HomeMy WebLinkAbout2010-01-AU Limited Scope Performance Audit of Department of Water Supply's Internal Controls for Cash Handling and Financial IT SystemsLimited Scope Performance Audit of
the Department of Water Supply's
Internal Controls for Cash Handling
and Financial IT Systems
A Report to the
Hawaii County
Council
June 2010
THE OFFICE OF THE
LEGISLATIVE AUDITOR
COUNTY OF HAWAII
Blank page
Table of Contents
CHAPTER 1: AUDIT PLAN
Background................................................ ............................... 1
AuditScope ................................................ ............................... 1
AuditObjectives ......................................... ............................... 2
AuditMethodology ...................................... ............................... 3
Government Auditing Criteria ..................... ............................... 4
CHAPTER 2: INTERNAL CONTROL CRITIERA
COSO Internal Control — Integrated Framework ....................... 6
Government Finance Officers Association (GFOA)
Cash Receipts Policy (January 2007) .... ............................... 8
Sarbanes -Oxley (SOX) Segregation of Duties Matrix ................ 9
IT Segregation of Duties Matrix .................. ............................... 10
Control Objectives for Information and related Technology
(COBIT) Framework ............................. ............................... 11
Information System Audit and Control Association (ISACA)
SecurityPolicy ..................................... ............................... 11
Business Continuity Plans .......................... ............................... 11
CHAPTER 3: DEPARTMENT OF WATER SUPPLY
Overview.................................................... ...............................
13
Organization............................................... ...............................
14
WaterBoard ........................................ ...............................
14
Administration ..................................... ...............................
15
Finance Division ................................... ...............................
16
Operations Division ............................. ...............................
16
Engineering Division ........................... ...............................
17
Department of Water Supply Financial Statement
(June 30, 2008 & 2007) .......................... ...............................
18
Department of Water Supply Organization Charts ............. 19 to 22
CHAPTER 4: CASH HANDING SYSTEMS
Overview.................................................... ............................... 23
Department of Water Supply Finance Division .......................... 24
Five Basic Principles of Good Cash Handling ........................... 25
Findings and Recommendations . ............................... 25 to 41
CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS
Overview.................................................... ............................... 42
Department of Water Supply IT Financial Systems ................... 42
Findings and Recommendations ......... ............................... 44 to 56
CHAPTER 6: CONCLUSION
57 to 59
DEPARTMENT OF WATER SUPPLY RESPONSE ............................ 60 to 66
CHAPTER 1: AUDIT PLAN
CHAPTER 1
AUDIT PLAN
Background This limited scope performance audit was performed in
accordance with Hawaii County Charter section 3 -18 and
Generally Accepted Government Auditing Standards (GAGAS).
The Department of Water Supply was designated for review
based on a County -wide risk assessment conducted by the Office
of the Legislative Auditor in FY 2007 -2008. The Office of the
Legislative Auditor acknowledges and appreciates the cooperation
and assistance of the Manager and staff of the Department of
Water Supply during the course of this performance audit.
Audit Scope This limited scope performance audit of the County of Hawaii
Department of Water Supply examines the adequacy of current
internal controls relating to its cash handling and financial
information technology (IT) systems. The audit period covers
July 1, 2008 through February 28, 2010.
During the audit entrance conference between the Department of
Water Supply and the Legislative Auditor's Office, DWS
management informed the auditors that it had discovered a theft
of money in the Customer Service Branch of its Finance Division,
and that the employee responsible had been terminated. DWS
management also advised that it was conducting an internal
investigation to gather information for the Hawaii County Police
Department. The complaint filed by the Hawaii County
Prosecutor's Office charged that a theft had occurred on or
between July 1, 1997 through August 15, 2009, in a continuing
course of conduct. In a no contest plea, the employee agreed to
pay restitution in the amount of $78,868.40, which County officials
confirm has been reimbursed to the Department of Water Supply.
The employee was convicted of Theft in the First Degree. On the
request of DWS management, the Legislative Auditor's Office
agreed to focus performance auditing efforts on the DWS Finance
Division and, more specifically, internal controls related to its cash
handling and financial IT systems.
CHAPTER 1: AUDIT PLAN
Audit Objectives
• Assess the control environment, including management's
policies and procedures for establishment and maintenance of
an effective internal control system.
• Assess the adequacy of internal controls relating to cash
handling activities, including:
• Adequacy of written policies and procedures.
• Functional compliance with written policies and
procedures.
• Adequacy of separation of duties and reporting,
reconciliations, and reviews of cash handling activities.
• Safeguarding of cash.
• Timely receipt and deposit of cash.
• Adequacy of internal controls over cash handling activities
of satellite offices.
• Assess the adequacy of internal controls of systems and
application activities relating to the Department's financial
IT systems, including:
o Adequacy of policies and procedures for IT security,
passwords, access rights, user groups, backups, and
disaster recovery.
o Adequacy of separation of duties over IT financial systems
activities.
o Adequacy of physical security over IT computer server
rooms, workstations, and networks.
o Adequacy of systems processes to monitor and report on
IT systems activities.
o Adequacy of internal controls of networked IT systems.
2
Audit Methodology
CHAPTER 1: AUDIT PLAN
• Review departmental documentation, provided by the
Department of Water Supply and its Finance Division and
Information Systems Branch.
• Review Cash Handling and Information Technology Best
Practices, including source materials and /or interviews of
personnel from:
• U.S. Government Accountability Office (GAO).
• Government Finance Officers Association (GFOA).
• Committee of Sponsoring Organizations of the Treadway
Commission (COSO).
• Information System Audit and Control Association
(ISACA).
• IT Governance Institute (ITGI).
• Gartner Group.
• City and County of Honolulu, Department of Water Supply.
• Review State and County laws and records:
• Hawaii Revised Statutes.
• Hawaii County Charter.
• Hawaii Circuit Court of the Third Circuit.
• Interview and observation of County personnel, including
Department of Water Supply administrators and support staff,
the Waterworks Controller, Assistant Controller, District
Supervisors, Customer Service Supervisor, Customer Service
Representatives, Cashiers, Waterworks Information Systems
Manager, and County of Hawaii Treasurer and Managing
Director.
CHAPTER 1: AUDIT PLAN
Government Auditing
Criteria Government Auditing Standards (July 2007 Revision),
referred to as the "Yellow Book ", published by the United
States Government Accountability Office, by the Comptroller
General of the United States:
Government Auditinq Standards, Section 1.30,
Performance Audits: "Internal control comprises the
plans, policies, methods and procedures used to meet the
organization's mission, goals and objectives... Examples
of audit objectives related to internal control include an
assessment of the extent to which internal control provides
reasonable assurance about whether: (a) organizational
missions, goals, and objectives are achieved effectively and
efficiently; (b) resources are used in compliance with laws,
regulations, or other requirements; (c) resources, including
sensitive information accessed or stored outside the
organization's physical perimeter, are safeguarded against
unauthorized acquisition, use, or disposition; (d) management
information, such as performance measures, and public
reports are complete, accurate, and consistent to support
performance and decision making; (e) the integrity of
information from computerized systems is achieved; and (f)
contingency planning for information systems provides
essential back -up to prevent unwarranted disruption of the
activities and functions that the systems support."
Government Auditina Standards. Section 7.20. Internal
Control: "... Controls over the safeguarding of assets
and resources include policies and procedures that the
audited entity has implemented to reasonably prevent or
promptly detect unauthorized acquisition, use, or
disposition of assets and resources. "
Government Auditing Standards, Section 7.21, Internal
Control: "In performance audits, a deficiency in internal
control exists when the design or operation of a control
does not allow management or employees, in the normal
course of performing their assigned functions, to prevent,
detect, or correct (1) impairments of effectiveness or
efficiency of operations, (2) misstatements in financial or
performance information, or (3) violations of laws and
regulations, on a timely basis. A deficiency in design exists
when (a) a control necessary to meet the control objective is
missing or (b) an existing control is not properly designed so
that, even if the control operates as designed, the control
objective is not met. A deficiency in operation exists when a
properly designed control does not operate as designed, or
when the person performing the control does not possess the
D
CHAPTER 1: AUDIT PLAN
necessary authority or qualifications to perform the control
effectively."
Government Auditin_g Standards, Section 7.23,
Information Systems Controls: "... Information systems
controls consist of those internal controls that are
dependent on information systems processing and
include general controls and application controls.
Information systems general controls are the policies and
procedures that apply to all or a large segment of an entity's
information systems. General controls help ensure the proper
operation of information systems by creating the environment
for proper operation of application controls. General controls
include security management, logical and physical access,
configuration management, segregation of duties, and
contingency planning. Application controls, sometimes
referred to as business process controls, are those controls
that are incorporated directly into computer applications to
help ensure the validity, completeness, accuracy, and
confidentiality of transactions and data during application
processing. Application controls include controls over input,
processing, output, master data, application interfaces, and
data management system interfaces."
CHAPTER 2: INTERNAL CONTROL CRITIERIA
CHAPTER 2
INTERNAL CONTROL CRITERIA
COSO Internal Control —
Integrated
Framework The Committee of Sponsoring Organizations of the Treadway
Commission (COSO) is a volunteer private- sector organization
comprised of several professional associations, including the
American Accounting Association; American Institute of Certified
Public Accountants (AICPA); Financial Executives International
(FEI); Institute of Management Accountants (IMA); and Institute of
Internal Auditors (IIA). Its mission is to guide executive
management and governance entities in the establishment of
more effective, efficient, and ethical business operations on a
global basis. It sponsors and disseminates frameworks and
guidance based on in -depth research, analysis, and best
practices.
The COSO Internal Control — Integrated Framework provides that
internal control consists of five interrelated components, which are
derived from the way management runs a business and are
integrated with the management process:
Component No. 1: Control Environment — The control
environment sets the tone of an organization and is the
foundation for all other components of internal control,
providing discipline and structure. Control environment factors
include the integrity, ethical values and competence of the
organization's people; management's philosophy and
operating style; the way management assigns authority and
responsibility and organizes and develops its people; and the
attention and direction provided by its board of directors.
Component No. 2: Risk Assessment — Every entity faces a
variety of risks from external and internal sources that must be
assessed. A precondition to risk assessment is the
establishment of organizational objectives that are linked at
different levels and are internally consistent. Risk assessment
is the identification and analysis of relevant risks to the
achievement of management objectives, forming a basis for
determining how risks should be managed.
Component No. 3: Control Activities — Control activities are
the policies and procedures that help ensure management's
directives are carried out. They help ensure that necessary
actions are taken to address risks to the achievement of
0
CHAPTER 2: INTERNAL CONTROL CRITERIA
organizational objectives. Control activities occur throughout
the organization at all levels and in all functions. They include
a range of activities as diverse as approvals; authorizations;
verifications; reconciliations; reviews of operating
performance; security of assets; and segregation of duties.
Component No. 4: Information and Communication —
Pertinent information must be identified, captured, and
communicated in a form and timeframe that enable employees
to carry out their responsibilities in an effective and efficient
manner. Information systems produce reports containing
operational, financial, and compliance - related information that
help management run and control the organization. Effective
communication must also occur in a broader sense by flowing
down, across, and up the organization. All personnel must
receive a clear message from management that control
responsibilities must be taken seriously. They must
understand their own role in the internal control system, as
well as how their individual activities relate to the work of
others in the organization.
Component No. 5: Monitoring — Internal control systems
need to be monitored — a process that assesses the quality of
system performance over time. This is accomplished through
ongoing monitoring activities, separate evaluations, or a
combination of the two. Ongoing monitoring occurs during the
course of operations, and includes regular management and
supervisory activities as well as other employee activities. The
scope and frequency of separate evaluations will depend
primarily on an assessment of risks and the effectiveness of
ongoing monitoring procedures. Internal control deficiencies
should be reported upstream, with serious matters reported to
top management and governmental leaders.
Source: http:// www. coso. org/ IC- IntegratedFramework- summary.htm
7
CHAPTER 2: INTERNAL CONTROL CRITIERIA
Government Finance Officers Association
(GFOA)
Cash Receipts Policy
(January 2007)
0
"Background... As part of performing government services,
management must provide for appropriate mechanisms,
automated and manual, to collect all funds for services performed
and ensure the proper controls exist over all receipts."
"Recommendation... Internal controls: All aspects of cash
receipts shall be subject to proper internal controls with standard
controls documented and followed by revenue generating
departments:
• Segregation of duties — authorization, recording, custodian
functions, and reconciliation.
• Daily processing — daily cash /collection total reconciled to
subsequent deposit.
• Timely depositing of funds received ...
• Reconciliation to the general ledger and other supporting
accounting ledgers shall be performed in a timely manner.
• Physical security procedures during work hours and non-
working hours for all funds received and change drawers
maintained.
• Automated system resources should be utilized where
practical to provide better processing and reconciliation
support as well as providing a more efficient and effective
manner to manage receipts...
• Upon any suspicion of fraud, the department supervisor would
timely notify the appropriate personnel (e.g., internal audit, law
enforcement) for further investigation.
• If there is any suspicion regarding non - compliance of internal
directives, the departmental supervisor will notify the
appropriate personnel (e.g., internal audit) for further review."
Sarbanes -Oxley
(SOX)
Segregation of Duties
Matrix
CHAPTER 2: INTERNAL CONTROL CRITERIA
"Recommendation... Depositing of Funds for Services:
Remote cash and cheque collection points should be
established where appropriate customer service benefits are
evident. Documented internal controls need to be established
with such collection points. The ultimate remittance or deposit
of such collection receipts should be documented and
systematically performed by the applicable officials..."
"A fundamental element of internal control is the segregation of
certain key duties. The basic idea underlying segregation of duties
is that no employee or group should be in a position both to
perpetrate and to conceal errors or fraud in the normal course of
their duties. In general, the principal incompatible duties to be
segregated include:
• Custody of assets.
• Authorization or approval of related transactions affecting
those assets.
• Recording or reporting of related transactions.
• Execution of the transaction or transaction activity."
"Separation of Duties for Access Control Enforcement in Workflow
Environments ", R.A. Botha and J.H.P. Eloff, IBM Systems Journal,
Volume 40, Issue 3, March 2001
"Separation of duty, as a security principle, has as its primary
objective the prevention of fraud and errors. This objective is
achieved by disseminating the tasks and associated privileges for
a specific business process among multiple users. This principle is
demonstrated in the traditional example of separation of duty
found in the requirement of two signatures on a check."
