04.a. (Handout) Updated Audit Report Contract Mgmt Controls - Final

Item 4.a. Updated Presentation

CONTRACT MANAGEMENT CONTROLS
INTERNAL AUDIT REPORT
FEBRUARY 21, 2020

Internal Audit Report Overview

Internal Audit has completed a review of certain areas within Central San's Purchasing process as it relates to contracts and agreements. Refer to page four (4) for the scope of this review.

The process and the related internal controls are documented in the Purchasing Policy and Procedures Manual, which is available to all employees. In addition, the Engineering Procedure reflects the requirements per the Purchasing Manual as it relates to Engineering agreements.

Recommendations were made to enhance the existing process and improve the segregation of duties. In addition, it is anticipated that some recommendations will be achieved through the automation of certain manual processes with the new ERP.

Audit Report Summary

Summary of Observations and Recommendations
• Need for documentation of procedures or updates: 1
• Segregation of Duties: 2
• IT Related Controls: 3
• General Process and/or Control Improvements: 4, 5, 6, 8
• Automation Opportunities: 7

Scope and Objectives

Scope of Work Performed
The review was performed on contracts for goods and services and professional consulting agreements.
• The review included processes and controls involved in the purchase request, authorization of the contract or agreement and authorization of related payments.
• Controls related to the Purchase Order process were not considered. In addition, this was not a review of Accounts Payable or Accounting controls in general.

Review Objectives
• Identify the internal controls in the areas reviewed.
• Assess the adequacy of the internal controls identified.
• Identify opportunities to strengthen the internal controls.

4

Summary of Work Performed

The following procedures were performed during this review:

General Pro
• Interviewed key personnel.
• Observed personnel performing duties.
• Reviewed existing policies and procedures, management reports, and other relevant documentation.
• Reviewed internal controls and performed testing.

Testing
• Performed detailed transaction testing for a selection of contracts and agreements commencing between January-August 31, 2019 and a selection of invoices from these contracts.
• Reviewed system reports to validate that the list of contracts and agreements is complete.
• Reviewed system access reports for potential segregation of duties conflicts.

Testing Performed: Contract Authorization / Invoice Authorization

Authorization of Contracts
• Reviewed a sample of contracts/agreements issued between 1/1/19 and 8/31/19 for the following:
    • Proper approval of the purchase request
    • Proper approval of the contract
    • Sourcing approach documented and agrees with Purchasing Policy

Invoice Authorization
• From the samples selected above, tested a sample of invoices paid within the testing period between 1/1/19 and 10/31/19 for proper approval.

Results Summary
Refer to pages 12, 15, 17-18, and 21. Due to system reporting limitations, the sample was selected from the contracts list, a manually compiled report. A report identifying contracts with exceptions to the competitive bidding could not be generated from the system. Therefore, Internal Audit was unable to independently test exceptions to competitive bidding for proper documentation. Refer also to page 7 for the work performed to verify the manual report.

6

Testing Performed: Revisions & Management Reporting

Validation of the Contract Population
• Compared the manual contracts list to certain HTE reports (SunGard) of contracts and agreements with start dates between 1/1/19 and 8/31/19.

Revisions and Management Reporting
• Revisions - Due to system limitations, a report could not be obtained from the system identifying all revisions during the testing period, and an independent sample of revisions could not be selected for testing. Therefore, the quarterly Board reports manually prepared by Purchasing from Q1, Q2 and Q3 2019, which notify the Board of Professional Consulting Agreements between $50k and $100k, were reviewed to identify revisions during the scope period to validate approval of these agreements.
• Management Reporting - Compared the quarterly Board reports noted above from Q1, Q2 and Q3 to the HTE reports between 1/1/19 and 8/31/2019 to determine whether all new agreements on the HTE reports within the applicable threshold were reported to the Board.

Results Summary
Refer to page 19. Internal Audit determined that contracts/agreements on the contracts list were also in the system and vice versa. Reasonable explanations, i.e. timing, were obtained for contracts/agreements not captured on both. Internal Audit confirmed that the new agreements per the HTE reports were captured on the quarterly Board reports. In addition, it was determined that the revisions captured on the quarterly reports were authorized. However, as noted above, Internal Audit was unable to confirm through an independent review as the system is unable to produce a report detailing revisions for independent selection.

