Loading...
HomeMy WebLinkAboutCOM 0860.000 2008-2010 rNt Y•OF N4 .. d Colleen M. Schrandt �-'I '/` * Legislative Auditor Mailing Address: ° Tf ° F „P' Business Address: Hawai'i County Building r . 1266 Kamehameha Avenue 25 Aupuni Street Lo ztfv of ' X ni t 1 Ironworks Building, Room A -I Hilo, Hawai'i 96720 Hilo, Hawaii 96720 OFFICE OF THE LEGISLATIVE AUDITOR Telephone: (808) 961 -8386 Facsimile: (808) 961 -8905 cam'- MEMORANDUM c ' r ri Date: June 28, 2010 To: J Yoshimoto, Council Chairperson, ,5 and Members of the Hawai`i County Council From: Colleen Schrandt, Legislative Auditor OVA Subject: Limited Scope Performance Audit of the Department of Water Supply's Internal Controls for Cash Handling and Financial Information Technology (IT) Systems. Enclosed please find the Office of the Legislative Auditor's Limited Scope Performance Audit of the Department of Water Supply's Internal Controls for Cash Handling and Financial Information Technology (IT) Systems. We request that the audit report be placed on the agenda of the appropriate Council Committee on August 2, 2010, since the Department of Water Supply has requested that our office first present the audit report to its Water Board on July 27, 2010. Thank you for your consideration in this matter. CMS:jec Enclosures xc w /enclosure: Mayor William P. Kenoi Managing Director William Takaba Comm. No. 3 (4)° Ref. To: • FCC Ref. 1}41 Serving the Interests of the People of Our Island Hawai `i County is an Equal Opportunity Provider and Employer h 7 Limited Scope Performance Audit of the Department of Water Supply's Internal Controls for Cash Handling and Financial Informational Technology (IT) Systems EXECUTIVE SUMMARY This limited scope performance audit was performed in accordance with Hawaii County Charter, section 3 -18 and Generally Accepted Government Auditing Standards (GAGAS). - The Department of Water Supply was designated for review based on a County -wide risk assessment conducted by the Office of the Legislative Auditor in FY 2007 -2008. DEPARTMENT OF WATER SUPPLY Hawaii County Charter article VIII provides for a semi - autonomous Department of Water Supply (DWS) consisting of a nine - member Water Board, a Manager, and necessary staff, and establishes a separate Water Fund to be utilized solely for water purposes that includes revenues from the operation of the County's water system and State and Federal water grants or appropriations. AUDIT SCOPE During the audit entrance conference, DWS management stated that it had discovered a theft of money in the Customer Service Branch of its Finance Division; the employee responsible had been terminated; and the illegality had been reported to appropriate County of Hawaii officials for investigation. The complaint filed by the Prosecutor's Office charged that a theft had occurred "on or between July 1, 1997 through August 15, 2009 ", in a continuing course of conduct. In a no contest plea, the employee agreed to pay restitution of $78,868.40, which County officials confirm has been reimbursed to DWS. The employee was convicted of Theft in the First Degree. On the request of DWS management, the Legislative Auditor's Office agreed to focus our examination on the adequacy of current internal controls relating to cash handling and financial information (IT) systems within the DWS Finance Division and Information Systems Branch. The audit period covers July 1, 2008 through February 28, 2010. AUDIT OBJECTIVES • Assess the control environment, including management's policies and procedures for establishment and maintenance of an effective internal control system. • Assess the adequacy of internal controls relating to cash handling activities. • Assess the adequacy of internal controls of systems and application activities relating to financial IT systems. AUDIT METHODOLOGY • Review of DWS documentation and practices; County and State laws and records; and government best practices relating to cash handling and financial IT technology. • Interview and observation of Hawaii County personnel, and interview of Honolulu City and County personnel and financial IT systems experts. AUDIT CRITERIA • Government Auditing Standards (July 2007 Revision), also known as Yellow Book, published by the U.S. Government Accountability Office. • Internal Control Criteria: o Committee of Sponsoring Organization Internal Control (COSO) Integrated Framework. o Government Finance Officers Association (GFOA) Recommended Practice: Revenue Policy — Cash Receipts Policy (January 2007). o Sarbanes -Oxley (SOX) — Segregation of Duties Matrix. o Information System Audit and Control Association (ISACA) — IT Segregation of Duties Matrix, and Security and Business Continuity Plans. o Control Objectives for Information and related Technology (COBIT) Framework. GENERAL FINDINGS In response to its discovery of employee theft, DWS proposed significant policy and process improvements to its cash handling activities, but has yet to fully implement all proposed controls. As a result, current cash handling practices (including security of cash assets; reconciliation of transactions; financial reporting and documentation; segregation of duties; and management oversight) are still insufficient to prevent and detect mishandling or misappropriations of customer payments in a timely manner. In addition, current financial IT systems controls (including protocols for security, access rights, back -up, and disaster recovery; automation of its operations; and integration of its financial systems and financial reporting capabilities) are also insufficient to prevent and detect potentially larger financial misappropriations or other fraudulent activities in a timely manner. CASH HANDLING — RECOMMENDATIONS Control Environment: DWS must assess all risks to its cash assets; identify preventive and detective controls relating to its cash handling processes; and develop and implement formal written policies and procedures to regularly monitor cash handling operations at all levels and in all functions within its Finance Division. Security of Customer Payments /Segregation of Duties: DWS needs to secure all customer payments in lockable cash boxes in secure locations to prevent or deter mishandling and misappropriation. Each employee with cash handling duties should be assigned a separate cash box and separate login or password to the Public Utility Billing System (PUBS). DWS also needs to reassess its combining of cashiering and customer service duties in District offices. Reconciliation of Transactions: DWS needs to provide audit trails for all PUBS transactions processed by each Cashier and review all transactional changes authorized by Supervisors. DWS needs to record and track customer payments from their first point of receipt (by payment type /number /amount) for independent reconciliation to customer payments posted to customer accounts and daily bank deposits (by payment type /number /amount). Financial Reporting: DWS needs to be able to track all water billing and other revenue - generating activities and transactions to ensure the completeness and accuracy of its financial data and the proper collection of all fees owed. DWS should also consider automating its manual receipt processes to gain further efficiencies. IT FINANCIAL SYSTEMS - RECOMMENDATIONS Control Environment: DWS should complete a thorough risk assessment of its financial IT systems and related processes; document any control deficiencies; and develop and implement formal written policies and procedures to regularly review and audit financial transactions and IT system changes at all levels and in all functions within its Finance Division and Information Systems Branch. IT System Integration: DWS has three financial IT systems — the Public Utility Billing System (PUBS), Select Financial System, and Water Commitment System — which are separately maintained and not integrated. If current inefficiencies cannot be remedied with integration and configuration changes, DWS should consider procurement of a new integrated utility billing, 2 financial, and water commitment system. DWS should also evaluate options for automating its business functions to improve posting between its utility billing and financial systems; tracking of water commitments and other revenue - generating transactions; and reporting on its manual receipt processes. IT Security Policy: DWS needs to develop and implement a formal written IT security policy. All employees with financial IT access should have individual logins and should not share passwords. IT settings should require password changes on a regular basis, and automatic lockouts after a specified period of nonuse. IT administrator access rights should be limited, and IT system changes should be accompanied by audit trails that are reviewed for proper authorization. All financial IT servers should be locked in an air - conditioned server room with restricted employee access. IT Recovery and Business Continuity Plans: DWS needs to develop and implement formal written back -up and retention policies for its financial IT systems. Back -up tapes should be stored off -site in a secure location outside the tsunami zone, and restoration from back -up tapes should be routinely tested to ensure that critical systems can be restored. DWS also needs to develop a concise business continuity plan to address continuation of operations in the aftermath of various business disruption and disaster scenarios. Segregation of Duties: The function of financial IT system administrator should be moved from the Waterworks Controller, who currently also serves as financial IT application administrator, to multiple employees in the Information Systems Branch. DWS RESPONSE The Department of Water Supply generally agreed with audit findings, stating that: "Overall, this report provides an excellent opportunity for us to update and improve controls in the department." However, DWS cited current workloads and upgrade costs for improvement of financial management and billing procedures and systems as challenges to the early implementation of audit recommendations, which working conditions were acknowledged by auditors in the report. CONCLUSION The Water Board and its Manager are responsible for establishing a proper control environment within the Department of Water Supply that provides the discipline and structure required to properly account for customer monies and other cash assets. Fundamental to meeting this management responsibility is the establishment of a continuous review process that identifies new or changing financial and operational risks; updates internal control activities to minimize risks; and implements updated policies and procedures in a timely manner. Policies and procedures need to be clearly communicated, so employees understand their roles in the cash handling and financial control systems as well as the consequences for failed compliance. In addition, the Water Board and its Manager must provide the optimum combination of resources within its Finance Division — including personnel and automated financial IT systems — to ensure the completeness, accuracy, and timeliness of its financial information. It is imperative that County officials expand their operational missions of providing public services to include the safeguarding of public assets through effective risk management and internal control systems. Colleen M. Schrandt Legislative Auditor County of Hawaii June 2010 3 1 1 Limited Scope Performance Audit of the Department of Water Supply's Internal Controls for Cash Handling and Financial IT Systems A Report to the 1 Hawaii County Council 1 1 1 1 1 June 2010 1 vp THE OFFICE OF THE LEGISLATIVE AUDITOR 1 COUNTY OF HAWAII 1 1 Table of Contents 1 CHAPTER 1: AUDIT PLAN I Background 1 Audit Scope 1 I Audit Objectives 2 Audit Methodology 3 Government Auditing Criteria 4 1 CHAPTER 2: INTERNAL CONTROL CRITIERA 1 COSO Internal Control — Integrated Framework 6 Government Finance Officers Association (GFOA) I Cash Receipts Policy (January 2007) 8 Sarbanes -Oxley (SOX) Segregation of Duties Matrix 9 IT Segregation of Duties Matrix 10 Control Objectives for Information and related Technology I (COBIT) Framework 11 Information System Audit and Control Association (ISACA) Security Policy 11 1 Business Continuity Plans 11 1 CHAPTER 3: DEPARTMENT OF WATER SUPPLY Overview 13 I Organization 14 Water Board 14 Administration 15 I Finance Division 16 Operations Division 16 Engineering Division 17 I Department of Water Supply Financial Statement (June 30, 2008 & 2007) 18 Department of Water Supply Organization Charts 19 to 22 III CHAPTER 4: CASH HANDING SYSTEMS 1 Overview 23 Department of Water Supply Finance Division 24 Five Basic Principles of Good Cash Handling 25 1 Findings and Recommendations 25 to 41 1 i 1 CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS Overview 42 Department of Water Supply IT Financial Systems 42 Findings and Recommendations 44 to 56 CHAPTER 6: CONCLUSION 57 to 59 DEPARTMENT OF WATER SUPPLY RESPONSE 60 to 66 1 1 1 1 1 1 1 1 1 1 ii 1 CHAPTER 1: AUDIT PLAN 11 CHAPTER 1 AUDIT PLAN Background This limited scope performance audit was performed in accordance with Hawaii County Charter section 3 -18 and Generally Accepted Government Auditing Standards (GA GAS). The Department of Water Supply was designated for review based on a County -wide risk assessment conducted by the Office of the Legislative Auditor in FY 2007 -2008. The Office of the Legislative Auditor acknowledges and appreciates the cooperation and assistance of the Manager and staff of the Department of Water Supply during the course of this performance audit. 1r Audit Scope This limited scope performance audit of the County of Hawaii Department of Water Supply examines the adequacy of current internal controls relating to its cash handling and financial information technology (IT) systems. The audit period covers July 1, 2008 through February 28, 2010. During the audit entrance conference between the Department of Water Supply and the Legislative Auditor's Office, DWS management informed the auditors that it had discovered a theft of money in the Customer Service Branch of its Finance Division, and that the employee responsible had been terminated. DWS management also advised that it was conducting an internal investigation to gather information for the Hawaii County Police Department. The complaint filed by the Hawaii County Prosecutor's Office charged that a theft had occurred on or between July 1, 1997 through August 15, 2009, in a continuing course of conduct. In a no contest plea, the employee agreed to pay restitution in the amount of $78,868.40, which County officials confirm has been reimbursed to the Department of Water Supply. The employee was convicted of Theft in the First Degree. On the request of DWS management, the Legislative Auditor's Office agreed to focus performance auditing efforts on the DWS Finance Division and, more specifically, internal controls related to its cash handling and financial IT systems. 1 1 1 1 CHAPTER 1: AUDIT PLAN Audit Objectives • Assess the control environment, including management's policies and procedures for establishment and maintenance of an effective internal control system. • Assess the adequacy of internal controls relating to cash handling activities, including: o Adequacy of written policies and procedures. o Functional compliance with written policies and procedures. o Adequacy of separation of duties and reporting, reconciliations, and reviews of cash handling activities. o Safeguarding of cash. o Timely receipt and deposit of cash. o Adequacy of internal controls over cash handling activities of satellite offices. • Assess the adequacy of internal controls of systems and application activities relating to the Department's financial IT systems, including: o Adequacy of policies and procedures for IT security, passwords, access rights, user groups, backups, and disaster recovery. o Adequacy of separation of duties over IT financial systems activities. o Adequacy of physical security over IT computer server rooms, workstations, and networks. o Adequacy of systems processes to monitor and report on IT systems activities. o Adequacy of internal controls of networked IT systems. 2 CHAPTER 1: AUDIT PLAN Audit Methodology • Review departmental documentation, provided by the Department of Water Supply and its Finance Division and Information Systems Branch. • Review Cash Handling and Information Technology Best Practices, including source materials and /or interviews of personnel from: Imo o U.S. Government Accountability Office (GAO). 1 o Government Finance Officers Association (GFOA). o Committee of Sponsoring Organizations of the Treadway Commission (COSO). o Information System Audit and Control Association (ISACA). o IT Governance Institute (ITGI). 1 o Gartner Group. o City and County of Honolulu, Department of Water Supply. 1 • Review State and County laws and records: 1 o Hawaii Revised Statutes. o Hawaii County Charter. o Hawaii Circuit Court of the Third Circuit. • Interview and observation of County personnel, including Department of Water Supply administrators and support staff, the Waterworks Controller, Assistant Controller, District Supervisors, Customer Service Supervisor, Customer Service Representatives, Cashiers, Waterworks Information Systems Manager, and County of Hawaii Treasurer and Managing 1 Director. 1 1 1 3 1 CHAPTER 1: AUDIT PLAN Government Auditing Criteria Government Auditing Standards (July 2007 Revision), referred to as the "Yellow Book ", published by the United States Government Accountability Office, by the Comptroller General of the United States: • Government Auditing Standards, Section 1.30, Performance Audits: "Internal control comprises the plans, policies, methods and procedures used to meet the organization's mission, goals and objectives... Examples of audit objectives related to internal control include an assessment of the extent to which internal control provides reasonable assurance about whether: (a) organizational missions, goals, and objectives are achieved effectively and efficiently; (b) resources are used in compliance with laws, regulations, or other requirements; (c) resources, including sensitive information accessed or stored outside the organization's physical perimeter, are safeguarded against unauthorized acquisition, use, or disposition; (d) management information, such as performance measures, and public reports are complete, accurate, and consistent to support performance and decision making; (e) the integrity of information from computerized systems is achieved; and (f) contingency planning for information systems provides essential back -up to prevent unwarranted disruption of the activities and functions that the systems support." • Government Auditing Standards, Section 7.20, Internal Control: "... Controls over the safeguarding of assets and resources include policies and procedures that the audited entity has implemented to reasonably prevent or promptly detect unauthorized acquisition, use, or disposition of assets and resources." • Government Auditing Standards, Section 7.21, Internal Control: "In performance audits, a deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, detect, or correct (1) impairments of effectiveness or efficiency of operations, (2) misstatements in financial or performance information, or (3) violations of laws and regulations, on a timely basis. A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective is not met. A deficiency in operation exists when a properly designed control does not operate as designed, or when the person performing the control does not possess the 4 CHAPTER 1: AUDIT PLAN necessary authority or qualifications to perform the control effectively." • Government Auditing Standards, Section 7.23, Information Systems Controls: "... Information systems controls consist of those internal controls that are dependent on information systems processing and include general controls and application controls. Information systems general controls are the policies and procedures that apply to all or a large segment of an entity's information systems. General controls help ensure the proper operation of information systems by creating the environment for proper operation of application controls. General controls include security management, logical and physical access, configuration management, segregation of duties, and 1 contingency planning. Application controls, sometimes referred to as business process controls, are those controls that are incorporated directly into computer applications to 1 help ensure the validity, completeness, accuracy, and confidentiality of transactions and data during application processing. Application controls include controls over input, processing, output, master data, application interfaces, and data management system interfaces." 