The URL can be used to link to this page

Home My WebLink About03.c. Receive Procurement Card Internal Audit ReportPage 1 of 15 Item 3.c. F__1_448�411C_S0 June 20, 2023 TO: FINANCE COMMITTEE FROM: BENJAMIN JOHNSON, INTERNALAUDITOR REVIEWED BY: PHI LI P LEI BER, DEPUTY GENERAL MANAGER, ADMINISTRATION ROGER S. BAILEY, GENERAL MANAGER SUBJECT: RECEIVE PROCUREMENT CARD INTERNAL AUDIT REPORT Attached is the 2023 Procurement Card Audit Final Report. Internal Audit assessed the design of internal controls surrounding the Procurement Card (P-Card) Program and whether transactions made by the District were in compliance with established policies and procedures. The P-Card Program was last reviewed by internal audit in 2018, with involvement by outside auditor Maze & Associates. Subsequently, the District has employed a full-time Internal Auditor in an effort to keep regular, independent reviews of key programs and processes a priority. Because of relatively higher risks associated with the Procurement Card Program, Internal Audit will perform an audit of this program every two years moving forward. Strategic Plan Tie -In GOAL FOUR: Governance and Fiscal Responsibility Strategy 1 - Promote and uphold ethical behavior, openness, and accessibility, Strategy 3 - Maintain financial stability and sustainability ATTACHMENTS: 1. 2023 Procurement Card Audit Report 2. Presentation June 20, 2023 Regular FINANCE Committee Meeting Agenda Packet - Page 85 of 106 Page 2 of 15 Attachment 1 110ENTRAL SAN INTERNAL AUDIT REPORT DATE: May 26, 2023 TO: Kevin Mizuno, Finance Manager Stephanie King, Contracts and Procurement Administrator Olivia Ruiz, Accounting Supervisor FROM: Benjamin Johnson, Internal Auditor SUBJECT: 2023 PROCUREMENT CARD AUDIT FINAL REPORT Enclosed is the 2023 Procurement Card Audit Final Report. Internal Audit assessed the design of internal controls surrounding the Procurement Card (P-Card) Program and whether transactions made by the District were in compliance with established policies and procedures. The Procurement Card (P-Card) Program was last reviewed by Internal Audit in 2018. Subsequently, the District has employed a full-time Internal Auditor in an effort to keep regular, independent reviews of key programs and processes a priority. Because of the high risks associated with the Procurement Card Program, Internal Audit will perform an audit of this program every two years moving forward. The actions taken and/or planned are responsive to the observations in the report. There will be regular follow-up to discuss remediation efforts and send reminders, as needed. Internal Audit would like to thank the Finance Division staff for their partnership during the length of this project. If you have any questions, please contact me at (925) 229-7120. Benjamin Johnson Internal Auditor Enclosure cc: Roger S. Bailey, General Manager Philip Leiber, Deputy General Manager, Administration and Finance June 20, 2023 Regular FINANCE Committee Meeting Agenda Packet - Page 86 of 106 Page 3 of 15 2023 PROCUREMENT CARD AUDIT FINAL REPORT Date: May 26, 2023 INTRODUCTION Audit Objective The objective of this engagement was to assess the design of internal controls surrounding the Procurement Card (P-Card) Program and whether transactions made by the District were in compliance with established policies and procedures. Background In late-2022, the Purchasing Division was merged with the Finance Division to establish better cohesion for processes that involve both Divisions, such as those surrounding the Procurement Card Program. This took place during period of transactions subject to audit (calendar year 2022). As of the beginning of Q1 2023, the District had 135 P-Cards issued by the Purchasing group to various staff. The purpose of this program is to provide a more efficient, timely, and cost-effective method of obtaining and paying for large volume, low dollar supplies and materials used by the District. A formal Procurement Card User Guide dated September 29, 2020, outlines the procedures and processes in which cardholders are to adhere to when making purchases with their procurement cards. Internal Audit noted the following key controls and permissions during a review of the user guide and during interviews with Finance Division Staff: • Cardholders are required to reconcile monthly P-Card statements with their Oracle P-Card Expense Report ("Procurement Transaction Logs" pre -Oracle), and upload these documents along with all invoices, credit slips, receipts, and any other supporting documents into the Oracle system. • Cardholders' supervisors are required to review the monthly P-Card bank statements and expense reports and compare them with the attached supporting documents in Oracle. Supervisors also validate the appropriateness of each purchase. Once the review is