Item 4.a.
CENTRAL SAN
March 24, 2020
TO: FINANCE COMMITTEE
FROM: ERICA BROOKS PETERS, SENIOR INTERNAL AUDITOR
REVIEWED BY: KEVIN MIZUNO, FINANCE MANAGER
PHILIP LEIBER, DIRECTOR OF FINANCE AND ADMINISTRATION
ANN SASAKI, DEPUTY GENERAL MANAGER
ROGER S. BAILEY, GENERAL MANAGER
SUBJECT: RECEIVE THE INTERNAL AUDIT REPORT ON CONTRACT MANAGEMENT
CONTROLS
Attached is the presentation for the above item.
ATTACHMENTS:
1. Internal Audit Report
March 24, 2020 Regular FINANCE Committee Meeting Agenda Packet- Page 113 of 141
CONTRACT MANAGEMENT CONTROLS
INTERNAL AUDIT REPORT
FEBRUARY 21, 2020
Internal Audit Report Overview
Internal Audit has completed a review of certain areas within Central San's
Purchasing process as it relates to contracts and agreements. Refer to page four (4)
for the scope of this review.
The process and the related internal controls are documented as the Purchasing
Policy and Procedures Manual which is available to all employees. In addition, the
Engineering Procedure reflects the requirements per the Purchasing Manual as it
relates to Engineering agreements.
Recommendations were made to enhance the existing process and improve the
segregation of duties. In addition, it is anticipated that some recommendations will
be achieved through the automation of certain manual processes with the new
ERP.
Audit Report Summary
Summary of Observations and Recommendations
• Need for documentation of procedures or updates: 1
• Segregation of Duties: 2
• IT Related Controls: 3
• General Process and/or Control Improvements: 4, 5, 6, 8
• Automation Opportunities: 7
Scope and Objectives
Scope of Work Performed
• The review was performed on contracts for goods and services and
professional consulting agreements.
• The review included processes and controls involved in the purchase
request, authorization of the contract or agreement and authorization of
related payments.
• Controls related to the Purchase Order process were not considered. In
addition, this was not a review of Accounts Payable or Accounting controls
in general.
Review Objectives
• Identify the internal controls in the areas reviewed.
• Assess the adequacy of the internal controls identified.
• Identify opportunities to strengthen the internal controls.
Summary of Work Performed
The following procedures were performed during this review:
General Pro
• Interviewed key personnel.
• Observed personnel performing duties.
• Reviewed existing policies and procedures, management reports, and other
relevant documentation.
• Reviewed internal controls and performed testing.
Testing
• Performed detailed transaction testing for a selection of contracts and
agreements commencing between January - August 31, 2019 and a
selection of invoices from these contracts.
• Reviewed system reports to validate that the list of contracts and
agreements is complete.
• Reviewed system access reports for potential segregation of duties conflicts.
Testing Performed: Contract Authorization and Invoice Authorization
Authorization of Contracts
• Reviewed a sample of contracts/agreements issued between 1/1/19 and 8/31/19 for the following:
• Proper approval of the purchase request
• Proper approval of the contract
• Sourcing approach documented and agrees with Purchasing Policy
Invoice Authorization
• From the samples selected above, tested a sample of invoices paid within the testing period between 1/1/19
and 10/31/19 for proper approval.
Results Summary
Refer to pages 12, 15, 17-18, and 21. Due to system reporting limitations, the sample was selected from the
contracts list, a manually compiled report. A report identifying contracts with exceptions to the competitive
bidding could not be generated from the system. Therefore, Internal Audit was unable to independently test
exceptions to competitive bidding for proper documentation. Refer also to page 7 for the work performed to
verify the manual report.
Testing Performed: Revisions & Management Reporting
Validation of the Contract Population
• Compared the manual contracts list to certain HTE reports of contracts and agreements with start dates between
1/1/19 and 8/31/19.
Revisions and Management Reporting
• Revisions - Due to system limitations, a report could not be obtained from the system identifying all revisions
during the testing period, and an independent sample of revisions could not be selected for testing. Therefore, the
quarterly Board reports manually prepared by Purchasing from Q1, Q2 and Q3 2019, which notify the Board of
Professional Consulting Agreements between $50k and $100k, were reviewed to identify revisions during the scope
period to validate approval of these agreements.