Testing Performed: System User Access Review

Review of System Access Reports
• Obtained and reviewed the Accounts Payable (AP) Security and Purchasing Security reports.
• The user listings for the following menus were reviewed:
    • Vendor Master File
    • Purchase Order (PO) Entry
    • Disbursement Processing Menu
    • Government Management & Budgetary Accounting (GMBA) Transaction Menu
• User access listings were reviewed to identify former employees and current employees no longer in the department with access to these menus.
• User access listings were reviewed to identify potential conflicting roles.

Results Summary
Refer to pages 13-14 and 16.

8

Background Statistics

Purchasing Department Background Information*

Headcount: Division Manager plus two (2) Senior Buyer FTEs and one (1) Temporary Senior Buyer.
• Due to higher turnover in 2019 (two (2) out of three (3) Senior Buyers), a significant amount of time was required to train new employees during the year.
• In 2019 CY, 536 PRs were processed with 341 new POs, BPOs, Contracts or Agreements created.
• Several significant contracts and agreements were completed in 2019 such as Household Hazardous Waste transportation, disposal, and supplemental labor, Enterprise Resource Planning (ERP) system and implementation, and Reprographic Services. The Division transitioned to DocuSign in April of 2019 and updated the Purchasing Policy in November 2019.
• Significant improvement has been made processing on time renewals of agreements and contracts prior to the expiration date as the Division started sending reminders to project managers on a consistent basis in advance and following up prior to expiration.
• The Division has continued to receive 5 stars for service in average user feedback as recorded by the ticketing request system.

* Background information is provided by Management. A validation of this information was not performed.

9

Process Overview (1/2)
Contracts and Professional Service Agreements

Purchasing Request
• The Purchasing Requisition (PR) is entered in HTE by the requesting department and supporting documentation is submitted to Purchasing
• Purchasing verifies the appropriate approval has been received, along with the appropriate documentation

Sourcing
• The request is sourced by Purchasing based on the dollar amount and type of procurement*
• For Request for Quotations (RFQ), the lowest responsive, responsible bidder is selected
• For Request for Proposals (RFP), a selection is made based on various criteria including qualifications, experience, approach, cost, etc.
*The front end of the process is slightly different for most Engineering related agreements in that these are typically sourced by Engineering directly

10

Process Overview (2/2)
Contracts and Professional Service Agreements

Contract is Drafted & Routed for Review/Approval
• Risk reviews non-standard insurance related terms and conditions
• Legal reviews non-standard terms and conditions
• Purchasing routes for consultant/contractor signature in accordance with staff authority. Legal signature is required if the General Manager's approval is required or if otherwise requested

Contract is Authorized
• The fully executed contract is sent to the consultant/contractor**
• Contracts with a start/end period are added to the contract list which is online

** Insurance certificates (not covered in this review) are required prior to the start of work. This information is tracked in the insurance tracking log to ensure ongoing compliance.

11

Best Control Practice Summary and Recommendations
Contract Management Controls

Best Control Practice: 1. The policies and procedures are documented and followed.

Control Observations:
The following documented policies and procedures were observed:
* Purchasing Policy (updated 11/19, includes the Minimum Solicitation Requirements)
* Purchasing Policies and Procedures (P&P) Manual, which includes solicitation guidelines. Approved 2/03
* Engineering Procedures (based on the 2003 Purchasing P&P manual)
* Delegation of Authority Policy (updated 01/20)
* Accounting procedures on invoice entry (2012)
The Purchasing Policies and Procedures manual indicates the requirements for approvals and authorizations, RFPs and consultant selection, contract development, and contract administration which includes contract monitoring by establishing controls, i.e. milestones, reporting of work process and to monitor costs.

Recommendation(s)/Response and Actions to be Taken:
Update the Purchasing and Engineering Procedures to include the current solicitation requirements.
It is also recommended that the requirement of Legal's review and the form (i.e. email, etc.) to evidence Risk's review of non-standard insurance related terms and conditions be documented. Refer to recommendation #6.
Refer also to #5 for additional recommendations around the documentation of the vendor file maintenance, new vendor set up and modification of vendor information and #7 for documentation on key reports.

Management Response:
There will be a number of updates to the Purchasing procedures as a result of business process changes in the new ERP. These updates will include the recommendations specified.

12

Best Control Practice: 2. The duties are adequately segregated in the authorization, execution, custody, recording, and reconciliation of procurement transactions.