9
CHAPTER 2: INTERNAL CONTROL CRITIERIA
IT SEGREGATION OF DUTIES MATRIX
Note: Cells marked with an "X" indicate roles and tasks that are incompatible with each other,
and where segregation of duties is advised.
Source: ISACA's Common Ground on Segregation of Duties in Application Management, by
Richard Savage, Volume 4, 2007.
10
CHAPTER 2: INTERNAL CONTROL CRITERIA
Control Objectives for Information
and Related Technology
(COBIT)
Framework The COBIT Framework, published by the IT Governance Institute
(ITGI), states: "It is management's responsibility to safeguard all
the assets of the enterprise. To discharge this responsibility as
well as to achieve its expectations, management must establish
an adequate system of internal control."
Information System Audit and
Control Association
(ISACA)
Security Policy "Creating and Enforcing an Effective Information Security Policy"
Information Systems Control Journal, Volume 6, 2005
"The main goal of a corporate security policy is to protect data by
defining procedures, guidelines and practices for configuring and
managing security in the corporate environment. It is imperative
that the policy defines the organization's philosophy and
requirements for securing information assets. It is also important
that the policy outlines how it will apply to corporate employees,
processes and environments. Consequences for failed
compliance must also be addressed."
Business Continuity
Plans "IS Auditing Guideline
from IT Perspective"
Association (ISACA)
Business Continuity Plan (BCP) Review
Information System Audit and Control
"Business continuity planning refers to the process of developing
advance arrangements and procedures that enable an
organization to respond to an interruption in such a manner that
critical business functions continue with planned levels of
interruption or essential change. In simpler terms, BCP is the act
of proactively strategizing a method to prevent, if possible, and
manage the consequences of a disaster, limiting the
consequences to the extent that a business can absorb the
impact..."
"In today's interconnected economy, organizations are more
vulnerable than ever to the possibility of technical difficulties
disrupting business. Any disaster, from floods or fire to viruses
and cyber- terrorism, can affect the availability, integrity and
confidentiality of information that is critical to business..."
11
CHAPTER 2: INTERNAL CONTROL CRITIERIA
"Auditing Business Continuity," Information Systems Control
Journal, Volume 1, 2005 Information System Audit and Control
Association (ISA CA)
"Every organization should have a business continuity plan that
seeks to ensure that its information systems are available and
running at all times to support and enable the business to function
and grow. In spite of all precautions and preventive controls,
disasters can occur. Some disasters cannot be controlled and /or
prevented. In such cases, the business continuity plan should also
enable recovery of information systems within an acceptable time
frame to avoid any serious damage to the business."
12
CHAPTER 3: DEPARTMENT OF WATER SUPPLY
CHAPTER 3
DEPARTMENT OF WATER SUPPLY
OVERVIEW The following departmental overview is posted on the Department
of Water Supply website - http: / /www.hawaiidws.org /:
"The Department of Water Supply is a semi - autonomous agency
of the County of Hawaii [,f] which operates by rules and
regulations as adopted by the Water Board. As a semi-
autonomous agency, the Department operates and maintains its
water systems with revenues generated wholly through water
sales. The primary function of the Department is to provide safe
domestic water service through its 24 water systems and 67
sources scattered throughout the island. The individual water
systems are not interconnected except in the more densely
populated districts of South Hilo and Kona.
The Department continually strives to provide dependable, high
quality, potable water at a reasonable cost. With the enactment of
the Safe Drinking Water Act, certain standards were set for all
water purveyors. The Department has also concentrated efforts
and directed resources towards providing uninterrupted water
service. "
Hawaii Revised Statutes (HRS) chapter 54, Water Systems, Part
III, Hawaii County Board of Water Supply, section 54 -63, Rates,
provides: "The board of water supply may fix and adjust rates and
charges for the furnishing of water and for water services so that
the revenues derived therefrom shall be sufficient to make the
waterworks and water systems self - supporting and to meet all
expenditures authorized by this part..."
HRS section 54 -58, Accounts, revenues, and expenditures,
provides: "... All revenues or moneys derived from the
waterworks or otherwise appropriated for the board, other than
funds derived from the sale of bonds, and excepting moneys
appropriated by Act 5 of the Special Session Laws of 1950 for the
construction of a water system for the districts of North and South
Kona, shall be paid into the treasury of the county and maintained
by the treasurer in a waterworks fund. The funds shall be
expended for the following purposes: (1) For payment of interest
and sinking fund on all bonds issued for the acquisition or
construction of waterworks and extensions thereto; (2) For the
payment of the operating and maintenance expenses of the
waterworks, repairs, replacements, additions, and extensions;
13
CHAPTER 3: DEPARTMENT OF WATER SUPPLY
(3) For accident reserve, pension charges, and compensation and
insurance; (4) For purchase or development of new sources of
water; and (5) For a reserve fund."
Hawaii County Charter section 8 -4, Water Fund, provides: "There
shall be established a separate water fund which shall be utilized
solely for water purposes. State and Federal water grants or
appropriations and revenues from operation of the water system
shall be included in the water fund."
Hawaii County Charter section 8 -5, Administrative Supervision,
provides: "The department of water supply shall come under the
general supervision and control of the mayor, through the
managing director."
The Managing Director confirmed that the Department of Water
Supply's operational budget is "fully self - supporting ", and that no
General Fund monies (including real property tax revenues) are
directly transferred to DWS for DWS operations.
[See attached. KPMG Financial Statements - June 30, 2008 and 2007]
ORGANIZATION [Summarized from DWS website - http: 11www.hawaiidws.orp/1
[Underscored are DWS units which are the subject of this audit.I
WATER BOARD As provided in Hawaii County Charter article VIII, the members of
the Water Board are appointed by the Mayor and approved by the
County Council, with membership of the Water Board
representative of each of the nine County Council districts. The
DWS Manager, the Director of Public Works, and the Planning
Director of the County of Hawaii serve on the Water Board as ex-
officio members without the power to vote. The Water Board is
responsible for the appointment of the Manager of the
Department, who in turn appoints a Deputy with the confirmation
of the Water Board. The Water Board shall: (a) manage, control
and operate the waterworks of the County and all property thereof;
(b) adopt rules and regulations which shall have the force and
effect of law relating to the management, control, operation,
preservation and protection of the waterworks of the County; (c)
adopt an annual operating and capital budget for the Department,
subject to the hearing and advertising provisions of County
Charter section 10 -4; (d) have the power to acquire by eminent
domain, purchase, lease or otherwise, and to sell, lease, or
otherwise convey real property in the name of the Water Board;
(e) have the authority to issue revenue bonds under the name of
the Water Board; and (f) have such other powers and duties as
may be provided by law.
14
CHAPTER 3: DEPARTMENT OF WATER SUPPLY
ADMINISTRATION Overall and daily administration of the Department is under the
direction of the Manager and Deputy Manager, who are
responsible for the discharge of the rules and regulations and
policies as adopted by the Water Board and the provisions of the
County Charter. The Manager and Deputy Manager report directly
to the Water Board and also serve as advisors. They provide
direction to the Department's three major divisions — Finance,
Operations, and Engineering — through their respective Division
Heads. The Administration Division is comprised of the Manager,
Deputy Manager, Administrative Services Branch, Contract
Services Branch, Public Relations Branch, Human Resources
Branch, and Information Systems Branch.
Administrative Services
Branch Serves as the secretary to the Water Board of the County of
Hawai'i; and provides administrative and secretarial services,
supervision of Manager's office personnel, and other support to
the Manager. Administrative Services also provides secretarial
and clerical services and support to the Deputy Manager and the
three Division Heads and their staff.
Contracts Services Branch Serves as custodian of contracts; coordinates and processes
contracts for construction, professional services, material, and
equipment; and provides related support to the three Divisions.
Public Relations Branch Plans, develops, and conducts a comprehensive public
information program that includes a variety of informational,
educational, and interpretive activities for the Department;
maintains working relationships with members of the media,
community groups, and other individuals in the public and private
sectors; and performs other related duties as required.
Human Resources Branch Serves as custodian of records and personnel transactions;
reviews and processes personnel actions; reviews and processes
workers' compensation claims; drafts policies and procedures
regarding personnel matters; and provides support to the
Department's Safety Committee.
Information Systems Branch Maintains and operates the Department's Wide Area Network
(WAN) including all equipment attached to the Local Area Network
(LAN); develops, maintains, and operates the Department's
Geographic Information System and keeps its data updated; and
provides information systems support to the entire Department.
[See attached: Position Organization Chart]
15
CHAPTER 3: DEPARTMENT OF WATER SUPPLY
FINANCE DIVISION Is directed by the Finance Division Head - Waterworks Controller,
and provides three primary financial functions for the Department
— Customer Service, Management Accounting, and Computer
Service (or Support Services). [See attached: Organization Chart]
Customer Service
Branch Conducts the Department's billing operations and their related
functions, including customer sign -up; meter reading; collection
and accounting for cash; preaudit of consumer accounts;
maintaining and updating consumer records (water sales);
maintaining accounts receivable records and processing billings
(work orders); preparing revenue estimates; handling customer
service complaints; and performing credit investigations and follow
up on delinquent accounts. [See attached: Position Organization
Chart]
Manaaement Accountin
Branch Maintains the general books of the water utility in accordance with
the Uniform System of Accounts for Class A and B Water Utilities,
as recommended by the National Association of Railroad and
Utilities Commissioners, and with applicable laws, rules, and
regulations; prepares monthly and annual financial statistical
reports on a timely basis; maintains fiscal control of storeroom and
storage yards; prepares payrolls and related reports; develops
and accumulates cost data; processes requisitions for purchase of
materials and supplies; prepares contract documents for and
procures all waterworks materials and equipment by formal
contracts; preaudits and processes invoices for payments;
prepares disbursement vouchers for all expenditures; and
reviews, revises, and implements changes in management
information system. [See attached: Position Organization Chart]
SUDDOrt Services or
Comauter Service
Branch Maintains and operates all data processing equipment in serving
the functions of various other operating units in the Department;
provides technical assistance in evaluating accounting systems for
the purpose of converting from a manual operation to an
automated computer system; and plans and coordinates the
installation of the Department's financial information processing
system. [See attached: Position Organization Chart]
OPERATIONS DIVISION Is directed by the Operations Division Head -Chief of Operations,
and is divided into three sections — Field Operations, Plant
Operations, and Maintenance. It provides safe potable water to
consumers 24 hours a day, including operations and maintenance
of the water distribution systems, transmission mains, sources,
reservoirs, pumps, treatment plants, communication and controls;
and coordinates work with the Engineering and Finance Divisions.
16
CHAPTER 3: DEPARTMENT OF WATER SUPPLY
Field Operations Section Maintains and repairs water service meters; mains; service
laterals; pipelines and appurtenances; fire hydrants; intakes and
springs; road and reservoir sites; and provides some customer
service.
Plant Operations Section Installs, maintains, and operates pump stations; treatment and
chlorination plants; electrical, electronics and mechanical
equipment; hydraulic and electrical controls of pumps;
telemetering; reservoirs and pipelines. It also operates and
maintains Supervisory Control and Data Acquisition (SCADA)
systems and the Department's two -way radio communication
system and appurtenances.
Maintenance Section Investigates, inspects, maintains, and repairs reservoirs; building
structures; facilities; and some mechanical and electrical shop
equipment such as fire extinguishers; and supports fire hydrant
repairs.
ENGINEERING DIVISION Is directed by the Engineering Division Head -Civil Engineer VII,
and is comprised of five Branches that support the entire
Department — Engineering; Water Resources and Planning; Land;
Water Quality and Assurance; and Support.
Engineering Branch Determines whether water systems turned over to the Department
comply with Department requirements and standards. It executes
the design and construction of water system projects in
accordance with the Department's Standards and Priority Program
for current water projects; conducts continual review of water
systems; and provides solutions to water system problems.
Water Resources and
Planning Branch Establishes and maintains programs to assure that present and
future water needs will be satisfied. It assures that water systems
are brought up to current standards for pressure, volume, fire
protection, and quality.
Land Branch Supports the Water Resources and Planning Branch and the
Engineering Branch where field survey and land acquisition are
involved; and maintains records of the Department's real property.
Water Quality Assurance
and Control Branch Develops and implements programs to comply with the federal
Safe Drinking Water Act, including direction and coordination of
several functions involving the microbiological laboratory,
chemical laboratory, and environmental programs.
Support Branch Supports and aids all sections based on priorities established by
the Engineering Division Head.
17
CHAPTER 3: DEPARTMENT OF WATER SUPPLY
DFPARTMFNT OF WATER SUPPLY
COUNTY OF HAWAVI
(A Component Unit ofthe Country of Hawaii. State of Hawaii)
Management's Discussion and Analysis
June 30, 2008 and 2007
Condensed Pinancial Information
The following are summaries from the Department's financial statements as of and for the years ended June 30,
2008, 2007, and 2006:
Assets:
Capital assets, net
Other assets
Total assets
Liabilities:
Long -term debt
Customers' deposits payable from
restricted assets
Other liabilities
Total liabilities
Net assets:
Invested in capital assets, net of related debt
Unrestricted
Total net assets
Changes in net assets:
Operating revenues — water sales
Total operating cxpcnses
Operating loss
Total nonoperating revenues
fatal nonoperating expenses
Change in net assets
Net assets at beginning of year
Net assets at end of year
2008
2007
2006
$ 204,980,889
198,146,445
196,418,116
79,738,743
81,435,224
74,344,720
284 „719,632
279,581.669
270,762,836
41,247,094
42.308,135
41,549,919
19,739,823
16,207,996
14,403,033
8,607,005
7,460,133
7,343,872
69,593,922
65,976,264
63,296,824
186,215,025
179,984,628
1 80,181,457
28,910.685
33,620,777
27,284,555
$ 215.125.710
213,605.405
207,466,012
$ 37,724,830
37,642,805
33,291,676
42,966,607
38,251,318
37.534,821
(5,241;777)
(608,513)
(4,241,145)
8,896,067
8,965,423
8,760,782
(2,1 33,985)
(2,217,517)
(1.669,152)
1,520,305
6,139,393
2,848,485
213,605,405
207,466,012
204,617,527
5 215,125,710
213,605,405
207,466,012
Source: KPMG Department of Water Supply County of Hawaii (A Component Unit of the County of
Hawaii. State of Hawaii) Financial Statements June 30, 2008 and 2007 (With Independent Auditors'
Report Thereon) dated February 13, 2009
IN
rn
S -00875
Assisiantva #otks'
Controller,
EW3
WS -61478
UiATTACrEMENT
CUSTOMER SIMRVICE
ACCO N I G
SUPPORT,
BRANCH
BRANCH
SERVICES
BRANCH
(CHART 1V -A)
(CHART IV-B)
Meter Reading
Collections rind
Purchasing and
Pa }Toll and Cast
Accountant 111,
Billing Support
Section
Delmquent
Budgetary Control
Distribution
SR22
Section
Accounts Section
Section
Section
WS -04349
Computer
Customer
Auxiliary Support
Operator I, Ski
Accounting and
services Section
kTS t3Q8$?
