The URL can be used to link to this page

Home My WebLink About04.c. Receive Accounts Payable Internal Audit ReportItem 4.c. J une 21, 2022 T O: F I NA NC E C O MMI T T E E F RO M :B E NJ A MI N J O HNS O N, I NT E R NA L A UD I TO R RE V IE WE D B Y:P HI L I P L E I B E R , D I R E C TO R O F F I NA NC E A ND A D MI NI S T R AT I O N R O G E R S. B A I L E Y, G E NE R A L MA NA G E R S UB J E C T: R E C E I V E A C C O UNT S PAYA B L E I NT E R NA L A UD I T R E P O RT Attached is the F iscal Year (F Y) 2021-22 A ccounts Payable A udit F inal R eport. I nternal Audit identified and assessed the design and operating effectiveness of internal controls surrounding the accounts payable process. Management’s responses to the recommendations have been reviewed and have been included in the audit report. T he actions taken and/or planned are responsive to the observations in the report. T here will be regular follow-up to discuss remediation ef f orts and send reminders, as needed. Strategic Plan Tie-I n G O A L TH R EE: Fiscal R esponsibility Strategy 1 – Maintain financial stability and sustainability , Strategy 2 – Ensure integrity and transparency in financial management AT TAC HM E NT S : D escription 1. F Y 2021-22 A ccounts Payable A udit R eport 2. P resentation June 21, 2022 Regular FINANCE Committee Meeting Agenda Packet - Page 87 of 101 Page 1 of 10 Attachment 1 FY 2021-22 Accounts Payable Audit Final Report 1 INTERNAL AUDIT REPORT DATE: March 25, 2022 TO: Phil Leiber, Director of Finance and Administration Kevin Mizuno, Finance Manager FROM: Benjamin Johnson, Internal Auditor SUBJECT: FY 2021-22 ACCOUNTS PAYABLE AUDIT FINAL REPORT Enclosed is the Fiscal Year (FY) 2021-22 Accounts Payable Audit Final Report. Internal Audit identified and assessed the design and operating effectiveness of internal controls surrounding the accounts payable process. Management’s responses to our recommendations have been reviewed and have been included in the audit report. The actions taken and/or planned are responsive to the observations in the report. There will be regular follow-up to discuss remediation efforts and send reminders, as needed. Internal Audit would like to thank the Finance Department for their partnership during the length of this project. If you have any questions, please contact me at (925) 229 -7120. Benjamin Johnson Internal Auditor Enclosure cc: Roger S. Bailey, General Manager June 21, 2022 Regular FINANCE Committee Meeting Agenda Packet - Page 88 of 101 Page 2 of 10 Attachment 1 FY 2021-22 Accounts Payable Audit Final Report 2 FY 2021-22 ACCOUNTS PAYABLE AUDIT FINAL REPORT DATE: March 25, 2022 INTRODUCTION Audit Objective The objective of this engagement was to identify and assess the design and operating effectiveness of internal controls surrounding the accounts payable process. Background In FY 2020-21, Central San migrated most of its financial and Human Resources- related processes from SunGard to the Oracle Fusion Cloud (Oracle). Since implementation, Finance management has worked closely with Information Technology and the Enterprise Resource Planning (ERP) consultants (Emtec) to enhance accounts payable (A/P) functionality within the system and identify/correct any system deficiencies. As of the date of this report, the expenditure approval mechanism within Oracle requires multi-point review by appropriate management and Finance team members before payment. The Finance team processes approximately 10 to 30 invoices daily with one team member handling the bulk of entries, and two others in a supporting role assisting with recurring non-purchase order invoices and p-card transactions. The staff that processes most invoices has been with Central San for approximately six years. This is a mature process and notable improvements have been made to the processes surrounding the legacy SunGard system. Audit Scope, Limitations and Methodology Internal Audit assessed the accounts payable process to verify that internal controls met organizational objectives and addressed key risks, with a focus on the following activity and processes as of Q1 FY 2021-22: • Policies and procedures • System access • Payment processing • Signature authority • Petty cash reimbursements • Reporting • Travel and expense reimbursements • Reconciliations The audit was performed using the following methods: • Reviewed available policies, guidelines, and procedures • Interviewed team members and performed process walkthroughs • Assessed the reasonableness of the processes within the scope of the audit • Selected 20 samples of transactions and tested internal controls surrounding: a. Reasonableness and proper approval of expenditures b. Existence of sufficient supporting documentation c. Payment amount accuracy and timeliness • Reported on audit results and discussed recommendations June 21, 2022 Regular FINANCE Committee Meeting Agenda Packet - Page 89 of 101 Page 3 of 10 Attachment 1 FY 2021-22 Accounts Payable Audit Final Report 3 INTERNAL AUDIT RESULTS Summary Based on Internal Audit’s assessment of the design and operating effectiveness of internal controls surrounding the accounts payable process, minor improvements to the process are needed to minimize risk to the organization. Overall, management over the accounts payable process appears robust and there is a strong invoice approval system in place. Observations and recommendations were made regarding the following: • Policies and procedures • Physical check payment runs The risk each finding presents to the organization is weighted using the following system: • 1 – High Risk • 2 – Moderate Risk • 3 – Low Risk Finding 1: Policies and procedures 3 – Low Risk Although some documentation exists, policies and procedures surrounding the accounts payable process have not been formalized or regularly reviewed/updated to reflect Oracle system changes, as of the date of this report. Key staff appear to have a firm understanding of their role in the accounts payable process utilizing informal processes and