PAYROLL PROCESS CONTROLS (PART 1) Enclosed is the report on the audit of Central San's Payroll Process Controls after the transition of the Payroll processing function from Finance to the Human Resources Division. We have reviewed management's response to our recommendations and have included them in the audit report. The actions taken and/or planned are responsive to the recommendations in the report. The Internal Audit department request that you provide quarterly status reports on the implementation progress of the recommendations. The Internal Audit department will contact you or your designee near the end of each quarter to request your response. Additionally, testing will be conducted as part of the Payroll Audit Fiscal Year 2018-19 to verify that the agreed-upon corrective actions have been implemented. Your response and updates on the status of the recommendations can be documented in the Audit Findings and Recommendations Tracker that is required until all actions have been implemented. A copy of the tracker will be shared with you and your team. cc: Board of Directors Finance Committee Roger S. Bailey, General Manager Ann Sasaki, Deputy General Manager June 26, 2018 Regular FINANCE Committee Meeting Agenda Packet- Page 90 of 156 Page 4 of 12 INTERNAL AUDIT OF PAYROLL PROCESS CONTROLS (Part 1) DATE: June 19, 2018 INTRODUCTION Audit Objective The objective of the audit was to identify and assess the design of internal controls over Payroll processing and payroll-related transactions subsequent to transition of the Payroll function from Finance to the Human Resources department in October 2017. Background As of January 31, 2018, Central San had a total of 273 full-time and 23 temporary employees on the payroll. Central San's budgeted salaries,wages and employee benefits net of capitalized overhead and benefits totaled approximately$76.6 million for the current fiscal year, representing approximately 56 percent of Central San's overall four sub- fund budgeted spending of$137.2 million. Expense Category Total as of 6/30/17 Salary/Wages/Overtime (Mgt and Non-Mgt) $37,650,475 Current Employee Benefits 18,807,075 Retiree Benefits 51946,000 Payments for Unfunded Actuarially Accrued 141179,261 Liability(UAAL) Total Salaries, Benefits and Payments for UAAL 76,582,811 (Active employees and retirees) Source: Central San FY 2017-18 Budget, page 19, and page 13. http://centralsan.orp/index.cfm?navid=1534 The District's payroll is processed in-house by a Payroll Analyst using the SunGard system and Microsoft(MS) Excel spreadsheets for calculations and balancing.Time reporting is done using time sheets on Excel templates which are completed by each employee and approved by their supervisors. Central San is in the process of testing and implementing an automated timekeeping application. In addition, Central San will be evaluating various ERP systems to replace SunGard during FY 2018-19. Audit Scope, Limitations and Methodology The scope of this review focused on the internal controls framework and design of controls over Payroll and did not include evaluation of controls prior to the October 2017 transition or controls related to the proposed timekeeping system. Internal Audit plans to conduct afollow-up audit of payroll in FY 2018-19 that will include testing of payroll processing of current employees, new hires, terminations, retirements,and other personnel actions impacting pay and benefits. Central Contra Costa Sanitary District.2059.1.1 nternal_Audit—of_Payroll_Process_Controls_2018_Report_FI NAL.docx 2 June 26, 2018 Regular FINANCE Committee Meeting Agenda Packet- Page 91 of 156 Page 5 of 12 The review was performed using the following methods: • Interviewed team members and observed the processes within the scope of the audit • Reviewed policies, guidelines and procedures • Obtained and reviewed examples of evidence of existing controls • Reported on audit results and discussed recommendations INTERNAL AUDIT RESULTS Summary Based on Internal Audit's assessment of the controls designed around the Payroll process, certain improvements are needed to minimize the risk that payroll is not processed timely, accurately and completely. Responsibility for carrying out the necessary controls and accountability for ensuring that said controls are operating effectively need to be formalized and documented. Audit observations and recommendations were made regarding the following: • Procedures Need Updating • Controls over Payroll Records and Employee Information • Segregation of Duties for Processing and Reviewing Payroll • Evidence of Independent Reviews/Verifications • Appropriateness of Roles and Responsibilities • Documentation for New Hires and Terminations • Reconciliation of Payroll-related GL Accounts Finding 1: Personnel Action Form (PAF) Procedure Needs Updating The Human Resources Procedure for Personnel Action Forms(last updated September 2010) does not reflect current practices as follows: • The PAF procedure requirement for Employee signature and Department Director and General Manager