Records Section
Data Processing
Control Clerk 1, SR12
WS -00829
WS-04210
Data Entry
lip rator> SR08
WS�0203i
0630/2009
-14-
COUNTY OF HAWAII
DEPARTMENT OF WATER SUPPLY
FINANCE DIVISION
CUSTOMER SERVICE BRANCH
POSITION ORGANIZATION CHART
CUSTOMER SERVICE
BRANCH
*Customer Service
Supervisor, SRI
WS -01049
Assistant Customer Service
Supervisor, SR16
WS -02483
METER READING COLLECTIONS AND
SECTION DELINQUENT ACCOUNTS
SECTION
Meter Reader II, SRI 2
Credit and Collection Clerk, SR13
WS-01041
WS-04268
WS -02283 TAN
Cashier 11, SR12
Meter Reader 1. SRIO
WS -03099
WS -01042
WS -02282
Cashier 1, SRI
WS-00878
*Provides technical supervision to Operations Personnel
within the Customer and Clerical Service Sections in
Districts II and III
M
W O6 > 3W2009 -1 c-
W
H
a
a
x
U
CUSTOMER ACCOUNTING
AND RECORDS SECTION
Customer Service
Representative I1, SR13
WS-00883
Customer Service
Representative I, SRI
WS -00880
WS -00893
WS-02756
CHART IV-A
AUXILIARY SUPPORT
SERVICES
SECTION
Clerk - :deter Reader. SRI
WS -02087
WS-02901
O
N
M
w
H
a
Q
U
0630`2009
COUNTY OF HAWAII
DEPARTMENT OF WATER SUPPLY
FINANCE DIVISION
MANAGEMENT .ACCOUNTING BRANCH
POSITION ORGANIZATION CHART
MANAGEMENT
ACCOUNTING BRANCH
Accountant IV,_ SR24
WS -02420
Accountant II. SR20
WS -00877
PURCHASING AND
BUDGETARY CONTROL
SECTION
Waterworks Purchasing
Agent, SR22
WS-01469
Buyer - Purchasing
Clerk, SR14
WS-00892
Account Clerk, SRI I
WS-04185
-16-
PAYROLL AND COST
DISTRIBUTION
SECTION
Senior Account Clerk, SRI
WS -00881
Account Clerk_ SRI 1
WS -02I04
CHART IV-R
N
COUNTY OF HAWAII
DEPARTMENT OF WATER SUPPLY
ADMINISTRATION DIVISION
HUMAN, RESOURCES BRANCH
INFORMATION SYSTEMS BRANCH
POSITION ORGANIZATION CHART
HUMAN RESOURCES
BRANCH
Human Resources
:Manager I, EM -01
WS-03190
Human Resources
Technician I, SRI
WS -04516
Human Resources
Assistant, SR13
WS -04149
Student
Helper If
520017
520018
520019
S20020
520021
520022
520023
S20024
520025
520026
520027
520028
Student
Helper I
510034
SI0015
510016
06/30 %2009
INFORMATION
SYSTEMS BRANCH
Waterworks Information Systems
Manager, EM03
WS -04792
GEOGRAPHIC INFORMATION
SYSTEMS (GIS) SERVICES
SECTION
GIS Analyst III, SP-24
WS -04141
GIS Analyst II, SR22
WS -04130
GIS Analyst I, SR-20
WS -04129
Cartographic Drafting
Technician III, SR17
WS-04128
I
Cartographic Drafting j
Technician II, SRI 5
WS -04126
I
WS-04127
_6_
CHART I1 -B
INFORMATION TECHNOLOGY
SUPPORT SECTION
Information Systems
Analyst V, SR 24
WS-02124
Information Systems Support
Technician III, SR17
WS-04795
Information Systems Support
Technician 11, SRI5
WS-04'794
Information Systems Support
Technician 1, SR13
WS- 04-93
N
N
CHAPTER 4: CASH HANDLING SYSTEMS
CHAPTER 4
CASH HANDLING SYSTEMS
OVERVIEW An internal controls review related to cash handling assesses the
adequacy and effectiveness of cash handling controls to support
achievement of management's objectives, such as safeguarding
or protecting cash from misappropriation, theft, and fraud, while at
the same time, providing public services and programs in an
effective and efficient manner. Therefore, it is important for
management to clearly define its objectives relating to "cash"
(currency, coin, checks, and credit card payments); identify any
risks relating to achievement of its objectives; and implement
relevant, cost - effective controls to reduce risks to an acceptable
level and provide the greatest degree of assurance that
management objectives will be met. Of all governmental assets,
cash is the most vulnerable to mishandling, misappropriation, and
theft; and therefore, safeguarding of cash should be one of
management's foremost objectives.
In response to our request for documentation of departmental
controls, policies, and procedures relating to cash handling, DWS
management provided various copies of operational procedures
and related written communications transmitting said procedures
dated from June 29, 1999 through January 14, 2010. In 1999, the
Finance Division revised its cash handling procedures in response
to repeated cash overages and shortages; but DWS management
did not fully enforce revised control procedures or recognize the
significance of its risk exposure. During our entrance conference
on September 30, 2009, DWS management informed the auditors
that it had recently discovered a theft of money by one of its
Cashiers. The complaint filed by the Hawaii County Prosecutor's
Office charged that a theft had occurred on or between July 1,
1997 through August 15, 2009, in a continuing course of conduct.
In a no contest plea, the employee agreed to pay restitution in the
amount of $78,868.40, which County officials confirm has been
reimbursed to DWS. In response to discovery of the theft, the
Finance Division and its Management Accounting Branch
developed further revised cashiering procedures dated
January 14, 2010. However, DWS management has still not fully
implemented revised procedures — including segregation of duties
and independent recordation of customer mail -in payments —
citing lack of adequate personnel to implement improved controls.
Management establishes the control environment of an
organization, sets its ethical tone, and provides discipline and
structure in the organization through its development and
implementation of policies and procedures that set forth
23
CHAPTER 4: CASH HANDLING SYSTEMS
operational requirements and ethical expectations. Effective
communication of clearly defined policies and procedures by
management enables members of the organization to understand
their role in the organization's internal control system. Continuous
monitoring of its internal control system further ensures that
policies and procedures and control mechanisms remain relevant
and effective in managing risk and supporting management
objectives.
The Department of Water Supply Finance Division
The DWS Finance Division consists of a Waterworks Controller
and an Assistant Waterworks Controller, who provide oversight
over three branches: Customer Service, Management Accounting,
and Support Services (or Computer Service). The primary focus
of the cash handling portion of this performance audit is on the
Customer Service Branch. [See Chapter 3 Attachments: DWS
Finance Division Organization Chart and Customer Service Branch
Position Organization Chart.]
Cash collection occurs in the Hilo office and the Waimea and
Kona District offices. At the Hilo office, Cashiers I and II handle all
transactions relating to walk -in and mail -in cash and check
payments, with the Customer Service Supervisor and the
Assistant Customer Service Supervisor only assisting with
processing of payments when short- staffed. At the Hilo office, all
mail -in payments are received by the Administrative Services
Branch Receptionist, who sorts regular mail from water bill
payments and forwards water bill payments to the Cashiers for
processing. Mail -in payments received at the Waimea and Kona
District offices are forwarded through a bonded courier service to
the Hilo office for processing. At the Waimea and Kona District
offices, Customer Services Representatives I and 11 perform
cashiering duties for walk -in payments in addition to customer
service duties (such as processing applications for new water
meter sign -up, researching customer complaints, and handling
water leakage reports). The Waimea District office is staffed with
two Customer Service Representatives, and a Clerk Meter Reader
who serves as an alternate cashier. The Kona District office is
staffed with three Customer Service Representatives, and a Clerk
Meter Reader who serves as an alternate cashier.
24
CHAPTER 4: CASH HANDLING SYSTEMS
FIVE BASIC PRINCIPLES OF GOOD CASH HANDLING
• SEGREGATION OF DUTIES
• SECURITY
• RECONCILIATION
• MANAGEMENT REVIEW
• DOCUMENTATION
FINDING Segregation of duties between opening and posting of
mail -in payments is inadequate.
Water bill payments are processed by the Customer Service
Branch of the Finance Division. Currently, only the Hilo office
processes mail -in payments, with the Waimea and Kona District
offices forwarding their mail -in payments through a bonded courier
service to the Hilo office for processing. In the Hilo office,
incoming water bill payments received from the post office or from
the Waimea and Kona District offices through a bonded courier
service are forwarded unopened from the Administrative Services
Branch Receptionist to the Customer Service Branch Cashiers.
Cashier I opens half of the mail payments, and Cashier II opens
the other half. Any checks received are reviewed for accuracy and
completeness, and the Cashiers independently process and post
payments to customer accounts when not serving walk -in
customers at the Customer Service payment window. According
to the Assistant Controller, the Hilo office processes on average
approximately 132 walk -in transactions per day and approximately
750 total walk -in and mail -in transactions per day. The Hilo office
averages from $1,383 to $6,300 in cash deposits and $56,000 to
$373,000 in check deposits per day, while the Waimea and Kona
District offices average from $3,000 to $5,800 in combined cash
and check deposits per day.
DWS procedures dated October 20, 2009, DINS Checks and
Cash Receipts Control — Recommendations for Change, included
a proposed control for segregating cash handling duties related to
mail -in payments in the Hilo office. The procedure proposed that
the Receptionist assume responsibility for opening all mail -in
payments and logging customer account numbers, forms of
payment (cash, check, or credit card), and payment amounts
before forwarding payments to the Cashiers for processing in the
Department's Public Utility Billing System (PUBS) and inclusion in
the daily deposit. However, DWS management stated that
implementation of this control procedure has been indefinitely
postponed due to demands on the Receptionist's current
workload. While management has properly identified an existing
risk to mail -in payments and proposed a preventive control, it has
not implemented the necessary segregation of cash handling
25
CHAPTER 4: CASH HANDLING SYSTEMS
duties and independent reconciliation of customer payments to
decrease the risks of misappropriation or fraud.
RECOMMENDATION DWS management needs to analyze its current processes and
implement sufficient control procedures to ensure that mail -in
payments are posted, deposited, and reconciled in a timely
manner. This process analysis could include a reevaluation of
preventive and detective controls discussed in its revised
procedures dated October 20, 2009, DWS Checks and Cash
Receipts Control — Recommendations for Change, which included
purchasing of a lock box service and scanning of all incoming mail
envelopes. Upon determination of the most cost - effective control
procedure or combination of control procedures, the Finance
Division needs to promptly implement them to ensure greater
accountability and security of customer monies.
Criteria: Internal Control Criteria — COSO Component No. 2:
"Risk Assessment — Every entity faces a variety of risks from
external and internal sources that must be assessed... Risk
assessment is the identification and analysis of relevant risks to
the achievement of management objectives, forming a basis for
determining how risks should be managed."
Criteria: Internal Control Criteria — GFOA Cash Receipts Policy:
"Internal controls: All aspects of cash receipts shall be subject to
proper internal controls with standard controls documented and
followed by revenue generating departments:
• Segregation of duties — authorization, recording, custodian
functions, and reconciliation.
• Daily processing — daily cash /collection total reconciled to
subsequent deposit.
• Timely depositing of funds received ...
• Reconciliation to the general ledger and other supporting
accounting ledgers shall be performed in a timely manner."
26
CHAPTER 4: CASH HANDLING SYSTEMS
FINDING Oversight and monitoring of the mail -in payment
Process by Finance Division managers is inadequate.
DWS procedures dated June 29, 1999, Cashier Procedures,
included detailed procedures for proper accounting and
verification of the cash deposit process, but none included any
responsibilities for oversight or reconciliation of the mail -in
payment process by Finance Division managers. According to the
Assistant Controller, there are roughly 620 daily mail -in payments
(750 total mail -in and walk -in, less 132 walk -in payments) received
in the Hilo office, averaging from $1,383 to $6,300 in cash
deposits and $56,000 to $373,000 in check deposits per day, of
which the majority are water bill payments. However, after mail -in
payments are processed, Finance Division managers do not verify
or reconcile the actual number and amount of payments received
against the actual number and amount of payments posted by
Cashiers.
Following issuance of its revised procedures dated October 20,
2009, DWS Checks and Cash Receipts Control —
Recommendations for Change, the Finance Division and its
Management Accounting Branch have implemented certain
oversight and monitoring procedures. The Assistant Controller
now performs a daily review and reconciles the Cash Receipts
Journal report generated by the Public Utility Billing System
(PUBS) for each Cashier to the daily deposit slips. The Assistant
Controller also maintains a spreadsheet to track all cash, checks,
credit cards, and other manual receipts submitted for deposit in
the daily cash packet by each Cashier. However, these control
procedures still fail to address reconciliation of the actual number
and amount of mail -in payments received at their first point of
receipt in the Customer Service Branch to the actual number and
amount of mail -in payments posted to customer accounts by each
Cashier.
DWS management has failed to require that sufficient
independent data be collected and reported to permit efficient
monitoring and review of the mail -in payment process. Without
proper oversight, there is no assurance that mail -in payments are
accurately and completely accounted for in a timely manner after
receipt. Management's failure to implement necessary control
procedures has created a weak control environment and elevated
the risk of customer monies being mishandled or misappropriated.
27
CHAPTER 4: CASH HANDLING SYSTEMS
RECOMMENDATION When a risk is identified, management should promptly evaluate
potential financial and operational impacts, and if warranted,
assess possible control processes and procedures to sufficiently
reduce risk to an acceptable level as well as assess the costs of
implementing preventive and detective controls. In determining
whether control costs outweigh identified risks, management
should consider all — not just financial - risks and impacts. If it fails
to implement at least basic controls to address areas of identified
risk, management may communicate to employees that it is not
concerned with achieving objectives or safeguarding assets.
With respect to the mail -in customer payment process, DWS
management needs to review and evaluate all current processes
to ensure adherence of actual operations to written policies and
procedures; evaluate whether current written policies and
procedures are effective and efficient; identify any unaddressed
operational and financial risks; and determine what controls are
necessary to provide sufficient monitoring and oversight. This
monitoring and oversight function should be performed by
personnel who do not have access or authority to receive or post
mail -in payments to customer accounts or prepare bank deposits.
