HomeMy WebLinkAbout22.b. Receive Internal Audit Report on revenue controls Page 1 of 17
Item 22.b.
,ek CENTRAL SAN
CENTRAL CONTRA COSTA SANITARY DISTRICT
October 3, 2019
TO: HONORABLE BOARD OF DIRECTORS
FROM: ERICA BROOKS PETERS, SENIOR INTERNALAUDITOR
REVIEWED BY: PHIL LEIBER, DIRECTOR OF FINANCE AND ADMINISTRATION
ANN SASAKI, DEPUTY GENERAL MANAGER
ROGER S. BAILEY, GENERAL MANAGER
SUBJECT: RECEIVE INTERNAL AUDIT REPORT ON REVENUE CONTROLS
Attached is the PowerPoint presentation for the above item.
Strategic Plan Tie-In
GOAL ONE: Provide Exceptional Customer Service
Strategy 3- Maintain a strong reputation in the community
GOAL THREE: Be a Fiscally Sound and Effective Water Sector Utility
Strategy 2- Manage costs
ATTACHMENTS:
1. Internal Audit Report
October 3, 2019 Regular Board Meeting Agenda Packet- Page 154 of 263
REVENUE CONTROLS PART
INTERNAL AUDIT REPORT
JULY 02 , 2019
00-
wr
October 3, 2019 Regular Board Meeting Agenda Packet- Page 155 of 263
Audit Report Summary
Internal Audit has completed a review of certain key areas within Central San's
Revenue process at the Permit Counter for the residential customers (see Page 4
for the scope of the review).
Internal controls were observed in the process indicating that management has
given consideration to the overall control environment. In addition, no exceptions
were noted during testing. However, further consideration is recommended to
strengthen the existing internal control environment.
Due to the manual nature of the process, there are also recommendations for
monitoring controls. Improvements in the control environment can be achieved by
automating the existing control processes. Refer to page 3 for a general overview of
the observations noted in the report.
October 3, 2019 Regular Board Meeting Agenda Packet- Page 156 of 263
Audit Report Summary
Summary of Observations & Recommendations
Need for documentation of procedures or 1
updates
Segregation of Duties 2 and 3
IT Related Controls 4
General Process and/or Control 5 and 7
Improvements
Automation Opportunities 6
October 3, 2019 Regular Board Meeting Agenda Packet- Page 157 of 263
Scope and Objectives
Scope of Work The review was performed on the revenues assessed and collected by the
Performed Permit Counter for residential customers.
• The review covered internal controls and processes in the areas of revenue
fee assessment, collection, posting and reconciliation.
Review Objectives Identify the internal controls in the areas reviewed.
• Assess the adequacy of the internal controls identified.
• Identify opportunities to strengthen the internal controls.
4
October 3, 2019 Regular Board Meeting Agenda Packet- Page 158 of 263
Summary of Work Performed
The following procedures were performed during this review:
General Pro Interviewed key personnel.
• Observed personnel performing duties in the Permit Counter and
Accounting areas.
• Reviewed existing policies and procedures, management reports and other
relevant documentation.
• Compared internal controls against best control practices.
Testing Performed detailed transaction testing for residential revenue from July-Dec
2018. Refer to page 6 for a description of the testing performed.
October 3, 2019 Regular Board Meeting Agenda Packet- Page 159 of 263
Testing Performed
Assess and Collect Fees
• Reviewed a sample of permits issued for the following: Assess fees
• All fees assessed agree to the rates and fees per the Board ordinance. Record fees
Collect fees
• Fees assessed appear appropriate for the type of permit issued. Specific fees reviewed include _
Recor
Application, Inspection, Sewer Service Charge, Capacity and Pumped Zone Capacity fees.
• Permit issue date is on or after the date the fees were paid in full.
Post/Record Fees
• From the samples selected above for one month verified the following:
• Cash receipt as posted and deposited agrees to the cash receipt documentation.
• Cash receipt is posted to the correct General Ledger (GL) account based on the type of fee and within the correct period.