Control Observations:
The departments are structured so as to segregate the role to request/approve the request for goods and services, the goods and services and payment of the related invoices. However, conflicting duties were observed in the system access reports allowing for invoice entry in Purchasing and vendor maintenance by Accounting personnel responsible for preparing invoices for payment.
The system allows for Purchasing to approve purchase requisitions. Though the appropriate level of approval has been received from the Division requesting the Purchase within HTE, the system requires a 2nd approval. Purchasing can also approve purchases within the Manager's authority.

Recommendation(s)/Response and Actions to be Taken:
It is recommended that Management consider whether the segregation of duties conflicts are appropriate given the staffing, system limitations and mitigating controls or if the process can be redesigned with the new ERP.
Management should consider whether purchases that originate within Purchasing should be approved outside of the Division, regardless of the dollar amount.
Refer also to the Vendor Maintenance Recommendation #5.

Management Response:
Management agrees with this recommendation. Due to current system limitations, the conflicts regarding segregation of duties will be addressed in the new ERP.

Best Control Practice: 3. Access is reviewed periodically and the access of former employees is removed immediately.

Control Observations:
Based on review of the access per the AP Security and Purchasing Security HTE reports, there are former employees on the user access listing in the menus reviewed as well as current employees that have transitioned to another division and therefore, may no longer require the access previously granted.

Recommendation(s)/Response and Actions to be Taken:
It is recommended that Management perform periodic reviews of user access. Management should determine the frequency and ownership of this review. In addition, access of former employees should be removed immediately upon departure. Access for employees that have transitioned to a different division should also be removed if the access is not required in the new role.
Documentation of the role and the related access should be maintained to assist Management with the periodic review. The review should continue after the new system is implemented.

Management Response:
Management agrees with this recommendation. Currently, a comprehensive review of all users' accesses are being reviewed for the ERP implementation. A review process will be put in place to ensure upkeep in the new ERP and staff will maintain documentation of roles and related access.

Best Control Practice: 4. Selection of suppliers is documented and a competitive bidding process is used to maintain independent vendor selection.

Control Observations:
A threshold has been established for obtaining competitive bids and quotations for expenditures. This is documented in the Purchasing Policy.
Bids and RFPs are advertised through BidSync for Purchasing and PlantBids for Engineering.
Qualifications Based Selections are documented with a selection matrix that indicates the points awarded for each RFP.
The Sole Source Request form is required for non-competitive purchases. For after the fact purchases, the Unauthorized Purchase Approval Form is required and must be approved by the Manager and Director (GM if >$50k).

Recommendation(s)/Response and Actions to be Taken:
Perform a periodic review of bid requests and RFPs to validate compliance with the policy for the contracts/agreements that do not require Board authority. The purpose of this review would not be to evaluate the selections made but to ensure the policy and procedures (i.e. minimum number of bids/quotes, etc.) are being followed.

Management Response:
Management agrees with this recommendation and will perform periodic reviews of contracts and agreements to ensure compliance with policies and procedures. For Engineering, this information is contained within the project files, and Engineering staff will provide a summary of this information based on a new engineering procedure that will allow Purchasing to review for compliance with policy and procedure requirements.

Best Control Practice: 5. Vendor Maintenance is performed periodically.

Control Observations:
Vendor Maintenance (adding new vendors, modifying vendors and deleting old vendors) can be done outside of Purchasing. (See recommendation #2 Segregation of Duties)
Changes to the vendor master file are not reviewed on a periodic basis.

Recommendation(s)/Response and Actions to be Taken:
Review the vendor master file and remove vendors that are no longer used.
The process to add new, delete old and modify existing vendors should be documented along with the documentation required to evidence approval of new or to modify existing vendor information.
Consider a review of changes made to the vendor master file independent of the Division responsible for vendor maintenance. The process including the frequency, ownership and evidence of review should be documented.

Management Response:
Currently, staff is performing a comprehensive review of the vendor database. This includes removing vendors no longer used and cleaning up the vendor file for import into the new ERP. The process to add, delete, and change vendor information in the new ERP will be documented. The process change in the new ERP will address the segregation of duties issue mentioned. The expectation is that all requests to change the vendor file will go through a documented approval process through Purchasing. Management may consider an independent review of changes made to the vendor master file.

Best Control Practice: 6. Purchasing Requisitions (PR), Contracts/Agreements, and Invoices are reviewed and approved by the appropriate levels of Management as determined per internal policy.