Criteria. Audit Plan — Government Auditing Standards.
Controls over the safeguarding of assets and resources
include policies and procedures that the audited entity has
implemented to reasonably prevent or promptly detect
unauthorized acquisition, use, or disposition of assets and
resources. "
Criteria. Internal Control Criteria — GFOA Cash Receipts Policy:
"Internal controls: All aspects of cash receipts shall be subject to
proper internal controls with standard controls documented and
followed by revenue generating departments:...
Recommendation... Depositing of Funds for Services:
o Remote cash and cheque collection points should be
established where appropriate customer service benefits are
evident. Documented internal controls need to be established
with such collection points. The ultimate remittance or deposit
of such collection receipts should be documented and
systematically performed by the applicable officials..."
W
CHAPTER 4: CASH HANDLING SYSTEMS
FINDING Physical security over mail -in checks during the
Payment posting process is inadequate.
Due to the daily volume of mail -in check payments received in the
Hilo Office from the post office or from the Waimea and Kona
District offices through a bonded courier service, mail -in checks
are divided equally between the two Hilo Cashiers, who sort and
post the checks at their desks. Normally, only one Cashier sorts
and posts checks at a given time, while the other Cashier tends
the customer service payment window. Each Cashier is assigned
a separate plastic container that is large and wide enough to hold
all checks assigned to the Cashier. However, the plastic
containers cannot be locked and are left unattended.
It should be noted that DWS management has implemented
recognized control practices of timely depositing of cash on a daily
basis and any undeposited "cash" is properly safeguarded during
"non- working" hours as it is placed in secured safes for which
access controls are in place for the Hilo office and Waimea and
Kona District offices. However, current physical security over
mail -in customer payments in process during "working hours" is
inadequate. Checks should be treated as cash since they are
negotiable items, and should be kept in a secured and locked
location to prevent inadvertent or intentional mishandling or
misappropriation. As stated earlier, the Assistant Controller
reported that the Hilo office averages from $56,000 to $373,000 in
check deposits per day, and failure to adequately safeguard
customer payments will continue to expose the Department to
risks of misappropriation or fraud.
RECOMMENDATION It is the responsibility of DWS management to assess current risks
to customer monies; analyze its current cash handling processes;
and implement adequate control processes to ensure the physical
security of customer cash and other negotiable instruments at all
times. In addition to establishing a proper control environment
and implementing adequate policies and procedures,
management needs to continually monitor control processes to
ensure that they remain relevant and effective in safeguarding
cash assets.
Criteria: Internal Control Criteria — GFOA Cash Receipts Policy:
"Internal controls: All aspects of cash receipts shall be subject to
proper internal controls with standard controls documented and
followed by revenue generating departments:...
o Physical security procedures during work hours and non-
working hours for all funds received and change drawers
maintained. "
29
CHAPTER 4: CASH HANDLING SYSTEMS
Criteria: Internal Control Criteria — COSO Component No. 5:
"Monitoring — Internal control systems need to be monitored — a
process that assesses the quality of system performance over
time. This is accomplished through ongoing monitoring activities,
separate evaluations, or a combination of the two. Ongoing
monitoring occurs during the course of operations, and includes
regular management and supervisory activities as well as other
employee activities. The scope and frequency of separate
evaluations will depend primarily on an assessment of risks and
the effectiveness of ongoing monitoring procedures..."
FINDING Cash handling procedures for walk -in and mail -in
Payments are not consistently formalized in writing or
enforced in all offices of the Customer Service Branch.
Each Cashier is assigned a separate "Cash Can" to provide
change for customers making walk -in payments. At the beginning
of the work day, each Cash Can contains $250. During the
course of the work day, Cashiers place cash or checks received
from walk -in customers into their assigned Cash Cans. Each
Cashier is also given a unique ink stamp that indicates the date
and the word "PAID" to use for stamping customer water bill stubs.
Revised DWS policy and procedures dated June 29, 1999,
Cashier Procedures, call for accountability by instructing Cashiers
to be responsible for their assigned and lockable Cash Cans. The
policy states: "Each cashier will be the only person authorized to
access the contents of their cash can. Sharing of the cash can
between two or more cashiers at the same time is prohibited.
Cash cans may be transferred from one cashier to another only if
both cashiers count and document the transfer on the `Cashier's
Exchange Log'. Discrepancies should be reported to the District
Supervisor immediately ".
DWS Finance Division documentation dated October 29, 2009,
titled "DWS Checks and Cash Receipts Control
Recommendations for Change ", sets out recommended policies
and procedures and indicates that several of the recommended
changes had already been implemented. However, no written
documentation communicating said changes to staff was provided
to the auditors; and upon inquiry, the Assistant Controller stated
that communication to staff was strictly verbal. Subsequently, a
written communication titled "Revised Cashier Procedures" dated
January 14, 2010, was distributed to DWS staff, but did not
specifically address the exchanging or sharing of Cash Cans. The
Assistant Controller indicated this was not necessary since the
policy specifically instructs that any "Clerk Meter Reader assisting
customers should direct payment collection to the Cashier'.
30
CHAPTER 4: CASH HANDLING SYSTEMS
However, based on observation of cashiering activities at District
offices, a designated "Cashier' with an assigned Cash Can is not
always available, and Cash Cans continue to be shared by and
accessible to multiple personnel. In interviews with Customer
Service Branch personnel, the auditors were told that there are
only two Cash Cans available at each customer payment
collection site, but there are times when a third employee needs to
step in as alternate Cashier using one of the Cash Cans. During a
follow -up interview on March 5, 2010, supervisory personnel in the
Customer Service Branch also reported that the Cashier's
Exchange Log is no longer used when transferring a Cash Can
from one employee to the other.
One goal of cash handling controls is to ensure accountability by
providing an audit trail that permits reconciliation of transactions
processed by each Cashier to the physical cash. However,
based on personnel interviews and observation of cashiering
activities by the auditors, it appears that policies and procedures
and control activities (such as the Cashier's Exchange Log) are
not consistently adhered to by Customer Service Branch
personnel or enforced by Finance Division managers. This
absence of audit trails for cashiering activities reduces the
Finance Division's ability to hold individual employees accountable
for discrepancies and increases the risks for mishandling or
misappropriation of customer monies.
As stated above, the Hilo office averages from $1,383 to $6,300 in
cash deposits and $56,000 to $373,000 in check deposits per day,
and the Waimea and Kona District offices average from $3,000 to
$5,800 in combined cash and check deposits per day. Without
consistent policies and procedures in place for controlling access
to and exchanging of Cash Cans by Cashiers, not only are the
accountability and protection of Cashiers compromised, DWS
management appears to communicate that safeguarding of
customer payments is not a priority. One District office indicated
that its procedure when exchanging Cash Cans is to print out a
Cashier's Summary Report that displays cash and check totals,
which are then reconciled to the contents of the Cash Can. The
Cashier then signs or initials and dates this print -out that is kept in
the Cash Can, and the next Cashier signs or initials and dates the
print -out to verify its contents.
RECOMMENDATION Finance Division managers need to implement policies and
procedures that provide an adequate audit trail of transactions for
each Cashier. Finance Division managers should also assess the
aforementioned District Office control procedure for Cash Cans
and determine if it could be adopted by all offices in the Customer
Service Branch. Adherence to this control procedure would
provide an audit trail of transactions for each Cashier that would
permit reconciliation to the contents of each Cash Can. Another
possible control procedure would be to establish a third "Cash
31
CHAPTER 4: CASH HANDLING SYSTEMS
Can" to be used as a back -up for any alternate Cashier when
additional coverage is needed. Adherence to and enforcement of
improved control procedures will improve accountability and
security of the customer payment process and better
communicate DWS management's objective to safeguard
customer monies.
Criteria. Internal Control Criteria — COSO Component No. 3.
"Control activities are the policies and procedures that help ensure
management's directives are carried out. They help ensure that
necessary actions are taken to address risks to the achievement
of organizational objectives. Control activities occur throughout
the organization at all levels and in all functions. They include a
range of activities as diverse as approvals; authorizations;
verifications; reconciliations; reviews of operating performance;
security of assets; and segregation of duties."
Criteria. Internal Control Criteria — COSO Component No. 4.
"Information and Communication — Pertinent information must be
identified, captured, and communicated in a form and timeframe
that enable employees to carry out their responsibilities in an
effective and efficient manner. Information systems produce
reports containing operational, financial, and compliance- related
information that help management run and control the
organization. "
FINDING Computer system security at walk -in customer service
Payment windows is inadequate.
The Public Utility Billing System (PUBS) is logged onto at the
beginning of each work day using the Cashier's login, and is not
programmed with an automatic lockout mechanism after a
specified period of nonuse. The current PUBS application also
does not require entry of an authorized user identifier or password
for entering of each transaction. At the Hilo office and Waimea
and Kona District offices, the auditors observed that Cashiers at
walk -in payment windows leave their computers logged onto
PUBS when leaving to do other tasks. Although a screen saver is
used, the payment screen remains accessible simply by hitting
any computer key, creating the potential for unauthorized access
and unauthorized transactions to be entered into PUBS. If the
Customer Service Supervisor or other personnel is covering for
the Cashier, they can transact business under the Cashier's login.
As a result, there is no audit trail of transactions by Cashier login,
reducing overall accountability and the ability of individual
Cashiers to control transactions entered under their own Iogins.
32
CHAPTER 4: CASH HANDLING SYSTEMS
RECOMMENDATION DWS financial IT systems personnel need to develop and
implement policies that address adequate physical and application
access controls, including transactional level passwords to provide
individual audit trails and an automatic lockout mechanism for
each Cashier's terminal in order to protect Cashiers as well as
hold them accountable for discrepancies in customer payments.
DWS management needs to ensure support of and adherence to
physical and application access control policies by providing
employees with regular training and monitoring control activities.
DWS management must also periodically review, assess, and
evaluate control processes, policies, and procedures for their
continued relevance, effectiveness, and efficiency in safeguarding
assets.
Criteria. Internal Control Criteria — Information System Audit and
Control Association (ISACA) Security Policy.
"The main goal of a corporate security policy is to protect data by
defining procedures, guidelines and practices for configuring and
managing security in the corporate environment. It is imperative
that the policy defines the organization's philosophy and
requirements for securing information assets. It is also important
that the policy outlines how it will apply to corporate employees,
processes and environments. Consequences for failed
compliance must also be addressed."
FINDING Control procedures relating to computer passwords and
logins are not consistently formalized in writing or
enforced in all offices of the Customer Service Branch.
Finance Division managers have not adequately monitored or
enforced the use of individual passwords or logins, and Customer
Service Branch personnel have even acknowledged the sharing of
passwords at one of the District offices. Auditors were told that
passwords are being shared for certain logins at one District
office, with the District supervisor and staff sharing the password
to the Public Utility Billing System (PUBS) in the event personnel
are out sick or on vacation. This practice is contrary to the
purpose of passwords or logins; that is, the ability to secure
system access and provide an audit trail of all activities conducted
under assigned passwords or logins. Individual passwords and
logins are a fundamental part of data security, monitoring, and
control, and are basic to protecting data integrity by reducing the
risks of unauthorized access and unauthorized transactions.
RECOMMENDATION DWS management needs to enforce standard IT policy against
the sharing of passwords and logins, and enforce standard
accounting practices for using audit trails to scrutinize system
entries when financial discrepancies are detected. In so doing,
33
CHAPTER 4: CASH HANDLING SYSTEMS
management can better communicate its commitment to
safeguarding its cash assets. Further discussion of financial IT
system controls follows in Chapter 5.
Criteria. Internal Control Criteria — ISA CA Security Policy:
"The main goal of a corporate security policy is to protect data by
defining procedures, guidelines and practices for configuring and
managing security in the corporate environment..."
Criteria. Internal Control Criteria — COSO Component No. 3:
"Control activities are the policies and procedures that help ensure
management's directives are carried out. They help ensure that
necessary actions are taken to address risks to the achievement
of organizational objectives..."
FINDING Segregation of cash handling duties at District offices is
not regularly monitored for proper controls.
In the Hilo office, there are separate positions and duties for
Cashiers and Customer Services Representatives. In the Waimea
and Kona District offices, there are no Cashiers, but only
Customer Service Representatives who are also assigned
cashiering duties. While most of their duties are customer service
related (including processing applications for new water meter
sign -up, researching customer complaints, and handling water
leakage reports), Customer Service Representatives in Waimea
and Kona also perform cashiering duties, including walk -in cash
handling and payment processing, balancing and reporting of
transactions, and preparing of bank deposits. In addition, Meter
Readers in Waimea and Kona cover for Customer Service
Representatives during lunch hours or other absences. DWS
management stated that cashiering and customer service duties
are combined in Waimea and Kona to better utilize personnel,
given the reduced volume of walk -in transactions processed by
the District offices and the forwarding of all mail -in customer
payments to the Hilo office for processing.
This lack of segregated duties among the various personnel in the
Waimea and Kona District offices poses financial and operational
risks related to conflicts in asset custody and manipulation of
accounting records, given their physical access to cash, access to
various financial IT applications, and multiple authorization levels.
The lack of segregated duties in the Hilo office also poses
financial and operational risks, since the Customer Service
Supervisor who covers for Cashiers has the authority to approve
any adjustments to Cashier transactions. However, these
inherent risks related to segregation of duties can be managed
through the implementation and monitoring of additional cash
34
CHAPTER 4: CASH HANDLING SYSTEMS
handling and financial IT system controls, including, but not limited
to, the enforcement of Cash Can transfer procedures; prohibition
against sharing of Iogins and passwords; and oversight and
reconciliation of customer payment transactions by Finance
Division managers. While the Finance Division's Revised Cashier
Procedures dated January 14, 2010, includes the reconciliation of
all reported cash transactions to the daily deposit by the Assistant
Controller, they still do not ensure that reporting on all customer
payment transactions at their first point of receipt is 100%
complete, and this verification process is further complicated by
the overlapping duties of various cash handling personnel and
their multiple accesses to financial systems controls and
authorizations as discussed above.
RECOMMENDATION DWS management needs to complete a thorough process
analysis of its Waimea and Kona District offices to assess the
operational and financial risks related to the combined customer
service and cashiering duties of its Customer Service
Representatives and the cashiering duties assumed by its Meter
Readers in the absence of Customer Service Representatives.