1 1 1 1 1 1 1 1 1 5 1 CHAPTER 2: INTERNAL CONTROL CRITIERIA CHAPTER 2 INTERNAL CONTROL CRITERIA COSO Internal Control — Integrated Framework The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a volunteer private- sector organization comprised of several professional associations, including the American Accounting Association; American Institute of Certified Public Accountants (AICPA); Financial Executives International (FEI); Institute of Management Accountants (IMA); and Institute of Internal Auditors (IIA). Its mission is to guide executive management and governance entities in the establishment of more effective, efficient, and ethical business operations on a global basis. It sponsors and disseminates frameworks and guidance based on in -depth research, analysis, and best practices. The COSO Internal Control — Integrated Framework provides that internal control consists of five interrelated components, which are derived from the way management runs a business and are integrated with the management process: • Component No. 1: Control Environment — The control environment sets the tone of an organization and is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the organization's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by its board of directors. • Component No. 2: Risk Assessment — Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is the establishment of organizational objectives that are linked at different levels and are internally consistent. Risk assessment is the identification and analysis of relevant risks to the achievement of management objectives, forming a basis for determining how risks should be managed. • Component No. 3: Control Activities — Control activities are the policies and procedures that help ensure management's directives are carried out. They help ensure that necessary actions are taken to address risks to the achievement of 6 CHAPTER 2: INTERNAL CONTROL CRITERIA organizational objectives. Control activities occur throughout the organization at all levels and in all functions. They include a range of activities as diverse as approvals; authorizations; verifications; reconciliations; reviews of operating performance; security of assets; and segregation of duties. • Component No. 4: Information and Communication — Pertinent information must be identified, captured, and communicated in a form and timeframe that enable employees to carry out their responsibilities in an effective and efficient manner. Information systems produce reports containing operational, financial, and compliance - related information that help management run and control the organization. Effective communication must also occur in a broader sense by flowing down, across, and up the organization. All personnel must receive a clear message from management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how their individual activities relate to the work of others in the organization. 1 • Component No. 5: Monitoring — Internal control systems need to be monitored — a process that assesses the quality of system performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs during the course of operations, and includes regular management and supervisory activities as well as other employee activities. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and governmental leaders. Source: http://www.coso.orq/IC mmary. htm 1 1 1 1 1 7 1 CHAPTER 2: INTERNAL CONTROL CRITIERIA Government Finance Officers Association (GFOA) Cash Receipts Policy (January 2007) "Background... As part of performing government services, management must provide for appropriate mechanisms, automated and manual, to collect all funds for services performed and ensure the proper controls exist over all receipts." "Recommendation... Internal controls: All aspects of cash receipts shall be subject to proper internal controls with standard controls documented and followed by revenue generating departments: • Segregation of duties — authorization, recording, custodian functions, and reconciliation. • Daily processing — daily cash /collection total reconciled to subsequent deposit. • Timely depositing of funds received ... • Reconciliation to the general ledger and other supporting accounting ledgers shall be performed in a timely manner. • Physical security procedures during work hours and non- working hours for all funds received and change drawers maintained. • Automated system resources should be utilized where practical to provide better processing and reconciliation support as well as providing a more efficient and effective manner to manage receipts... • Upon any suspicion of fraud, the department supervisor would timely notify the appropriate personnel (e.g., internal audit, law enforcement) for further investigation. • If there is any suspicion regarding non - compliance of internal directives, the departmental supervisor will notify the appropriate personnel (e.g., internal audit) for further review." 8 CHAPTER 2: INTERNAL CONTROL CRITERIA "Recommendation... Depositing of Funds for Services: ' • Remote cash and cheque collection points should be established where appropriate customer service benefits are evident. Documented internal controls need to be established with such collection points. The ultimate remittance or deposit of such collection receipts should be documented and systematically performed by the applicable officials... 1 Sarbanes -Oxley (SOX) Segregation of Duties Matrix "A fundamental element of internal control is the segregation of certain key duties. The basic idea underlying segregation of duties is that no employee or group should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. In general, the principal incompatible duties to be segregated include: • Custody of assets. • Authorization or approval of related transactions affecting those assets. • Recording or reporting of related transactions. • Execution of the transaction or transaction activity." "Separation of Duties for Access Control Enforcement in Workflow Environments", R.A. Botha and J.H.P. Eloff, IBM Systems Journal, Volume 40, Issue 3, March 2001 "Separation of duty, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users. This principle is demonstrated in the traditional example of separation of duty found in the requirement of two signatures on a check." 1 1 1 9 1 CHAPTER 2: INTERNAL CONTROL CRITIERIA IT SEGREGATION OF DUTIES MATRIX Figure 1 —Roles vs. Activities Matrix System System MA re Adeiristialer Abiristrator Security Slam § Pgiitel011 Stapiig Frcductin kiamger Prcgrammer Officer Use( Uses Application X X X X X X X Receives Updates—Datatu X X Receives Updates—Applbtion X X Initiates Change Authorims Change X X X X X Tests Updates—Database X X X X X X X Tests Updates—Application X X X X X X X Implements Updates—Datake X X X X X X X Implements Updates—Appliction X X X X X X X Access to Source Code X X X X Administrative Access—Database (VS-Staging X X X X X X Administrative Access—Database 01S-Prodeion X X X X X X Administrativ e At cess—Application DS-Staging X X X X X X Administrative Access—Application DS-Production X X X X X X Administrative Access—Staging Database X X X X X Administrative Access—Staging Application X X X X X Administrative Access—Pioducl ion Database X X X X X X Admin istrative kcess—Muct WI Application X X X X X X Mon ilors Changes and Security Even—Database X-if not also X- if not also X monitored by the monitored try the %duty officer security officer Monitors Changes and Security Events--Application X•if not also X-if not also X monitored tiy the monitored by the securkv officer security officer III 1 Note: Cells marked with an "X" indicate roles and tasks that are incompatible with each other, and where segregation of duties is advised. II Source: ISACA's Common Ground on Segregation of Duties in Application Management, by Richard Savage, Volume 4, 2007. 10 CHAPTER 2: INTERNAL CONTROL CRITERIA Control Objectives for Information and Related Technology (COBIT) Framework The COBIT Framework, published by the IT Governance Institute (ITGI), states: "It is management's responsibility to safeguard all the assets of the enterprise. To discharge this responsibility as well as to achieve its expectations, management must establish an adequate system of internal control." 1 1 Information System Audit and Control Association (ISACA) Security Policy "Creating and Enforcing an Effective Information Security Policy" Information Systems Control Journal, Volume 6, 2005 "The main goal of a corporate security policy is to protect data by defining procedures, guidelines and practices for configuring and managing security in the corporate environment. It is imperative 1 that the policy defines the organization's philosophy and requirements for securing information assets. It is also important that the policy outlines how it will apply to corporate employees, processes and environments. Consequences for failed compliance must also be addressed." 1 Business Continuity Plans "IS Auditing Guideline Business Continuity Plan (BCP) Review from IT Perspective" Information System Audit and Control Association (ISACA) "Business continuity planning refers to the process of developing advance arrangements and procedures that enable an organization to respond to an interruption in such a manner that critical business functions continue with planned levels of interruption or essential change. In simpler terms, BCP is the act of proactively strategizing a method to prevent, if possible, and manage the consequences of a disaster, limiting the consequences to the extent that a business can absorb the impact..." "In today's interconnected economy, organizations are more vulnerable than ever to the possibility of technical difficulties disrupting business. Any disaster, from floods or fire to viruses 1 and cyber- terrorism, can affect the availability, integrity and confidentiality of information that is critical to business..." 1 1 11 CHAPTER 2: INTERNAL CONTROL CRITIERIA "Auditing Business Continuity," Information Systems Control Journal, Volume 1, 2005 Information System Audit and Control Association (ISACA) "Every organization should have a business continuity plan that seeks to ensure that its information systems are available and running at all times to support and enable the business to function and grow. In spite of all precautions and preventive controls, disasters can occur. Some disasters cannot be controlled and /or prevented. In such cases, the business continuity plan should also enable recovery of information systems within an acceptable time frame to avoid any serious damage to the business." 12 CHAPTER 3: DEPARTMENT OF WATER SUPPLY CHAPTER 3 DEPARTMENT OF WATER SUPPLY OVERVIEW The following departmental overview is posted on the Department of Water Supply website - http: / /www.hawaiidws.orq /: "The Department of Water Supply is a semi - autonomous agency of the County of Hawaii [o#] which operates by rules and I regulations as adopted by the Water Board. As a semi- autonomous agency, the Department operates and maintains its water systems with revenues generated wholly through water I sales. The primary function of the Department is to provide safe domestic water service through its 24 water systems and 67 sources scattered throughout the island. The individual water I systems are not interconnected except in the more densely populated districts of South Hilo and Kona. 1 The Department continually strives to provide dependable, high quality, potable water at a reasonable cost. With the enactment of the Safe Drinking Water Act, certain standards were set for all I water purveyors. The Department has also concentrated efforts and directed resources towards providing uninterrupted water service." 1 Hawaii Revised Statutes (HRS) chapter 54, Water Systems, Part III, Hawaii County Board of Water Supply, section 54 -63, Rates, I provides: "The board of water supply may fix and adjust rates and charges for the furnishing of water and for water services so that the revenues derived therefrom shall be sufficient to make the I waterworks and water systems self- supporting and to meet all expenditures authorized by this part..." I HRS section 54 -58, Accounts, revenues, and expenditures, provides: "... All revenues or moneys derived from the waterworks or otherwise appropriated for the board, other than I funds derived from the sale of bonds, and excepting moneys appropriated by Act 5 of the Special Session Laws of 1950 for the construction of a water system for the districts of North and South I Kona, shall be paid into the treasury of the county and maintained by the treasurer in a waterworks fund. The funds shall be expended for the following purposes: (1) For payment of interest and sinking fund on all bonds issued for the acquisition or 1 construction of waterworks and extensions thereto; (2) For the payment of the operating and maintenance expenses of the waterworks, repairs, replacements, additions, and extensions; 1 1 13 CHAPTER 3: DEPARTMENT OF WATER SUPPLY (3) For accident reserve, pension charges, and compensation and insurance; (4) For purchase or development of new sources of water; and (5) For a reserve fund." Hawaii County Charter section 8 -4, Water Fund, provides: "There shall be established a separate water fund which shall be utilized solely for water purposes. State and Federal water grants or appropriations and revenues from operation of the water system shall be included in the water fund." Hawaii County Charter section 8 -5, Administrative Supervision, provides: "The department of water supply shall come under the general supervision and control of the mayor, through the managing director." The Managing Director confirmed that the Department of Water Supply's operational budget is "fully self - supporting ", and that no General Fund monies (including real property tax revenues) are directly transferred to DWS for DWS operations. [See attached: KPMG Financial Statements — June 30, 2008 and 2007] ORGANIZATION [Summarized from DWS website - http: / /www.hawaiidws.orq/j [Underscored are DWS units which are the subject of this audit.] WATER BOARD As provided in Hawaii County Charter article VIII, the members of the Water Board are appointed by the Mayor and approved by the County Council, with membership of the Water Board representative of each of the nine County Council districts. The DWS Manager, the Director of Public Works, and the Planning Director of the County of Hawaii serve on the Water Board as ex- officio members without the power to vote. The Water Board is responsible for the appointment of the Manager of the Department, who in turn appoints a Deputy with the confirmation of the Water Board. The Water Board shall: (a) manage, control and operate the waterworks of the County and all property thereof; (b) adopt rules and regulations which shall have the force and effect of law relating to the management, control, operation, preservation and protection of the waterworks of the County; (c) adopt an annual operating and capital budget for the Department, subject to the hearing and advertising provisions of County Charter section 10 -4; (d) have the power to acquire by eminent domain, purchase, lease or otherwise, and to sell, lease, or otherwise convey real property in the name of the Water Board; (e) have the authority to issue revenue bonds under the name of the Water Board; and (f) have such other powers and duties as may be provided by law. 14 CHAPTER 3: DEPARTMENT OF WATER SUPPLY ADMINISTRATION Overall and daily administration of the Department is under the direction of the Manager and Deputy Manager, who are responsible for the discharge of the rules and regulations and policies as adopted by the Water Board and the provisions of the County Charter. The Manager and Deputy Manager report directly to the Water Board and also serve as advisors. They provide direction to the Department's three major divisions — Finance, Operations, and Engineering — through their respective Division Heads. The Administration Division is comprised of the Manager, Deputy Manager, Administrative Services Branch, Contract Services Branch, Public Relations Branch, Human Resources Branch, and Information Systems Branch. Administrative Services Branch Serves as the secretary to the Water Board of the County of Hawaii; and provides administrative and secretarial services, supervision of Manager's office personnel, and other support to the Manager. Administrative Services also provides secretarial and clerical services and support to the Deputy Manager and the three Division Heads and their staff. Contracts Services Branch Serves as custodian of contracts; coordinates and processes contracts for construction, professional services, material, and equipment; and provides related support to the three Divisions. Public Relations Branch Plans, develops, and conducts a comprehensive public information program that includes a variety of informational, educational, and interpretive activities for the Department; maintains working relationships with members of the media, community groups, and other individuals in the public and private sectors; and performs other related duties as required. r Human Resources Branch Serves as custodian of records and personnel transactions; reviews and processes personnel actions; reviews and processes 1 workers' compensation claims; drafts policies and procedures regarding personnel matters; and provides support to the Department's Safety Committee. Information Systems Branch Maintains and operates the Department's Wide Area Network (WAN) including all equipment attached to the Local Area Network (LAN); develops, maintains, and operates the Department's 1 Geographic Information System and keeps its data updated; and provides information systems support to the entire Department. [See attached: Position Organization Chart] 1 1 1 15 CHAPTER 3: DEPARTMENT OF WATER SUPPLY FINANCE DIVISION Is directed by the Finance Division Head - Waterworks Controller, and provides three primary financial functions for the Department — Customer Service, Management Accounting, and Computer Service (or Support Services). [See attached: Organization Chart] Customer Service Branch Conducts the Department's billing operations and their related functions, including customer sign -up; meter reading; collection and accounting for cash; preaudit of consumer accounts; maintaining and updating consumer records (water sales); maintaining accounts receivable records and processing billings (work orders); preparing revenue estimates; handling customer service complaints; and performing credit investigations and follow up on delinquent accounts. [See attached: Position Organization Chart] Management Accounting Branch Maintains the general books of the water utility in accordance with the Uniform System of Accounts for Class A and B Water Utilities, as recommended by the National Association of Railroad and Utilities Commissioners, and with applicable laws, rules, and regulations; prepares monthly and annual financial statistical reports on a timely basis; maintains fiscal control of storeroom and storage yards; prepares payrolls and related reports; develops and accumulates cost data; processes requisitions for purchase of materials and supplies; prepares contract documents for and procures all waterworks materials and equipment by formal contracts; preaudits and processes invoices for payments prepares disbursement vouchers for all expenditures; and reviews, revises, and implements changes in management information system. [See attached: Position Organization Chart] Support Services or Computer Service Branch Maintains and operates all data processing equipment in serving the functions of various other operating units in the Department; provides technical assistance in evaluating accounting systems for the purpose of converting from a manual operation to an automated computer system; and plans and coordinates the installation of the Department's financial information processing system. [See attached: Position Organization Chart] OPERATIONS DIVISION Is directed by the Operations Division Head -Chief of Operations, and is divided into three sections — Field Operations, Plant Operations, and Maintenance. It provides safe potable water to consumers 24 hours a day, including operations and maintenance of the water distribution systems, transmission mains, sources, reservoirs, pumps, treatment plants, communication and controls; and coordinates work with the Engineering and Finance Divisions. 