approvals on the PAF was eliminated in 2015 for certain routine actions. This change was not reflected in the procedure and was communicated by an email from the H.R. Manager to directors and managers. • The PAF procedure states that for merit increases,the PAF will not be processed without a corresponding performance review. However, in practice, exceptions to this requirement are made on a case-by-case basis. • The PAF procedure requirement for Board approval of any unpaid leave exceeding 30 days was eliminated in 2013. But this change is not reflected in the procedure. Recommendation: Human Resources management needs to review and update the Personnel Action Form Procedure to reflect current requirements. Because this procedure includes controls such as requirements for documentation and approval of personnel actions,the revised PAF Procedure should be routed for approval and signature by the General Manager. Central Contra Costa Sanitary District.2059.1.Internal_Audit-of Payroll—Process—Controls-2018—Report FINAL.docx 3 June 26, 2018 Regular FINANCE Committee Meeting Agenda Packet- Page 92 of 156 Page 6 of 12 Management's Response/Action Plan: Management agrees with this finding and the Personnel Action Form Procedures will be revised to reflect the current practice(s). Target Date/Responsible:July 2018/Teji O'Malley Finding 2: Payroll Operating Procedures Need to be Revised Prior to the October 2017 transition,the Payroll Analyst's responsibilities included all tasks related to payroll including: receipt of time sheets/leave taken; entry of time into the payroll system; adjusting salary/hourly rates; inputting changes to deductions and withholdings; balancing hours, salaries, deductions, withholdings, benefits; generating paychecks/direct deposit transmission file; printing paychecks and pay advices; delivering pay checks and advices to departments;transmitting direct deposit file to the bank; remitting payroll withholdings and deductions; and reconciling payroll-related General Ledger accounts. One of the Finance Administrators and, in some instances the Finance Manager, reviewed the Payroll Analyst's work. Because of the relocation of the Payroll function from Accounting to Human Resources department, some accounting-related tasks previously performed by the Payroll Analyst (such as printing paychecks and direct deposit advices and reconciling GL accounts)were re-assigned to various individuals in Accounting. The H.R. Manager is now a reviewer in the payroll process in addition to the Finance Administrator and Finance Manager. However, in anticipation of the new time keeping application being implemented in mid-2018, management has not yet updated the Payroll Desktop Procedures "Finance Desktop Procedures/86 Payroll—June 2016"to reflect current division of tasks and which function or department performs the tasks. Recommendation: The Payroll desktop procedure "Finance Desktop Procedures/86 Payroll—June 2016"should be updated once the automated timekeeping application is in place in mid-2018. The procedure should include which tasks are performed by H.R./Payroll and which are performed by Finance. A more detailed SOP that replaces the current "bullet-point" procedure would also facilitate cross-training of staff for succession planning and business continuity purposes. [See also Segregation of Duties finding and recommendation below.] Management's Response/Action Plan: Management agrees with this finding and procedures shall be updated once the implementation of Intellitime°, the electronic timekeeping system, is implemented. Target Date/Responsible: October 2018/Teji O'Malley and Phil Leiber Central Contra Costa Sanitary District.2059.1.Internal—Audit-of Payroll—Process—Controls-2018—Report FINAL.docx 4 June 26, 2018 Regular FINANCE Committee Meeting Agenda Packet- Page 93 of 156 Page 7 of 12 Finding 3: Access to Electronic Payroll Records and Employee Information A) A review of users' access to the Human Resources and Payroll modules in SunGard is not performed and documented by management on a regular basis. • Internal Audit requested and reviewed a user access report prepared by IT and noted that 4 IT department employees, 2 generic user ID's, and S Finance employees appear to have access to payroll functions without clarification as to what type of access they have within the system. 