DWS management also needs to complete a thorough process
analysis of its Hilo office to assess the operational and financial
risks related to the cashiering duties assumed by the Customer
Service Supervisor and Assistant Supervisor in the absence of
Cashiers. Based on these risk assessments, management must
implement appropriate cost - effective preventive and detective
controls, and /or develop improved control policies and procedures
related to segregation of cash handling activities. If sufficient cost -
effective controls cannot be implemented to reduce risk to
acceptable levels within the current combined duties scenario,
then management should at least designate or reallocate one
position as primary Cashier in each of the Waimea and Kona
District offices and require Finance Division managers to review
transactional changes authorized by the Customer Service
Supervisor and Assistant Supervisor.
Criteria: Internal Control Criteria — Separation of Duties for Access
Control Enforcement in Workflow Environments.
"Separation of duty, as a security principle, has as its primary
objective the prevention of fraud and errors. This objective is
achieved by disseminating the tasks and associated privileges for
a specific business process among multiple users... "
35
CHAPTER 4: CASH HANDLING SYSTEMS
FINDING Water billing transactions are not submitted to a "real
time" financial system to ensure efficient recording,
processing, reconciling, monitoring, and reporting of all
customer payments.
The Public Utility Billing System (PUBS) is set up as a batch
processing system. As walk -in and mail -in payments are received
for water bills, they are entered into the PUBS application as a
"batch" or a sort of suspense account rather than being posted to
customer accounts in "real time ". At a certain time each day, all
transactions that have been entered since the last "batch" was
posted are grouped (batched) and posted to the appropriate
customer accounts. Reports are run showing summaries of all
customer transactions included in the batch as well as details of
the amounts of cash, checks, and credit cards associated with
those transactions. Each office has its own cut -off time to ensure
that its deposits are made by the end of each work day. Any
water bill payments that are processed after the cut -off time are
processed in a new batch, which is carried over to the bank
deposit for the following work day. An average of 750 daily
transactions is contained in a daily "batch" and deposit for the Hilo
office.
Batch processing is considered outdated in current accounting
practice, since it holds a number of transactions in limbo until the
"batch" is posted (routinely on the next work day). Among the
risks associated with batch processing is the manipulation of
batch data and the misappropriation of assets in the absence of
sufficient controls. For example, until the recent revision of
Finance Division procedures, daily batch reports (incoming totals
by payment type) were not reconciled to daily bank deposits (total
deposits by payment type). Thus, a Cashier could accept a walk -
in cash payment, enter it as a check payment in PUBS, and
replace the cash with a subsequent mail -in check payment before
posting of the next batch report. This is a common embezzlement
scheme that in the absence of adequate controls can continue
undetected for an extended period of time. The fact that DWS has
still not implemented sufficient cash handling controls — from
segregation of duties for mail -in payments to the sharing of Cash
Cans, logins, and passwords — perpetuates an environment
susceptible to the mishandling or misappropriation of customer
payments that can escape early detection.
RECOMMENDATION DWS management should conduct an analysis of all of its cash
handling activities, control processes, and financial systems to
identify areas of significant risk and their potential impact on
operations as well as an analysis of improved cost - effective
controls to reduce risks to acceptable levels. For example, if batch
processing is still to be used, management needs to ensure that
reports are generated for each Cashier and each financial system
36
CHAPTER 4: CASH HANDLING SYSTEMS
used (such as PUBS or manual receipts), detailing the amounts of
cash, checks, and credit cards and any transaction adjustments
posted to each batch. This information should be reconciled to
each Cashier's Cash Can as well as each daily deposit. All
adjusting entries need to be reviewed by Finance Division
managers for reasonableness, proper authorization, and
supporting documentation. Adherence to policies and procedures
that prohibit the sharing of Cash Cans and computer logins and
passwords by Cashiers must also be enforced.
As of January 2010, Finance Division managers require that
PUBS batch reports be run daily for each computer terminal, and
a summary report be prepared for each Cashier — detailing
payments by process (PUBS vs. manual receipt) that are further
broken down by cash, check, and credit card totals — for
reconciliation to individual Cash Can totals and the daily bank
deposit by the Assistant Controller. However, as discussed earlier,
these control procedures still fail to reconcile the actual number
and amount of mail -in payments received at their first point of
receipt in the Customer Service Branch to the actual number and
amount of mail -in payments posted to customer accounts by each
Cashier.
Security issues relating to the sharing of Cash Cans and computer
logins and passwords by Cashiers also remain unaddressed and
appropriate access controls need to be implemented.
Criteria: Internal Control Criteria — COSO Component No. 3.
Control activities occur throughout the organization at all levels
and in all functions. They include a range of activities as diverse
as approvals; authorizations; verifications; reconciliations; reviews
of operating performance; security of assets; and segregation of
duties. "
Criteria: Internal Control Criteria — COSO Component No. 4:
"Information and Communication — Pertinent information must be
identified, captured, and communicated in a form and timeframe
that enable employees to carry out their responsibilities in an
effective and efficient manner. Information systems produce
reports containing operational, financial, and compliance- related
information that help management run and control the
organization. "
37
CHAPTER 4: CASH HANDLING SYSTEMS
FINDING Other revenue - generating activities and transactions
originating in other DWS Divisions are not submitted to
an integrated financial system to ensure efficient
recording, processing, reconciling, monitoring, and
reporting of all customer assessments and payments.
Current processes for tracking activities relating to certain
revenue - generating services are not integrated and lack adequate
reconciliation and review. It is imperative that DWS management
establish processes that clearly identify each revenue - generating
activity (i.e.; water commitments, stand pipes, residential
metering); identify the triggers for generation of receivables for
each activity (i.e.; subdivision and building permit approvals);
document the revenue - triggering event and actual total charges
for all water services; provide appropriate segregation of duties
between personnel documenting revenue - generating activities
and personnel inputting financial receivable information; and
provide regular reconciliation and review of "triggering
documentation" against "financial documentation" to ensure the
completeness and accuracy of data and proper collection of fees
owed.
Only the collection of payments received for these revenue -
generating activities appears to be adequately safeguarded and
addressed by the Finance Division in its revised policies and
procedures dated January 14, 2010, Revised Cashier Procedures.
According to the Assistant Controller, manual receipts average
approximately $200 in cash and credit cards and approximately
$10,000 in checks per day among the Hilo office and Waimea and
Kona District offices. Manual receipts are preprinted and
sequentially numbered; and all are retained (including voided
receipts). Procedures have been improved to require confirmation
that all sequentially numbered receipts are accounted for and all
receipt amounts are coded by revenue type and reconciled to
daily deposits. Further monitoring is provided by the DWS
Engineering Division through its review of a copy of the daily cash
packet, which includes all daily transactions processed by the Hilo
office and Waimea and Kona District offices (such as water
commitments, metered water sales, power charges, and finance
charges for late payments). If a discrepancy is discovered, the
Engineering Division contacts the Customer Service Supervisor to
research, report on, and resolve the discrepancy. According to
the Customer Service Supervisor, written procedures for manual
receipts are specific as to the type of revenue - generating activity
for which each payment is received. However, there are no
process or flow maps documenting from start to finish the handling
of manual receipts issued for all DWS services or activities
through the various DWS Divisions to permit an assessment of
process gaps or inefficiencies. This process mapping is
W
CHAPTER 4: CASH HANDLING SYSTEMS
necessary to assess the completeness of revenues and
receivables reported and the risks associated with their collection.
RECOMMENDATION DWS management should perform a formal assessment of all of
its cash handling processes, including a sufficient review of
operations to reasonably ensure that all revenue - generating
activities are being billed; corresponding payments are being
received and recorded; and proper receipts are being generated.
DWS management should also attempt to achieve further
efficiencies by using its automated applications to replace the use
of manual receipts. All automated processing applications should
be fully integrated with the Department's financial management
application to ensure accurate and efficient transfer of transaction
data from processing applications to the general ledger. However,
until such time as full integration is accomplished, management
needs to develop and implement written control procedures that
address the use and reconciliation of all manual receipts, including
posting of receipts in the Department's financial system and
confirmation of corresponding cash deposits.
A key benefit of financial IT systems is the effective and efficient
automation of financial transaction processes, and the ability to
update and modify existing systems to better align them with
management objectives. The Control Objectives for Information
and related Technology (COBIT) Framework, published by the IT
Governance Institute, provides a detailed set of financial IT
controls and control techniques for the information systems
management environment, including performance measurements
that identify how well an IT function is supporting business
requirements.
Criteria. Internal Control Criteria — Control Objectives for Information
and related Technology (COBIT) Framework:
"It is management's responsibility to safeguard all the assets of
the enterprise. To discharge this responsibility as well as to
achieve its expectations, management must establish an
adequate system of internal control."
Criteria. Internal Control Criteria — GFOA Cash Receipts Policy:
"As part of performing government services, management must
provide for appropriate mechanisms, automated and manual, to
collect all funds for services performed and ensure the proper
controls exist over all receipts... All aspects of cash receipts shall
be subject to proper internal controls with standard controls
documented and followed by revenue generating departments:
o Automated system resources should be utilized where
practical to provide better processing and reconciliation
support as well as providing a more efficient and effective
manner to manage receipts..."
C
CHAPTER 4: CASH HANDLING SYSTEMS
FINDING The Department of Water Supply's overall control
environment is inadequate.
DWS management has not established a control environment that
clearly communicates its commitment to accountability through the
development and enforcement of clearly defined cash handling
policies, procedures, and controls. DWS management has not
fully met its governmental objective to safeguard assets as a
result of its inattention to risk assessment and failure to
adequately address internal controls for segregating, monitoring,
reporting, and reviewing its cash handling activities. As early as
1999, the Finance Division revised its cash handling procedures in
response to repeated cash overages and shortages, but
managers failed to fully enforce revised procedures or recognize
the significance of its risk exposure. Subsequent to its discovery of
theft by one of its Cashiers, the Finance Division again revised its
cash handling procedures in October 20, 2009, and January 14,
2010, but DWS management has yet to fully implement mitigating
controls included in its revised procedures to adequately address
identified areas of significant risk. Further, while Finance Division
managers state they are aware that DWS needs to undertake a
comprehensive risk assessment of its activities as well as a
systematic review of preventive and detective controls to
determine their cost - effectiveness and applicability to current
business operations, DWS has not developed a timeline or plan
for accomplishing these risk management activities.
RECOMMENDATION At a minimum, the Finance Division needs to conduct a full
process review of its cash handling activities in order to identify
current inefficiencies and areas of inherent risk. This process
review needs to be followed by process modifications to increase
performance and accountability through improvements in
efficiency and security, and to decrease risk exposure through the
identification, evaluation, and implementation of appropriate
control activities.
It must be emphasized here that while the Finance Division
continues to work toward improving its cash handling processes,
the Waterworks Controller and Assistant Controller are hampered
by workload, personnel, and time constraints. Therefore, it is
imperative that DWS management provide the Waterworks
Controller and Assistant Controller with the necessary tools,
including the optimum combination of personnel and automated
financial IT systems, to assist them to better account for and
safeguard cash assets. Leadership in establishing the control
environment — the ethical tone — of the organization must be set
by management, which in the case of the Department of Water
Supply, rests with the Water Board and its Manager. In our audit
entrance conference, DWS management acknowledged that
internal control systems are problematic in government agencies
.E
CHAPTER 4: CASH HANDLING SYSTEMS
because government agencies tend to focus on their missions of
providing and improving services to the public, not improving
internal controls. The Committee of Sponsoring Organizations
(COSO) — which is comprised of five professional financial
accounting organizations — provides the following guidance:
"Internal control can help an entity achieve its performance and
profitability targets, and prevent loss of resources. It can help
ensure reliable financial reporting. And it can help ensure that the
enterprise complies with laws and regulations, avoiding damage to
its reputation and other consequences. In sum, it can help an
entity get to where it wants to go, and avoid pitfalls and surprises
along the way."
Criteria: Internal Control Criteria — COSO Component No. I.
"The control environment sets the tone of an organization and is
the foundation for all other components of internal control,
providing discipline and structure. Control environment factors
include the integrity, ethical values and competence of the
organization's people; management's philosophy and operating
style; the way management assigns authority and responsibility
and organizes and develops its people; and the attention and
direction provided by its board of directors."
41
CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS
CHAPTER 5
INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS
OVERVIEW Automation with computer technology has become a necessity for
government organizations to carry out their operations effectively
and efficiently and to process, maintain, and report essential
financial information in a timely manner. As a consequence, the
reliability of computerized data and the systems that process,
maintain, and report these data is a major concern within an audit.
Department of Water Supply
IT Financial Systems The Department of Water Supply's IT financial applications and
financial computer servers are administered by the Waterworks
Controller, and not the DWS Information Systems Branch. Harris
Computer Systems, headquartered in Toronto, Canada, has been
contracted to provide support and maintenance for the
Department's primary financial systems. The Information Systems
Branch maintains and supports the Department's non - financial
applications. In addition, the Information Systems Branch
maintains and supports the Department's local -and wide -area
networks used for connectivity to all financial and non - financial
applications as well as all workstations connected to the financial
and non - financial systems. [See Chapter 3 Attachments: DWS
Finance Division Organization Chart and Information Systems Branch
Position Organization Chart.]
The Department of Water Supply has three financial - related IT
systems, including the Public Utility Billing System (PUBS), Select
Financial System, and Water Commitment System. The PUBS is
used for recording meter readings and for water billing and
payment processing (with Cashiers and Customer Service
Representatives entering approximately 750 water bill payments
per business day). The Select Financial System is an integrated
suite of modules used for General Ledger, Payroll, Inventory,
Purchasing, Accounts Payable, and Bank Reconciliation. The
Water Commitment System is used by the DWS Engineering
Division to record information and payments made by developers
for water commitments for future service to planned parcels and
subdivisions. However, manual receipts are written for water
commitment payments as well as various other payments. The
three financial IT systems are separately maintained and are
currently not integrated.
42
CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS
The Waterworks Controller said that the PUBS and Select
Financial System were procured in fiscal year 2000 for
approximately $650,000 from the Harris Computer Systems
company headquartered in Toronto, Canada. The recurring
annual maintenance and support for these two systems is
approximately $40,000 per year. These systems currently run on
an IBM RISC System /6000 minicomputer running IBM's UNIX
operating system variant AIX. The PUBS was set up for storing
water customer information, recording water meter readings,
generating water bills, making adjustments, and receiving water
bill payments. The PUBS was not set up for recording water
commitment payments and other payments. While capabilities
were not available when the systems were implemented, Harris
Computer Systems has since developed functionality to automate
posting between the PUBS and Select Financial System.