16 CHAPTER 3: DEPARTMENT OF WATER SUPPLY Field Operations Section Maintains and repairs water service meters; mains; service laterals; pipelines and appurtenances; fire hydrants; intakes and springs; road and reservoir sites; and provides some customer service. Plant Operations Section Installs, maintains, and operates pump stations; treatment and chlorination plants; electrical, electronics and mechanical equipment; hydraulic and electrical controls of pumps; telemetering; reservoirs and pipelines. It also operates and maintains Supervisory Control and Data Acquisition (SCADA) systems and the Department's two -way radio communication system and appurtenances. Maintenance Section Investigates, inspects, maintains, and repairs reservoirs; building structures; facilities; and some mechanical and electrical shop equipment such as fire extinguishers; and supports fire hydrant repairs. ENGINEERING DIVISION Is directed by the Engineering Division Head -Civil Engineer VII, 1 and is comprised of five Branches that support the entire Department — Engineering; Water Resources and Planning; Land; Water Quality and Assurance; and Support. Engineering Branch Determines whether water systems turned over to the Department comply with Department requirements and standards. It executes the design and construction of water system projects in 1 accordance with the Department's Standards and Priority Program for current water projects; conducts continual review of water systems; and provides solutions to water system problems. ' Water Resources and Planning Branch Establishes and maintains programs to assure that present and 1 future water needs will be satisfied. It assures that water systems are brought up to current standards for pressure, volume, fire protection, and quality. Land Branch Supports the Water Resources and Planning Branch and the Engineering Branch where field survey and land acquisition are involved; and maintains records of the Department's real property. Water Quality Assurance and Control Branch Develops and implements programs to comply with the federal 1 Safe Drinking Water Act, including direction and coordination of several functions involving the microbiological laboratory, chemical laboratory, and environmental programs. Support Branch Supports and aids all sections based on priorities established by the Engineering Division Head. 1 1 17 CHAPTER 3: DEPARTMENT OF WATER SUPPLY DEPARTMENT OF WATER SUPPLY COUNTY OF HAWAII (A Component Unit of the Country of Hawaii, State of Hawaii) .._ Management's Discussion and Analysis June 30, 2008 and 2007 Condensed Financial Information The following are summaries from the Department's financial stateinems as of and for the years ended June 30, 2008, 2007, and 2006: t+. 2008 2007 2006 ... Assets: Capital assets, net $ 204,980,889 198,146,445 196,418,1 16 i Other assets 79,738,743 81,435,224 74,344,720 Total assets 284,719,632 279,581,669 270,762,836 .. Liabilities: Long -term debt 41 ,247,094 42,308,135 41.549,919 ar. Customers' deposits payable from restricted assets 19,739,823 16,207,996 14,403,033 Other liabilities 8,607,005 7,460,133 7,343,872 Total liabilities 69,593,922 65,976,264 63,296,824 Net assets: Invested in capital assets, net of related debt 186,215,025 179,984,628 180,181,457 Unrestricted 28,910,685 33,620,777 27,284,555 Total net assets $ 215,125,710 213.®05,05 207,466,012 - Changes in net assets: Operating revenues water sales $ 37,724,830 37.642,805 33,291,676 Total operating expenses 42,966.607 38,251,318 37,534,821 Operating loss (5,241,777) (608,513) (4,243.145) or Total nonoperating revenues 8,896.067 8,965,423 8,760,782 Total nonoperating expenses (2,133,985) (2,217,517) (1,669,152) Change in net assets 1,520,305 6,139,393 2,848,485 ., Net assets at beginning of year 213 ,605,405 207,466,012 204,617,527 Net assets at end of year $ 215,125,710 213,605,405 207,466,012 Source: KPMG Department of Water Supply County of Hawaii (A Component Unit of the County of Hawai`i, State of Hawai'i) Financial Statements June 30, 2008 and 2007 (With Independent Auditors' Report Thereon) dated February 13, 2009 18 I CHAPTER 3: DEPARTMENT OF WATER SUPPLY l. 1 1 V - 2 ti 6 1 k. ro a . i 1 _ bd ,1‘ c.. .. ..h ..... ..... , .... , , . - ......,, c.,› ,...„ .,.,.-..:,....,....„,,... - .•••>.,..n .--: - r) ---;: c ) - ci ) v, —'—' — ter. , .. O c .b ro o o 1 dal 1 1 g I:.4 1 1 1 1 19 CHAPTER 3: DEPARTMENT OF WATER SUPPLY c> 9 ,c) _ c.n cn 0 co v) 2 g' P. n ..j n tr1 pv O P _____ — z r: rz, n 2 cn 6 y. v) Iii■ w g z (-) NV 0 P as, 0 r <-) -,k -. VD 0; Cr, z 0 O. ^0 00 , .C. •• CO a. V) 0 r" . v) n D po 0 ' .ir wi. =. — -1 H 5 - a o -0 t) 0 o a. z n z n u) o 0 tri n 1 c9 z v) 2 0 • -1 n z o ... . 4 2. r X H v) t 6 R g g ,n — 0 hi ;.. [1. .; ,,I, po 7 .., , n a ,_ rri r r, o - 0: E g co n v) t:1 < •-.-4 'T1 c.: c(i cr. IS E cr fi ra 9 Po 0 tr, 0 rn Z GI —3 tri 0 V) .. tn V:, Oo P 2, 00 Z ■•• n ' _. 0 x •-i -c MI 0 2 - n - 7 (-) (4 rri 3-3 4 „... z c s ... x , 4D 0 -- a 8- , — 3 n ci) — 0 . 1-1 z t'l cl v) -0 x pv 0 a — -4 z -4 7 $. 20 — CHAPTER DEPARTMENT o WATER SUPPLY [ L • I 2 I I /( }\\ \\{ \ I \ mG ° , ( \ � \ \ \ / ° E § §§ o §\ D» /( \ \ o §2 - m � \ f z /j \\ cA g 3 yz ? > e 4J n o \ o - \§\i _) ( } > _ &> §z \� § \ \ \/ Z .0 _ n « r - ` � > ® r / 3§ i G )( 2 / q / ( $ � \ a- 3 = z _ xo 1 zk 1 I \ 1 > § _ I i I I CHAPTER 3: DEPARTMENT OF WATER SUPPLY g 5? Ni ... on u) on on on un cn 8,9- 8888p,- c al cir4 = woci 5 = 'q iVI:13' P00 '''' 4—'0 Cf) g rrF 0 8— 0000".1, o 0000 ,,,,, v2 4 fi _ zi7 ;7:: ,,,,w— - 4. * Oo — a' `6' r n _ On . _ n = 0. 6n cALrn XI § 88F8 n tri -0 2 , cA E cc 0 4 4. -in z >z,24o o :71p,l'&5m5; 10 () e)c rAFA F. .,..., r. u r'' Sr., ■7'. OnonZ z toF—_.?". cA. p:1•$. (A4-,, x, , ___ ,..... ...„ ,.. no ac tr) M?. <4 Fi I t1- , ''rrir K42 We g• M8 wO' 4 ? 0 0 '44 S' b croo r66" cr(4.5 cow 'cr.,. -ri w n z REi Rgi REA h4 --.1 o ,c,i5 U t,4 0 4. 0 ,_, ,r—co) --,cia PdcA 0.--■ .-< a ..) PV g — IV . 4 .. iV. mm n 0 0 -5 ,-? n n 5 13 o --, CO 22 CHAPTER 4: CASH HANDLING SYSTEMS CHAPTER 4 CASH HANDLING SYSTEMS OVERVIEW An internal controls review related to cash handling assesses the adequacy and effectiveness of cash handling controls to support achievement of management's objectives, such as safeguarding or protecting cash from misappropriation, theft, and fraud, while at the same time, providing public services and programs in an ■ effective and efficient manner. Therefore, it is important for management to clearly define its objectives relating to "cash" (currency, coin, checks, and credit card payments); identify any ' risks relating to achievement of its objectives; and implement relevant, cost - effective controls to reduce risks to an acceptable level and provide the greatest degree of assurance that ' management objectives will be met. Of all governmental assets, cash is the most vulnerable to mishandling, misappropriation, and theft; and therefore, safeguarding of cash should be one of management's foremost objectives. In response to our request for documentation of departmental controls, policies, and procedures relating to cash handling, DWS management provided various copies of operational procedures and related written communications transmitting said procedures dated from June 29, 1999 through January 14, 2010. In 1999, the ' Finance Division revised its cash handling procedures in response to repeated cash overages and shortages; but DWS management did not fully enforce revised control procedures or recognize the ' significance of its risk exposure. During our entrance conference on September 30, 2009, DWS management informed the auditors that it had recently discovered a theft of money by one of its Cashiers. The complaint filed by the Hawaii County Prosecutor's Office charged that a theft had occurred on or between July 1, 1997 through August 15, 2009, in a continuing course of conduct. In a no contest plea, the employee agreed to pay restitution in the amount of $78,868.40, which County officials confirm has been reimbursed to DWS. In response to discovery of the theft, the ' Finance Division and its Management Accounting Branch developed further revised cashiering procedures dated January 14, 2010. However, DWS management has still not fully implemented revised procedures — including segregation of duties 1 and independent recordation of customer mail -in payments — citing lack of adequate personnel to implement improved controls. ' Management establishes the control environment of an organization, sets its ethical tone, and provides discipline and structure in the organization through its development and implementation of policies and procedures that set forth ' 23 CHAPTER 4: CASH HANDLING SYSTEMS operational requirements and ethical expectations. Effective communication of clearly defined policies and procedures by management enables members of the organization to understand their role in the organization's internal control system. Continuous monitoring of its internal control system further ensures that policies and procedures and control mechanisms remain relevant and effective in managing risk and supporting management objectives. The Department of Water Supply Finance Division The DWS Finance Division consists of a Waterworks Controller and an Assistant Waterworks Controller, who provide oversight over three branches: Customer Service, Management Accounting, and Support Services (or Computer Service). The primary focus of the cash handling portion of this performance audit is on the Customer Service Branch. [See Chapter 3 Attachments: DWS Finance Division Organization Chart and Customer Service Branch Position Organization Chart.] Cash collection occurs in the Hilo office and the Waimea and Kona District offices. At the Hilo office, Cashiers I and II handle all transactions relating to walk -in and mail -in cash and check payments, with the Customer Service Supervisor and the Assistant Customer Service Supervisor only assisting with processing of payments when short- staffed. At the Hilo office, all mail -in payments are received by the Administrative Services Branch Receptionist, who sorts regular mail from water bill payments and forwards water bill payments to the Cashiers for processing. Mail -in payments received at the Waimea and Kona District offices are forwarded through a bonded courier service to the Hilo office for processing. At the Waimea and Kona District offices, Customer Services Representatives I and II perform cashiering duties for walk -in payments in addition to customer service duties (such as processing applications for new water meter sign -up, researching customer complaints, and handling water leakage reports). The Waimea District office is staffed with two Customer Service Representatives, and a Clerk Meter Reader who serves as an alternate cashier. The Kona District office is staffed with three Customer Service Representatives, and a Clerk Meter Reader who serves as an alternate cashier. 24 I CHAPTER 4: CASH HANDLING SYSTEMS I FIVE BASIC PRINCIPLES OF GOOD CASH HANDLING I • SEGREGATION OF DUTIES • SECURITY • RECONCILIATION 1 • MANAGEMENT REVIEW • DOCUMENTATION 1 FINDING Segregation of duties between opening and posting of ft mail -in payments is inadequate. Water bill payments are processed by the Customer Service I Branch of the Finance Division. Currently, only the Hilo office processes mail -in payments, with the Waimea and Kona District offices forwarding their mail -in payments through a bonded courier I service to the Hilo office for processing. In the Hilo office, incoming water bill payments received from the post office or from the Waimea and Kona District offices through a bonded courier ' service are forwarded unopened from the Administrative Services Branch Receptionist to the Customer Service Branch Cashiers. Cashier I opens half of the mail payments, and Cashier II opens the other half. Any checks received are reviewed for accuracy and I completeness, and the Cashiers independently process and post payments to customer accounts when not serving walk -in customers at the Customer Service payment window. According I to the Assistant Controller, the Hilo office processes on average approximately 132 walk -in transactions per day and approximately 750 total walk -in and mail -in transactions per day. The Hilo office I averages from $1,383 to $6,300 in cash deposits and $56,000 to $373,000 in check deposits per day, while the Waimea and Kona District offices average from $3,000 to $5,800 in combined cash I and check deposits per day. DWS procedures dated October 20, 2009, DWS Checks and I Cash Receipts Control — Recommendations for Change, included a proposed control for segregating cash handling duties related to mail -in payments in the Hilo office. The procedure proposed that the Receptionist assume responsibility for opening all mail -in I payments and logging customer account numbers, forms of payment (cash, check, or credit card), and payment amounts before forwarding payments to the Cashiers for processing in the I Department's Public Utility Billing System (PUBS) and inclusion in the daily deposit. However, DWS management stated that implementation of this control procedure has been indefinitely I postponed due to demands on the Receptionist's current workload. While management has properly identified an existing risk to mail -in payments and proposed a preventive control, it has not implemented the necessary segregation of cash handling 1 25 CHAPTER 4: CASH HANDLING SYSTEMS duties and independent reconciliation of customer payments to decrease the risks of misappropriation or fraud. RECOMMENDATION DWS managernent needs to analyze its current processes and implement sufficient control procedures to ensure that mail -in payments are posted, deposited, and reconciled in a timely manner. This process analysis could include a reevaluation of preventive and detective controls discussed in its revised procedures dated October 20, 2009, DWS Checks and Cash Receipts Control — Recommendations for Change, which included purchasing of a lock box service and scanning of all incoming mail envelopes. Upon determination of the most cost - effective control procedure or combination of control procedures, the Finance Division needs to promptly implement them to ensure greater accountability and security of customer monies. Criteria: Internal Control Criteria — COSO Component No. 2: "Risk Assessment — Every entity faces a variety of risks from external and internal sources that must be assessed... Risk assessment is the identification and analysis of relevant risks to the achievement of management objectives, forming a basis for determining how risks should be managed." Criteria: Internal Control Criteria — GFOA Cash Receipts Policy: "Internal controls: All aspects of cash receipts shall be subject to proper internal controls with standard controls documented and followed by revenue generating departments: o Segregation of duties — authorization, recording, custodian functions, and reconciliation. o Daily processing — daily cash /collection total reconciled to subsequent deposit. o Timely depositing of funds received ... o Reconciliation to the general ledger and other supporting accounting ledgers shall be performed in a timely manner." 26 CHAPTER 4: CASH HANDLING SYSTEMS FINDING Oversight and monitoring of the mail -in payment process by Finance Division managers is inadequate. DWS procedures dated June 29, 1999, Cashier Procedures, included detailed procedures for proper accounting and verification of the cash deposit process, but none included any responsibilities for oversight or reconciliation of the mail -in payment process by Finance Division managers. According to the ' Assistant Controller, there are roughly 620 daily mail -in payments (750 total mail -in and walk -in, less 132 walk -in payments) received in the Hilo office, averaging from $1,383 to $6,300 in cash deposits and $56,000 to $373,000 in check deposits per day, of which the majority are water bill payments. However, after mail -in payments are processed, Finance Division managers do not verify or reconcile the actual number and amount of payments received ' against the actual number and amount of payments posted by Cashiers. ' Following issuance of its revised procedures dated October 20, 2009, DWS Checks and Cash Receipts Control Recommendations for Change, the Finance Division and its Management Accounting Branch have implemented certain oversight and monitoring procedures. The Assistant Controller now performs a daily review and reconciles the Cash Receipts Journal report generated by the Public Utility Billing System (PUBS) for each Cashier to the daily deposit slips. The Assistant Controller also maintains a spreadsheet to track all cash, checks, credit cards, and other manual receipts submitted for deposit in the daily cash packet by each Cashier. However, these control procedures still fail to address reconciliation of the actual number and amount of mail -in payments received at their first point of 1 receipt in the Customer Service Branch to the actual number and amount of mail -in payments posted to customer accounts by each Cashier. DWS management has failed to require that sufficient independent data be collected and reported to permit efficient ' monitoring and review of the mail -in payment process. Without proper oversight, there is no assurance that mail -in payments are accurately and completely accounted for in a timely manner after receipt. Management's failure to implement necessary control procedures has created a weak control environment and elevated the risk of customer monies being mishandled or misappropriated. 