06.a. Receive overview of Accounts Payable Internal Controls

Item 6.a.

CENTRAL SAN

June 22, 2021

TO: FINANCE COMMITTEE
FROM: KEVIN MIZUNO, FINANCE MANAGER
PHILIP LEIBER, DIRECTOR OF FINANCE AND ADMINISTRATION
REVIEWED BY: ROGER S. BAILEY, GENERAL MANAGER
SUBJECT: RECEIVE OVERVIEW OF ACCOUNTS PAYABLE INTERNAL CONTROLS

At the December 15, 2020 Finance Committee meeting, during the review of expenditures, newly appointed Finance Committee Member McGill requested an overview of internal controls over the accounts payable function arising from the new enterprise resource planning (ERP) system implemented in September 2020.

To meet this request, staff undertook a risk assessment of the accounts payable function (Attachment 1). For each major accounts payable business cycle, the risk assessment identifies inherent risks as well as the internal control(s) that attempt to mitigate the inherent risk. In some cases, several internal controls are in place that address a risk. In other cases, a single internal control may exist that addresses more than one risk.

In completing this risk assessment, the Finance Division also sought feedback from other core Central San stakeholder divisional staff including: Internal Audit, Information Technology, Purchasing, and Human Resources. To maintain independence, Central San's Internal Auditor did not opine on the design, implementation or adequacy of asserted internal controls, but did review the initial list of inherent risks developed by the Finance Division, and provided additional risks where applicable.

The attached presentation (Attachment 2) provides an overview of the accounts payable function within the new ERP system and highlights some of the key internal controls identified in the risk assessment document.
As the implementation of an ERP is considered to increase audit risk, Central San's independent auditors (Maze & Associates) are anticipated to assess the design and implementation of internal controls in the new system as part of their audit of the FY 2020-21 financial statements. Furthermore, Maze & Associates are expected to perform a review of the design of internal controls over the accounts payable function in late 2021.

In consideration of these forthcoming reviews to be performed by parties independent of the Finance Division function, and in consideration of cyber security threats recently communicated to the Board by Central San's Information Technology Division Manager, staff is hopeful the attached risk assessment and presentation provide an overview sufficient to provide some level of assurance to Finance Committee Members at this time.

Management is not asserting that all possible accounts payable risks are addressed by internal controls that have been implemented. Rather, under the principle that the cost of an internal control should not outweigh its benefits, Management is confident that the most significant inherent risks of the accounts payable function are addressed by "key" internal controls. The internal control structure of the new ERP system will continue to be monitored and re-assessed as staff become more familiar with its capabilities and management will continue to look for opportunities to improve operational efficiencies while balancing the need to maintain strong internal controls.

June 22, 2021 Regular FINANCE Committee Meeting Agenda Packet - Page 146 of 165

GOAL TWO: Environmental Stewardship
Strategy 1 - Achieve 100% compliance in all regulations

GOAL THREE: Fiscal Responsibility
Strategy 2 - Ensure integrity and transparency in financial management

ATTACHMENTS:
1. Accounts Payable Risk Assessment Matrix
2. Presentation

Attachment 1

Central San Accounts Payable Risk Assessment in Oracle

Assessment of internal controls over payables cycle, created in response to Finance Committee inquiries at the 12/15/20 meeting

Business Cycle: Supplier Invoice Processing

Business Risk: Invoices are not received or processed in a timely manner
Mitigating Control(s):
1. Though not strictly enforced by policy, Finance has promoted the centralization of all invoice delivery to a single shared but restricted access email account.
2. A list of recurring bills is maintained and actively monitored by the Finance Division.
Comments/Residual Risk Assessment: Finance encourages all divisions to have supplier invoices emailed directly to a centralized restricted-access email account monitored by multiple Finance staff daily. Periodically, suppliers will submit invoices directly to the division that oversees their work, which increases the risk that an invoice may not be received by Finance. Finance personnel could also potentially misplace an invoice after it is received. If a supplier has not been paid for goods delivered or services rendered, they will generally call accounts payable directly, who will research the matter further.
As multiple staff are involved in the accounts payable function, Finance maintains a collaborative list of recurring bills. The list identifies all recurring non-PO suppliers and allows staff to see if the invoice was accrued and expensed in the month to which it pertains, or expensed (and paid) in a subsequent month.
Control Type: Manual