However, the Waterworks Controller stated that he has opted not
to implement the functionality due to having insufficient knowledge
of the automated posting process.
The Water Commitment System runs on an IBM AS 400 middle -
size computer. The Waterworks Controller stated that there are
plans to migrate water commitment records to a custom Microsoft
Access database created by the Information Systems Branch.
However, it should be noted that Microsoft Access is not
considered an enterprise -level application; the custom system is
not integrated with the other financial systems; and custom
development of financial applications may pose maintenance and
upgrade issues as well as security risks. For example, other
County departments have had to postpone upgrading Microsoft
Access database software, and instead have IT personnel custom
install old versions of the Microsoft Access database software on
newly purchased workstation computers in order to use previously
developed custom Microsoft Access databases. The lack of
version compatibility necessitates the continued use of older
versions of Microsoft Access on each personal computer (PC) in
order to keep it active. In general, multiple versions of Microsoft
Access cannot function on a PC without extraordinary system set-
up, such as multiple drive partitions and separate Windows
operating system installations.
Prior to assuming his current position, the Waterworks Controller
was involved with the implementation of the Department's
financial systems and had a working knowledge of the PUBS and
Select Financial System applications as well as the AIX operating
system. He is the only employee with a working knowledge of
system administration for all of the Department's financial
systems. As Waterworks Controller, he retained the duties of both
the financial system administrator and the application
administrator and also administers the Water Commitment System
application and IBM AS 400 computer server.
43
CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS
The DWS Information Systems Branch does not support or have
administrator access to the Department's financial computer
systems and applications. The Information Systems Branch only
administers the non - financial applications, network, servers
running the Microsoft Windows operating system, and PC
workstations running Microsoft Windows. The Information
Systems Branch supports e-mail, Internet access, and other non-
financial applications. The Department's Microsoft Windows
servers are located in a locked air - conditioned server room. The
Information Systems Branch requires that Computer Access
Request Forms be filled out and signed for computer system
access changes. Network passwords are required to be changed
every 90 days.
The Waterworks Controller acknowledges that his current role as
systems administrator for financial systems needs to be moved to
the Information Systems Branch. He stated that there are plans to
migrate the PUBS and Select Financial System from the RISC
System /6000 minicomputer running IBM's AIX to a server running
the Linux operating system that is supported by the Information
Systems Branch. As noted above, the Information Systems
Branch has developed a custom Microsoft Access database for
the future migration of the Water Commitment System to a
Microsoft Windows platform administered by the Information
Systems Branch.
FINDING Segregation of financial systems duties is insufficient.
The Department of Water Supply lacks proper segregation of
duties for its IT financial system functions. The Waterworks
Controller is both the System Administrator and Application
Administrator for the Public Utility Billing System (PUBS), Select
Financial System, and Water Commitment System. A System
Administrator is responsible for the provision,
installation /configuration, operation, and maintenance of systems
hardware (i.e.; IBM RISC System /6000 and IBM AS 400
computers); systems software (i.e.; AIX and OS 400 operating
system software); and related infrastructure. An Application
Administrator has full access to all functions (i.e.; PUBS, Select
Financial System, and Water Commitment System), including
system set -up and user set -up tasks. Security may be
compromised when one employee serves as both System
Administrator and Application Administrator, since the employee
could potentially make a financial system change and delete the
audit trail of log files. Combining the duties of System
Administrator and Application Administrator may also permit the
implementation of software program changes that impact financial
records and, at the same time, permit the destruction of electronic
data needed for detective controls. Security is further
..
CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS
compromised when there is no review of the Controller's activities
other than during the annual financial audit, which is based on
levels of materiality relative to financial statements as a whole. It
must be emphasized here that no such impropriety was noted
during the audit. However, the risks of misappropriation or fraud
relating to the lack of proper segregation of DWS financial system
functions are unacceptably high.
RECOMMENDATION The function of System Administrator should be moved from the
Waterworks Controller to multiple employees in the Information
Systems Branch. It should be noted that the Waterworks
Controller has been working to move these system administration
functions to the Information Systems Branch.
The function of Application Administrator should be separated, if
possible, from functions that create segregation of duties issues
depicted and discussed in the IT Segregation of Duties Matrix, the
ISACA's Segregation of Duties Control Matrix, and the SOX
Segregation of Duties Matrix in Chapter 2. For example:
The employees entering water bill adjustments should be
separated from the Application Administrator function.
The function of reviewing IT system application changes
should be separated from the function of actually making the
application changes.
Criteria. Internal Control Criteria — IT Seareaation of Duties Matrix b
the Information Systems Audit and Control Association
IS( ACA).
"Potential segregation of duties issues may exist if the System
Administrator function is combined with control group functions,
application programmer, help desk and support manager, data
entry, computer operator, database administrator, or systems
programmer. "
FINDING Policies and procedures relating to financial systems
security, passwords, access rights, backups, and
disaster recovery are insufficient.
DWS management has not required and developed sufficient
policies and procedures for financial IT system security,
passwords, access rights, backups, and disaster recovery.
Although the Information Systems Branch has written policies and
procedures, the Information Systems Branch does not currently
administer and provide support functions for the Department's
financial servers and applications.
45
CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS
Financial Systems The IBM RS /6000 and IBM AS 400 financial computer servers are
Security located in an unlocked office with access by various employees.
Physical access to servers can potentially be used to hack into the
system or cause damage to the system.
However, the Information Systems Branch has provided for
adequate physical security for the non - financial IT systems. The
Microsoft Windows servers administered by the Information
Systems Branch are located in a locked air - condition server room
with access restricted to appropriate personnel.
Passwords The Waterworks Controller stated that employees are informally
instructed not to share logins and passwords. However, this
informal verbal policy does not appear to have been
communicated to all employees, nor does there appear to be any
monitoring or review process. During our interviews with DWS
employees, we found that certain employees shared logins and
passwords to the Public Utility Billing System (PUBS). A
Customer Service Representative stated that she shared a login
and password with a District Supervisor. When employees share
logins and passwords, it is difficult or impossible to determine who
actually made a financial system transaction or change. For
example, it would not be possible by reviewing system data to
determine whether a water bill adjustment was made by the
Customer Service Representative or the District Supervisor who
share the same login and password. Additionally, Cashiers'
workstations are not logged -out or timed -out when Cashiers take
breaks or have lunch, which creates the potential for unauthorized
system access.
There is no IT policy setting that requires financial application
passwords be changed. Passwords do not regularly expire due to
a system password policy setting, and there is no informal or
formal written policy requiring people to regularly change
passwords on the PUBS, Select Financial System, and Water
Commitment System. Currently, if a password does fall into the
wrong hands, the password would continue to remain active.
Access Rights The PUBS has nine listed Application Administrators. Application
Administrators have full financial application access to make
changes to set -up and configuration, financial transactions and
records, or any other application function. IT security experts
recommend that administrator access be limited to a small
number of employees who are responsible for granting proper
application access privileges or who need administrator access for
their job functions. Having nine PUBS Application Administrators
creates a lax control environment, where employees have more
access rights than needed for their respective job descriptions.
CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS
The Waterworks Controller said that he did not audit or review
financial application changes made by the Application
Administrators. For example, an Application Administrator could
adjust a customer's water bill or make any other application
change without a review of the system change. This lack of
control and oversight to detect potential misuse of financial
applications increases the risks of misappropriations as well as
inappropriate financial system changes and inaccurate or
misstated financial data.
Back -ups There is no written back -up and retention policy for the PUBS,
Select Financial System, and Water Commitment System. The
current back -up procedure appears insufficient to guarantee
restoration of key financial systems. The Waterworks Controller
said that he takes the current day's back -up tapes home each day.
If a system problem occurs and the back -up tape is also defective,
a financial system may not be restorable in a timely manner and
critical data could be lost.
A back -up tape retention policy and procedure is necessary to
ensure that financial data is safe from destruction and that
financial systems can be adequately restored following natural
disasters or systems failure. The Hawai'i County Data Systems
Department has a back -up and retention policy and procedure that
could be reviewed, modified, and adopted by the Department of
Water Supply. The Hawai'i County Police Department currently
provides secure storage for back -up tapes for the Data Systems
Department and may be able to provide secure tape storage for
the Department of Water Supply as well.
Disaster Recovery DWS currently has no continuity of business and /or disaster
recovery policy or plan for its IT financial systems. What will
happen if an office fire destroys the two financial systems servers?
What will happen if someone maliciously destroys data on the
server and the current back -up tapes? What will happen if the
System Administrator is unable to come to work? These are
questions that must be answered for scenarios that may disrupt
business operations, and are essential to guide the development
of a plan to minimize or mitigate risks and provide adequate
solutions to disruptions in business functions.
The Waterworks Controller is the only System Administrator for all
of the Department's IT financial systems. In addition to what is
likely an excessive workload, this means that if the Waterworks
Controller was unable to come to work, there would not be
another employee or an on- island vendor support person who
could back -up system transactions for the day or respond to
problems on -site. Most organizations have the System
Administrator function in their Information Systems Branch with
more than one System Administrator (if possible) to facilitate
continuity of business should a System Administrator be unable to
47
CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS
come to work. Although the software vendor supports the system
and applications, having only one employee with System
Administrator access and knowledge of the Department's financial
IT systems poses a significant risk to business continuity. The lack
of a business continuity and disaster recovery plan could
potentially result in significant business disruptions and /or loss of
critical financial data and records.
RECOMMENDATION
Financial Systems
Security Finance Division managers and the Information Systems Branch
should develop adequate written policies and procedures relating
to the Department's IT financial systems. Formal policies and
procedures are critical for ensuring IT financial system security
and safeguarding critical financial data from inappropriate access
and /or changes. Enforceable policies ensure that vulnerabilities
are identified and addressed with a goal to reduce risks to the IT
financial system. Once a security policy is in place, heightened
security awareness also serves as a deterrent and increases the
likelihood of individual compliance throughout the organization.
The IT financial servers should be located in a locked air -
conditioned server room with access restricted to only employees
with a job description that entails needing access to the server
room. Because the System Administrator function should be
moved to the Information Systems Branch, the IT financial system
servers should be moved to the Information Systems Branch's
locked air - conditioned server room. Access should likely be
limited to only the Information Systems Branch's System
Administrators and the DWS Manager. Employees who may only
need access for an occasionally occurring purpose could be
permitted access as needed by authorized employees.
Passwords Password policy should include the requirement that employees
have individual logins and not share passwords. Password policy
settings should require password changes on a regular basis.
Employees should log -out and /or be timed -out of any IT financial
systems when they go on break or have lunch.
Access Rights The number of Application Administrators should be limited to
those employees requiring administrator access rights.
Application Administrator access rights should likely only be
provided to a few employees that need full application access in
order to set up the access rights of other employees and /or make
application configuration changes.
CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS
Back -ups Finance Division managers and the Information Systems Branch
should develop a back -up and recovery policy and procedure that
address, at a minimum, the following:
• Tapes should be stored off -site in a secure location outside the
tsunami zone in case of various disasters, such as fires,
floods, hurricanes, tsunamis, earthquakes, and volcanic
eruptions.
• Restoring systems from back -up tapes should be routinely
tested to ensure that critical systems can be restored.
Disaster Recovery DWS management and the Information Systems Branch should
develop a brief and concise Continuity of Business and Disaster
Recovery Plan that includes IT financial systems to address
continuation of business operations in the aftermath of various
business disruption and disaster scenarios. This should be a
functional plan that is routinely updated and tested on a regular
basis, and not a cumbersome plan drafted by a consultant that
collects dust on a shelf without being used.
Criteria: Audit Plan — Government Auditing Standards (Yellow Book)
section 7.23:
"General controls help ensure the proper operation of information
systems by creating the environment for proper operation of
application controls. General controls include security
management, logical and physical access, configuration
management, segregation of duties, and contingency planning.
Application controls, sometimes referred to as business process
controls, are those controls that are incorporated directly into
computer applications to help ensure the validity, completeness,
accuracy, and confidentiality of transactions and data during
application processing. Application controls include controls over
input, processing, output, master data, application interfaces, and
data management system interfaces. "
Criteria. Internal Control Criteria — ISACA Security Policy.
"The main goal of a corporate security policy is to protect data by
defining procedures, guidelines and practices for configuring and
managing security in the corporate environment... It is also
important that the policy outlines how it will apply to corporate
employees, processes and environments."
Criteria. COBIT Mapping: Overview of International IT Guidance, 2nd Edition:
"Information should be backed up, and the backup files should be
tested regularly... Removable media should be handled with
special care. "
i •
CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS
Criteria. Internal Control Criteria — "IS Auditing Guideline Business
Continuity Plan (BCP) Review from IT Perspective" (ISACA).
"In today's interconnected economy, organizations are more
vulnerable than ever to the possibility of technical difficulties
disrupting business. Any disaster, from floods or fire to viruses
and cyber- terrorism, can affect the availability, integrity and
confidentiality of information that is critical to business..."
Criteria. Internal Control Criteria - Business Continuity Plans - " Auditinq
Business Continuity'; Information Systems Control Journal (ISACA):
"Every organization should have a business continuity plan that
seeks to ensure that its information systems are available and
running at all times to support and enable the business to function
and grow. In spite of all precautions and preventive controls,
disasters can occur. Some disasters cannot be controlled and /or
prevented. In such cases, the business continuity plan should also
enable recovery of information systems within an acceptable time
frame to avoid any serious damage to the business."
FINDING Security for the local area and wide area networks
Providing connectivity to the IT financial and non-
financial systems appeared sufficient.
Interviews and initial review of system security policies and
procedures indicated that the Information Systems Branch uses
good security measures for the local and wide area networks.
The Information Systems Branch utilizes firewalls; restricted
access to network infrastructure; Computer Access Change
Request Form authorizations; retention of change requests for
audit purposes; antivirus software; system required password
changes; and other security procedures. The internal controls of
the Information Systems Branch were relevant to this audit only in
that the Information Systems Branch supports the network
connectivity and the workstations connecting to the Department's
IT financial systems.
RECOMMENDATION Although an initial review of the current procedures appeared
adequate, the Information Systems Branch should develop a
formal written policy and procedure regarding network security.
The Information Systems Branch could also provide basic training
for employees on common IT security issues and protocols.
Criteria. Internal Control Criteria — Information Svstem Audit and Control
Association (ISACA) Security Policy:
"The main goal of a corporate security policy is to protect data by
defining procedures, guidelines and practices for configuring and
managing security in the corporate environment. It is imperative
that the policy defines the organization's philosophy and
50
CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS
requirements for securing information assets. It is also important
that the policy outlines how it will apply to corporate employees,
processes and environments. Consequences for failed
compliance must also be addressed. "
FINDING Processes to monitor, report, and review systems
activities are insufficient.