6
October 3, 2019 Regular Board Meeting Agenda Packet- Page 160 of 263
Background Statistics
General Fee Assessment, Collection, Posting and Depositing
Background Information As Provided by Management
• Headcount: 3 employees with responsibilities for Fee Assessment and Collection at the Permit Counter ; 1
employee with the responsibility of Posting and Depositing and 1 employee with the responsibility for
Reconciliation in Accounting.
• As of the end of FY 2019, there were 1933 permits issued during the year. This does not include the
encroachment verification for which an application is completed but no fees are assessed or collected and a
permit is not issued. The total applications processed for the year is 4302.
October 3, 2019 Regular Board Meeting Agenda Packet- Page 161 of 263
Process Overview ( 1/2 )
Assessment and Collection of Fees
7 Fees assessed and payment is
Receive Application and Plans received
Permit is issued&Inspection Permit is closed
kk hk 4
* Permit Counter * Fee assessment * Permits are auto- * Several reports
staff verifies within SunGuard which generated and pre- detailing permit
credentials of is updated annually as numbered by issuance, status and
contractors. authorized per the SunGuard. inspection activity are
* Quotes for District Ordinance. reviewed by the
billing over $100k * Checks are Development Services
are reviewed by restrictively endorsed Supervisor each month.
the lead PC staff upon receipt and
and over $500k checks and cash are
are reviewed by secured until
the Development deposited.
Services * Permits are not
Supervisor. issued until full
payment is received.
s
October 3, 2019 Regular Board Meeting Agenda Packet- Page 162 of 263
Process Overview ( 2/2 )
Cash Receipts Posting & Depositing
% Reconcile Payment and
Collect Permit Counter Receipts Post Receipts to GLDeposit
* Accounting and * SunGuard * Receipts are * The account
Permit Counter captures the secured by reconciliation is
sign-off on cash receipt for posting Accounting until completed by a
receipts when from the cash deposited. person other than
collected by receipt as entered the accounting
Accounting. by the Permit personnel posting
Counter. and depositing
*Accounting the cash receipts.
verifies the
amount of the cash
receipt prior to
posting the receipt
in SunGuard.
9
October 3, 2019 Regular Board Meeting Agenda Packet- Page 163 of 263
Best Control Practice Summary and Recommendations
Revenue — Permit Counter and Accounting
Best Control Practices Control •. Response
Vow
1. The policies and There are written procedures which are It is recommended that Management formally Management agrees that documenting procedures
procedures are used for training and as reference for document the procedures on the role performed by addressing these matters is important.Central San has
documented and current Permit Counter staff.Key the Accounting Technician on the collection, had an ongoing effort to develop Standard Operating
followed. procedures identified:annual rate changes depositing and posting of fees and rates. Procedures(SOPS)by each Division. With the
in SunGuard,entering permit applications Strengthen the controls around the collection of cash development and implementation of the new entity-wide
and posting fees to SunGuard.Procedures receipts by drafting and implementing a procedure ERP planned during FY 2019-20 several existing SOPs will
are documented as to how refunds are to on revenue control and management.The procedure be reviewed and modified and several new ones will be
be handled requiring review by the should highlight key internal controls over the created,including that for cash handling and deposit
Developer Services Supervisor and written collection of revenue,acceptable forms of payment, posting. The new ERP is projected to go-live on July 1,
approval by the Senior Engineer,Technical cash handling,securing,processing,depositing, 2020.
Services for refunds less than$7500 or the timelines and any nonstandard transactions including
Planning and Development Division the management of returned checks,voided and In addition,the"as-is"procedures for cash handling will
Manager if$7500 or above. refunded transactions. be documented,along with the enhanced controls
There is currently no procedure that defines recommended from these findings.
how returned checks should be managed.
There are no formal written procedures on
the role performed by the Accounting
technician for the posting of fees and rates.
Notes were drafted by the Accounting
Technician as instructions for personal use
while being trained for the role.