1 1 1 27 CHAPTER 4: CASH HANDLING SYSTEMS RECOMMENDATION When a risk is identified, management should promptly evaluate potential financial and operational impacts, and if warranted, assess possible control processes and procedures to sufficiently reduce risk to an acceptable level as well as assess the costs of implementing preventive and detective controls. In determining whether control costs outweigh identified risks, management should consider all — not just financial - risks and impacts. If it fails to implement at least basic controls to address areas of identified risk, management may communicate to employees that it is not concerned with achieving objectives or safeguarding assets. With respect to the mail -in customer payment process, DWS management needs to review and evaluate all current processes to ensure adherence of actual operations to written policies and procedures; evaluate whether current written policies and procedures are effective and efficient; identify any unaddressed operational and financial risks; and determine what controls are necessary to provide sufficient monitoring and oversight. This monitoring and oversight function should be performed by personnel who do not have access or authority to receive or post mail -in payments to customer accounts or prepare bank deposits. Criteria: Audit Plan — Government Auditing Standards: "... Controls over the safeguarding of assets and resources include policies and procedures that the audited entity has implemented to reasonably prevent or promptly detect unauthorized acquisition, use, or disposition of assets and resources." Criteria: Internal Control Criteria — GFOA Cash Receipts Policy: "Internal controls: All aspects of cash receipts shall be subject to proper internal controls with standard controls documented and followed by revenue generating departments:... Recommendation... Depositing of Funds for Services: o Remote cash and cheque collection points should be established where appropriate customer service benefits are evident. Documented internal controls need to be established with such collection points. The ultimate remittance or deposit of such collection receipts should be documented and systematically performed by the applicable officials..." 28 CHAPTER 4: CASH HANDLING SYSTEMS FINDING Physical security over mail -in checks during the payment posting process is inadequate. Due to the daily volume of mail -in check payments received in the Hilo Office from the post office or from the Waimea and Kona District offices through a bonded courier service, mail -in checks are divided equally between the two Hilo Cashiers, who sort and post the checks at their desks. Normally, only one Cashier sorts and posts checks at a given time, while the other Cashier tends the customer service payment window. Each Cashier is assigned SIB a separate plastic container that is large and wide enough to hold I all checks assigned to the Cashier. However, the plastic containers cannot be locked and are left unattended. It should be noted that DWS management has implemented I recognized control practices of timely depositing of cash on a daily basis and any undeposited "cash" is properly safeguarded during "non- working" hours as it is placed in secured safes for which I access controls are in place for the Hilo office and Waimea and Kona District offices. However, current physical security over mail -in customer payments in process during "working hours" is II inadequate. Checks should be treated as cash since they are negotiable items, and should be kept in a secured and locked location to prevent inadvertent or intentional mishandling or I misappropriation. As stated earlier, the Assistant Controller reported that the Hilo office averages from $56,000 to $373,000 in check deposits per day, and failure to adequately safeguard 1 customer payments will continue to expose the Department to risks of misappropriation or fraud. I RECOMMENDATION It is the responsibility of DWS management to assess current risks to customer monies; analyze its current cash handling processes; and implement adequate control processes to ensure the physical security of customer cash and other negotiable instruments at all 1 times. In addition to establishing a proper control environment and implementing adequate policies and procedures, management needs to continually monitor control processes to I ensure that they remain relevant and effective in safeguarding cash assets. ' Criteria: Internal Control Criteria — GFOA Cash Receipts Policy: "Internal controls: All aspects of cash receipts shall be subject to proper internal controls with standard controls documented and I followed by revenue generating departments:... o Physical security procedures during work hours and non- , working hours for all funds received and change drawers maintained." 1 1 29 CHAPTER 4: CASH HANDLING SYSTEMS Criteria: Internal Control Criteria — COSO Component No. 5: "Monitoring — Internal control systems need to be monitored — a process that assesses the quality of system performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs during the course of operations, and includes regular management and supervisory activities as well as other employee activities. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures..." FINDING Cash handling procedures for walk -in and mail -in payments are not consistently formalized in writing or enforced in all offices of the Customer Service Branch. Each Cashier is assigned a separate "Cash Can" to provide change for customers making walk -in payments. At the beginning of the work day, each Cash Can contains $250. During the course of the work day, Cashiers place cash or checks received from walk -in customers into their assigned Cash Cans. Each Cashier is also given a unique ink stamp that indicates the date and the word "PAID" to use for stamping customer water bill stubs. Revised DWS policy and procedures dated June 29, 1999, Cashier Procedures, call for accountability by instructing Cashiers to be responsible for their assigned and lockable Cash Cans. The policy states: "Each cashier will be the only person authorized to access the contents of their cash can. Sharing of the cash can between two or more cashiers at the same time is prohibited. Cash cans may be transferred from one cashier to another only if both cashiers count and document the transfer on the `Cashier's Exchange Log'. Discrepancies should be reported to the District Supervisor immediately ". DWS Finance Division documentation dated October 29, 2009, titled "DWS Checks and Cash Receipts Control Recommendations for Change ", sets out recommended policies and procedures and indicates that several of the recommended changes had already been implemented. However, no written documentation communicating said changes to staff was provided to the auditors; and upon inquiry, the Assistant Controller stated that communication to staff was strictly verbal. Subsequently, a written communication titled "Revised Cashier Procedures" dated January 14, 2010, was distributed to DWS staff, but did not specifically address the exchanging or sharing of Cash Cans. The Assistant Controller indicated this was not necessary since the policy specifically instructs that any "Clerk Meter Reader assisting customers should direct payment collection to the Cashier ". 30 CHAPTER 4: CASH HANDLING SYSTEMS However, based on observation of cashiering activities at District offices, a designated "Cashier" with an assigned Cash Can is not always available, and Cash Cans continue to be shared by and accessible to multiple personnel. In interviews with Customer Service Branch personnel, the auditors were told that there are only two Cash Cans available at each customer payment collection site, but there are times when a third employee needs to step in as alternate Cashier using one of the Cash Cans. During a follow -up interview on March 5, 2010, supervisory personnel in the Customer Service Branch also reported that the Cashier's Exchange Log is no longer used when transferring a Cash Can from one employee to the other. ' One goal of cash handling controls is to ensure accountability by providing an audit trail that permits reconciliation of transactions processed by each Cashier to the physical cash. However, based on personnel interviews and observation of cashiering activities by the auditors, it appears that policies and procedures ' and control activities (such as the Cashier's Exchange Log) are not consistently adhered to by Customer Service Branch personnel or enforced by Finance Division managers. This absence of audit trails for cashiering activities reduces the Finance Division's ability to hold individual employees accountable for discrepancies and increases the risks for mishandling or misappropriation of customer monies. As stated above, the Hilo office averages from $1,383 to $6,300 in cash deposits and $56,000 to $373,000 in check deposits per day, and the Waimea and Kona District offices average from $3,000 to $5,800 in combined cash and check deposits per day. Without consistent policies and procedures in place for controlling access to and exchanging of Cash Cans by Cashiers, not only are the accountability and protection of Cashiers compromised, DWS management appears to communicate that safeguarding of ' customer payments is not a priority. One District office indicated that its procedure when exchanging Cash Cans is to print out a Cashier's Summary Report that displays cash and check totals, ' which are then reconciled to the contents of the Cash Can. The Cashier then signs or initials and dates this print -out that is kept in the Cash Can, and the next Cashier signs or initials and dates the print -out to verify its contents. ' RECOMMENDATION Finance Division managers need to implement policies and procedures that provide an adequate audit trail of transactions for ' each Cashier. Finance Division managers should also assess the aforementioned District Office control procedure for Cash Cans and determine if it could be adopted by all offices in the Customer Service Branch. Adherence to this control procedure would provide an audit trail of transactions for each Cashier that would permit reconciliation to the contents of each Cash Can. Another possible control procedure would be to establish a third "Cash 31 CHAPTER 4: CASH HANDLING SYSTEMS Can" to be used as a back -up for any alternate Cashier when additional coverage is needed. Adherence to and enforcement of improved control procedures will improve accountability and security of the customer payment process and better communicate DWS management's objective to safeguard customer monies. Criteria: Internal Control Criteria — COSO Component No. 3: "Control activities are the policies and procedures that help ensure management's directives are carried out. They help ensure that necessary actions are taken to address risks to the achievement of organizational objectives. Control activities occur throughout the organization at all levels and in all functions. They include a range of activities as diverse as approvals; authorizations; verifications; reconciliations; reviews of operating performance; security of assets; and segregation of duties." Criteria: Internal Control Criteria — COSO Component No. 4: "Information and Communication — Pertinent information must be identified, captured, and communicated in a form and timeframe that enable employees to carry out their responsibilities in an effective and efficient manner. Information systems produce reports containing operational, financial, and compliance- related information that help management run and control the organization." FINDING Computer system security at walk -in customer service payment windows is inadequate. The Public Utility Billing System (PUBS) is logged onto at the beginning of each work day using the Cashier's login, and is not programmed with an automatic lockout mechanism after a specified period of nonuse. The current PUBS application also does not require entry of an authorized user identifier or password for entering of each transaction. At the Hilo office and Waimea and Kona District offices, the auditors observed that Cashiers at walk -in payment windows leave their computers logged onto PUBS when leaving to do other tasks. Although a screen saver is used, the payment screen remains accessible simply by hitting any computer key, creating the potential for unauthorized access and unauthorized transactions to be entered into PUBS. If the Customer Service Supervisor or other personnel is covering for the Cashier, they can transact business under the Cashier's login. As a result, there is no audit trail of transactions by Cashier login, reducing overall accountability and the ability of individual Cashiers to control transactions entered under their own logins. 32 CHAPTER 4: CASH HANDLING SYSTEMS RECOMMENDATION DWS financial IT systems personnel need to develop and implement policies that address adequate physical and application access controls, including transactional level passwords to provide individual audit trails and an automatic lockout mechanism for each Cashier's terminal in order to protect Cashiers as well as hold them accountable for discrepancies in customer payments. DWS management needs to ensure support of and adherence to physical and application access control policies by providing ' employees with regular training and monitoring control activities. DWS management must also periodically review, assess, and evaluate control processes, policies, and procedures for their continued relevance, effectiveness, and efficiency in safeguarding 1 assets. Criteria: Internal Control Criteria — Information System Audit and Control Association (ISACA) Security Policy: "The main goal of a corporate security policy is to protect data by defining procedures, guidelines and practices for configuring and ' managing security in the corporate environment. It is imperative that the policy defines the organization's philosophy and requirements for securing information assets. It is also important that the policy outlines how it will apply to corporate employees, processes and environments. Consequences for failed compliance must also be addressed." FINDING Control procedures relating to computer passwords and logins are not consistently formalized in writing or enforced in all offices of the Customer Service Branch. Finance Division managers have not adequately monitored or enforced the use of individual passwords or logins, and Customer Service Branch personnel have even acknowledged the sharing of passwords at one of the District offices. Auditors were told that passwords are being shared for certain logins at one District office, with the District supervisor and staff sharing the password to the Public Utility Billing System (PUBS) in the event personnel are out sick or on vacation. This practice is contrary to the purpose of passwords or logins; that is, the ability to secure ' system access and provide an audit trail of all activities conducted under assigned passwords or logins. Individual passwords and logins are a fundamental part of data security, monitoring, and control, and are basic to protecting data integrity by reducing the hi risks of unauthorized access and unauthorized transactions. RECOMMENDATION DWS management needs to enforce standard IT policy against the sharing of passwords and logins, and enforce standard accounting practices for using audit trails to scrutinize system entries when financial discrepancies are detected. In so doing, 1 33 CHAPTER 4: CASH HANDLING SYSTEMS management can better communicate its commitment to safeguarding its cash assets. Further discussion of financial IT system controls follows in Chapter 5. Criteria: Internal Control Criteria — ISACA Security Policy: "The main goal of a corporate security policy is to protect data by defining procedures, guidelines and practices for configuring and managing security in the corporate environment..." Criteria: Internal Control Criteria — COSO Component No. 3: "Control activities are the policies and procedures that help ensure management's directives are carried out. They help ensure that necessary actions are taken to address risks to the achievement of organizational objectives..." FINDING Segregation of cash handling duties at District offices is not regularly monitored for proper controls. In the Hilo office, there are separate positions and duties for Cashiers and Customer Services Representatives. In the Waimea and Kona District offices, there are no Cashiers, but only Customer Service Representatives who are also assigned cashiering duties. While most of their duties are customer service related (including processing applications for new water meter sign -up, researching customer complaints, and handling water leakage reports), Customer Service Representatives in Waimea and Kona also perform cashiering duties, including walk -in cash handling and payment processing, balancing and reporting of transactions, and preparing of bank deposits. In addition, Meter Readers in Waimea and Kona cover for Customer Service Representatives during lunch hours or other absences. DWS management stated that cashiering and customer service duties are combined in Waimea and Kona to better utilize personnel, given the reduced volume of walk -in transactions processed by the District offices and the forwarding of all mail -in customer payments to the Hilo office for processing. This lack of segregated duties among the various personnel in the Waimea and Kona District offices poses financial and operational risks related to conflicts in asset custody and manipulation of accounting records, given their physical access to cash, access to various financial IT applications, and multiple authorization levels. The lack of segregated duties in the Hilo office also poses financial and operational risks, since the Customer Service Supervisor who covers for Cashiers has the authority to approve any adjustments to Cashier transactions. However, these inherent risks related to segregation of duties can be managed through the implementation and monitoring of additional cash 34 CHAPTER 4: CASH HANDLING SYSTEMS handling and financial IT system controls, including, but not limited to, the enforcement of Cash Can transfer procedures; prohibition ' against sharing of logins and passwords; and oversight and reconciliation of customer payment transactions by Finance Division managers. While the Finance Division's Revised Cashier ' Procedures dated January 14, 2010, includes the reconciliation of all reported cash transactions to the daily deposit by the Assistant Controller, they still do not ensure that reporting on all customer payment transactions at their first point of receipt is 100% ' complete, and this verification process is further complicated by the overlapping duties of various cash handling personnel and their multiple accesses to financial systems controls and authorizations as discussed above. RECOMMENDATION DWS management needs to complete a thorough process analysis of