Current financial processes do not include sufficient transaction
reports for review, audit trails, and review of transactions. The
Waterworks Controller stated that the current Public Utility Billing
System (PUBS) will not generate a report of all transactions made
by an employee in a given time period. However, if this is the
case, since PUBS records the login id of each transaction, a
custom report should be able to be generated by Harris Computer
Systems that shows all transactions made by an individual user.
PUBS transactions and changes made by Cashiers are
periodically reviewed by the Customer Service Supervisor.
However, the Waterworks Controller stated that he did not audit or
review systems changes made by other employees (i.e.; he does
not review water adjustments that are entered in PUBS by the
Customer Service Supervisor). System changes made by the
Waterworks Controller are also not reviewed by DWS
management. Additionally, the multiple financial systems (PUBS,
Select Financial System, and Water Commitment System) and
their related manual processes hinder the efficient production of
detailed reports that would permit regular and frequent review of
transactions and changes.
The lack of adequate preventive controls such as segregation of
duties and sufficient login and password security measures and
the lack of automation and systems integration, coupled with the
lack of adequate detective controls such as monitoring, reviewing,
and reporting of financial systems transactions, has created a
control environment at risk for fraudulent activities that may not be
detected in a timely manner.
RECOMMENDATION DWS management should develop policies and procedures for
reviewing and auditing transactions and system changes at all
levels within the Department. Adequate review is needed for
financial system transactions and changes made by supervisors,
application administrators, system administrators, and the
Waterworks Controller. Financial system changes should have an
audit trail that shows who authorized the change and who made
the change. An audit and review process for financial systems
changes should be developed and implemented ensuring regular
and frequent review of any changes for proper authorization and
completeness.
51
CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS
Criteria. Internal Control Criteria - Control Obiectives for Information
and related Technology ( COBIT) Framework
"It is management's responsibility to safeguard all the assets of
the enterprise. To discharge this responsibility as well as to
achieve its expectations, management must establish an
adequate system of internal control." COBIT also emphasizes the
need to review the design of audit trails while identifying the
automated solutions.
Criteria. Internal Control Criteria — COSO Component No. 4:
"Information and Communication — Pertinent information must be
identified, captured, and communicated in a form and timeframe
that enable employees to carry out their responsibilities in an
effective and efficient manner. Information systems produce
reports containing operational, financial, and compliance- related
information that help management run and control the
organization..."
Criteria. Internal Control Criteria — COSO Component No. 5.
"Monitoring — Internal control systems need to be monitored — a
process that assesses the quality of system performance over
time. This is accomplished through ongoing monitoring activities,
separate evaluations, or a combination of the two. Ongoing
monitoring occurs during the course of operations, and includes
regular management and supervisory activities as well as other
employee activities. The scope and frequency of separate
evaluations will depend primarily on an assessment of risks and
the effectiveness of ongoing monitoring procedures..."
FINDING Systems integration is insufficient to provide automated
systems reconciliation and combined reporting of
financial transactions.
The Public Utility Billing System (PUBS), Select Financial System,
and Water Commitment System are not integrated. This lack of
integration creates duplication of work and inefficiencies in
financial reporting. For example, a manual receipt would be
written for a large water commitment payment; the commitment
would also be entered into the Water Commitment System; and
the payment would be summarized and manually posted to the
Select Financial System's General Ledger.
Reconciliation of all the financial transactions recorded on each
separate IT system is difficult, with only summarized manual
entries made from the PUBS, Water Commitment System, and
manual receipts being posted to the General Ledger. If an
employee records a water commitment in the Water Commitment
52
CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS
System, there are no IT system checks that ensure that
transactions are also recorded in the Select Financial System.
The Waterworks Controller stated that he does not audit or review
changes made by Application Administrators in each system. This
poses the risk of financial transactions made in one financial
system not being consistent with the transactions made in one of
the other financial systems. This increases not only the risk for
errors, but also the difficulty and time required to monitor and
reconcile transactions, which, in turn, increase the risk that
misappropriation or fraud may occur and go undetected for
significant periods of time.
RECOMMENDATION DWS should evaluate contracting with Harris Computer Systems
to implement the existing module to integrate the Public Utility
Billing System (PUBS) with the Select Financial System and
provide training related to automated posting to the Select
Financial System General Ledger. Harris Computer Systems
should also be requested to advise the Department on recording
and tracking water commitment information and transactions, as
well as other manual receipts, in either the Select Financial
System or PUBS. DWS should implement reports and review
processes to reconcile transactions in PUBS with the Select
Financial System as well as bank transactions. A daily
reconciliation of transactions to bank deposits should be
supported by integrated systems that provide for a single report of
daily cash, checks, and credit payments for easy reconciliation. A
monthly reconciliation should be completed by an appropriate
employee who does not make journal entries to the Select
Financial System.
Criteria: Audit Plan - Government Auditinq Standards (Yellow Book)
section 7.21:
"In performance audits, a deficiency in internal control exists when
the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned
functions, to prevent, detect, or correct (1) impairments of
effectiveness or efficiency of operations, (2) misstatements in
financial or performance information, or (3) violations of laws and
regulations, on a timely basis..."
Criteria: Internal Control Criteria — COSO Component No. 4:
"Information and Communication — Pertinent information must be
identified, captured, and communicated in a form and timeframe
that enable employees to carry out their responsibilities in an
effective and efficient manner. Information systems produce
reports containing operational, financial, and compliance- related
information that help management run and control the
organization. "
53
CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS
FINDING Existing IT financial systems are inefficient for
automating business processes.
The Department of Water Supply has not efficiently automated its
business and financial transactions and activities with the Public
Utility Billing System (PUBS), Select Financial System, and Water
Commitment System. Manual receipts, manual processes, and
manual reconciliation and reporting are routine. However, the
current systems may be able to be integrated and configured to
efficiently automate business transactions and activities. This
would require a review of current processes to determine
"necessary and efficient" process components and monitoring
controls prior to automation of financial functions and integration
of financial systems.
Manual receipts are written for payments (except for the PUBS -
generated receipts for standard water bill payments). These
manual receipts include water commitment payments and new
service deposits. Monthly summarized journal entries are made
manually by the Waterworks Controller without a routine review
process. These manual receipts also create a financial
environment where cash, check, and credit card receipts are more
difficult to track and reconcile. Even with recent improvements,
the daily reconciliation process still fails to adequately address the
existence and completeness of transactions and the reconciliation
to all transactions made in the multiple financial systems and
recorded on various manual receipts.
The Waterworks Controller has been investigating options for
replacing the PUBS and Select Financial System. He has
considered using Tyler Technology's EDEN system (referred to as
FRESH by County employees), which is used by the County for
financial functions and for sewer billing. However, it should be
noted that the EDEN system is not a leading financial and utility
billing system and may be inefficient for the functional
requirements of the Department of Water Supply. It should also
be noted that during previous audits, County employees detailed
inefficiencies in the system such as the inability to provide relevant
and timely reports to support monitoring and informed decision -
making.
The Waterworks Controller stated that utilizing the City and
County of Honolulu's water utility billing system may be an option,
since the City and County of Honolulu's Water Supply provides
billing services for Maui and Kauai counties. An employee
managing the IT systems at the City and County of Honolulu's
Water Supply stated that the current system is an in -house
custom built system called the Computer Accounting System
(CAS), which is running on an obsolete DEC Alpha computer
system. He stated that the current hardware and software are no
54
CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS
longer supported by the manufacturer. He said that the City and
County of Honolulu's Water Supply has just completed
procurement of a new Oracle Utilities system that will be used for
water billing for Honolulu, Maui, and Kauai counties. He said that
Maui and Kauai counties are not being required to pay for the
system, and the application will be installed on a Microsoft SQL
server. He stated that the estimated timeframe for implementation
of the new Oracle Utilities application is 18 months. He said that
the primary financial application used at the City and County of
Honolulu's Water Supply is JD Edwards One World, which was
recently acquired by the Oracle Corporation. Although the Oracle
Utilities system has been selected for utility billing on the neighbor
islands, any potential system should still be reviewed in detail to
make sure that it meets the needs and requirements of Hawai'i
County's Department of Water Supply and will efficiently and
effectively automate its business processes (such as integration
with its General Ledger module).
In addition to the selection of a system, the proper configuration of
a financial and utility billing system is extremely important to
meeting the business needs and requirements of an organization.
There are numerous examples of businesses purchasing leading
financial and utility billing systems, and then having major issues
arise regarding system configuration due to insufficient project
planning and needs analysis. Completion of business process
mapping and process improvement prior to procurement of the IT
application would help to ensure that the application is capable of
being successfully implemented as well as capable of meeting
business needs.
Inefficient business automation within its IT financial systems has
many impacts on the overall efficiency and effectiveness of the
Department of Water Supply. For example, employees must
complete more work, or more employees must be hired to support
the workload created by inefficient processes. Customers may be
required to wait longer as inefficient or manual processes are
completed. Manual transactions cannot undergo system error -
checking processes. Key decision - making information is either
not available or must be manually compiled, which may result in
less than timely management decisions based on misinformation
or incomplete information.
RECOMMENDATION It may be possible to remedy the current inefficiencies with the
Department's financial systems by consolidation, integration, and
configuration of its existing systems. DWS should consider
contracting with Harris Computer Systems to automate manual
receipt processes; automate posting from PUBS to the Select
Financial System; facilitate water commitment transactions; and
improve reporting. DWS should also map business processes
and assess the potential for automating processes with the current
financial and utility billing systems.
55
CHAPTER 5: INFORMATION TECHNOLOGY (IT) FINANCIAL SYSTEMS
If the inefficiencies with current financial systems cannot be
remedied with integration and configuration changes, DWS should
consider procurement of a new integrated financial and utility
billing system. Any procurement should include an in -depth
business needs and requirements analysis, and preferably an on-
site visit and review of the working system at a comparable
municipal water utility company.
Because the selection of a financial /utility billing system will have
such a profound impact on the future efficient operations of the
Department of Water Supply, great care should be taken in
determining IT system requirements and evaluating any
prospective systems. At a minimum, DWS should evaluate the
leading software financial applications, including SAP, Oracle, and
PeopleSoft. Leading systems have successfully been deployed at
numerous comparable sites. SAP and Oracle both have products
for the business role of water utility billing. Gartner Group
analysts gave eMeter, Itron, and Oracle Utilities a positive rating
for meter data management products. Microsoft Dynamics,
formerly Great Plains, is an additional vendor with utility billing
capabilities.
Criteria: The Control Obiectives for Information and related
Technology ( COBIT) Framework:
Published by the IT Governance Institute (ITGI), COBIT provides
a detailed set of controls and control techniques for the
information systems management environment, including
performance measurements that identify how well the IT function
is supporting business requirements. A key benefit of IT financial
systems is to effectively and efficiently automate financial
transactions and processes.
56
CHAPTER 6
CONCLUSION
CHAPTER 6: CONCLUSION
This limited scope performance audit of the Department of Water
Supply (DWS) found current internal controls relating to cash
handling and financial information technology (IT) systems to be
inadequate based on criteria established by various professional
accounting associations, including the U.S. Government
Accountability Office (GAO); Government Finance Officers
Association (GFOA); Information Systems Audit and Control
Association (ISACA); and Committee of Sponsoring Organizations
of the Treadway Commission (COSO).
DWS has yet to appropriately develop and implement financial
and operational controls necessary to sufficiently reduce the risk
of internal improprieties or illegal acts related to its financial assets
and information systems. Such internal control deficiencies
permitted a theft by a DWS cashier to go undetected for possibly
more than 12 years, ultimately resulting in the conviction of the
responsible employee who has paid restitution in the amount of
$78,868.40. While the DWS Finance Division responded to
discovery of the theft by proposing policy and process
improvements to cashiering activities in its Customer Service
Branch, the DWS Administration has yet to fully implement them,
and as a result, cash handling controls remain insufficient to
prevent and detect mishandling or misappropriation of customer
payments in a timely manner. While the amount of the theft may
not have been considered material, the occurrence of theft does
not appear to have served as a sufficient "red flag" to the
Department to initiate a comprehensive risk assessment of its
financial operations and systems and implement industry -
recommended financial and operational controls to reduce future
risks and better safeguard assets. Another area of significant
concern is the Department's lack of proper financial IT system
controls, which increases the risk of potentially larger financial
misappropriations or improprieties occurring without timely
detection.
To improve accountability and transparency in its financial
operations, DWS needs to assess all relevant risks to its cash
assets and financial IT systems; identify appropriate preventive
and detective controls for its cash handling and financial IT
operations; develop and implement written policies and
procedures for industry- recommended control activities (including
segregation of duties; verifications and reconciliations of all
transactions; accurate, timely, and complete financial reporting;
secure password and access right protocols; and regular
57
CHAPTER 6: CONCLUSION
monitoring of financial operations and systems at all levels and in
all functions); communicate policies and procedures to all affected
employees so they understand their roles in the internal control
system and the consequences for failed compliance; establish a
continuous review process that identifies new or changing
financial and operational risks, updates control activities to
minimize risks, and implements updated policies and procedures
in a timely manner; and provide its Finance Division with the
optimum combination of personnel and automated financial IT
systems to permit the Waterworks Controller and Assistant
Waterworks Controller to carry out their responsibilities in an
effective and efficient manner.
In its response to audit recommendations, DWS generally agreed
with audit findings, stating that: "Overall, this report provides an
excellent opportunity for us to update and improve controls in the
department." However, DWS cited current workloads and
upgrade costs for improvement of financial management and
billing procedures and systems as challenges to the early
implementation of audit recommendations, which working
conditions were acknowledged by auditors in the report. The
Legislative Auditor's Office is currently facilitating the process
mapping by DWS personnel of its cash handling procedures,
emphasizing the necessity for the Department to conduct a global
risk assessment of all of its revenue - generating activities from
levying to collection of receivables as a basis for the Department's
development of relevant internal control policies and procedures.
Ownership of internal control systems and procedures by the
Department, its Manager, and its Board is an essential first step to
a collective understanding that internal controls are interrelated
and must be addressed in all functions and at all levels within the
Department, including the interface between cash - handling
activities and financial IT capabilities and the risks associated with
both.