efficiency- enhancing subprocesses. There is an opportunity to standardize the accounts payable process by crafting formal language surrounding signature approval limits (which are documented in a matrix and coded into the Oracle workflows), non-purchase order expenditure policies, and various standard operating procedures. Key Risks: Unclear objectives, roles, and procedures; inappropriate signature approval limits Recommendation: Detailed standard operating procedures (SOP) and Administrative Procedures (APs) surrounding the accounts payable process should be developed, updated as needed, regularly reviewed, and made available to key staff. A detailed SOP or AP would also facilitate cross-training of staff for succession planning and business continuity purposes. Management’s Response / Action Plan: June 21, 2022 Regular FINANCE Committee Meeting Agenda Packet - Page 90 of 101 Page 4 of 10 Attachment 1 FY 2021-22 Accounts Payable Audit Final Report 4 Management agrees with the Internal Auditor’s finding. As of January 2022, Management has developed a draft AP document covering the payables process and is in the process of obtaining feedback from various stakeholders including staff of the Finance Division as well as Central San’s Purchasing and Risk Management functions and the Contra Cost County Auditor-Controller’s Office. Once finalized, consistent with all Central San APs, this document will be submitted to the General Manager for review and authorization of its effectiveness and enforcement. The AP document will formalize procedures and internal controls relating to the payables process, some of which have been in place for many years as well others that are new additions following the implementation of the new ERP. Key items to be addressed include requirements and definitions for the following: segregation of duties, management approval thresholds, purchase order exemptions, supplier approvals, reconciliations, etc. Target Date / Responsible Owner: Given the level of collaboration needed between different divisions and the relatively low risk level of the finding, Finance anticipates this AP to be approved and implemented by the start of the new fiscal year, on or before July 1, 2022. This should allow for sufficient time to collect and consider feedback from key stakeholders prior to the implementation of the new AP document. – Kevin Mizuno, Finance Manager Internal Audit’s Response: Management’s action plan and target date appear reasonable. Finding 2: Physical check payment runs 3 – Low Risk Central San utilizes a robust expenditure approval system within Oracle that requires all vendor payments and reimbursements, no matter the dollar amount or nature of the request, be reviewed for appropriateness and accuracy by at least one person who is not making the payment request. Depending on the dollar value of a vendor invoice in relation to the signature approval limits, the invoice may require review and approval of multiple individuals (supervisors/managers/directors/General Manager) in the chain of command. If the payment request is for a shipment that was ordered, Finance staff performs a three-way match (invoice, purchase order, and evidence of receipt) and a two-way match (purchase order and invoice) for services. Reimbursements made to Central San employees are authorized by their respective supervisors and reviewed for reasonableness and compliance with District policy by Finance staff. Finance currently mails physical checks to make expenditure payments. Once the checks are cut, Finance management reviews invoices and checks for expenditure requests above $2,500 for proper account coding, reasonableness and accuracy, and those checks are given to the Director of Finance and Administration to review/initial. The check copies are then matched to their respective invoices by staff to ensure accuracy. Finance staff June 21, 2022 Regular FINANCE Committee Meeting Agenda Packet - Page 91 of 101 Page 5 of 10 Attachment 1 FY 2021-22 Accounts Payable Audit Final Report 5 then drives the checks over to the Contra Costa County Auditor-Controller’s Office for a very limited review and countersignature. After the checks are driven back to the District, another Finance staff matches the checks to the check copies before mailing the checks for payment. Given the strong internal controls in place prior to the County’s involvement in the payment process, the County’s countersignature process appears duplicative and inefficient. The County’s review is very limited in scope and does not meaningfully reduce the risk of fraud or inaccuracy. Inefficiencies and some risks are also introduced when considering staff’s travel time on the road. In addition, making payments with physical checks increases Finance’s review time, are not as secure as electronic payments, and increases payment response time to vendors. The County does not have a viable process in place to allow for electronic (ACH) payments for a broad number of vendors but allows for it in a limited number of predefined categories like payroll and benefits. Key Risks: Inefficiency; inaccuracy; vehicle collision Recommendation: While Central San has had a Treasury relationship with Contra Costa County since the Agency’s inception, it is not clear that this relationship adds value around the payment process. The involvement of Contra Costa County does not appear to effectively lower the risks associated with making payments. In addition, the District can set up vendors in Oracle and make electronic payments, which would substantially improve efficiency and better meet the business needs of vendors. This would also allow for better use of standard functionality in the Oracle system’s cash management module, including streamlined integrated bank reconciliations, which were not enabled due to the non-standard situation of a third party involved in the Agency’s treasury function. Management’s Response / Action Plan: Management agrees with the Internal Auditor’s finding. While Management has been aware