complete, supervisors can approve for payment or request additional support. • Finance staff performs a secondary review to verify that all required documentation has been uploaded and that the purchases are reasonable in appearance. They will also verify that a supervisor has approved for payment before processing the statement and making the payment. • Training is provided to employees prior to providing the P-Card to the cardholder. • Finance Division (Purchasing) staff performs reviews and monitoring of purchases to observe potential split transactions (multiple purchases of 2023 Procurement Card Audit FINAL Report June 20, 2023 Regular FINANCE Committee Meeting Agenda Packet - Page 87 of 106 Page 4 of 15 the same item for the purpose of avoiding a P-Card single transaction limit). • The P-Cards automatically exclude specific high risk or cash -related transactions so that any attempts to purchase in these areas will be automatically declined. Audit Scope, Internal Audit, with the assistance of Maze and Associates, performed a Limitations, and procurement card transactional review and a review of the design of internal Methodology controls surrounding the following processes: • Policies and procedures • Cardholder agreements • Spending limits • Training • Reconciliation of charges • Allowability review of charges • Card inventory oversight • Terminations The audit was performed using the following methods: • Reviewed available policies, guidelines, and procedures • Interviewed team members and performed process walkthroughs • Assessed the reasonableness of the processes within the scope of the audit with respect to efficiency and the reduction of key operational risks • Obtained a "Vendor Activity Listing" for procurement card transactions for the calendar year 2022. From this listing we noted a total population totaling $2.3 million comprising approximately 4,060 transactions and selected 60 (-1.5% of the transaction total) procurement card purchases totaling approximately $105,327 (-4.6% of the dollar total) for testing. In selecting the transactions, we ensured a representative sample by selecting purchases based on different cardholders, dates, vendors, and dollar amounts. For these 60 transactions, we performed the following: a. Tested compliance with policies and procedures b. Verified that there was proper supporting documentation and approval for each transaction c. Determined that use of a procurement card was a compliant method of purchase for the specific transaction based on the item's description and amount INTERNAL AUDIT RESULTS Summary While there were no compliance issues with the sampled transactions, based on the testing performed and the assessment of the design of internal controls surrounding the Procurement Card Program, there are nonetheless opportunities for process improvements to the program. Internal Audit 2023 Procurement Card Audit FINAL Report 3 June 20, 2023 Regular FINANCE Committee Meeting Agenda Packet - Page 88 of 106 Page 5 of 15 recommends that Purchasing and Accounting staff involved in P-Card administration continue to coordinate with one another to further enhance efficiency and oversight over the program by addressing the findings contained within this report. Finance appears committed to improving processes and consistently seeks out feedback from independent perspectives. Out of the 60 procurement card transactions that were sampled and tested, there were no errors found with respect to compliance with established policies and procedures. Internal Audit reviewed the design of internal controls surrounding the Procurement Card Program. Findings and recommendations were made surrounding the following: • Consistent and timely notification to the P-Card administrators of the Finance Division when a cardholder's employment is terminated • Regular cardholder reviews to determine if maintaining a P-Card remains appropriate for existing cardholders • Regular trainings for existing cardholders to reinforce policy expectations and updates • Regular reviews and updates to applicable policies and procedures • Inclusion of escalation language in applicable policies and procedures for violations • Maintaining an independent inventory of cardholders Additionally, although the following does not rise to the level of a formal finding, the following recommendation may help to enhance efficiency: • Finance staff may want to coordinate with Division leaders to develop short lists of product/service categories that their cardholders typically purchase, which may help streamline processes when Finance staff review procurement card purchases for allowability. The risk each finding presents to the organization is weighted using the following system: • 1— High Risk • 2 — Moderate Risk • 3 — Low Risk Finding 1: Consistent and timely