0 H.R. and Finance management were not performing a review of the (ad hoc) user access report because it is difficult to interpret and review. B) A review of who has what type of access to H.R. and Payroll documents stored on the internal network drives is not performed on a regular basis to ensure that only authorized individuals have access to the files and that the appropriate access (read-only,write, etc.) is granted based on each user's job responsibilities. Recommendation: A) In order for management to perform timely and effective reviews of user access, a request should be made for IT to provide a more user-friendly report that lists users and their access to the Human Resources and Payroll functions. The review by the H.R. Manager and Finance Manager should be done at least annually and should be evidenced by their sign-off on the report(s) reviewed, noting any exceptions that need to be explained and/or corrected. B) The H.R. Manager should perform a review of user access to H.R./Payroll records maintained on the network drives for appropriateness of access granted to users. Evidence of the H.R. Manager's review should be documented and retained. Management's Response/Action Plan: A) The year-end financial close schedule (period 12) has been updated to include a review of user access. The H.R. annual activity schedule has been updated to include the H.R. Manager's review of user access to the H.R. and Payroll system functions. IT will develop and provide a more user-friendly report for review by the Finance Manager and H.R. Manager. B) The H.R. annual activity schedule has been updated to include the H.R. Manager's review of user access to the H.R. and Payroll documents on the network. Target date/Responsible: A) August 2018/Thea Vassallo, Teji O'Malley and John Huie B) July 2018/Teji O'Malley Finding 4: Protection of Physical Payroll Records and Employee Information Payroll forms and reports are kept in the Payroll Analyst's office inside of filing cabinets. Currently,the Payroll Analyst is the only person with a key specific to her office. Even though the Payroll Analyst's office door is locked after office Central Contra Costa Sanitary District.2059.1.Internal_Audit-of Payroll—Process—Controls-2018—Report FINAL.docx 5 June 26, 2018 Regular FINANCE Committee Meeting Agenda Packet- Page 94 of 156 Page 8 of 12 hours, certain other employees outside of the H.R./Payroll functions hold "master" keys that can unlock any office door in the HOB location. As of May 2018,these individuals include the Risk Management Administrator, General Manager, IT Department Manager, Security Guards, Safety Officer, Operations Safety Specialist, and Director of Engineering &Technical Services. Recommendation: A) Master keys should only be issued to authorized individuals based on business need and job responsibilities and only upon written approval from the General Manager or Deputy General Manager. Access Controls Procedures—AP016 should be revised to include this approval requirement. B) For business continuity purposes, another H.R. staff member or the H.R. Manager should also have a key specific to the Payroll Analyst's office in case access to payroll records is needed in the Payroll Analyst's absence. Management's Response/Action Plan: A) Access Controls Procedures—AP016 will be revised to include written approval by the GM or Deputy GM for issuance of a master key. B) The H.R. Manager will be issued a key to the Payroll Analyst's office and file cabinets. Target Date/Responsible: A) July 2018/Teji O'Malley B) June 2018/Teji O'Malley Finding 5: Segregation of Duties for Input and Verification of Payroll Information While duties for input and review of payroll information and changes to this information is segregated among different individuals,the following were noted: • The Finance Administrator reviews the Payroll Audit Listing and verifies that changes made to the employee master file are supported and authorized. The Finance Administrator's access also allows him to make changes to data in the Payroll and the Human Resources modules in SunGard. • The Payroll Analyst generates the paycheck and direct deposit file in SunGard for Accounting to print these documents. After printing the paychecks and pay advices,Accounting gives them to the Payroll Analyst who distributes them to the various departments or mails them to the payee. Recommendation: A) Finance personnel should only be given read-only and query/reporting access to enable Finance to perform financial reviews, and prepare journal entries and account reconciliations. B) Accounting staff, or someone independent of the payroll function, should distribute or mail out the paychecks and direct deposit advices instead of routing them to the Payroll Analyst. The Payroll Analyst can continue to receive a photocopy of all paychecks and pay advices for review and reference purposes. Central Contra Costa Sanitary District.2059.1.Internal—Audit-of Payroll—Process—Controls-2018—Report FINAL.docx 6 June 26, 2018 Regular FINANCE Committee Meeting Agenda Packet- Page 95 of 156 Page 9 of 12 Management's Response/Action Plan: A) Management agrees with this finding and Finance staff will only be given read-only access. B) Management agrees with this finding and procedures will be implemented for paychecks and pay advices to be secured and distributed by someone independent of Payroll processing. Target Date/Responsible: A)July 2018/Teji O'Malley B)July 2018/Thea Vassallo Finding 6: Evidence of Reviews by Finance The reviews of Payroll processing that is currently performed by the Finance Administrator are not evidenced,whether by sign-offs on the applicable reports or forms or by email confirmation that the review was completed and that any errors