Business Risk: Invoices are not approved timely once entered
Mitigating Control(s): The system has been configured to automatically remind approvers of pending invoices and escalate to the next level after a specific time has passed.
Comments/Residual Risk Assessment: There are automatic approval reminders issued to invoice approvers at the 24 hr and 48 hr mark (business hours). Furthermore, invoices pending approval are automatically escalated at the 72 hr mark. While it is a relatively tight timeframe, and some employees have expressed concern with the shortness, these automated reminder and escalation rules have generally been proven to be effective to ensure the timeliness of supplier payments.
Control Type: Automated

Business Risk: Invoices are not approved
Mitigating Control(s): The system requires all invoices to be approved by one or more authorized personnel prior to both posting and issuing payment.
Comments/Residual Risk Assessment: In critical circumstances, to avoid delinquencies, defaults or other adverse scenarios, the Finance Manager and Accounting Supervisor have the ability to manually override and approve a pending invoice for payment. In these circumstances, the practice is to upload a copy of the subsequent divisional approval of the invoice to the payables module. Manual overrides are rare, and are separately traceable and periodically reviewed by Finance staff.
Control Type: Automated

Business Risk: Invoices are approved by the wrong person
Mitigating Control(s): The system requires all invoices to be approved by one or more authorized personnel prior to both posting and issuing payment.
Comments/Residual Risk Assessment: System invoice approval workflow configuration works up the organizational hierarchy in-line with the invoice approval matrix approved by the General Manager. Workflow is driven by the "requestor" identified by the invoice submitting division or PO (if applicable) and assigned by the AP Accounting Technician.
Control Type: Automated

Business Risk: Fictitious invoices are entered
Mitigating Control(s):
1. The system requires all invoices to be approved by one or more authorized personnel prior to both posting and issuing payment.
2. Invoice approval authority is limited to those specified in the master approval authority matrix.
3. Invoice entry is limited to specific Finance division personnel who do not approve invoices.
4. Invoices must be attributable to specific suppliers, and only the Purchasing Manager has the authority to create suppliers.
Comments/Residual Risk Assessment: There are multiple compensating controls in place over this key risk. These internal controls are a significant enhancement over the legacy system's controls as they are built into the configuration of the system, which results in the automatic rejection of a transaction unless security parameters are met. Approval limits have been configured into the Payables module as outlined in an approval matrix enacted by the General Manager.
Accounts Payable staff do not have the authority or ability to approve invoices in the system. While Accounts Payable staff can issue supplier registration requests, creation of suppliers must be electronically approved by the Purchasing Manager.
Control Type: Automated

Business Risk: Duplicate invoices entered and approved
Mitigating Control(s): The system prevents duplicate invoices from being entered/processed.
Comments/Residual Risk Assessment: This is a basic and standard control for ERP systems, but effective. Invoice numbers must be identical for the system to prevent duplicate entries.
Control Type: Automated

Business Risk: Accruals are missed
Mitigating Control(s): A list of recurring bills is maintained and actively monitored by the Finance Division.
Comments/Residual Risk Assessment: As multiple staff are involved in the accounts payable function, Finance maintains a collaborative list of recurring bills. The list identifies all recurring non-PO suppliers and allows staff to see if the invoice was accrued and expensed in the month to which it pertains, or expensed (and paid) in a subsequent month.
Unlike for publicly-traded corporations, where interim financial reports must be full accrual and be independently audited, public agencies do not generally enforce strict full accrual accounting for interim reporting. Finance does strive to employ accrual accounting and hold a fiscal month open for a few days at the close of interim months in order to capture all known invoices; however, a full accrual close is not strictly enforced for interim months. At year end in July there is a strong emphasis to accrue all applicable invoices back to the prior year to ensure proper cut-off and completeness for the annual audited financial statements.
Control Type: Manual

Business Risk: Debit memos are not tracked or recorded
Mitigating Control(s):
1. Invoices are required for all supplier payments.
2. The system requires all invoices to be approved by one or more authorized personnel prior to both posting and issuing payment.
Comments/Residual Risk Assessment: Under most circumstances, invoices are required for all payments and Finance staff are instructed not to pay based on supplier statements or debit memo alone. Any debit memos would require an accompanying invoice with an outstanding balance. In addition, the system requires that all invoices are approved by an authorized party outside of the Accounts Payables function to be posted and paid. Following these rules, any unpaid prior balances must be reviewed, coded, and authorized by an employee with signatory powers.
Control Type: Combination