notification to the P-Card administrators of the Finance Division when a cardholder's employment is terminated 2023 Procurement Card Audit FINAL Report June 20, 2023 Regular FINANCE Committee Meeting Agenda Packet - Page 89 of 106 4 Page 6 of 15 1— High Risk Prior to this review, Finance's P-Card administration staff did not receive formal notifications when a cardholder has left the organization. Timely deactivation of a purchasing card account when a cardholder leaves the District is essential to reducing the risk of inappropriate charges made. After this discovery, Human Resources added the appropriate Finance Division staff to an email they typically send out twice a month that lists all employment status changes for all employees, which includes when employees leave the District. There may be a delay between an employee's last day and Finance receiving a notification that they are no longer a District employee. Recommendation: Management may want to develop an automated mechanism to timely alert appropriate Finance Division staff when cardholders leave the District. If this effort takes substantial time to implement, Finance may want to coordinate with Human Resources to ensure more timely communication of cardholder departures in the interim. Management's Response / Action Plan: Management is working to implement Oracle functionality that would record the issuance of various items to employees at hiring and during their employment so that these items can be tracked and recalled upon termination. IT and Human Resources are leading this effort. Additionally, as noted previously, effective April 2023 Human Resources began including key P-Card administration staff in a bi-weekly email communicating new hires, terminations, and other significant payroll changes in a specified two -week timeframe coinciding with the current pay period. While not all employees listed as being terminated are P-Card holders, Finance's P-Card administration staff have begun reconciling this email notification to their P-Card records to ensure P-Card holders are removed as needed. This will serve as the primary process termination tracking process until HR and IT implement the onboarding/offboarding Oracle tracking functionality described previously. Target Date: Completed Responsible Owner: Kevin Mizuno, Finance Manager Internal Audit's Response: Management's action plan appears reasonable. Internal Audit independently verified that the P-Card tracking effort is underway and that all key stakeholders are supportive. Therefore, this finding is closed as of the date of this report. Finding 2: Regular cardholder reviews to determine if maintaining a P-Card remains appropriate for existing cardholders 2023 Procurement Card Audit FINAL Report June 20, 2023 Regular FINANCE Committee Meeting Agenda Packet - Page 90 of 106 Page 7 of 15 3 — Low Risk Cardholder reviews to determine if maintaining a P-Card remains appropriate for existing cardholders are currently only performed on an ad -hoc basis. If a cardholder leaves their respective Division for any reason and they no longer have a business need for possessing a procurement card, the District is exposed to the unnecessary risk of the card being stolen, lost, or used inappropriately by the cardholder. Recommendation: Assigned P-Card administrators within the Finance Division should work with Division Managers/Department Directors to perform a District -wide review periodically (not less than every three years) to determine if there is a business need for existing cardholders to maintain such accounts. P-Card administrators can use an independent cardholder inventory, as mentioned in the Recommendation section of Finding #6 below, to identify current cardholders and coordinate with Division team leaders to assess operational needs as they relate to card issuance. Management's Response / Action Plan: Management agrees with the proposed recommendation to conduct this review periodically (not less than every three years). The P-Card administrator recently conducted a District -wide review in July 2022, providing each Division Manager and Department Director with a list of all their employees that have P-Cards. This report summarized usage per employee, including the number of transactions each employee made on their P-Card over a period of a year and the total dollar amount. It also included the employees' P-Card limits. We will conduct this review periodically (not less than every three years). Target Date: Completed Responsible Owner: Kevin Mizuno, Finance Manager Internal Audit's Response: Management's approach appears reasonable, and this finding is closed as of the date of this report. Finding 3: Regular trainings for existing cardholders to reinforce policy expectations and updates 2 — Moderate Risk The District has not provided regular training for existing cardholders to reinforce policy expectations and updates. Depending on how long a cardholder has been employed by the District, there may be a long lapse in time since receiving their initial training when the original card was issued. Therefore, any future updates to applicable policies and procedures may not be communicated timely and/or consistently to existing cardholders. 