its Waimea and Kona District offices to assess the operational and financial risks related to the combined customer service and cashiering duties of its Customer Service ' Representatives and the cashiering duties assumed by its Meter Readers in the absence of Customer Service Representatives. DWS management also needs to complete a thorough process ' analysis of its Hilo office to assess the operational and financial risks related to the cashiering duties assumed by the Customer Service Supervisor and Assistant Supervisor in the absence of Cashiers. Based on these risk assessments, management must implement appropriate cost - effective preventive and detective controls, and /or develop improved control policies and procedures related to segregation of cash handling activities. If sufficient cost- effective controls cannot be implemented to reduce risk to acceptable levels within the current combined duties scenario, then management should at least designate or reallocate one ' position as primary Cashier in each of the Waimea and Kona District offices and require Finance Division managers to review transactional changes authorized by the Customer Service 1 Supervisor and Assistant Supervisor. Criteria: Internal Control Criteria — Separation of Duties for Access Control Enforcement in Workflow Environments: "Separation of duty, as a security principle, has as its primary objective the prevention of fraud and errors. This objective is ' achieved by disseminating the tasks and associated privileges for a specific business process among multiple users... " 1 1 1 1 35 CHAPTER 4: CASH HANDLING SYSTEMS FINDING Water billing transactions are not submitted to a "real time" financial system to ensure efficient recording, processing, reconciling, monitoring, and reporting of all customer payments. The Public Utility Billing System (PUBS) is set up as a batch processing system. As walk -in and mail -in payments are received for water bills, they are entered into the PUBS application as a "batch" or a sort of suspense account rather than being posted to customer accounts in "real time ". At a certain time each day, all transactions that have been entered since the last "batch" was posted are grouped (batched) and posted to the appropriate customer accounts. Reports are run showing summaries of all customer transactions included in the batch as well as details of the amounts of cash, checks, and credit cards associated with those transactions. Each office has its own cut -off time to ensure that its deposits are made by the end of each work day. Any water bill payments that are processed after the cut -off time are processed in a new batch, which is carried over to the bank deposit for the following work day. An average of 750 daily transactions is contained in a daily "batch" and deposit for the Hilo office. Batch processing is considered outdated in current accounting practice, since tit holds a number of transactions in limbo until the "batch" is posted (routinely on the next work day). Among the risks associated with batch processing is the manipulation of batch data and the misappropriation of assets in the absence of sufficient controls. For example, until the recent revision of Finance Division procedures, daily batch reports (incoming totals by payment type) were not reconciled to daily bank deposits (total deposits by payment type). Thus, a Cashier could accept a walk - in cash payment, enter it as a check payment in PUBS, and replace the cash with a subsequent mail -in check payment before posting of the next batch report. This is a common embezzlement scheme that in the absence of adequate controls can continue undetected for an extended period of time. The fact that DWS has still not implemented sufficient cash handling controls — from segregation of duties for mail -in payments to the sharing of Cash Cans, logins, and passwords — perpetuates an environment susceptible to the mishandling or misappropriation of customer payments that can escape early detection. RECOMMENDATION DWS management should conduct an analysis of all of its cash handling activities, control processes, and financial systems to identify areas of significant risk and their potential impact on operations as well as an analysis of improved cost - effective controls to reduce risks to acceptable levels. For example, if batch processing is still to be used, management needs to ensure that reports are generated for each Cashier and each financial system 36 CHAPTER 4: CASH HANDLING SYSTEMS used (such as PUBS or manual receipts), detailing the amounts of cash, checks, and credit cards and any transaction adjustments posted to each batch. This information should be reconciled to each Cashier's Cash Can as well as each daily deposit. All adjusting entries need to be reviewed by Finance Division managers for reasonableness, proper authorization, and supporting documentation. Adherence to policies and procedures that prohibit the sharing of Cash Cans and computer logins and passwords by Cashiers must also be enforced. ' As of January 2010, Finance Division managers require that PUBS batch reports be run daily for each computer terminal, and ' a summary report be prepared for each Cashier — detailing payments by process (PUBS vs. manual receipt) that are further broken down by cash, check, and credit card totals — for ' reconciliation to individual Cash Can totals and the daily bank deposit by the Assistant Controller. However, as discussed earlier, these control procedures still fail to reconcile the actual number and amount of mail -in payments received at their first point of receipt in the Customer Service Branch to the actual number and amount of mail -in payments posted to customer accounts by each Cashier. Security issues relating to the sharing of Cash Cans and computer logins and passwords by Cashiers also remain unaddressed and 1 appropriate access controls need to be implemented. Criteria: Internal Control Criteria — COSO Component No. 3: 1 "... Control activities occur throughout the organization at all levels and in all functions. They include a range of activities as diverse as approvals; authorizations; verifications; reconciliations; reviews of operating performance; security of assets; and segregation of duties." Criteria: Internal Control Criteria — COSO Component No. 4: "Information and Communication — Pertinent information must be identified, captured, and communicated in a form and timeframe that enable employees to carry out their responsibilities in an effective and efficient manner. Information systems produce reports containing operational, financial, and compliance- related information that help management run and control the organization." 1 1 1 1 37 CHAPTER 4: CASH HANDLING SYSTEMS FINDING Other revenue - generating activities and transactions originating in other DWS Divisions are not submitted to an integrated financial system to ensure efficient recording, processing, reconciling, monitoring, and reporting of all customer assessments and payments. Current processes for tracking activities relating to certain revenue - generating services are not integrated and lack adequate reconciliation and review. It is imperative that DWS management establish processes that clearly identify each revenue - generating activity (i.e.; water commitments, stand pipes, residential metering); identify the triggers for generation of receivables for each activity (i.e.; subdivision and building permit approvals); document the revenue - triggering event and actual total charges for all water services; provide appropriate segregation of duties between personnel documenting revenue - generating activities and personnel inputting financial receivable information; and provide regular reconciliation and review of "triggering documentation'" against "financial documentation" to ensure the completeness and accuracy of data and proper collection of fees owed. Only the collection of payments received for these revenue - generating activities appears to be adequately safeguarded and addressed by the Finance Division in its revised policies and procedures dated January 14, 2010, Revised Cashier Procedures. According to the Assistant Controller, manual receipts average approximately $200 in cash and credit cards and approximately $10,000 in checks per day among the Hilo office and Waimea and Kona District offices. Manual receipts are preprinted and sequentially numbered; and all are retained (including voided receipts). Procedures have been improved to require confirmation that all sequentially numbered receipts are accounted for and all receipt amounts are coded by revenue type and reconciled to daily deposits. Further monitoring is provided by the DWS 1 Engineering Division through its review of a copy of the daily cash packet, which includes all daily transactions processed by the Hilo office and Waimea and Kona District offices (such as water commitments, metered water sales, power charges, and finance charges for late payments). If a discrepancy is discovered, the Engineering Division contacts the Customer Service Supervisor to research, report on, and resolve the discrepancy. According to the Customer Service Supervisor, written procedures for manual receipts are specific as to the type of revenue - generating activity for which each payment is received. However, there are no process or flow maps documenting from start to finish the handling of manual receipts issued for all DWS services or activities through the various DWS Divisions to permit an assessment of process gaps or inefficiencies. This process mapping is 1 38 1 CHAPTER 4: CASH HANDLING SYSTEMS necessary to assess the completeness of revenues and receivables reported and the risks associated with their collection. RECOMMENDATION DWS management should perform a formal assessment of all of its cash handling processes, including a sufficient review of operations to reasonably ensure that all revenue - generating activities are being billed; corresponding payments are being received and recorded; and proper receipts are being generated. DWS management should also attempt to achieve further efficiencies by using its automated applications to replace the use of manual receipts. All automated processing applications should be fully integrated with the Department's financial management 1 application to ensure accurate and efficient transfer of transaction data from processing applications to the general ledger. However, until such time as full integration is accomplished, management 1 needs to develop and implement written control procedures that address the use and reconciliation of all manual receipts, including posting of receipts in the Department's financial system and 1 confirmation of corresponding cash deposits. A key benefit of financial IT systems is the effective and efficient automation of financial transaction processes, and the ability to update and modify existing systems to better align them with management objectives. The Control Objectives for Information ' and related Technology (COBIT) Framework, published by the IT Governance Institute, provides a detailed set of financial IT controls and control techniques for the information systems management environment, including performance measurements ' that identify how well an IT function is supporting business requirements. Criteria: Internal Control Criteria — Control Objectives for Information and related Technology (COBIT) Framework: "It is management's responsibility to safeguard all the assets of ' the enterprise. To discharge this responsibility as well as to achieve its expectations, management must establish an adequate system of internal control." ' Criteria: Internal Control Criteria — GFOA Cash Receipts Policy: "As part of performing government services, management must provide for appropriate mechanisms, automated and manual, to collect all funds for services performed and ensure the proper controls exist over all receipts... All aspects of cash receipts shall be subject to proper internal controls with standard controls documented and followed by revenue generating departments: o Automated system resources should be utilized where practical to provide better processing and reconciliation support as well as providing a more efficient and effective manner to manage receipts..." 1 39 CHAPTER 4: CASH HANDLING SYSTEMS FINDING The Department of Water Supply's overall control environment is inadequate. DWS management has not established a control environment that clearly communicates its commitment to accountability through the development and enforcement of clearly defined cash handling policies, procedures, and controls. DWS management has not fully met its governmental objective to safeguard assets as a result of its inattention to risk assessment and failure to adequately address internal controls for segregating, monitoring, reporting, and reviewing its cash handling activities. As early as 1999, the Finance Division revised its cash handling procedures in response to repeated cash overages and shortages, but managers failed to fully enforce revised procedures or recognize the significance of its risk exposure. Subsequent to its discovery of theft by one of its Cashiers, the Finance Division again revised its cash handling procedures in October 20, 2009, and January 14, 2010, but DWS management has yet to fully implement mitigating controls included in its revised procedures to adequately address identified areas of significant risk. Further, while Finance Division managers state they are aware that DWS needs to undertake a comprehensive risk assessment of its activities as well as a systematic review of preventive and detective controls to determine their cost - effectiveness and applicability to current business operations, DWS has not developed a timeline or plan for accomplishing these risk management activities. RECOMMENDATION At a minimum, the Finance Division needs to conduct a full process review of its cash handling activities in order to identify current inefficiencies and areas of inherent risk. This process review needs to be followed by process modifications to increase performance and accountability through improvements in efficiency and security, and to decrease risk exposure through the identification, evaluation, and implementation of appropriate control activities. It must be emphasized here that while the Finance Division continues to work toward improving its cash handling processes, the Waterworks Controller and Assistant Controller are hampered by workload, personnel, and time constraints. Therefore, it is imperative that DWS management provide the Waterworks Controller and Assistant Controller with the necessary tools, including the optimum combination of personnel and automated financial IT systems, to assist them to better account for and safeguard cash assets. Leadership in establishing the control 1 environment — the ethical tone — of the organization must be set by management, which in the case of the Department of Water Supply, rests with the Water Board and its Manager. In our audit entrance conference, DWS management acknowledged that internal control systems are problematic in government agencies 40 CHAPTER 4: CASH HANDLING SYSTEMS because government agencies tend to focus on their missions of providing and improving services to the public, not improving internal controls. The Committee of Sponsoring Organizations (COSO) — which is comprised of five professional financial accounting organizations — provides the following guidance: "Internal control can help an entity achieve its performance and profitability targets, and prevent loss of resources. It can help ensure reliable financial reporting. And it can help ensure that the ' enterprise complies with laws and regulations, avoiding damage to its reputation and other consequences. In sum, it can help an entity get to where it wants to go, and avoid pitfalls and surprises along the way." ' Criteria: Internal Control Criteria — COSO Component No. 1: "The control environment sets the tone of an organization and is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the ' organization's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by its board of director&" 1 1 1 1 1 1 1 i 41 CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS CHAPTER 5 INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS OVERVIEW Automation with computer technology has become a necessity for government organizations to carry out their operations effectively and efficiently and to process, maintain, and report essential financial information in a timely manner. As a consequence, the reliability of computerized data and the systems that process, maintain, and report these data is a major concern within an audit. 1 Department of Water Supply IT Financial Systems The Department of Water Supply's IT financial applications and financial computer servers are administered by the Waterworks Controller, and not the DWS Information Systems Branch. Harris Computer Systems, headquartered in Toronto, Canada, has been contracted to provide support and maintenance for the Department's primary financial systems. The Information Systems Branch maintains and supports the Department's non - financial applications. In addition, the Information Systems Branch maintains and supports the Department's local -and wide -area networks used for connectivity to all financial and non - financial applications as well as all workstations connected to the financial and non - financial systems. [See Chapter 3 Attachments: DWS Finance Division Organization Chart and Information Systems Branch Position Organization Chart.] The Department of Water Supply has three financial - related IT systems, including the Public Utility Billing System (PUBS), Select Financial System, and Water Commitment System. The PUBS is used for recording meter readings and for water billing and payment processing (with Cashiers and Customer Service Representatives entering approximately 750 water bill payments per business day). The Select Financial System is an integrated suite of modules used for General Ledger, Payroll, Inventory, Purchasing, Accounts Payable, and Bank Reconciliation. The Water Commitment System is used by the DWS Engineering Division to record information and payments made by developers for water commitments for future service to planned parcels and subdivisions. However, manual receipts are written for water commitment payments as well as various other payments. The three financial IT systems are separately maintained and are currently not integrated. 