Business Risk: Purchase returns are not properly recorded
Mitigating Control(s):
1. Per Central San Policy, unless specifically pertaining to a permit counter or household hazardous waste transaction, all inbound payments must be directed to the attention of "Accounts Receivable" and follow a strict documented chain of custody protocol.
2. All goods invoices connected to a PO must undergo a 3-way match (invoice to PO to goods receipt) prior to payment. The system will not allow payments on PO supplies invoices that are unmatched.
3. All goods receipts connected to a PO, including returns, are handled by Warehouse personnel.
Comments/Residual Risk Assessment: By policy, centralizing all inbound payments to one function deters employees from being able to accept supplier checks for any returns. The strict documented chain of custody process helps to deter potential forgery and theft of receipts.
All returns of "supplies & materials", with the exception of most office supplies, are managed by the Warehouse (Purchasing Division) who are responsible for handling goods and updating inventory records and are not involved in payment or receipts processing.
Control Type: Combination

Business Risk: Receiving report and vendor invoice do not match
Mitigating Control(s):
1. All goods invoices connected to a PO must undergo a 3-way match (invoice to PO to goods receipt) prior to payment. The system will not allow payments on PO supplies invoices that are unmatched.
2. The functions of invoice approvals, goods receipts, and invoice recording are segregated.
Comments/Residual Risk Assessment: A 3-way match ensures goods ordered are actually received and recorded prior to issuing a payment on the underlying invoice. 3-way matches are required for all purchases of goods and materials connected to a PO. The system will only allow payment on invoice quantities that match to a receipt and only specified personnel in the Warehouse (Purchasing Division) are authorized to issue goods receipts and adjust quantities and invoice pricing.
Operational divisions requesting goods/services approve invoices (supervisor or higher), the Warehouse (Purchasing Division) receives goods (related to a PO, covering most goods), and Accounts Payable (Finance Division) records invoices/payments.
Control Type: Combination

Business Cycle: Issuing Supplier Payments

Business Risk: Fraudulent invoices are paid
Mitigating Control(s):
1. The system requires all invoices to be approved by one or more authorized personnel prior to both posting and issuing payment.
2. Invoice approval authority is limited to those specified in the master approval authority matrix.
3. Payment of all invoices > $2.5k must be reviewed by the Finance Manager.
4. Checks > $2.5k require review/initialing by Director of Finance prior to being delivered to the County for countersignature.
Comments/Residual Risk Assessment: There are multiple compensating controls in place over this key risk, including controls that are both manual as well as automated. Approval limits have been configured into the Payables module as outlined in the master approval matrix enacted by the General Manager.
Control Type: Combination

Business Risk: Duplicate payments made
Mitigating Control(s): System prevents duplicate invoices from being entered/processed.
Comments/Residual Risk Assessment: System will only allow payments to be issued against validated and approved invoices. Once an invoice has been approved and paid, its status is updated to "paid", preventing further payments from being issued.
Control Type: Automated

Business Risk: Unauthorized checks are issued
Mitigating Control(s):
1. Access to manual pre-printed check stock is limited to two key Finance personnel involved in the payables process.
2. Cash accounts are reconciled monthly by an Accountant not involved in the AP recording process.
3. Regular checks are blank stock and must be printed directly out of Oracle. Access to print checks is restricted to specific authorized personnel in Finance Division.
4. Checks > $2.5k require review/initialing by Director of Finance prior to being delivered to the County for countersignature.
Comments/Residual Risk Assessment: There are multiple compensating controls in place over this risk, including a combination of manual as well as automated controls. Manual checks are stored in a restricted-access location in a safe with a digital combination with unique access codes issued to authorized Finance personnel.
Control Type: Manual

Business Risk: Payments are made late or missed
Mitigating Control(s):
1. Standard payment terms on contracts at Central San are "net 30" from the date of invoice receipt.
2. Every check run, all entered and approved invoices are paid, regardless of the due date.
3. A list of recurring bills is maintained and actively monitored by the Finance Division.
Comments/Residual Risk Assessment: Standardizing payment terms on all Central San contracts allows for some level of predictability for invoice processing. "Net 30" terms are from the date of invoice receipt, and supplier payments are normally issued weekly (reduced temporarily to bi-weekly during the pandemic). This timeframe generally allows for a sufficient turnaround time for timely payment processing. Furthermore, Central San has a long-standing past precedent policy of paying all approved invoices every check run, regardless of the due date on the invoice. This also helps reduce the number of entered and approved invoices that become delinquent.
Periodically, suppliers will submit invoices directly to the division they work with, which may increase the risk that an invoice is not received by Finance. Finance personnel could also potentially misplace an invoice after it is received. However, if a supplier has not been paid for goods delivered or services rendered, they will call accounts payable directly, who will research the matter further.
As multiple staff are involved in the accounts payable function, Finance maintains a collaborative list of recurring bills. This list allows staff to collaborate on the status of recurring bills and shows whether an invoice was accrued and expensed in the month to which it pertains, or expensed (and paid) in a subsequent month.
Control Type: Manual