2023 Procurement Card Audit FINAL Report June 20, 2023 Regular FINANCE Committee Meeting Agenda Packet - Page 91 of 106 Page 8 of 15 Management recognized this process gap prior to this audit and is developing a training program to be administered regularly. Recommendation: Continue to develop procurement card training program in accordance with the most current policies and procedures and begin performing trainings at least every three years. Management's Response / Action Plan: Management agrees with the finding and proposed recommendation. Currently, new cardholders receive training on P-Cards for District purchases. This training is comprehensive, detailing the types of purchases that are not allowed as well as each person's designated dollar limits. After receiving this training, staff will sign an agreement, committing to abide by District P-Card policies and procedures, and only after completing both the training and signing the agreement, will be issued a new card. In 2023, the Finance Division launched "Finance @ Your Service" training modules to occur every even month, with the first trainings covering Project Management (February) and Procurement (April). An upcoming module will be focused on P-Card training and is scheduled for October of this year, which will repeat annually. Target Date: October 2023 Responsible Owner: Kevin Mizuno, Finance Manager Internal Audit's Response: The action plan above is appropriate. Finding 4: Regular reviews and updates to applicable policies and procedures 2 — Moderate Risk The Procurement Card User Guide, a key District employee -facing guidance document developed by Finance (previously Purchasing), is dated September 29, 2020. Not establishing a formal, regular review process of this document may lead to inaccurate written guidance when compared with current operational expectations. One section of the document states that it is not necessary for cardholders to submit their bank statements to Finance along with their reconciliation packages when charges were made within a given month. However, Finance currently requires cardholders to include bank statements when submitting their packages. Recommendation: The Finance Division should perform a holistic review of the Procurement Card User Guide annually to ensure the language accurately reflects current procedures and expectations. A review log may be included in the document to identify who reviewed the document, when, and any changes that were made in relation to the previous version. 2023 Procurement Card Audit FINAL Report June 20, 2023 Regular FINANCE Committee Meeting Agenda Packet - Page 92 of 106 Page 9 of 15 Management's Response / Action Plan: Management agrees with the finding and proposed recommendation. Two potential solutions are being considered. Management is contemplating whether it is more effective to update the Procurement Card User Guide to include a section requiring a periodic review, whether it is preferable to implement a more condensed Administrative Procedures document outlining internal administrative requirements, or whether both are appropriate. The User Guide would be focused on providing guidance to cardholders, while an Administrative Procedures document would focus on providing guidance to program administrators. Target Date: 9/29/2023 (by close of Q1 of FY 2023-24) Responsible Owner: Kevin Mizuno, Finance Manager Internal Audit's Response: Internal Audit appreciates the considerations identified in the action plan and will review remediation efforts to the adequate reduction of identified risk. Finding 5: Inclusion of escalation language in applicable policies and procedures for violations 1— High Risk The District does not have escalation language identified in the Procurement Card User Guide to address policy violations. Although we identify that an attempt to commit fraud may result in immediate cancellation of the procurement card and disciplinary action, additional specificity surrounding the District's response is not identified. Recommendation: Include escalation language in the Procurement Card User Guide to clearly define the District's response to various procurement card violations. Escalation language should include details surrounding the number of violations before action is taken, timing of the District's response, investigatory process, appeal process, etc. Management's Response / Action Plan: Management agrees with the Internal Audit finding and will amend the Procurement Card User Guide (or new Administrative Procedures, should that be executed) to add escalatory language covering potential consequences cardholders may face if P-Card expense reports are not submitted for processing by the submission deadline, repeated instances of accidental personal charges, and other circumstances. Target Date: 9/29/2023 (by close of Q1 of FY 2023-24) Responsible Owner: Kevin Mizuno, Finance Manager Internal Audit's Response: The action plan appears reasonable. 