• Management Reporting - Compared the quarterly Board reports noted above from Q1, Q2 and Q3 to the HTE
reports between 1/1/19 and 8/31/2019 to determine whether all new agreements on the HTE reports within the
applicable threshold were reported to the Board.
Results Summary
Refer to page 19. Internal Audit determined that contracts/agreements on the contracts list were also in the system
and vice versa. Reasonable explanations, i.e. timing, were obtained for contracts/agreements not captured on both.
Internal Audit confirmed that the new agreements per the HTE reports were captured on the quarterly Board reports.
In addition, it was determined that the revisions captured on the quarterly reports were authorized. However, as
noted above, Internal Audit was unable to confirm through an independent review as the system is unable to produce
a report detailing revisions for independent selection.
Testing Performed: System User Access Review
Review of System Access Reports
• Obtained and reviewed the Accounts Payable Security and Purchasing Security reports.
• The user listings for the following menus were reviewed.
Vendor Master File
PO Entry
Disbursement Processing Menu
GMBA Transaction Menu
• User access listings were reviewed to identify former employees and current employees no longer in the
department with access to these menus.
• User access listings were reviewed to identify potential conflicting roles.
Results Summary
Refer to pages 13-14 and 16.
Background Statistics
Purchasing Department
Background Information*
Headcount: Division Manager plus two (2) Senior Buyer FTEs and one (1) Temporary Senior Buyer.
• Due to higher turnover in 2019 (two (2) out of three (3) Senior Buyers), a significant amount of time was
required to train new employees during the year.
• In 2019 CY, 536 PRs were processed with 341 new POs, BPOs, Contracts or Agreements created.
• Several significant contracts and agreements were completed in 2019 such as Household Hazardous Waste
transportation, disposal, and supplemental labor, Enterprise Resource Planning (ERP) system and
implementation, and Reprographic Services. The Division transitioned to DocuSign in April of 2019 and
updated the Purchasing Policy in November 2019.
• Significant improvement has been made in processing on-time renewals of agreements and contracts prior to
the expiration date as the Division started sending reminders to project managers on a consistent basis in
advance and following up prior to expiration.
• The Division has continued to receive 5 stars for service in average user feedback as recorded by the
ticketing request system.
* Background information is provided by Management. A validation of this information was not performed.
Process Overview ( 1/2 )
Contracts and Professional Service Agreements
Purchasing Request
• The Purchasing Requisition (PR) is entered in HTE by the requesting department and supporting documentation is
submitted to Purchasing
• Purchasing verifies the appropriate approval has been received, along with the appropriate documentation
Sourcing
• The request is sourced by Purchasing based on the dollar amount and type of procurement*
• For Request for Quotations (RFQ), the lowest responsive, responsible bidder is selected
• For Request for Proposals (RFP), a selection is made based on various criteria including qualifications,
experience, approach, cost, etc.
* The front end of the process is slightly different for most Engineering related agreements in that
these are typically sourced by Engineering directly
Process Overview ( 2/2 )
Contracts and Professional Service Agreements
Contract is Drafted & Routed for Review/Approval
• Risk reviews non-standard insurance related terms and conditions
• Legal reviews non-standard terms and conditions
• Purchasing routes for consultant/contractor signature in accordance with staff authority. Legal signature is
required if the General Manager's approval is required or if otherwise requested
Contract is Authorized
• The fully executed contract is sent to the consultant/contractor**
• Contracts with a start/end period are added to the contract list which is online
** Insurance certificates (not covered in this review) are required prior to the start of work. This information is
tracked in the insurance tracking log to ensure ongoing compliance.
Best Control Practice Summary and Recommendations
Contract Management Controls
Best Control Practice
1. The policies and procedures are documented and followed.
Control Observations
The following documented policies and procedures were observed:
* Purchasing Policy (updated 11/19, includes the Minimum Solicitation Requirements)
* Purchasing Policies and Procedures (P&P) Manual, which includes solicitation guidelines. Approved 2/03
* Engineering Procedures (based on the 2003 Purchasing P&P manual)
* Delegation of Authority Policy (updated 01/20)
* Accounting procedures on invoice entry (2012)
The Purchasing Policies and Procedures manual indicates the requirements for approvals and authorizations, RFPs
and consultant selection, contract development, and contract administration which includes contract monitoring
by establishing controls, i.e. milestones, reporting of work process and to monitor costs.