of the inefficiencies identified by this audit for several years, implementation of the new Oracle ERP system and responding other challenges faced during the pandemic have been the top priority of Finance over the past two years resulting in the deferral of this issue. Management has already held several meetings with the County Auditor-Controller’s Office (County ACO) and Treasurer-Tax Collector’s Office (County Treasury) to discuss changes to long-standing procedures to improve efficiencies and reduce certain risks that were particularly needed during the COVID-19 pandemic. While some improvements were made (i.e., remote deposit scanning, permitting the use of PayPal for online payments, expanded use of ACHs for recurring payroll transactions), the other inefficacies remain in place, including: the continued need for physical deliveries of checks to the County for countersignature, inefficient and overly complex bank June 21, 2022 Regular FINANCE Committee Meeting Agenda Packet - Page 92 of 101 Page 6 of 10 Attachment 1 FY 2021-22 Accounts Payable Audit Final Report 6 reconciliations, and the underutilization of certain new ERP capabilities. It is acknowledged that the County is currently implementing a new ERP system, and with this change, some improved efficiencies may be possible. Over the next year, Management intends to research the matter further and develop potential alternative solutions to the existing operational inefficiencies and risks connected to payables under the existing treasury arrangement. Given the widespread impact that changes could have on Central San’s administrative accounting procedures, any proposed changes will be presented to the Finance Committee and Board for discussion and direction prior to implementation. Target Date / Responsible Owner: Given the significant impact that changes could have on long-standing Finance/Accounting practices paired with the relatively low risk level of the finding, Finance intends to carefully analyze the situation and collect feedback from key stakeholders. This will involve exploratory meetings with the Finance Committee, County ACO and County Treasury and possibly necessitate the utilization of a third-party consultant to independently assess the issue and assist in the design and implementation of new protocols and systematic solutions. Preliminary, Finance will aim to have direction from the Finance Committee and Board on a solution by December 2023. The type of solution desired will dictate the timeframe of implementation, so it is impossible to provide an exact target date of implementation at this time. – Kevin Mizuno, Finance Manager Internal Audit’s Response: Management’s action plan appears reasonable. Given the anticipated level of complexity and number of potential parties involved with the plan presented, the appointed preliminary target date is appropriate. June 21, 2022 Regular FINANCE Committee Meeting Agenda Packet - Page 93 of 101 Page 7 of 10 1 FY 2021-22 ACCOUNTS PAYABLE AUDIT REPORT Finance Committee Meeting June 21, 2022 Benjamin Johnson, Internal Auditor FY 2021-22 ACCOUNTS PAYABLE AUDIT FINAL REPORT ISSUED 03/25/22 •Background •In FY 2020-21, Central San migrated most of its financial-related processes from SunGard to the Oracle Fusion Cloud (Oracle) •Since implementation, Finance management has worked closely with Information Technology and the Enterprise Resource Planning (ERP) consultants (Emtec) to enhance accounts payable (A/P) functionality within the system and identify/correct any system deficiencies •As of the date of this report, the expenditure approval mechanism within Oracle requires multi-point review by appropriate management and Finance team members before payment •This is a mature process and notable improvements have been made to the processes surrounding the legacy SunGard system 2 1 2 Attachment 2 June 21, 2022 Regular FINANCE Committee Meeting Agenda Packet - Page 94 of 101 Page 8 of 10 2 FY 2021-22 ACCOUNTS PAYABLE AUDIT FINAL REPORT ISSUED 03/25/22 •Audit Objective •The objective of this engagement was to identify and assess the design and operating effectiveness of internal controls surrounding the accounts payable process. •Audit Scope •Internal Audit assessed the accounts payable process to verify that internal controls met organizational objectives and addressed key risks •Selected 20 transactions and tested internal controls surrounding: •Reasonableness and proper approval of expenditures •Existence of sufficient supporting documentation •Payment amount accuracy and timeliness 3 FY 2021-22 ACCOUNTS PAYABLE AUDIT FINAL REPORT ISSUED 03/25/22 •Audit Results •Two findings reported •Although some documentation exists, policies and procedures surrounding the accounts payable process have not been formalized or regularly reviewed/updated to reflect Oracle system changes, as of the date of this report. – Low Risk •Vendor payments and employee reimbursements are independently reviewed by the District at least three times before payment. Given the strong internal controls in place prior to the County’s involvement in the payment process, the County’s countersignature process appears duplicative/inefficient. The County’s review is very limited in scope and does not meaningfully reduce the risk of fraud/inaccuracy. – Low Risk •The approval system for vendor payments and employee reimbursements appears robust and effective 4 3 4 June 21, 2022 Regular FINANCE Committee Meeting Agenda Packet - Page 95 of 101 Page 9 of 10 3 FY 2021-22 ACCOUNTS PAYABLE AUDIT FINAL REPORT ISSUED 03/25/22 •Next Steps •Management is currently developing policies and procedures surrounding this process and will research/develop potential alternative solutions to the existing operational inefficiencies and risks connected to payables under the existing County treasury arrangement •Internal Audit will continue to follow-up with management to track remediation progress 5 5 June 21, 2022 Regular FINANCE Committee Meeting Agenda Packet - Page 96 of 101 Page 10 of 10