10
October 3, 2019 Regular Board Meeting Agenda Packet- Page 164 of 263
Best Control Practice Summary and Recommendations
Revenue — Permit Counter and Accounting
•. . Recommendation(s) Response
k WO
2.The duties are adequately Permit Counter staff are responsible for It is recommended that Management consider Although a record of receipts independent from the
segregated in the entering applications in SunGuard,assessing whether the segregation of duties conflict is general ledger is produced in the Permit Counter
authorization,execution, fees,collecting fees and issuing permits. appropriate.Currently,the same role has revenue collections process,Finance acknowledges
custody,recording,and Accounting staff are responsible for collecting custody of assets and posts the transactions in some improvement to segregation of duties can be
reconciliation of transactions. receipts from the Permit Counter,validating SunGuard.With the new ERP,Management made. With the development and implementation
the receipts collected,depositing and posting should determine whether to redesign the of the new entity-wide ERP planned during FY 2019-
cash receipts in SunGuard.A separate process with conflicting duties segregated or 20,several existing standard operating procedures
accountant performs the monthly cash add monitoring controls to minimize the risks. will be reviewed and modified and new ones will be
reconciliation. created,including that for cash handling and deposit
posting. In line with this process and contingent
upon the capabilities of the new ERP,we are
currently designing a new process whereby the
Finance staff recording receipts received from the
Permit Counter no longer receives actual cash or
negotiable instruments,but rather copies of checks
for mailed in payments and payment receipts for
customer payments made over the counter.In
addition,the person recording receipts will also
receive a report of collections for that same period
from the Permit Counter.An employee independent
from the collections and recording function at the
Permit Counter as well as general ledger recording
will bring the deposit to the bank. Finance expects
this new process to go live with the implementation
of the new ERP expected July 1,2020.
11
October 3, 2019 Regular Board Meeting Agenda Packet- Page 165 of 263
Best Control Practice Summary and Recommendations
Revenue — Permit Counter and Accounting
Best Control Practices Control Observations Recommenclation(s) Management Response
3.New/updated rates are There is a written procedure on how The new ERP is expected to allow for rates to be entered Management agrees that rate review procedures
entered by individuals other rates are updated in SunGuard. well in advance of the effective date.This will allow for addressing these matters are important. With the
than those responsibilities for New/updated rates entered by the new rates entered to be tested or reviewed in advance. development and implementation of the new entity-
collecting receipts.Rates Development Services Supervisor are The process to review and/or test new rates entered wide ERP planned during FY 2019-20 several existing
entered are reviewed and/or entered after close of business on the should be documented.Signing off on the review of the processes will be reviewed and modified and several
tested and the review is last day of the prior fiscal year and rates provides evidence that the review was performed new ones will be created,including that for rate
evidenced by the sign-off of before the open of business on the and that the correct rates were entered into the system. review. The new ERP is projected to go-live on July 1,
the reviewer. first business day of the new fiscal In addition,the new ERP should allow for current rates to 2020.
year.The rates entered by the be applied to older applications versus defaulting to prior
Development Services Supervisor are rates based on when the application was entered.This Management agrees that an SOP for rate increases
reviewed by the Sewer Service Charge will allow for further limitations on access to manually should be created and will develop this process by
Billing Engineering Assistant. override rates.In the meantime,it is recommended that April 1,2020 to implement for the FY 2020-21 rate
Documentation of the rates entered Management consider a periodic review of rates outside increases.
are maintained for three months. of board approved rates for accuracy,at least on a
However,there is no evidence of sample basis. When the new permitting software is implemented,as
review. part of the ERP upgrades,this process will be
Annual rate change duties are reviewed.
segregated from those involved in
billing.Only the Development Services
Supervisor and Engineering Services
Supervisor can make changes to rates
overall.However,due to limitations
within SunGuard,rates for individual
transactions can be overridden by
Permit Counter staff as needed.