Business Cycle: Processing Procurement Card Transactions

Business Risk: P-card expense transactions are incomplete
Mitigating Control(s): On a monthly basis, all US Bank transactions are uploaded to Oracle via data import, ensuring all transactions are recorded.
Comments/Residual Risk Assessment: Previously, it was a manual process to enter p-card transactions per the monthly US Bank report and p-card expense reports into the accounts payable subledger to pay US Bank. While the import process is initiated manually, the nature of it being an import helps ensure completeness of expenses.
Control Type: Combination

Business Risk: Cardholders make unauthorized transactions
Mitigating Control(s):
1. All p-card expense reports must be reviewed and authorized by a cardholder's supervisor prior to posting.
2. The system requires all p-card transactions to be audited by a designated auditor in the Finance Division prior to posting.
3. All p-card purchases must be accompanied by supporting documentation.
Comments/Residual Risk Assessment: The Oracle expenses module, which is used to administer p-card transactions, is integrated with the Oracle HCM module enabling automatic routing of monthly p-card expense reports to cardholder supervisors for approval after submission. Each employee is assigned a unique Oracle identification, so there is a higher confidence that the person approving the report is authorized and does in fact supervise the cardholder. Previously, this was entirely manual, opening up the possibility that an approving supervisor's signature was forged or approved by the wrong person otherwise.
P-card transactions cannot be submitted without uploaded supporting documentation unless a "missing receipts" box is selected. In this case, cardholders are required to upload a Justification for Missing Receipt form which must be approved (manually) by their supervisor.
Control Type: Combination

Business Risk: Cardholders circumvent purchasing policies
Mitigating Control(s): The system requires all p-card transactions to be audited by a designated auditor in the Finance Division prior to posting.
Comments/Residual Risk Assessment: While the process of auditing p-card expense reports is manual, requiring knowledge of the p-card policies and some judgment, the system will disallow any transactions from posting unless they are marked "audited" by a designated Expenses "Auditor". Only specified Finance Division personnel are assigned this role in Oracle.
Control Type: Combination

Business Risk: Excessive purchases are made via p-card
Mitigating Control(s): Each p-card has an individual purchase limit and a 30 day transaction limit that is established and can only be modified by the Purchasing Division.
Comments/Residual Risk Assessment: While the process of assigning a transaction limit is manual, requiring knowledge of the p-card policies and some judgment, US Bank will disallow any transactions in excess of the specified transactional or monthly thresholds. Only specified Purchasing Division staff are authorized to set and change single purchase or 30 day limits.
Control Type: Combination

Business Risk: Cards issued to fictitious employees
Mitigating Control(s):
1. All new card issuances must be authorized by the Purchasing Division.
2. All p-card expense reports must be reviewed and authorized by a cardholder's supervisor prior to posting.
3. P-card charges must be automatically assigned to existing employees in the system within the HCM system.
Comments/Residual Risk Assessment: By centralizing the authority to issue p-cards to specific assigned personnel within the Purchasing Division, this effectively segregates the duties from the Finance Division, which is responsible for auditing and posting transactions. Furthermore, the system has been configured to require supervisory approval on all p-cards, which would aid in the detection of any illegitimate p-card charges by either a fictitious or terminated employee. Lastly, all p-card charges must be assigned to an employee in the system, and only the Human Resources division, through Oracle HCM, is authorized to create employees.
Control Type: Combination

Business Risk: Fraudulent transactions are not detected and/or corrected in a timely manner
Mitigating Control(s):
1. To be posted, all p-card expense reports must be reviewed and authorized by their supervisor.
2. The system requires all p-card transactions to be audited by a designated auditor in the Finance Division prior to posting.
3. The p-card policy specifies that expense reports are due to Finance no later than the 10th following the statement end date (typically the 22nd or 23rd).
Comments/Residual Risk Assessment: The Oracle expenses module, which is used to administer p-card transactions, is integrated with the Oracle HCM module enabling automatic routing of monthly p-card expense reports to cardholder supervisors for approval after submission. Each employee is assigned a unique Oracle identification, so there is a higher confidence that the person approving the report is authorized and does in fact supervise the cardholder. Previously, this was entirely manual, opening up the possibility that an approving supervisor's signature was forged or approved by the wrong person otherwise.
Amongst other criteria, the audit performed by Finance staff includes verifying appropriate approval, that appropriate back-up was attached, that the expense coding is correct, and that the purchase is in accordance with the p-card policy.
Finance has a protocol in place to follow up with cardholders prior to and subsequent to expense reports becoming "delinquent". This process involves an escalation of communications up the chain as time passes. Repeat offenders or cardholders that do not submit a p-card expense report are reported to Purchasing who may revoke card privileges.
Control Type: Combination