Recommendation(s)/Response and Actions to be Taken
Update the Purchasing and Engineering Procedures to include the current solicitation requirements.
It is also recommended that the requirement of Legal's review and the form (i.e. email, etc.) to evidence Risk's
review of non-standard insurance related terms and conditions be documented. Refer to recommendation #6.
Refer also to #5 for additional recommendations around the documentation of the vendor file maintenance, new
vendor set up and modification of vendor information and #7 for documentation on key reports.
Management Response
Pending
Best Control Practice
2. The duties are adequately segregated in the authorization, execution, custody, recording, and reconciliation of
transactions.
Control Observations
The departments are structured so as to segregate the role to request/approve the request for goods and services,
the procurement of goods and services and payment of the related invoices. However, conflicting duties were
observed in the system access reports allowing for invoice entry in Purchasing and vendor maintenance by
Accounting personnel responsible for preparing invoices for payment.
The system allows for Purchasing to approve purchase requisitions. Though the appropriate level of approval has
been received from the Division requesting the Purchase within HTE, the system requires a 2nd approval.
Purchasing can also approve purchases within the Manager's authority.
Recommendation(s)/Response and Actions to be Taken
It is recommended that Management consider whether the segregation of duties conflicts are appropriate given
the staffing, system limitations and mitigating controls or if the process can be redesigned with the new ERP.
Management should consider whether purchases that originate within Purchasing should be approved outside of
the Division, regardless of the dollar amount.
Refer also to the Vendor Maintenance Recommendation #5.
Management Response
Pending
Best Control Practice
3. Access is reviewed periodically and the access of former employees is removed immediately.
Control Observations
Based on review of the access per the AP Security and Purchasing Security HTE reports, there are former
employees on the user access listing in the menus reviewed as well as current employees that have transitioned
to another division and therefore, may no longer require the access previously granted.
Recommendation(s)/Response and Actions to be Taken
It is recommended that Management perform periodic reviews of user access. Management should determine the
frequency and ownership of this review. In addition, access of former employees should be removed immediately
upon departure. Access for employees that have transitioned to a different division should also be removed if the
access is not required in the new role.
Documentation of the role and the related access should be maintained to assist Management with the periodic
review. The review should continue after the new system is implemented.
Management Response
Pending
Best Control Practice
4. Selection of suppliers is documented and a competitive bidding process is used to maintain independent vendor
selection.
Control Observations
A threshold has been established for obtaining competitive bids and quotations for expenditures. This is
documented in the Purchasing Policy.
Bids and RFPs are advertised through BidSync for Purchasing and PlantBids for Engineering.
Qualifications Based Selections are documented with a selection matrix that indicates the points awarded for
each RFP.
The Sole Source Request form is required for non-competitive purchases. For after the fact purchases, the
Unauthorized Purchase Approval Form is required and must be approved by the Manager and Director (GM if
>$50k).
Recommendation(s)/Response and Actions to be Taken
Perform a periodic review of bid requests and RFPs to validate compliance with the policy for the
contracts/agreements that do not require Board authority. The purpose of this review would not be to evaluate
the selections made but to ensure the policy and procedures (i.e. minimum number of bids/quotes, etc.) are being
followed.
Management Response
Pending
Best Control Practice
5. Vendor Maintenance is performed periodically.
Control Observations
Vendor Maintenance (adding new vendors, modifying vendors and deleting old vendors) can be done outside of
Purchasing. (See recommendation #2 Segregation of Duties)
Changes to the vendor master file are not reviewed on a periodic basis.
Recommendation(s)/Response and Actions to be Taken
Review the vendor master file and remove vendors that are no longer used.
The process to add new, delete old and modify existing vendors should be documented along with the
documentation required to evidence approval of new or to modify existing vendor information.
Consider a review of changes made to the vendor master file independent of the Division responsible for vendor
maintenance. The process including the frequency, ownership and evidence of review should be documented.