12
October 3, 2019 Regular Board Meeting Agenda Packet- Page 166 of 263
Best Control Practice Summary and Recommendations
Revenue — Permit Counter and Accounting
—,est Control Pm�tic�es Control •. Response
4.Access is reviewed A review of user access was previously performed It is recommended that Management Management agrees that regular periodic reviews
periodically and the access of removing access for individuals without a business perform periodic reviews of access. of individuals authorized to access key systems is
former employees is removed need to the Permit Counter application.However, Management should determine the good practice,and will ensure the means to do so
immediately. there is not currently a process for routinely frequency and ownership of this review. conveniently is designed into the new ERP,and
reviewing the user access listing or the removal of The review should continue after the new
access for former employees or job changes. At the system is implemented. specified as an ongoing control. Until then,IT will
time of testing,some individuals that are no longer Also,remove access of former employees circulate a report quarterly from the existing HTE
employed by CCCSD have access to Permit Counter immediately upon departure. system to relevant managers for review. The
applications in SunGuard. existing access reports sorted by module are not
Maintain documentation each role and clear and readily understandable,so IT will work to
application access ensure users have pull a simpler report that may be limited to"who
the appropriate leveell of access. has access to HTE"as a whole,which will at a
minimum allow for former employees to be
disabled from further access.
In addition,HR will update the termination checklist
to include verification of removal of HTE access.
October 3, 2019 Regular Board Meeting Agenda Packet- Page 167 of 263
Best Control Practice Summary and Recommendations
Revenue — Permit Counter and Accounting
ilmm�est Control� Control •. Response
5.Cash receipts Receipt batches are closed by the Permit Due to the time-sensitive nature of cash receipts A back-up will be trained to ensure cash receipts are picked
(including cash and Counter twice a week.A log of credit card (posting and depositing),it is recommended that up on a defined schedule in the event the primary
checks)are secured transactions is maintained and balanced at Management cross-train a backup to ensure that they Accounting staff person is unavailable to do so due to an
until ready for the end of each business day. are promptly collected,processed and deposited. absence.
deposit.Proper Cash receipts are locked by the Permit In addition,a detailed procedure on the role and Documentation of the procedure will specify the
identification is Counter until collected by Accounting. requirements should be documented.Refer also to item expectation for timely completion of the collection,deposit
reviewed prior to the Accounting collects the batches twice a #1 and item#2. and posting process.
acceptance of checks. week. However,as only one employee Strengthen the control of signing off on receipts The control will be strengthened by having the accounting
Payments for fees are performs the role of batch collection, collected by validating the total dollar amount of staff person validate the dollar total upon collection.
promptly processed processing and depositing,the batches are cash/checks when collected versus when posted and Identification will be required when accepting personal
and recorded in the not always processed within this timeline. deposited. checks.
proper accounting The Permit Counter staff and the Accounting It is recommended that Management require
period. There is a g q Management will continue to consider whether
Technician sign off when Accounting collects identification when accepting personal checks. acceptance of cash is advisable.Given the nature of the
daily processing of the funds.However,the amount of the
funds and all funds Due to the inherently risky nature of cash,Management transactions conducted at the permit counter,it would
receipts collected are not validated until the has expressed concern over whether to continue to appear that requiring payments to be in non-cash forms is
must be deposited funds are ready for posting and depositing.
timely. accept cash at the Permit Counter.Internal Audit is not reasonable.This policy level decision should be taken to the
Accounting secures the permit counter aware of any requirements to accept cash and considers Board as there was just only$6,000 in cash taken in the last
receipts until deposited. this a Management decision as to whether the fiscal year.
A valid ID is not required for the acceptance acceptance of cash is prudent.If Management decides
of checks. Most checks obtained are large not to accept cash,Internal Audit recommends that
business checks versus personal checks. Management further research whether this would
conflict with any applicable laws.
Refer also to#1 regarding policy/procedure for cash
handling practices.