2023 Procurement Card Audit FINAL Report June 20, 2023 Regular FINANCE Committee Meeting Agenda Packet - Page 93 of 106 Page 10 of 15 Finding 6: Maintaining an independent inventory of cardholders 1— High Risk The District does not maintain an inventory of cardholders independent of online banking records. Although banking records may be helpful in determining which District employees currently have active procurement cards, these records do not indicate status of employment nor when a cardholder leaves the District. Therefore, if Finance's P-Card administrators do not cancel a procurement card upon a cardholder's termination of employment, Finance does not maintain any independent records to identify the error later and immediately cancel the card. This situation presents the risk that a cardholder who is no longer an employee of the District, would have the ability to make unauthorized charges up to the daily limit until Finance performs their monthly auditing of P-Card expense reports necessary to pay US Bank. In addition, Management does not have an opportunity to regularly verify that the cardholder inventory is accurate and that procurement card cancellations are performed timely. Recommendation: Finance should create and maintain an independent inventory of cardholders that includes which cardholders have left the District, when their last day was, and when the appropriate cards were cancelled. Management should have the ability to review an inventory of cardholders to determine accuracy and card cancellation timeliness, which can be performed monthly. Management's Response / Action Plan: Finance agrees with the finding, however, disagrees with the recommended solution to maintain a separate record of terminations relating to P-Cards. All P-Card issuances are tracked in the robust US Bank "Access Online" portal, which tracks all cards issued, credit limits, and provides several audit reports on P-Card census information and changes. Therefore, it is management's position that maintaining a separate record is not an effective use of limited staff time and resources given conflicting priorities. In addition to the online database already available, it is management's position that at least three other compensating controls help reduce this risk to an acceptable level. One compensating control is detective in nature. If a terminated employee were to retain a P-Card inadvertently, P-Card credit limits and monthly P-Card processing help reduce risk of material undetected theft. P-Card limits established upon the issuance of P-Cards, both monthly and per transaction, limit the amount that a potential terminated employee could charge on their P-Card. Additionally, as part of the monthly P-Card processing protocols, all P- Card charges are uploaded from the banking portal to Oracle for processing. Any unclaimed and unreported P-Card transactions would be identified and flagged by the P-Card auditor for further investigation. 2023 Procurement Card Audit FINAL Report June 20, 2023 Regular FINANCE Committee Meeting Agenda Packet - Page 94 of 106 -11 Page 11 of 15 Additionally, as noted previously in finding #1, management is working to implement Oracle functionality that would record the issuance of various items to employees at hiring and during their employment so that these items can be tracked and recalled upon termination. IT and Human Resources are leading this effort. Target Date: Completed Responsible Owner: Kevin Mizuno, Finance Manager Internal Audit's Response: Internal Audit appreciates Finance's proactive and reactive efforts to minimize risk while acknowledging resource limitations. Although management's approach differs from the recommendations made, the internal controls designed clearly aim to reduce identified risk to an acceptable level. Therefore, this finding is closed as of the date of this report and any related procurement card violations will be reviewed in future audits. 