Management Response
Pending
Best Control Practice
6. Purchasing Requisitions (PR), Contracts/Agreements, and Invoices are reviewed and approved by the
appropriate levels of Management as determined per internal policy.
Control Observations
The authorization levels required for purchase requisitions (PRs), contracts/agreements and invoices are defined
in the Signature Authority Matrix.
PR approvals are entered into HTE though a manual review is required due to system limitations to verify the
required level of approval has been obtained. In testing it was observed that for one contract the 2nd level of
approval for the PR was obtained one day after the contract was approved. As the contract was being executed
Purchasing identified that the PR did not have the required level of approval although multiple requests were
made to the authorizing department. The approval in HTE was subsequently obtained.
The approvals for contracts/agreements are obtained in DocuSign which allows for the assigning and tracking of
approvals and are based on the signature authority. Contracts and agreements requiring the DGM/GM approval
are reviewed by Legal. Risk performs a review of the insurance related terms and conditions when the insurance
requested is not based on the standard terms and conditions.
Invoices are approved with a hard copy signature which is validated manually by the Accounting Technician. The
Project Manager's review of invoices is based on the type of work and complexity of the agreement or contract.
This may involve a review comparing the work progress to the contract cost to date to determine if an invoice is
billed correctly or a line by line detailed review of the rates as billed on the invoice to determine the invoice is
correct.
Invoices over $2500 are reviewed by the Finance Manager. As observed in testing, if the individual invoice is not
signed by the Finance Manager, the evidence of review is noted on the expenditure approval listing which is also
signed by the Finance Manager.
Recommendation(s)/Response and Actions to be Taken
Though automation is expected for the PR approval process, there may still be a need to manually verify that
approvals were obtained as it relates to the contracts and agreements. The proper approval of the request should
be confirmed prior to establishing a contract or an agreement.
The requirements around Legal's review of contracts should be documented. The form (i.e. email, etc.) to
evidence Risk's review of non-standard insurance related terms and conditions should be documented. Refer to
recommendation #1 related to Policies and Procedures.
Provide further guidance (i.e. training or checklist, etc.) to ensure the review of invoices is consistent across
Divisions.
Management Response
Pending
Best Control Practice
7. Management reports are available and used to monitor the process from the request to the authorization of
contracts and completion.
Control Observations
The Contracts List is a spreadsheet manually compiled and updated by Purchasing with the new contracts and
agreements added upon execution and removed once the contract or agreement is complete. The contract list is
reviewed monthly to monitor for the expiration date of the contract or agreement. This review identifies contracts
and agreements that may need to be extended and/or revised through an amendment or those that may require
an RFP in advance of the contract lifetime expiration.
The Board is notified of new professional agreements over $50k up to $100k ($200k starting in calendar year 2020)
along with amendments for dollar amounts approved within GM authority on a quarterly basis. The report is
manually compiled. The risk of manually compiled reports is that they can be incomplete, excluding relevant and
necessary information. Since April 2019, Purchasing has added a manual review of the agreements in DocuSign to
help ensure that all applicable agreements are captured. In addition, any previously missed agreements are to be
reported in a subsequent quarter. This was observed when some new and amended agreements from calendar year
Q1 and Q2 2019 were not captured and reported until Q3.
Refer also to pages 6 and 7 regarding the system limitations around reporting and sample selections.
Recommendation(s)/Response and Actions to be Taken
Automate reporting where possible to allow for the monitoring of all contracts/agreements and revisions for
compliance with internal policies and procedures and external regulations.
Automated reporting would further ensure the timely, accurate and complete reporting of new agreements and
amendments and the processing of renewals. This will also allow for Purchasing to identify process improvement
opportunities.
Document how information is gathered in the reporting process to improve the timeliness and completeness of
the information presented in key reports.
Management Response
Pending
Best Control Practice
8. Contract templates are reviewed periodically and updated as needed.
Control Observations
The review of templates is ad-hoc, based on notification of changes in new laws or other requirements.
Recommendation(s)/Response and Actions to be Taken
Consider a periodic (i.e. annual) review of the legal language in the contract templates to ensure the language is
current.
Management Response
Pending