October 3, 2019 Regular Board Meeting Agenda Packet- Page 168 of 263
Best Control Practice Summary and Recommendations
Revenue — Permit Counter and Accounting
Best Control Practices Control •. Response
6.Billing is automated Fees are pre-entered into SunGuard and the Because the current billing process is largely manual,it The ERP project includes the implementation of
and integrated with applicable fees are selected by the Permit Counter is recommended that Management consider whether the Oracle Community Development&
internal and external staff within the system when an application is the new ERP can include system checks to ensure all Permitting module,which will be integrated with
information systems. submitted.SunGuard performs the calculations of applicable fees are included. the remainder of the Oracle Cloud ERP. Design
fees based upon the application entered. To remove the manual handoff around adding new and implementation is underway effective July
Applications and permits are sequentially parcels to the tax roll,management should consider 2019,with the Permitting Module scheduled for
numbered by SunGuard automatically.The whether the new ERP should be integrated with the completion in the fall of 2020.The extent of
application number becomes the permit number system that is used for sewer billing. system checks to ensure completeness of
upon issuance.No permit number is used more A detective control exist whereby when comparing the transactions will be reviewed and assessed.
than once.Permits are not issued until payment in APNs from the county to the land file,any missing A solution for utility billing of the Sewer Service
full has been received,though additional fees may parcels would be identified as an exception.Upon Charge/creation of a file for inclusion on the tax
be required upon inspections. research,the parcel would be updated within the next rolls is still under consideration. It is not
Adding residential customers to the tax roll for the year and added to the sewer service charge tax roll.It is included in the scope of the approved ERP
Sewer Service Charge is a manual process which recommended that Management consider whether this project as of July 2019. The goal of having an
relies on notification by a completed application timeline is appropriate for completeness purposes or automated process that avoids manual steps will
being placed within the box in the Permit Counter whether to monitor for this on a periodic basis. be a key objective in considering the most
office.For projects with four(4)or more parcels, appropriate system to implement.
using the blue subdivision form,the Permit As the parcel data is pulled every year right
Counter monitors that the parcels are added to before billing,this is the appropriate time to
sewer billing. confirm all new parcels have been captured for
the billing process.Any rejects discovered are
addressed as part of the roll to tax process for
sewer service charge billing.
15
October 3, 2019 Regular Board Meeting Agenda Packet- Page 169 of 263
Best Control Practice Summary and Recommendations
Revenue — Permit Counter and Accounting
Best Control Practices Control Observations 3mmendation(s) Response
7.Management reports The Development Services Supervisor uses reports to monitor The posting of the revenue to the general Management agrees that an additional
are available and used to permit issuance,status and inspection activity each month. ledger(GL)is a manual process.Therefore,a monitoring control for use by Accounting
monitor the process. Also,the Development Services Supervisor compares the formal monitoring control is recommended would be of value. Using the monthly report
Capacity fees per the cash receipts report to the monthly to ensure that revenue is captured of activity created by Permit Counter to
revenue reports published by Accounting.Accounting is accurately and is complete. compare to the total revenues posted to the
contacted when there are discrepancies. It is recommended that this review include General Ledger would constitute a useful
A report of the development activity is sent to Executive all cash receipts per the Permit Counter(or supplemental detective control,and will
Management from Planning&Development Services each "sales")to the accounting reports capturing begin doing so. Any discrepancies will be
month.The report is informational providing a count on the what was posted to the GL to ensure that documented and signed off on by the
permit activity and RUEs along with revenue collected including revenues posted are accurate and complete. Finance Administrator or Finance Manager.
details on capacity fees. Documentation should be maintained as to With the adoption of the new Oracle Cloud
Accounting prepares the bank reconciliation for each fund on a the reason for any differences.This will help ERP, we expect that integration between
monthly basis.Though not reviewing specifically for accuracy, ensure reconciling items are cleared the the Permitting module and the General
the Accountant matches the bank deposits per the bank to the following month and identify any potential Ledger may remove the need for the manual
batch detail as entered by the Accounting Technician when issues. posting process.
preparing the bank reconciliation. Additionally,Management intends to
implement the Oracle Bank Reconciliation
module which should enhance and automate
the bank reconciliation process.
October 3, 2019 Regular Board Meeting Agenda Packet- Page 170 of 263