Business Risk: Terminated employees making P-card transactions
Mitigating Control(s):
1. Employees are required to relinquish their p-cards to Human Resources during their exit interview.
2. All p-card expense reports must be reviewed and authorized by a cardholder's supervisor prior to posting.
3. The Purchasing Division sets single transaction and 30-day credit limits and is the only division authorized to do so.
Comments/Residual Risk Assessment: A termination checklist is maintained by Human Resources that includes the requirement to collect a p-card, if one was issued to the employee. The p-card is then destroyed by Human Resources who communicates with the Purchasing Division to deactivate the card.
The Oracle expenses module, which is used to administer p-card transactions, is integrated with the Oracle HCM module enabling automatic routing of monthly p-card expense reports to cardholder supervisors for approval after submission. Each employee is assigned a unique Oracle identification, so there is a higher confidence that the person approving the report is authorized and does in fact supervise the cardholder. Previously, this was entirely manual, opening up the possibility that an approving supervisor's signature was forged or approved by the wrong person otherwise.
Each cardholder has a single transaction and 30-day purchase limit on their card that can only be modified by Purchasing. This helps to reduce the exposure of any excessive charges incurred by a disgruntled employee approaching termination.
Control Type: Combination

Business Risk: Procurement cards are stolen
Mitigating Control(s):
1. Per the procurement card user guide, all cardholders are responsible for immediately reporting a lost or stolen card directly to US Bank, which provides a 24 hour hotline.
2. The Purchasing Division sets single transaction and 30-day credit limits and is the only division authorized to do so.
Comments/Residual Risk Assessment: By delegating the responsibility to report a lost or stolen card upon issuance to cardholders, a missing card can be frozen by the issuing bank immediately, even if it is after business hours or during a weekend.
Each cardholder has a single transaction and 30-day purchase limit on their card that can only be modified by Purchasing. This helps to reduce the exposure of any excessive charges incurred by a disgruntled employee approaching termination.
Control Type: Combination

Business Risk: Supporting receipt evidence not provided or maintained in system
Mitigating Control(s):
1. To be posted, all p-card expense reports must be reviewed and authorized by their supervisor.
2. The system requires all p-card transactions to be audited by a designated auditor in the Finance Division.
Comments/Residual Risk Assessment: The Oracle expenses module, which is used to administer p-card transactions, is integrated with the Oracle HCM module enabling automatic routing of monthly p-card expense reports to cardholder supervisors for approval after submission. Each employee is assigned a unique Oracle identification, so there is a higher confidence that the person approving the report is authorized and does in fact supervise the cardholder. Previously, this was entirely manual, opening up the possibility that an approving supervisor's signature was forged or approved by the wrong person otherwise.
Amongst other criteria, the audit performed by Finance staff includes: verifying approval, reviewing back-up documentation, reviewing that expense coding is correct, and verifying the purchase made was in accordance with the p-card policy.
Control Type: Automated

Business Risk: Auditor in Finance approves a disallowed transaction.
Mitigating Control(s):
1. To be posted, all p-card expense reports must be reviewed and authorized by their supervisor.
2. The Auditor cannot bypass an expense transaction that is "disallowed" (rejected) by a cardholder's supervisor.
Comments/Residual Risk Assessment: The Oracle expenses module, which is used to administer p-card transactions, is integrated with the Oracle HCM module enabling automatic routing of monthly p-card expense reports to cardholder supervisors for approval after submission. Each employee is assigned a unique Oracle identification, so there is a higher confidence that the person approving the report is authorized and does in fact supervise the cardholder. Previously, this was entirely manual, opening up the possibility that an approving supervisor's signature was forged or approved by the wrong person otherwise.
Control Type: Automated