Control Observations:
The authorization levels required for purchase requisitions (PRs), contracts/agreements and invoices are defined in the Signature Authority Matrix.
PR approvals are entered into HTE though a manual review is required due to system limitations to verify the required level of approval has been obtained. In testing it was observed that for one contract the 2nd level of approval for the PR was obtained one day after the contract was approved. As the contract was being executed Purchasing identified that the PR did not have the required level of approval although multiple requests were made to the authorizing department. The approval in HTE was subsequently obtained.
The approvals for contracts/agreements are obtained in DocuSign which allows for the assigning and tracking of approvals and are based on the signature authority. Contracts and agreements requiring the DGM/GM approval are reviewed by Legal. Risk performs a review of the insurance related terms and conditions when the insurance requested is not based on the standard terms and conditions.
Invoices are approved with a hard copy signature which is validated manually by the Accounting Technician. The Project Manager's review of invoices is based on the type of work and complexity of the agreement or contract. This may involve a review comparing the work progress to the contract cost to date to determine if an invoice is billed correctly or a line by line detailed review of the rates as billed on the invoice to determine the invoice is correct.
Invoices over $2500 are reviewed by the Finance Manager. As observed in testing, if the individual invoice is not signed by the Finance Manager, the evidence of review is noted on the expenditure approval listing which is also signed by the Finance Manager.

Recommendation(s)/Response and Actions to be Taken:
Though automation is expected for the PR approval process, there may still be a need to manually verify that approvals were obtained as it relates to the contracts and agreements. The proper approval of the request should be confirmed prior to establishing a contract or an agreement.
The requirements around Legal's review of contracts should be documented. The form (i.e. email, etc.) to evidence Risk's review of non-standard insurance related terms and conditions should be documented. Refer to recommendation #1 related to Policies and Procedures.
Provide further guidance (i.e. training or checklist, etc.) to ensure the review of invoices is consistent across Divisions.

Management Response:
Management agrees with the recommendation. The PR (Purchase Requisition) approval process is being reviewed for the new ERP implementation. The PR approval process will be automated to the extent possible within the new system. As part of the ERP implementation, staff in user divisions will be trained on the new chart of accounts and the need for consistent coding of the invoices in accordance with the coding assigned in the PRs.

Best Control Practice: 7. Management reports are available and used to monitor the process from the request to the authorization of contracts and completion.

Control Observations:
The Contracts List is a spreadsheet manually compiled and updated by Purchasing with the new contracts and agreements added upon execution and removed once the contract or agreement is complete. The contract list is reviewed monthly to monitor for the expiration date of the contract or agreement. This review identifies contracts and agreements that may need to be extended and/or revised through an amendment or those that may require an RFP in advance of the contract lifetime expiration.
The Board is notified of new professional agreements over $50k up to $100k ($200k starting in calendar year 2020) along with amendments for dollar amounts approved within GM authority on a quarterly basis. The report is manually compiled. The risk of manually compiled reports is that they can be incomplete, excluding relevant and necessary information. Since April 2019, Purchasing has added a manual review of the agreements in DocuSign to help ensure that all applicable agreements are captured. In addition, any previously missed agreements are to be reported in a subsequent quarter. This was observed when some new and amended agreements from calendar year Q1 and Q2 2019 were not captured and reported until Q3.
Refer also to pages 6 and 7 regarding the system limitations around reporting and sample selections.

Recommendation(s)/Response and Actions to be Taken:
Automate reporting where possible to allow for the monitoring of all contracts/agreements and revisions for compliance with internal policies and procedures and external regulations.
Automated reporting would further ensure the timely, accurate and complete reporting of new agreements and amendments and the processing of renewals. This will also allow for Purchasing to identify process improvement opportunities.
Document how information is gathered in the reporting process to improve the timeliness and completeness of the information presented in key reports.

Management Response:
Management agrees with the recommendation. Our reporting capabilities are significantly limited with our current system. Staff will be utilizing the new ERP to the extent possible to produce reports and analyze data.

20

Best Control Practice: 8. Contract templates are reviewed periodically and updated as needed.

Control Observations:
The review of templates is ad-hoc, based on notification of changes in new laws or other requirements.

Recommendation(s)/Response and Actions to be Taken:
Consider a periodic (i.e. annual) review of the legal language in the contract templates to ensure the language is current.

Management Response:
Management agrees with the recommendation to consider a periodic review of the legal language in our contract and agreement templates. While Construction Contracts were excluded from the scope of this audit, Engineering has a Specification committee that routinely meets to update its contracts and includes representatives from the Capital Projects Division, Safety, Risk Management, and Legal.