The COSO Internal Control — Integrated Framework states that:
"Control environment factors include the integrity, ethical values
and competence of the organization's people; management's
philosophy and operating style; the way management assigns
authority and responsibility and organizes and develops its
people; and the attention and direction provided by its board of
directors." Therefore, DWS cannot rely solely on the annual
external financial audits mandated by the Hawaii County Charter
to detect and report on all financial deficiencies and recommend
improvements to all financial controls, since external auditors only
opine on matters of materiality based on annual financial
statements taken as a whole. Ensuring that assets are properly
safeguarded and effectively, efficiently, and economically
expended for their intended purposes is the responsibility of the
Water Board and its Manager. Fundamental to meeting this
responsibility is the establishment by the Water Board and its
W
CHAPTER 6: CONCLUSION
Manager of a proper control environment that provides the
necessary discipline and structure within DWS and sets the
foundation for an adequate system of internal controls.
The COSO Internal Control — Integrated Framework also states
that: "Internal control systems need to be monitored — a process
that assesses the quality of system performance over time...
Internal control deficiencies should be reported upstream, with
serious matters reported to top management and governmental
leaders." Therefore, it is imperative that County managers and
leaders (including the Mayor and Council as well as Boards and
Commissions) expand their operational missions of providing
public services to include the safeguarding of public assets
through effective risk management and internal control systems.
Colleen M. Schrandt
Legislative Auditor
June 2010
59
DEPARTMENT OF WATER SUPPLY RESPONSE
DEPARTMENT OF WATER SUPPLY • COUNTY OF HAWAII
345 KEKOANAO'A STREET, SUITE 20 • HILO, HAWAII 96720
TELEPHONE (808) 961 -8050
FAX (808) 961 -8657
June 16, 2010
o
m
Colleen Schranch
°7m
Legislative Auditor
Office of the Legislative Auditor
p
25 Aupuni Street
S
"
Hilo, Hawaii 96720
r
RE: LIMITED SCOPE PERFORMANCE AUDIT
Dear Ms. Schrandt
Thank you for the opportunity to respond to your audit of our cash handling and financial
IT systems. You provided excellent recommendations for improvements in both systems.
We provided some background information for each of the systems you examined before
commenting on specific findings-
Chapter 4.Cash Handling System
The existing cash handling; system has been in place since 1968 when our first cashier
position-was created. At that time, revenues and customers totaled approximately
$900,000 and 12,500, respectively - Today, the department's cashiers collect
approximately $39;0.00;000 from 41,000 customers while the number of cashier positions
has only incrc:ased'-to 2. `I'his'is -an examplc ofthe department's efforts to conform to its
mission statement which is "to provide safe and dependable drinking water at a
reasonable cost." Unfortunately, our focus on controlling costs impacts our ability to
provide for certain internal controls.
Page; 27..SeLrcgation of duties between opening; and posting of mail- in „paymments is
inadequate,
Agree with Legislative Auditor's finding. If there is a weakness in our cash handling, it is
on the front end when mail is received. Use of a receptionist to prepare an initial
accounting; of the mail for comparison to subsequent posting totals or use of a lock box
service are solutions that we investigated after a cashier's theft was discovered. We put
off implementing either solution due to obstacles such as conflicts with existing'. workloads, the volume of payments received by mail, available manpower, arid cost. We
will reevaluate these options.
Water, Our Most Precious Resource ... Ka Wai A Kau...
The Oepartmenl of Water Supply is an Fqu al OpFxxtunity INovidei and empaoye ..
• E
DEPARTMENT OF WATER SUPPLY RESPONSE
June 16, 2010
Page 2
For your information, our research into the lock box solution estimated the following
additional costs and requirements:
1) $30,O00 per year in additional bank fees;
2) $6,000 to redesign our water bill and create an interface for our billing system to
accept electronic payment detail from the bank; and
3) $1,000 to adjust our mailing equipment to accommodate a revised water bill and
envelope layout_
On October 20, 2009, we implemented the hollowing procedures, among others, that
prevents the kind of theft that occurred from happening again:
1) Cashing of checks was stopped.
2) Checks and cash from walk -in customers and mailed in payments are balanced
separately on a daily basis.
3) Daily collections are reconciled by cash and check to the daily cash packet and
bank deposit.
Page 27 Oversight and monitoring of the mail -in payment process by Finance Division
managers is inadequate.
This is essentially a restatement of the finding described on page 25. See comments
above.
Page 29 Physical securi ty over mail -in checks Burins., the payment pasting.prncgs.s is
inadequate.
Agree with Legislative Auditors finding. While access to the cashiering section is now
restricted, a locked container for mail provides better physical security during working
hours. We will investigate how locked containers can be situated in the cashiering area
for storage.
Gage 30 Cash handling procedures for walk -in and mail -in payments are not consistently
formalized in writing or enforced in all offices of the Customer Service Branch.
Agree with Legislative Auditor's finding. We will reevaluate and formalize written
procedures to ensure an adequate audit trail and consistency. We will also work to make
sure cashiers in District offices understand and follow the procedures for rash can
assignments.
Page 32 Computer system security at walk -in customer service payment windows is
inadequate.
Agree with Legislative Auditor's finding. With the creation of the department's
Information Systems Branch, more expertise is available for improving log -in security.
61
DEPARTMENT OF WATER SUPPLY RESPONSE
June 16, 2010
Page 3
Page 33 Control procedures relatingtp,cvmputer passwords and logins�are not
consistently formalized in writing or enforced in all offices of the Customer Services
Branch.
-1-his is essentially a restatement of the finding on page 32. See comments above.
Page 34 Segregation of cash handling duties at District Offices is not regularly monitored
for proper controls.
`'he department long ago analyzed the duties at the District offices as well as those for
backing up cashiers in Hilo. We do not feel our small offices in Waimea and Kona lend
themselves to the degree of segregation recommended. These offices perform a variety of
work without the volume to justify having separate people performing singular functions.
Normal vacation and sick leave absences further limit available personnel on a regular
basis. The Customer Service Representative I I in each District office has always served
as primary cashier responsible for deposits and related reporting.
Our arrangements for backing up cashiers in Hilo were established primarily to provide a
segregation of duties between those who create accounts (customer service
representatives) and those who post payments to accounts (cashiers). Our intent is to
prevent one person from posting payments to fraudulent accounts and generating refunds
or credit balances. By using supervisors to back -up cashiers, we have more flexible and
accountable people filling in for the cashiers. All transactional changes processed by
Customer Service supervisors are approved by the Waterworks Controller-
Pape 36 Water billinju transactions are not submitted to a "real time" financials stem to
ensure efficient recording, pmcessing, reconciling, monitoring, and reporting of all
Gusto mcr5_payments,
Unfortunately, batch processing is the way our billing system works and cannot be
changed without substantial cost and effort. Any risks need to be addressed by other
controls. Part of those controls we believe were put into place on October 20, 2009 when
we began reconciling collections, cash and check, to the daily deposit. Further
recommendations in this finding restate those found on pages 25, 30, 32, and 33. See
comments above.
Page 38 Other revenue - generating acti.vities and transactions originating-.in other DWS
Divisions are not submitted to an integrated financial system to ensure efficient
recording processing rccnncilinr�_ monitor %ng, and,_repartin r of a!I_ customer assessments
and payments.
While we agree that we do not have all our revenue processes documented on paper (we
are in the process of putting process maps together with your help), that does not mean
controls are not in place for the different kinds of funds collected by the department. Our
primary source Of funding is from our billing cycle. All other funds come from a variety
of sources with intermittent frequency under the control of other divisions. Our role is to
62
DEPARTMENT OF WATER SUPPLY RESPONSE
June 16, 2010
Page 4
record amounts when collected which you indicate "we appear to have adequately
safeguarded and addressed."
The department's other significant source of funds is collected by the Engineering
division and relates to water commitments and facilities charges. Both types of funding
are documented by written correspondence between the division and the developers or
customers regarding amounts due and received; which we believe provides assurance that
significant funds due the department are being assessed, collected, and recorded properly.
We recognize, however, that improvements can still be made by reconciling "triggering
documentation" against "financial documentation" and will investigate incorporating
such procedures into what we are doing.
The recommendation to automate manual receipts in theory makes sense if we had
problems with what we are doing now. But we have not had any problems with the
manual system we have in place nor do we see any efficiencies that would be gained. We
average 10 manual receipts a day between the Hilo, Waimea, and Kona offices which is
not enough volume for us to consider setting up cash registers to operate and maintain at
each location.
Finally, we believe our monthly bank reconciliations provide a high level of assurance
that what we receive, whether receipted manually or otherwise, is recorded properly, and
what was recorded, was deposited in the bank. This is the essential information a bank
reconciliation provides and addresses the recommendation regarding posting of receipts
and confirmation of deposits.
Page 40 rf'he Department of Water Supply's overall control environment is inadequate.
We believe the changes we've implemented in our cash handling processing beginning
October 20, 2009, have mitigated significant areas of risk_
Further, we have always prepared monthly bank reconciliations which are a significant
control over collections and bank deposits.
But we agree improvements can still be made as indicated by our response to previous
findings. We believe what we have put in place so far, combined with what still can be
done, will provide an optimal control environment.
Chanter S Information Technology (IT) Financial System
in 1999, the department replaced an old AS400 based accounting system with an
integrated financial management system that included modules such as general ledger,
payroll, inventory, purchasing, accounts payable, bank reconciliation, and billing. Hidden
within the benefits of this new technology was the responsibility for maintaining a new
operating system which the department was not prepared for, especially after all 3 people
63
DEPARTMENT OF WATER SUPPLY RESPONSE
June 16, 2010
Page 5
in the division's data processing section retired at more or less the same time. Two
clerical positions were subsequently tilled but the more important programmer position
was not in an effort to reduce costs. System administration became the responsibility of
the Waterworks Controller at that point. Over time and with the help of outside
contractors, we were able to perform basic system administration duties such as creating
new users, reviewing error logs, and replacing damaged hard drives but documenting
policies and procedures and password maintenance were not a priority.
In 2008, the department created an Information Systems Branch so that staff with IT
backgrounds could begin managing the department's electronic resources. We have
started to redistribute IT responsibilities accordingly.
Page 44 Segregation of financial systems duties is insufficient.
Agree with Legislative Auditor's finding. We have already started moving system
administration functions for the financial system to the InForrnation Systems Branch.
Page 45 Policies and procedures relating to financial systems security, passwords, access
rights, backups, and disaster recovery are insufficient.
Agree with Legislative Auditor's finding_ When the lnfnmration Systems Branch has
taken over system administration for the financial systems, such policies and procedures
can be addressed.
Page 50 Security for the local area and wide area networks providing connectivity to the
IT financial and non - financial systems appeared sufficient.
Agree with Legislative Auditor's finding. Such policies and procedures are under
development by the Information Systems Branch,
Page 51 Processes to monitor, report, and review systems activities are insufficient.
Agree with Legislative Auditor's finding. The Assistant Waterworks Controller will start
reviewing adjustments entered by Customer Service supervisors as part of our review of
daily cash packets and deposits_ The Waterworks Controller does not process any
transactions that are not prepared by others.
Pa, a 52 Systems integration is insufficient to provide automated systems reconciliation
and combined reporting of financial transactions_
In theory, systems integration is something we agree should be pursued to the extent
possible. In reality, our expertise in developing interEtces between 3 different information
systems is nonexistent. -There are loo many complications and unknowns for us to even
attempt integrating proprietary software. To Our credit. we have developed procedures,
manual though they may he, we feel allows us to reconcile and
0
DEPARTMENT OF WATER SUPPLY RESPONSE
June 16, 2010
Page 6
resolve discrepancies on a timely basis, despite the assumption that problems exist for us
in this area.
The water commitment system mentioned in this finding is a very unique application
residing on an old AS400 server. The data base includes information on various
developers, parcels of land, and amounts paid for water commitments. A reconciliation
between the amounts recorded in this system and the general ledger is performed
annually in conjunction with the department's annuaQ audit. We have not had any
problems reconciling these two systems nor does it take an unreasonable amount of time.
The Engineering division of the department is responsible for monitoring and recording
water commitment activity on the AS400. All activity on the system is supported by
written correspondence between the division and developers and serves to provide
assurance that amounts due the department are computed, assessed, and collected in a
timely manner_ As previously mentioned, however, we recognize that improvements can
still be made by reconciling "triggering documentation" against "financial
documentation" and will investigate incorporating such procedures into what we arc
doing.
An interface between P[JBS and our Select general ledger exists but is not used because
of the uncertainty that surrounded its use. We were not convinced the interface could be
used without introducing risk of contamination to both data bases. Manually recording a
journal entry and controlling the infortation between the systems was more important to
us than automating the entry. Because the interface was only generating summary journal
entries of billing activity, we do not feel we are losing information or time with a manual
entry.
Page 54 Existing IT_financial systems are inefficient for automating business processes.
This finding repeats the concerns found on pages 38 (manual receipts) and 52 (system
integration). See comments above.
This finding goes on to say that "these manual receipts also create a financial
environment where cash, check, and credit card receipts are more difficult to track and
reconcile." We do not believe this to be the case as we have been reconciling these items
on a monthly basis without any problems. We contend that our monthly bank
reconciliation provides a high level of confidence in "the existence and completeness of
transactions and the reconciliation to all transactions made in the multiple financial
systems and recorded on various manual receipts." We recognize, however, that more
assurance can be obtained by reconciling the water commitments system to the general
ledger more frequently and will investigate incorporating such procedures into what we
are doing.
65
DEPARTMENT OF WATER SUPPLY RESPONSE
June 16, 2010
Page 7
We agree that a better financial management and billing system is needed, but the cost
and effort involved with such a change is substantial. There are good options available
for the department as listed which will continue to be explored.
C one- ILicinn
We appreciate the Legislative Auditor mentioning the working conditions under which
we operate because it puts the findings in this report into context. Work loads do not
allow us to give all issues the attention needed and so we prioritize. Priorities in the
Finance division are:
a) Keeping computer applications on -line and making sure people have access to the
applications they need (pa�^roll, billing, accounts payable, purchasing, general
ledger, cashiering, customer service, meter reading)_
b) Accuracy and timeliness of financial and budgetary reporting.
c) Supervision and safety of employees.
d) Compliance with laws.
e) Minimiving cost.
Still, we believe we can do better and will make an honest effort to implement the
recommendations we consider applicable. We estimate the recommendation on page 25
could take up to 2 years to implement depending on what is done, while others can be
implemented more readily. Overall, this report provides an excellent opportunity for us to
update and improve controls in the department.
Si erely,
Milt n T. Pavao
L Ma ge
••