42 CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS The Waterworks Controller said that the PUBS and Select Financial System were procured in fiscal year 2000 for ' approximately $650,000 from the Harris Computer Systems company headquartered in Toronto, Canada. The recurring annual maintenance and support for these two systems is ' approximately $40,000 per year. These systems currently run on an IBM RISC System /6000 minicomputer running IBM's UNIX operating system variant AIX. The PUBS was set up for storing water customer information, recording water meter readings, generating water bills, making adjustments, and receiving water bill payments. The PUBS was not set up for recording water commitment payments and other payments. While capabilities were not available when the systems were implemented, Harris Computer Systems has since developed functionality to automate posting between the PUBS and Select Financial System. However, the Waterworks Controller stated that he has opted not to implement the functionality due to having insufficient knowledge of the automated posting process. The Water Commitment System runs on an IBM AS 400 middle - size computer. The Waterworks Controller stated that there are plans to migrate water commitment records to a custom Microsoft Access database created by the Information Systems Branch. However, it should be noted that Microsoft Access is not considered an enterprise -level application; the custom system is not integrated with the other financial systems; and custom development of financial applications may pose maintenance and upgrade issues as well as security risks. For example, other County departments have had to postpone upgrading Microsoft Access database software, and instead have IT personnel custom install old versions of the Microsoft Access database software on 1 newly purchased workstation computers in order to use previously developed custom Microsoft Access databases. The lack of version compatibility necessitates the continued use of older versions of Microsoft Access on each personal computer (PC) in order to keep it active. In general, multiple versions of Microsoft Access cannot function on a PC without extraordinary system set- "! up, such as multiple drive partitions and separate Windows operating system installations. Prior to assuming his current position, the Waterworks Controller 1 was involved with the implementation of the Department's financial systems and had a working knowledge of the PUBS and Select Financial System applications as well as the AIX operating ' system. He is the only employee with a working knowledge of system administration for all of the Department's financial systems. As Waterworks Controller, he retained the duties of both 1 the financial system administrator and the application administrator and also administers the Water Commitment System application and IBM AS 400 computer server. 1 ' 43 CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS The DWS Information Systems Branch does not support or have administrator access to the Department's financial computer systems and applications. The Information Systems Branch only administers the non - financial applications, network, servers running the Microsoft Windows operating system, and PC workstations running Microsoft Windows. The Information Systems Branch supports e -mail, Internet access, and other non- financial applications. The Department's Microsoft Windows servers are located in a locked air - conditioned server room. The Information Systems Branch requires that Computer Access Request Forms be filled out and signed for computer system access changes. Network passwords are required to be changed every 90 days. The Waterworks Controller acknowledges that his current role as systems administrator for financial systems needs to be moved to the Information Systems Branch. He stated that there are plans to migrate the PUBS and Select Financial System from the RISC System /6000 minicomputer running IBM's AIX to a server running the Linux operating system that is supported by the Information Systems Branch. As noted above, the Information Systems Branch has developed a custom Microsoft Access database for the future migration of the Water Commitment System to a Microsoft Windows platform administered by the Information Systems Branch. FINDING Segregation of financial systems duties is insufficient. The Department of Water Supply Tacks proper segregation of duties for its IT financial system functions. The Waterworks Controller is both the System Administrator and Application Administrator for the Public Utility Billing System (PUBS), Select Financial System, and Water Commitment System. A System Administrator is responsible for the provision, installation /configuration, operation, and maintenance of systems hardware (i.e.; IBM RISC System /6000 and IBM AS 400 computers); systems software (i.e.; AIX and OS 400 operating system software); and related infrastructure. An Application Administrator has full access to all functions (i.e.; PUBS, Select Financial System, and Water Commitment System), including system set -up and user set -up tasks. Security may be compromised when one employee serves as both System Administrator and Application Administrator, since the employee could potentially make a financial system change and delete the audit trail of log files. Combining the duties of System Administrator and Application Administrator may also permit the implementation of software program changes that impact financial records and, at the same time, permit the destruction of electronic data needed for detective controls. Security is further 44 IMP CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS compromised when there is no review of the Controller's activities other than during the annual financial audit, which is based on Imo levels of materiality relative to financial statements as a whole. It must be emphasized here that no such impropriety was noted during the audit. However, the risks of misappropriation or fraud relating to the lack of proper segregation of DWS financial system functions are unacceptably high. RECOMMENDATION The function of System Administrator should be moved from the Waterworks Controller to multiple employees in the Information Systems Branch. It should be noted that the Waterworks Controller has been working to move these system administration ' functions to the Information Systems Branch. The function of Application Administrator should be separated, if ' possible, from functions that create segregation of duties issues depicted and discussed in the IT Segregation of Duties Matrix, the ISACA's Segregation of Duties Control Matrix, and the SOX Segregation of Duties Matrix in Chapter 2. For example: • The employees entering water bill adjustments should be separated from the Application Administrator function. • The function of reviewing IT system application changes should be separated from the function of actually making the application changes. Criteria: Internal Control Criteria — IT Segregation of Duties Matrix by the Information Systems Audit and Control Association (ISACA): "Potential segregation of duties issues may exist if the System Administrator function is combined with control group functions, application programmer, help desk and support manager, data entry, computer operator, database administrator, or systems 1 programmer." FINDING Policies and procedures relating to financial systems security, passwords, access rights, backups, and disaster recovery are insufficient. DWS management has not required and developed sufficient policies and procedures for financial IT system security, passwords, access rights, backups, and disaster recovery. Although the Information Systems Branch has written policies and procedures, the Information Systems Branch does not currently administer and provide support functions for the Department's financial servers and applications. 1 45 1 CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS Financial Systems The IBM RS /6000 and IBM AS 400 financial computer servers are Security located in an unlocked office with access by various employees. Physical access to servers can potentially be used to hack into the system or cause damage to the system. However, the Information Systems Branch has provided for adequate physical security for the non - financial IT systems. The Microsoft Windows servers administered by the Information Systems Branch are located in a locked air - condition server room with access restricted to appropriate personnel. Passwords The Waterworks Controller stated that employees are informally instructed not to share logins and passwords. However, this informal verbal policy does not appear to have been communicated to all employees, nor does there appear to be any monitoring or review process. During our interviews with DWS employees, we found that certain employees shared logins and passwords to the Public Utility Billing System (PUBS). A Customer Service Representative stated that she shared a login and password with a District Supervisor. When employees share logins and passwords, it is difficult or impossible to determine who actually made a financial system transaction or change. For example, it would not be possible by reviewing system data to determine whether a water bill adjustment was made by the Customer Service Representative or the District Supervisor who share the same login and password. Additionally, Cashiers' workstations are not logged -out or timed -out when Cashiers take breaks or have lunch, which creates the potential for unauthorized system access. 1 There is no IT policy setting that requires financial application passwords be changed. Passwords do not regularly expire due to a system password policy setting, and there is no informal or formal written policy requiring people to regularly change passwords on the PUBS, Select Financial System, and Water Commitment System. Currently, if a password does fall into the wrong hands, the password would continue to remain active. Access Rights The PUBS has nine listed Application Administrators. Application 1 Administrators have full financial application access to make changes to set -up and configuration, financial transactions and records, or any other application function. IT security experts recommend that administrator access be limited to a small number of employees who are responsible for granting proper application access privileges or who need administrator access for their job functions. Having nine PUBS Application Administrators creates a lax control environment, where employees have more access rights than needed for their respective job descriptions. 1 1 46 1 I CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS 1 The Waterworks Controller said that he did not audit or review financial application changes made by the Application I Administrators. For example, an Application Administrator could adjust a customers water bill or make any other application change without a review of the system change. This lack of 1 control and oversight to detect potential misuse of financial applications increases the risks of misappropriations as well as inappropriate financial system changes and inaccurate or . misstated financial data. Back -ups There is no written back -up and retention policy for the PUBS, Select Financial System, and Water Commitment System. The ■ current back -up procedure appears insufficient to guarantee restoration of key financial systems. The Waterworks Controller said that he takes the current day's back -up tapes home each day. I If a system problem occurs and the back -up tape is also defective, a financial system may not be restorable in a timely manner and critical data could be lost. A back -up tape retention policy and procedure is necessary to ensure that financial data is safe from destruction and that I financial systems can be adequately restored following natural disasters or systems failure. The Hawaii County Data Systems Department has a back -up and retention policy and procedure that could be reviewed, modified, and adopted by the Department of I Water Supply. The Hawaii County Police Department currently provides secure storage for back -up tapes for the Data Systems Department and may be able to provide secure tape storage for 1 the Department of Water Supply as well. Disaster Recovery DWS currently has no continuity of business and /or disaster IP recovery policy or plan for its IT financial systems. What will i. happen if an office fire destroys the two financial systems servers? What will happen if someone maliciously destroys data on the I server and the current back -up tapes? What will happen if the System Administrator is unable to come to work? These are questions that must be answered for scenarios that may disrupt I business operations, and are essential to guide the development of a plan to minimize or mitigate risks and provide adequate solutions to disruptions in business functions. 1 The Waterworks Controller is the only System Administrator for all of the Department's IT financial systems. In addition to what is likely an excessive workload, this means that if the Waterworks . I Controller was unable to come to work, there would not be another employee or an on- island vendor support person who could back -up system transactions for the day or respond to problems on -site. Most organizations have the System Administrator function in their Information Systems Branch with more than one System Administrator (if possible) to facilitate 1 continuity of business should a System Administrator be unable to 47 CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS come to work. Although the software vendor supports the system and applications, having only one employee with System Administrator access and knowledge of the Department's financial IT systems poses a significant risk to business continuity. The lack of a business continuity and disaster recovery plan could potentially result in significant business disruptions and /or loss of critical financial data and records. RECOMMENDATION Financial Systems Security Finance Division managers and the Information Systems Branch should develop adequate written policies and procedures relating to the Department's IT financial systems. Formal policies and procedures are critical for ensuring IT financial system security and safeguarding critical financial data from inappropriate access and /or changes. Enforceable policies ensure that vulnerabilities are identified and addressed with a goal to reduce risks to the IT financial system. Once a security policy is in place, heightened security awareness also serves as a deterrent and increases the likelihood of individual compliance throughout the organization. The IT financial servers should be located in a locked air - conditioned server room with access restricted to only employees with a job description that entails needing access to the server room. Because the System Administrator function should be moved to the Information Systems Branch, the IT financial system servers should be moved to the Information Systems Branch's locked air - conditioned server room. Access should likely be limited to only the Information Systems Branch's System Administrators and the DWS Manager. Employees who may only need access for an occasionally occurring purpose could be permitted access as needed by authorized employees. Passwords Password policy should include the requirement that employees 1 have individual logins and not share passwords. Password policy settings should require password changes on a regular basis. Employees should log -out and /or be timed -out of any IT financial systems when they go on break or have lunch. Access Rights The number of Application Administrators should be limited to those employees requiring administrator access rights. Application Administrator access rights should likely only be provided to a few employees that need full application access in order to set up the access rights of other employees and /or make application configuration changes. 1 1 48 CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS 1 Back - ups Finance Division managers and the Information Systems Branch should develop a back -up and recovery policy and procedure that 1 address, at a minimum, the following: • Tapes should be stored off -site in a secure location outside the ' tsunami zone in case of various disasters, such as fires, floods, hurricanes, tsunamis, earthquakes, and volcanic eruptions. 1 • Restoring systems from back -up tapes should be routinely tested to ensure that critical systems can be restored. Disaster Recovery DWS management and the Information Systems Branch should develop a brief and concise Continuity of Business and Disaster Recovery Plan that includes IT financial systems to address continuation of business operations in the aftermath of various business disruption and disaster scenarios. This should be a functional plan that is routinely updated and tested on a regular basis, and not a cumbersome plan drafted by a consultant that collects dust on a shelf without being used. ' Criteria: Audit Plan — Government Auditing Standards (Yellow Book) section 7.23: "General controls help ensure the proper operation of information ' systems by creating the environment for proper operation of application controls. General controls include security management, logical and physical access, configuration management, segregation of duties, and contingency planning. Application controls, sometimes referred to as business process controls, are those controls that are incorporated directly into computer applications to help ensure the validity, completeness, accuracy, and confidentiality of transactions and data during application processing. Application controls include controls over input, processing, output, master data, application interfaces, and data management system interfaces." Criteria: Internal Control Criteria — ISACA Security Policy: "The main goal of a corporate security policy is to protect data by defining procedures, guidelines and practices for configuring and managing security in the corporate environment... It is also important that the policy outlines how it will apply to corporate employees, processes and environments." Criteria. COBIT Mapping: Overview of International IT Guidance, 2nd Edition: "Information should be backed up, and the backup files should be tested regularly... Removable media should be handled with special care." ' 49 CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS Criteria: Internal Control Criteria - "IS Auditing Guideline Business Continuity Plan (BCP) Review from IT Perspective" (ISACA): "In today's interconnected economy, organizations are more vulnerable than ever to the possibility of technical difficulties disrupting business. Any disaster, from floods or fire to viruses and cyber- terrorism, can affect the availability, integrity and confidentiality of information that is critical to business..." Criteria: Internal Control Criteria - Business Continuity Plans Auditing Business Continuity ", Information Systems Control Journal (ISACA): "Every organization should have a business continuity plan that seeks to ensure that its information systems are available and running at all times to support and enable the business to function and grow. In spite of all precautions and preventive controls, disasters can occur. Some disasters cannot be controlled and /or prevented. In such cases, the business continuity plan should also enable recovery of information systems within an acceptable time frame to avoid any serious damage to the business." FINDING Security for the local area and wide area networks providing connectivity to the IT financial and non- financial systems appeared sufficient. Interviews and initial review of system security policies and procedures indicated that the Information Systems Branch uses good security measures for the local and wide area networks. The Information Systems Branch utilizes firewalls; restricted access to network infrastructure; Computer Access Change Request Form authorizations; retention of change requests for audit purposes; antivirus software; system required password changes; and other security procedures. The internal controls of the Information Systems Branch were relevant to this audit only in that the Information Systems Branch supports the network connectivity