noted have been corrected. Recommendation: To document the payroll cycle reviews and controls being performed,whether the reviews and controls are done by H.R. or Finance going forward, a Payroll Review/Verification Checklist should be implemented that lists key steps completed by the reviewers. For each pay period,the reviewer would then check-off or initial each item on the checklist and sign-off as evidence of review. Due to the complexity of the function and the large number of separate review steps that should take place, a comprehensive checklist is the best way to ensure this review is taking place. Additionally,the checklist would also be instrumental in cross-training of staff for business continuity purposes. [Internal Audit provided Finance and H.R. with an example of a checklist.] Management's Response/Action Plan: Management agrees with this finding and will review current payroll verification task assignments for appropriateness. Based on this review, we will implement a Payroll Review/Verification Checklist which will incorporate all HR and Finance tasks in one comprehensive checklist. Target Date/Responsible:July 2018/Teji O'Malley and Thea Vassallo Finding 7: Assignment of Roles and Responsibilities Between Human Resources and Finance As part of Internal Audit's evaluation of process controls,we reviewed the assignment of responsibilities between H.R. and Finance functions and noted the following: Currently,the Payroll Analyst is the only H.R. staff member who can process the payroll. Others in the Finance department (Finance Manager, Finance Administrators, one Accounting Tech) know how to process payroll. However, due to the move of the Payroll function to Human Resources, Finance personnel should not process the payroll. Central Contra Costa Sanitary District.2059.1.Internal_Audit-of Payroll—Process—Controls-2018—Report FINAL.docx 7 June 26, 2018 Regular FINANCE Committee Meeting Agenda Packet- Page 96 of 156 Page 10 of 12 • Review of the Payroll Analyst's input and balancing work as well as review of payroll adjustments and system-generated reports, including the Payroll Audit Listing, is still being done by the Finance Administrator, even though the Payroll Analyst now reports directly to the H.R. Manager who is ultimately accountable for the payroll processing function. Recommendation: A) To ensure business continuity, another H.R. department employee should receive training on how to process payroll as a backup for the Payroll Analyst. (See also Finding#2 regarding updating payroll procedures.) B) Because the Payroll Analyst no longer reports to the Finance Administrator, the Payroll Analyst's work should be verified by the H.R. Manager or an authorized designee in the H.R. department. The reviewer should evidence his/her review and approval. C) Finance staff could continue to perform other independent verifications of the results of payroll processing,for example: o Review of the Payroll Register against prior periods and review for any unusual fluctuations and trends o Verification of system-generated GL entries to the supporting payroll reports and approved calculations o Review of adjusting journal entries for appropriateness, accuracy and completeness o Preparation and recording of payroll-related accrual entries o Independent reconciliation of all payroll-related balance sheet accounts o Validation and approval of certain payments due third parties to supporting payroll reports and approved calculations such as taxes and benefit providers o Verification and approval of payment authorizations and instructions to the County Treasurer's office and to Central San's bank o Etc. Management's Response/Action Plan: A) Management agrees with this finding and the newly hired Senior Administrative Technician who will be transferring to HR effective June 18, 2018 will be trained to perform all back-up functions of the Payroll Analyst. B) Management agrees with this finding and all work, other than work delegated to Finance for independent verification as listed in recommendation C, shall be reviewed by the HR Manager or designee with evidence that the review has taken place. C) Management agrees with the recommendation. Target Date/Responsible: A) August 2018/Teji O'Malley B) June 2018/Teji O'Malley C) June 2018/Thea Vassa l to Central Contra Costa Sanitary District.2059.1.Internal_Audit-of Payroll—Process—Controls-2018—Report FINAL.docx 8 June 26, 2018 Regular FINANCE Committee Meeting Agenda Packet- Page 97 of 156 Page 11 of 12 Finding 8: Documentation for New Hires—Onboarding Process Internal Audit reviewed the process and checklists used for onboarding new hires (permanent,temporary, and seasonal) and noted the following: • Temporary employees do not receive an Offer Letter or a formal communication establishing the terms of their employment with Central San (i.e., rate of pay, maximum #of hours the employee can work), benefits, etc. prior to employment with the District.They are only given a signed copy of the Personnel Action Form on their first day at Central