2023 Procurement Card Audit FINAL Report June 20, 2023 Regular FINANCE Committee Meeting Agenda Packet - Page 95 of 106 10 Page 12 of 15 Attachment 2 Procurement Card Audit Report Final report issued 05/26/23 Background In late-2022, the Purchasing Division was merged with the Finance Division to establish better cohesion for processes that involve both Divisions, such as those surrounding the Procurement Card Program. This took place during the period of transactions subject to this audit (calendar year 2022). As of the beginning of Q1 2023, the District had 135 procurement wf cards (P-Cards) issued by the Purchasing group to various staff. The _ purpose of this program is to provide a more efficient, timely, and cost-effective method of obtaining and paying for large volume, low dollar supplies and materials used by the District. June 20, 2023 Regular FINANCE Committee Meeting Agenda Packet - Page 96 of 106 Page 13 of 15 Procurement Card Audit Report Final report issued 05/26/23 Audit Objective The objective of this engagement was to assess the design of internal controls surrounding the Procurement Card (P-Card) Program and whether transactions made by the District were in compliance with established policies and procedures. Audit Scope Internal Audit, with the assistance of Maze and Associates, performed a procurement card transactional review and a review of the design of internal controls surrounding the following processes: Policies and procedures Cardholder agreements Spending limits Training Reconciliation of charges Allowability review of charges Card inventory oversight Terminations 3 1 Procurement Card Audit Report �. Final report issued 05/26/23 Audit Scope (Continued) _ Assessed the reasonableness of the processes within the scope of the audit with respect to efficient and the reduction of key operational p Y Y p risks Obtained a "Vendor Activity Listing" for procurement card ` transactions for the calendar year 2022. From this listing we noted a total population totaling $2.3 million comprising approximately 4,060 transactions and selected 60 (-1.5% of the transaction total) procurement card purchases totaling approximately $105,327 (-4.6% of the dollar total) for testing. In selecting the transactions, we ;.._ ensured a representative sample by selecting purchases based on different cardholders, dates, vendors, and dollar amounts. For these '. 60 transactions, we tested for compliance with established policies and procedures. 4 June 20, 2023 Regular FINANCE Committee Meeting Agenda Packet - Page 97 of 106 2 Page 14 of 15 Procurement Card Audit Report Final report issued 05/26/23 Audit Results Transactional testing - Out of the 60 procurement card transactions that were sampled and tested, there were no errors found with respect to compliance with established policies and procedures. Design of internal controls - Six findings reported noting a theme surrounding oversight of the program: i i Consistent and timely notification to the P-Card administrators of the: Finance Division when a cardholder's employment is terminated (High Risk) - Closed Regular cardholder reviews to determine if maintaining a P-Card remains - appropriate for existing cardholders (Low Risk) — Closed Regular trainings for existing cardholders to reinforce policy expectations and updates (Moderate Risk) —_ Regular reviews and updates to applicable policies and procedures (Moderate Risk) Inclusion of escalation language in applicable policies and procedures for violations (High Risk) Maintaining an independent inventory of cardholders (High Risk) - Closed Procurement Card Audit Report Final report issued 05/26/23 Next Steps Internal Audit will continue to follow-up with open finding owners via: Quarterly meetings with executive management and managers that have audit findings with approaching due dates as an opportunity for remediation updates and open dialogue Email reminders sent out to appropriate management and executive management three weeks before each finding component is due Meetings with finding owners to provide additional clarification, as needed Internal Audit will continue to work closely with the Finance Division as an independent resource Emergency Management Program — Risk of non-compliance with regulatory expectation appears low and there are no immediate concerns noted Contract management — Audit project planned for Q3 of this calendar year Permit Counter - Review planned for Q4 of this calendar year June 20, 2023 Regular FINANCE Committee Meeting Agenda Packet - Page 98 of 106 3 Page 15 of 15 Biannual Findings Report Overview 33 findings reported since Q1 2021 26 findings have been closed 6 findings have future due dates 1 finding is currently overdue as of 12.31.22 Management remains proactive and responsive in remedlating audit findings Roger Bailey, Phil Leiber, and I meet quarterly with finding owners to track remediation progress and create space for open dialog Findings By Closure Status • Findings reported and closed • Findings with future due dates • Overdue findings June 20, 2023 Regular FINANCE Committee Meeting Agenda Packet - Page 99 of 106 4