and the workstations connecting to the Department's IT financial systems. RECOMMENDATION Although an initial review of the current procedures appeared adequate, the Information Systems Branch should develop a formal written policy and procedure regarding network security. The Information Systems Branch could also provide basic training for employees on common IT security issues and protocols. Criteria: Internal Control Criteria — Information System Audit and Control Association (ISACA) Security Policy: "The main goal of a corporate security policy is to protect data by defining procedures, guidelines and practices for configuring and managing security in the corporate environment. It is imperative that the policy defines the organization's philosophy and 50 CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS requirements for securing information assets. It is also important that the policy outlines how it will apply to corporate employees, ' processes and environments. Consequences for failed compliance must also be addressed." FINDING Processes to monitor, report, and review systems ' activities are insufficient. Current financial processes do not include sufficient transaction reports for review, audit trails, and review of transactions. The Waterworks Controller stated that the current Public Utility Billing System (PUBS) will not generate a report of all transactions made by an employee in a given time period. However, if this is the 1 case, since PUBS records the login id of each transaction, a custom report should be able to be generated by Harris Computer Systems that shows all transactions made by an individual user. ' PUBS transactions and changes made by Cashiers are periodically reviewed by the Customer Service Supervisor. However, the Waterworks Controller stated that he did not audit or review systems changes made by other employees (i.e.; he does not review water adjustments that are entered in PUBS by the Customer Service Supervisor). System changes made by the ' Waterworks Controller are also not reviewed by DWS management. Additionally, the multiple financial systems (PUBS, Select Financial System, and Water Commitment System) and their related manual processes hinder the efficient production of detailed reports that would permit regular and frequent review of transactions and changes. ' The lack of adequate preventive controls such as segregation of duties and sufficient login and password security measures and the lack of automation and systems integration, coupled with the lack of adequate detective controls such as monitoring, reviewing, and reporting of financial systems transactions, has created a control environment at risk for fraudulent activities that may not be ' detected in a timely manner. RECOMMENDATION DWS management should develop policies and procedures for reviewing and auditing transactions and system changes at all levels within the Department. Adequate review is needed for financial system transactions and changes made by supervisors, application administrators, system administrators, and the ' Waterworks Controller. Financial system changes should have an audit trail that shows who authorized the change and who made the change. An audit and review process for financial systems changes should be developed and implemented ensuring regular and frequent review of any changes for proper authorization and completeness. 1 1 51 CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS Criteria: Internal Control Criteria - Control Objectives for Information and related Technology (COBIT) Framework "It is management's responsibility to safeguard all the assets of the enterprise. To discharge this responsibility as well as to achieve its expectations, management must establish an adequate system of internal control." COBIT also emphasizes the need to review the design of audit trails while identifying the automated solutions. Criteria: Internal Control Criteria — COSO Component No. 4: "Information and Communication — Pertinent information must be identified, captured, and communicated in a form and timeframe that enable employees to carry out their responsibilities in an effective and efficient manner. Information systems produce reports containing operational, financial, and compliance- related information that help management run and control the organization..." Criteria: Internal Control Criteria — COSO Component No. 5: "Monitoring — Internal control systems need to be monitored — a process that assesses the quality of system performance over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs during the course of operations, and includes regular management and supervisory activities as well as other employee activities. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures..." FINDING Systems integration is insufficient to provide automated systems reconciliation and combined reporting of financial transactions. The Public Utility Billing System (PUBS), Select Financial System, and Water Commitment System are not integrated. This lack of integration creates duplication of work and inefficiencies in 1 financial reporting. For example, a manual receipt would be written for a large water commitment payment; the commitment would also be entered into the Water Commitment System; and the payment would be summarized and manually posted to the Select Financial System's General Ledger. Reconciliation of all the financial transactions recorded ecorded on each separate IT system is difficult, with only summarized manual entries made from the PUBS, Water Commitment System, and manual receipts being posted to the General Ledger. If an employee records a water commitment in the Water Commitment 52 CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS System, there are no IT system checks that ensure that transactions are also recorded in the Select Financial System. The Waterworks Controller stated that he does not audit or review changes made by Application Administrators in each system. This poses the risk of financial transactions made in one financial system not being consistent with the transactions made in one of the other financial systems. This increases not only the risk for errors, but also the difficulty and time required to monitor and reconcile transactions, which, in turn, increase the risk that misappropriation or fraud may occur and go undetected for significant periods of time. 1 RECOMMENDATION DWS should evaluate contracting with Harris Computer Systems to implement the existing module to integrate the Public Utility Billing System (PUBS) with the Select Financial System and ' provide training related to automated posting to the Select Financial System General Ledger. Harris Computer Systems should also be requested to advise the Department on recording and tracking water commitment information and transactions, as well as other manual receipts, in either the Select Financial System or PUBS. DWS should implement reports and review processes to reconcile transactions in PUBS with the Select Financial System as well as bank transactions. A daily reconciliation of transactions to bank deposits should be ' supported by integrated systems that provide for a single report of daily cash, checks, and credit payments for easy reconciliation. A monthly reconciliation should be completed by an appropriate employee who does not make journal entries to the Select ' Financial System. Criteria: Audit Plan — Government Auditing Standards (Yellow Book) ' section 7.21: "In performance audits, a deficiency in internal control exists when the design or operation of a control does not allow management or ' employees, in the normal course of performing their assigned functions, to prevent, detect, or correct (1) impairments of effectiveness or efficiency of operations, (2) misstatements in ' financial or performance information, or (3) violations of laws and regulations, on a timely basis..." ' Criteria: Internal Control Criteria — COSO Component No. 4: "Information and Communication — Pertinent information must be identified, captured, and communicated in a form and timeframe that enable employees to carry out their responsibilities in an effective and efficient manner. Information systems produce reports containing operational, financial, and compliance- related information that help management run and control the 1 organization." 1 53 CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS FINDING Existing IT financial systems are inefficient for automating business processes. The Department of Water Supply has not efficiently automated its business and financial transactions and activities with the Public Utility Billing System (PUBS), Select Financial System, and Water Commitment System. Manual receipts, manual processes, and manual reconciliation and reporting are routine. However, the current systems may be able to be integrated and configured to efficiently automate business transactions and activities. This would require a review of current processes to determine "necessary and efficient" process components and monitoring controls prior to automation of financial functions and integration of financial systems. Manual receipts are written for payments (except for the PUBS - generated receipts for standard water bill payments). These manual receipts include water commitment payments and new service deposits. Monthly summarized journal entries are made manually by the Waterworks Controller without a routine review process. These manual receipts also create a financial environment where cash, check, and credit card receipts are more difficult to track and reconcile. Even with recent improvements, the daily reconciliation process still fails to adequately address the existence and completeness of transactions and the reconciliation to all transactions made in the multiple financial systems and recorded on various manual receipts. The Waterworks Controller has been investigating options for replacing the PUBS and Select Financial System. He has considered using Tyler Technology's EDEN system (referred to as FRESH by County employees), which is used by the County for financial functions and for sewer billing. However, it should be noted that the EDEN system is not a leading financial and utility billing system and may be inefficient for the functional requirements of the Department of Water Supply. It should also be noted that during previous audits, County employees detailed inefficiencies in the system such as the inability to provide relevant and timely reports to support monitoring and informed decision - making. The Waterworks Controller stated that utilizing the City and County of Honolulu's water utility billing system may be an option, since the City and County of Honolulu's Water Supply provides billing services for Maui and Kauai counties. An employee 111 managing the IT systems at the City and County of Honolulu's Water Supply stated that the current system is an in -house custom built system called the Computer Accounting System (CAS), which is running on an obsolete DEC Alpha computer system. He stated that the current hardware and software are no 1 54 CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS longer supported by the manufacturer. He said that the City and County of Honolulu's Water Supply has just completed I procurement of a new Oracle Utilities system that will be used for water billing for Honolulu, Maui, and Kauai counties. He said that Maui and Kauai counties are not being required to pay for the I system, and the application will be installed on a Microsoft SQL server. He stated that the estimated timeframe for implementation of the new Oracle Utilities application is 18 months. He said that the primary financial application used at the City and County of I Honolulu's Water Supply is JD Edwards One World, which was recently acquired by the Oracle Corporation. Although the Oracle Utilities system has been selected for utility billing on the neighbor I islands, any potential system should still be reviewed in detail to make sure that it meets the needs and requirements of Hawaii County's Department of Water Supply and will efficiently and I effectively automate its business processes (such as integration with its General Ledger module). I In addition to the selection of a system, the proper configuration of a financial and utility billing system is extremely important to meeting the business needs and requirements of an organization. I There are numerous examples of businesses purchasing leading financial and utility billing systems, and then having major issues arise regarding system configuration due to insufficient project planning and needs analysis. Completion of business process I mapping and process improvement prior to procurement of the IT application would help to ensure that the application is capable of being successfully implemented as well as capable of meeting 1 business needs. Inefficient business automation within its IT financial systems has I many impacts on the overall efficiency and effectiveness of the Department of Water Supply. For example, employees must complete more work, or more employees must be hired to support I the workload created by inefficient processes. Customers may be required to wait longer as inefficient or manual processes are completed. Manual transactions cannot undergo system error- "! checking processes. Key decision - making information is either not available or must be manually compiled, which may result in less than timely management decisions based on misinformation or incomplete information. ill RECOMMENDATION It may be possible to remedy the current inefficiencies with the Department's financial systems by consolidation, integration, and 1 configuration of its existing systems. DWS should consider contracting with Harris Computer Systems to automate manual receipt processes; automate posting from PUBS to the Select I Financial System; facilitate water commitment transactions; and improve reporting. DWS should also map business processes and assess the potential for automating processes with the current I financial and utility billing systems. 55 CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS If the inefficiencies with current financial systems cannot be remedied with integration and configuration changes, DWS should consider procurement of a new integrated financial and utility billing system. Any procurement should include an in -depth business needs and requirements analysis, and preferably an on- site visit and review of the working system at a comparable municipal water utility company. Because the selection of a financial /utility billing system will have such a profound impact on the future efficient operations of the Department of Water Supply, great care should be taken in determining IT system requirements and evaluating any prospective systems. At a minimum, DWS should evaluate the leading software financial applications, including SAP, Oracle, and PeopleSoft. Leading systems have successfully been deployed at numerous comparable sites. SAP and Oracle both have products for the business role of water utility billing. Gartner Group analysts gave eMeter, Itron, and Oracle Utilities a positive rating for meter data management products. Microsoft Dynamics, formerly Great Plains, is an additional vendor with utility billing capabilities. Criteria: The Control Objectives for Information and related Technology ( COBIT) Framework: Published by the IT Governance Institute (ITGI), COBIT provides a detailed set of controls and control techniques for the information systems management environment, including performance measurements that identify how well the IT function is supporting business requirements. A key benefit of IT financial systems is to effectively and efficiently automate financial transactions and processes. 56 CHAPTER 6: CONCLUSION CHAPTER 6 CONCLUSION This limited scope performance audit of the Department of Water Supply (DWS) found current internal controls relating to cash ' handling and financial information technology (IT) systems to be inadequate based on criteria established by various professional accounting associations, including the U.S. Government Accountability Office (GAO); Government Finance Officers Association (GFOA); Information Systems Audit and Control Association (ISACA); and Committee of Sponsoring Organizations 1 of the Treadway Commission (COSO). DWS has yet to appropriately develop and implement financial ' and operational controls necessary to sufficiently reduce the risk of internal improprieties or illegal acts related to its financial assets and information systems. Such internal control deficiencies permitted a theft by a DWS cashier to go undetected for possibly more than 12 years, ultimately resulting in the conviction of the responsible employee who has paid restitution in the amount of $78,868.40. While the DWS Finance Division responded to ' discovery of the theft by proposing policy and process improvements to cashiering activities in its Customer Service Branch, the DWS Administration has yet to fully implement them, ' and as a result, cash handling controls remain insufficient to prevent and detect mishandling or misappropriation of customer payments in a timely manner. While the amount of the theft may ' not have been considered material, the occurrence of theft does not appear to have served as a sufficient "red flag" to the Department to initiate a comprehensive risk assessment of its financial operations and systems and implement industry- recommended financial and operational controls to reduce future risks and better safeguard assets. Another area of significant concern is the Department's lack of proper financial IT system controls, which increases the risk of potentially larger financial misappropriations or improprieties occurring without timely detection. ' To improve accountability and transparency in its financial operations, DWS needs to assess all relevant risks to its cash ' assets and financial IT systems; identify appropriate preventive and detective controls for its cash handling and financial IT operations; develop and implement written policies and ' procedures for industry- recommended control activities (including segregation of duties; verifications and reconciliations of all transactions; accurate, timely, and complete financial reporting; secure password and access right protocols; and regular 57 1 CHAPTER 6: CONCLUSION monitoring of financial operations and systems at all levels and in all functions); communicate policies and procedures to all affected employees so they understand their roles in the internal control system and the consequences for failed compliance; establish a continuous review process that identifies new or changing financial and operational risks, updates control activities to minimize risks, and implements updated policies and procedures in a timely manner; and provide its Finance Division with the optimum combination of personnel and automated financial IT systems to permit the Waterworks Controller and Assistant Waterworks Controller to carry out their responsibilities in an effective and efficient manner. In its response to audit recommendations, DWS generally agreed with audit findings, stating that: "Overall, this report provides an excellent opportunity for us to update and improve controls in the department." However, DWS cited current workloads and upgrade costs for improvement of financial management and billing procedures and systems as challenges to the early implementation of audit recommendations, which working conditions were acknowledged by auditors in the report. The Legislative Auditor's Office is currently facilitating the process mapping by DWS personnel of its cash handling procedures, emphasizing the necessity for the Department to conduct a global risk assessment of all of its revenue - generating activities from levying to collection of receivables as a basis for the Department's development of relevant internal control policies and procedures. Ownership of ,internal control systems and procedures by the Department, its Manager, and its Board is an essential first step to a collective understanding that internal controls are interrelated and must be addressed in all functions and at all levels within the Department, including the interface between cash - handling activities and financial IT capabilities and the risks associated with both. The COSO Internal Control — Integrated Framework states that: "Control environment factors include the integrity, ethical values and competence of the organization's people; management's philosophy and operating style; the way management assigns authority and responsibility and organizes and develops its people; and the attention and direction provided by its board of directors." Therefore, DWS cannot rely solely on the annual external financial audits mandated by the Hawaii County Charter to detect and report on all financial deficiencies and recommend improvements to all financial controls, since external auditors only opine on matters of materiality based on annual financial statements taken as a whole. Ensuring that assets are properly safeguarded and effectively, efficiently, and economically expended for their intended purposes is the responsibility of the Water Board and its Manager. Fundamental to meeting this responsibility is the establishment by the Water Board and its 58 CHAPTER 6: CONCLUSION Manager of a proper control environment that provides the necessary discipline and structure within DWS and sets the ' foundation for an adequate system of internal controls. The COSO Internal Control — Integrated Framework also states ' that: "Internal control systems need to be monitored — a process that assesses the quality of system performance over time... Internal control deficiencies should be reported upstream, with serious matters reported to top management and governmental ' leaders." Therefore, it is imperative that County managers and leaders (including the Mayor and Council as well as Boards and Commissions) expand their operational missions of providing 1 public services to include the safeguarding of public assets through effective risk management and internal control systems. ' Colleen M. Schrandt Legislative Auditor June 2010 1 1 1 1 1 1 1 1 1 1 1 59 1 DEPARTMENT OF WATER SUPPLY RESPONSE O AT R r , 19 4` i ^o .