San. • Temporary and seasonal employees (interns, co-ops) are on the District's payroll, and are subject to the same District policies regarding conduct— such as anti-harassment, whistleblower protection, data security, etc. However, these items are not included in the New Hire Checklist for Students, Temporaries, and Co-ops. In addition,the Employee Handbook, which contains the Code of Conduct, Information Security policies, and other legally-binding policies, is only given to permanent employees. This could expose the District to the risk of the temps and interns/co-ops unknowingly violating District policies or laws, resulting in damage to Central San's reputation and possible fines and penalties. Recommendation: A) The formalized communication in the form of a letter signed by an authorized representative of Central San and the temporary staff would protect the organization and the individual in case of any misinterpretation regarding the employment relationship, rate of pay, benefits, etc. B) Management needs to ensure that all policies and procedures applicable to newly hired temporary staff, interns, co-ops and contractors are provided to these individuals upon hire. These items, and a copy of the Employee Handbook, should be added to the New Hire Checklist for Students, Temporaries, and Co-ops. Management's Response/Action Plan: A) Management agrees with this finding and all employees, regardless of their employment status,will get a formal offer letter prior to their first day of employment. B) Management agrees with this finding and the above-mentioned policies will now be provided to temporary employees and added to the New Hire Checklist for Students,Temporaries, and Co-ops. Target Date/Responsible:June 2018/Teji O'Malley Finding 9: Documentation for Terminations—Off-boarding A Termination Checklist is not in place to ensure that all the necessary steps were taken by the responsible party(ies) prior to the employee leaving Central San. Thus,there is a risk that District assets provided to the employee may not be returned; access to applications/systems and security badges may not be deactivated timely; legally required notifications and disclosures may not be provided to the employee; or the employee may not be deactivated in the payroll system timely. Central Contra Costa Sanitary District.2059.1.Internal—Audit-of Payroll—Process—Controls-2018—Report FINAL.docx 9 June 26, 2018 Regular FINANCE Committee Meeting Agenda Packet- Page 98 of 156 Page 12 of 12 Recommendation: Management is in the process of developing an "Electronic Equipment Procedure"that includes the return of District-owned equipment upon employee termination. However,the procedure does not address other items such as deactivating access to District systems and premises, retrieving keys and P-Cards, etc. Implementing a complete Termination Checklist will not only ensure compliance with the "Electronic Equipment Procedure" but will also address other pertinent tasks related to the termination process. Management's Response/Action Plan: Management agrees with this finding and is currently revising the HR procedure for consistency with the IT Security procedure to include other items that need to be tracked at the time of an employee's termination. The HR procedure will also include a Termination Checklist. Target Date/Responsible: August 2018/Teji O'Malley Finding 10: Reconciliation of Payroll-related General Ledger Balances During the transition of the reconciliation of payroll-related General Ledger accounts from the Payroll Analyst to Accounting staff,the staff assigned to reconcile the accounts did not receive adequate instructions to perform the reconciliations. In addition, the review of the reconciliations performed by the Finance Administrator did not indicate that he verified the GL balances to supporting details or supporting documentation. As a key financial control,the reconciliation process may be rendered ineffective in detecting and resolving errors and irregularities if not properly performed and reviewed. Recommendation: Management needs to provide more detailed procedures and training to the Accounting staff who are now responsible for preparing the reconciliations. The Finance Administrator who is now responsible for reviewing and approving payroll related reconciliations should ensure that appropriate support and explanations are attached to the reconciliations and evidence his review with notations/checkmarks. Management's Response/Action Plan: Further meetings between Finance and HR staff have taken place, as a result of the audit recommendation,to discuss the following: balance sheet payroll accounts, how transactions are being recorded,what the balances should be and what to look for when there are discrepancies, and general reconciliation of ending balances. Target Date/Responsible: June 2018/Thea Vassallo Central Contra Costa Sanitary District.2059.1.Internal_Audit-of Payroll—Process—Controls-2018—Report FINAL.docx 10 June 26, 2018 Regular FINANCE Committee Meeting Agenda Packet- Page 99 of 156