Attachment 2

ACCOUNTS PAYABLE INTERNAL CONTROL RISK ASSESSMENT

Presented by Kevin Mizuno, Finance Manager
Finance Committee
June 22, 2021

INTRODUCTION

• Internal controls review of new Oracle Payables function requested at December 15, 2021 Finance Committee meeting
• Oracle Cloud Fusion Enterprise Resource Planning (ERP) system implemented September 1, 2020
• Modern cloud-based system, compared to on-site hosted legacy system
• ERP is separate from Oracle Human Capital Management (HCM), although integrated
• Many (not all) manual internal controls used in legacy system were replaced with automated electronic (paperless) controls in Oracle

BACKGROUND: ORACLE CLOUD FUSION

• Oracle Cloud Fusion contains several integrated sub-packages under ERP and HCM that were implemented including: Financials, Project Management, Procurement, Enterprise Performance Management

BACKGROUND: ORACLE ERP FINANCIALS

• ERP Financials package, overseen by the Finance Division, includes several integrated subledgers
• Cash Management cannot be used by Central San currently as a voluntary participant in the County Treasury Pool. Accordingly, cash is tracked manually in General Ledger.

[Figure: diagram of integrated subledgers; surviving labels: General Ledger, Fixed, *Outbound payments]

BACKGROUND: INTERNAL CONTROLS

[Slide graphic: internal controls classified by Purpose, Type and Strength; surviving labels: Preventative, Detective, Corrective, Automated]

BACKGROUND: INTERNAL CONTROLS (CONTINUED)

• No single person should be in a position of power to control a transaction from start to finish, allowing them to perpetrate and conceal fraud or theft
• The cost of an internal control should not outweigh its benefits
• Inherent limitations to the usefulness of internal controls include: 1. collusion, 2. human error, and 3. management override
• Management is responsible for the design, implementation and monitoring of internal controls

BUSINESS CYCLE SCOPE

• The Accounts Payable function is primarily divided into three major business cycles, each administered at a subledger level

• Purchase order (PO) invoices
• Recurring non-PO invoices (i.e. utilities, benefit premiums, public agency fees, etc.)

• P-cards
• Travel reimbursements
• Computer loans
• Tuition/professional reimbursement
• Miscellaneous business expenses

• All supplier payments (excludes payroll, accounted for separately via journal entry generated by payroll subledger)

KEY INTERNAL CONTROLS: PAYABLES

• All invoices must be approved by an authorized party prior to posting. (Preventative; Automated)
• Employees cannot approve invoices above their authorization limits as established by the General Manager (Preventative; Automated)
• Invoice entry is limited to specific authorized Finance Division personnel (Preventative; Automated)
• Accounts Payable staff do not have the authority to approve invoices (Preventative; Automated)
• System will not allow duplicate supplier invoices (Preventative; Automated)
• Finance Division personnel do not have the authority to create suppliers (Preventative; Automated)

KEY INTERNAL CONTROLS: EXPENSES

• P-card transactions are imported from US Bank directly into the Oracle Expenses subledger on a monthly basis (Preventative; Combination)
• All p-card expense reports must be reviewed and authorized by a cardholder's supervisor prior to posting (Preventative; Automated)
• All p-card transactions must be audited by Finance prior to posting (Detective; Combination)
• P-card transactions cannot be submitted without supporting documentation (Preventative; Combination)
• New card issuances can only be authorized by the Purchasing Division (Preventative; Manual)
• P-card charges must be assigned to existing employees within HCM, administered solely by Human Resources (Preventative; Automated)

KEY INTERNAL CONTROLS: PAYMENTS

• Payments on all invoices > $2,500 must be reviewed by the Finance Manager prior to mailing. (Preventative; Manual)
• All checks > $2,500 must be initialed by the Director of Finance & Administration prior to being delivered to the County for countersignature. (Preventative; Manual)
• Access to manual check stock is restricted to key Finance Division personnel (Preventative; Manual)
• Cash accounts are reconciled monthly by an Accountant not involved in the AP recording process. (Detective; Manual)
• Regular checks are blank stock and must be printed directly out of Oracle. Access to print checks is restricted to specific authorized personnel in Finance Division. (Preventative; Automated)

MOVING FORWARD: OTHER INTERNAL CONTROL CONSIDERATIONS

• New Oracle system's configuration is being continuously reassessed for improvement opportunities
• Internal auditor position was filled in March 2021
• Internal audit plan developed for FY 2021-22 to assess the following areas:
  • IT Identity and Access Management
  • Accounts Payable
  • Payroll
  • Asset Inventory Management
• Independent auditors expected to perform in-depth assessment of design and implementation of Oracle internal controls as part of FY 2020-21 audit

QUESTIONS & DISCUSSION