� DEPARTMENT OF WATER SUPPLY • COUNTY OF HAWAI'1 •, O wHA". " � 345 KEK0ANAOA STREET, SUITE 20 • HILO, HAWAII 96720 TELEPHONE (808) 981.8050 • FAX (808) 981.8657 June 16, 2010 Co m Colleen Schrandt 2T Legislative Auditor cr. Office of the Legislative Auditor rrn 25 Aupuni Street = CS Hilo, Hawaii 96720 r n F r RE: LIMITED SCOPE PERFORMANCE AUDIT Dear Ms. Schrandt: Thank you for the opportunity to respond to your audit of our cash handling and financial 3 IT systems. You provided excellent recommendations for improvements in both systems. We provided some background infbmmation for each of the systems you examined before commenting on specific findings. ChaLricr 4.Cash H>andlingSvstern The existing cash handling system has been in place since 196ft when our first cashier position created. At that time, revenues and customers totaled approximately S900,000 and 12,500, respectively. Today, the department's cashiers collect approximately 539,000,000 from 41,000 customers while the number of cashier positions has only increased: to 2. This'is an example of the department's efforts to conform to its mission statement which is "to provide safe and dependable drinking water at a reasonable cost." Unfortunately, our focus on controlling costs impacts our ability to provide for certain internal controls. Pa_e 25•Se_re• •tian of duties y:1, • ° 'r• end .4 stin_ of mail - in •a ments' inadequate. Agree with Legislative Auditor's finding. If there is a weakness in our cash handling, it is an the front end when mail is received. Use ofa receptionist to prepare an initial accounting of the mail for comparison to subsequent posting totals or use ofa lock box service are solutions that we investigated after a cashier's theft was discovered We put off implementing either solution due to obstacles such as conflicts with existing. workloads. the volume of payments received by mail, available manpower, and cost. We will reevaluate these options. 1 ...Water, Our Most Precious Resource ... xa Wai Kane , .. '?m PaparUnenl o! Vow Supply s an Equal Opp candy povlder and ernp dyer 1 1 60 11111111MMENNI I DEPARTMENT OF WATER SUPPLY RESPONSE 1 1 June 16, 2010 1 Page 2 For your information, our research into the lock box solution estimated the following I additional costs and requirements: 1) $30,000 per year in additional bank fees; 2) $6,000 to redesign our water bill and create an interface for our billing system to c accept electronic payment detail from the bank; and 3) $1,000 to adjust our mailing equipment to accommodate a revised water bill and envelope layout. I On October 20, 2009, we implemented the following procedures, among others, that prevents the kind of theft that occurred from happening again: I 1) Cashing of checks was stopped. 2) Checks and cash from walk-in customers and mailed in payments are balanced separately on a daily basis. 3) Daily collections are reconciled by cash and check to the daily cash packet and I bank deposit. Page 27 Oversight and monitoring of the mail-inpayment process by Finance Division managers is inadequate. I This is essentially a restatement of the finding described on page 25. See comments above. ....., Page 29 Physical security over mail-in checks during the paymentposting_orocess is I inadequate. Agree with Legislative Auditor's finding. While access to the cashiering section is now restricted, a locked container for mail provides better physical security during working hours. We will investigate how locked containers can be situated in the cashiering area 1 , for storage. Page 30 Cash handling procedures for walk-in and mail-in nayments are not consistently formalized in vvritine or enforced in all offices of the Custoiner Service Branch. I Agree with Legislative Auditor's finding. We will reevaluate and lbrmahze written procedures to ensure an adequate audit trail and consistency. We will also work to make sure cashiers in District offices understand and follow the procedures for cash can assignments. I Page 32 Computer system security at walk-in customer service payment windows is inadequate. I Agree with Legislative Auditor's finding. With the creation of the department's Information Systems Branch, more expertise is available for improving log-in security. 1 1 1 1 61 DEPARTMENT OF WATER SUPPLY RESPONSE June 16, 2010 Page 3 Pa _e 33 Control rocedur r °latint tt com.0 r s' woos •ndlogins are not consistently formalized in writing or enforced in all offices of the Customer Services Branch. This is essentially a restatement of the finding on page 32. See comments above. Page 34 Segregation of cash handling duties at District offices is not regularly monitored for proper controls. The department long ago analyzed the duties at the District offices as well as those for backing up cashiers in Hilo. We do not feel our small offices in Waimea and Kona lend themselves to the degree of segregation recommended. These offices perform a variety of IMP work without the volume to justify having separate people performing singular functions. Normal vacation and sick leave absences further limit available personnel on a regular basis. The Customer Service Representative 11 in each District office has always served as primary cashier responsible for deposits and related reporting. tta Our arrangements for backing up cashiers in Hilo were established primarily to provide a segregation of duties between those who create accounts (customer service RP representatives) and those who post payments to accounts (cashiers). Our intent is to prevent one person from posting payments to fraudulent accounts and generating refunds or credit balances. By using supervisors to back -up cashiers, we have more flexible and accountable people filling in for the cashiers. All transactional changes processed by Customer Service supervisors are approved by the Waterworks Controller. ri Page 36 Water billing transactions are not submitted to a "real time" financial system to ensure efficient recording. processing, reconciling, monitoring. and reporting of all custVgmers paymen Unfortunately, batch processing is the way our billing system works and cannot be changed without substantial cost and effort. Any risks need to be addressed by other controls. Part of those controls we believe were put into place on October 20, 2009 when t� we began reconciling collections, cash and check, to the daily deposit. Further recommendations in this finding restate those found on pages 25, 30, 32, and 33. See comments above. Page 38 Other revenue - generating activities and transactions onginatingin other DWS Divisions are not submitted to an integrated financial system to ensure efficient recording. processing, reconciling, monitoring, and reporting of all customer assessments and payments. While we agree that we do not have all our revenue processes documented on paper (we are in the process of putting process maps together with your help), that does not mean controls are not in place for the different kinds of funds collected by the department. Our primary source of funding is from our billing cycle. All other funds come from a variety of sources with intermittent frequency under the control of other divisions. Our role is to ti tr 62 DEPARTMENT OF WATER SUPPLY RESPONSE June 16. 2010 Page 4 record amo mawbenoollemed which you indicate "we appear to have adequately safeguarded and addressed." ~~ Thc dcpartrneni' s other significant source of funds is colleeted by the Engineering division and relates to water commitm nts and facilities charges. Both types of t'unding are documented by written correspondence between the division and the developers or customers regarding amounts due and received, which we believe provides assurance that -- significant funds due the department are being assessed, collected, and recorded properly. We recognize, however, that improvements can still 6c made by reconciling "triggering documentation" against "financial documentation" and will investigate incorporating uwobyru,*d000inm"hat we are doing. The recommendation to automate manual receipts in theory makes sense if we had problems with what v= are doing now. But mo have not had any problems with the manual system we have in place nor do we see any efficiencies that would be gained. We average 10 manual receipts a day between the Hilo, \Vaimea, and Kona oftices which is not enough voume tor US 10 considcr sctting up cash registers to operate and mainlain at each location, Finally, we believe our monthly bank reconciliations provide a high level of assurance that what we receive, whether receipted manually or otherwise, is recorded properly, and what was recorded, was deposited in the bank, This is the essential information a bank reconciliation provides and addresses the recommendation regarding posting of receipts and confirmation ofdeposits. Page 40 The Deparunent of Water SupPly's overall control environment is inadequate. We believe the changes we've implemented in our cash handling processing beginning October ZO.2UO9, have mitigated significant areas mfrisk. Further, we have always prepared monthly bank reconciliations which are usignificant control over collectioris and bank deposits. But wr agree improvements can still \e made au indicated by our response wpre"iou, findings. We believe what we have put in place so far, combined with what still can be � done, will provide an optimal conirol environment Chanter BInformation Technology (11') Financial Systeni UulV9V,tbe d*pxmmwmn/plaoeduno\dA3400humrdmz000ntinguysmxnrvhboo integrated financial management system that ineluded modules such as general ledger, payroll, inventory, purchasing, accounts payable, bank reconciliation, and billing. Hidden within the benefits nfthis new technology was the responsibility for maintaining a new operating system which the department was not prepared for, especially after all 3 people 63 DEPARTMENT OF WATER SUPPLY RESPONSE June \0,JOl0 Page 5 in the division's data pi section retired at more or less the same time. Two clerieni positions were subsequently fihled hut the more inlportant programmer position was not in an effort to reduce costs. System administration became the responsibility of the Waterworks Controller at that point. Over time and with the help ofoutside m� contractors. we were able to perform basic system adrninisiraiiori duties such as ereating new users, reviewing crror Jogs, and replacing damaged hard drives but documenting m� policies and procedures and password maintenance were not a pnority. In 2008, the department created an Information Systems Branch so that staff with IT backgrounds could begin managing the department's electronic resources. We have started to redistribute IT responsibiliues accordingly. �w Page 448egregadmn_of financial systems duties ioinsufficient, Agree with Legislative Auditor's finding. We have already started moving system m� administration functions for the financial system to the Inforrnation Systems Branch. Page 45 Policies and procedures relating to financial systems security, passwords, access rights. kackups, and disaster reeovery are insufticient. Agree with Legislative Auditor's finding. When the Information Systems Branch has taken over system administration for the financial systems, such policies and procedures can be address d. Page 50 Securi for the Jocal area and wide area netwurks p[oviding onneetivity to the mw IT financial and non-flnancial systems appeared sufflcient. Agree with Legistative Auditor's finding. Such policies and procedures ai-e under w~ development by the lnformaiion Systems Branch. mei Page 51 Processes to mo r..repotjand review systems activities are insufficient, Agree with Legislative Auditor's finding. The Assistant Waterworks Controller will start 11 reviewing adjustments entered by Customer Service supervisors as part of our review of daily cash paekets and deposits. The Waterworks Controtler does not process any elk transactions that are not prepared by others. Page 52 Systems integration is insufficient to provide automated systems reconciliation and combined reporting of financial lransactions. In theory, systems integration is something we agree should be pursued to the extent possible. In reality, our expertise in developing iaterfaces beiween 3 differen information tw, systems is nonexistent. There are too many complications and unknowns for us to even attempt integrating proprietary software. To our credit, we have developed procedures, manual though they may be, we feel alfows us 10 reconcile and |Q , �� 4111111IM I DEPARTMENT OF WATER SUPPLY RESPONSE 1 1 June 16, 241(1 1 Page 6 resolve discrepancies on a timely basis, despite the assumption that problems exist for us I in this area. The water comtnitment system mentioned in this finding is a very unique application residing on an old AS400 server. The data base includes information on various I developers, parcels of land, and amounts paid for water commitments. A reconciliation between the amounts recorded in this system and the general ledger is performed annually in conjunction with the department's annual audit. We have not had any problems reconciling these two systems nor does it take an unreasonable amount of time. I The Engineering division of the department is responsible for monitoring and recording water commitment activity on the AS400. All activity on the system is supported by written correspondence between the division and developers and serves to provide I assurance that amounts due the department are computed, assessed, and collected in a timely manner_ As previously mentioned, however, we recognize that improvements can still be made by reconciling "triggering documentation" against "financial documentation" and will investigate incorporating such procedures into what we are doing. I An interface between PUBS and our Select general ledger exists but is not used because of the uncertainty that surrounded its use. We were not convinced the interface could be I used without introducing risk of contamination to both data bases. Manually recording a journal entry and controlling the information between the systems was more important to us than automating the entry. Because the interface was only generating summary journal entries of billing activity, we do not feel we are losing information or time with a manual I entry. Page 54 Existing IT financial systems are inefficient for automating business processes. This finding repeats the concerns found on pages 38 (manual receipts) and 52 (system ' integration). Sce comments above. This finding goes on to say that "these manual receipts also create a financial environment where cash, check, and credit card receipts are more difficult to track and I reconcile." We do not believe this to be the case as we have been reconciling these items on a monthly basis without any problems. We contend that our monthly bank reconciliation provides a high level of confidence in "the existence and completeness of transactions and the reconciliation to all transactions made in the multiple financial I systems and recorded on various manual receipts." We recognize, however, that more assurance can bt obtained by reconciling the water commitments system to the general ledger more frequently and will investigate incorporating such procedures into what we are doing. 1 1 1 1 65 DEPARTMENT OF WATER SUPPLY RESPONSE June 16, 2010 Page 7 r We agree that a better financial management and billing system is needed. but the cost and effort involved with such a change is substantial. There are good options available for the department as listed which will continue to be explored. Conclusion We appreciate the Legislative Auditor mentioning the working conditions under which 3 we operate because it puts the findings in this report into context. Work loads do not allow us to give all issues the attention needed and so we prioritize. Priorities in the Finance division are: a) Keeping computer applications on -line and making sure people have access to the 3 applications they need (payroll, billing, accounts payable, purchasing, general ledger, cashiering, customer service, meter reading). b) Accuracy and timeliness of financial and budgetary reporting. c) Supervision and safety of employees. d) Compliance with laws. e) Minimizing cost. Still, we believe we can do better and will make an honest effort to implement the recommendations we consider applicable. We estimate the recommendation on page 25 could take up to 2 years to implement depending on what is done, while others can be • implemented more readily. Overall, this report provides an excellent opportunity for us to update and improve controls in the department. Si I erely, Milt n Pavao ■ L Ma ge OP 1 1 66