HomeMy WebLinkAbout2010-01-ES Executive Summary - Limited Scope Performance Audit of Department of Water Supply's Internal Controls for Cash Handling and Financial IT Systems
Limited Scope Performance Audit of the Department of Water Supply’s
Internal Controls for Cash Handling and Financial Informational Technology (IT) Systems
EXECUTIVE SUMMARY
This limited scope performance audit was performed in accordance with Hawai‘i County Charter
section 3-18 and Generally Accepted Government Auditing Standards (GAGAS). The
Department of Water Supply was designated for review based on a County-wide risk
assessment conducted by the Office of the Legislative Auditor in FY 2007-2008.
DEPARTMENT OF WATER SUPPLY
Hawai‘i County Charter article VIII provides for a semi-autonomous Department of Water Supply
(DWS) consisting of a nine-member Water Board, a Manager, and necessary staff, and
establishes a separate Water Fund to be utilized solely for water purposes that includes
revenues from the operation of the County’s water system and State and Federal water grants
or appropriations.
AUDIT SCOPE
During the audit entrance conference, DWS management stated that it had discovered a theft of
money in the Customer Service Branch of its Finance Division; the employee responsible had
been terminated; and the illegality had been reported to appropriate County of Hawai‘i officials
for investigation. The complaint filed by the Prosecutor’s Office charged that a theft had
occurred “on or between July 1, 1997 through August 15, 2009”, in a continuing course of
conduct.In a no contest plea, the employee agreed to pay restitution of $78,868.40, which
County officials confirm has been reimbursed to DWS. The employee was convicted of Theft in
the First Degree. On the request of DWS management, the Legislative Auditor’s Office agreed
to focus our examination on the adequacy of current internal controls relating to cash handling
and financial information (IT) systems within the DWS Finance Division and Information
Systems Branch. The audit period covers July 1, 2008 through February 28, 2010.
AUDIT OBJECTIVES
Assess the control environment, including management’s policies and procedures for
establishment and maintenance of an effective internal control system.
Assess the adequacy of internal controls relating to cash handling activities.
Assess the adequacy of internal controls of systems and application activities relating to
financial IT systems.
AUDIT METHODOLOGY
Review of DWS documentation and practices; County and State laws and records; and
government best practices relating to cash handling and financial IT technology.
Interview and observation of Hawai‘i County personnel, and interview of Honolulu City and
County personnel and financial IT systems experts.
AUDIT CRITERIA
Government Auditing Standards (July 2007 Revision), also known as Yellow Book,
published by the U.S. Government Accountability Office.
Internal Control Criteria:
Committee of Sponsoring Organization Internal Control (COSO) Integrated Framework.
o
Government Finance Officers Association (GFOA) Recommended Practice: Revenue
o
Policy – Cash Receipts Policy (January 2007).
Sarbanes-Oxley (SOX)– Segregation of Duties Matrix.
o
Information System Audit and Control Association (ISACA) – IT Segregation of Duties
o
Matrix, and Security and Business Continuity Plans.
Control Objectives for Information and related Technology (COBIT) Framework.
o
GENERAL FINDINGS
In response to its discovery of employee theft, DWS proposed significant policy and process
improvements to its cash handling activities, but has yet to fully implement all proposed controls.
As a result, current cash handling practices (including security of cash assets; reconciliation of
transactions; financial reporting and documentation; segregation of duties; and management
oversight) are still insufficient to prevent and detect mishandling or misappropriations of
customer payments in a timely manner. In addition, current financial IT systems controls
(including protocols for security, access rights, back-up, and disaster recovery; automation of its
operations; and integration of its financial systems and financial reporting capabilities) are also
insufficient to prevent and detect potentially larger financial misappropriations or other
fraudulent activities in a timely manner.
CASH HANDLING – RECOMMENDATIONS
Control Environment: DWS must assess all risks to its cash assets; identify preventive and
detective controls relating to its cash handling processes; and develop and implement formal
written policies and procedures to regularly monitor cash handling operations at all levels and in
all functions within its Finance Division.
Security of Customer Payments/Segregation of Duties: DWS needs to secure all customer
payments in lockable cash boxes in secure locations to prevent or deter mishandling and
misappropriation. Each employee with cash handling duties should be assigned a separate
cash box and separate login or password to the Public Utility Billing System (PUBS). DWS also
needs to reassess its combining of cashiering and customer service duties in District offices.
Reconciliation of Transactions: DWS needs to provide audit trails for all PUBS transactions
processed by each Cashier and review all transactional changes authorized by Supervisors.
DWS needs to record and track customer payments from their first point of receipt (by payment
type/number/amount) for independent reconciliation to customer payments posted to customer
accounts and daily bank deposits (by payment type/number/amount).
Financial Reporting: DWS needs to be able to track all water billing and other revenue-
generating activities and transactions to ensure the completeness and accuracy of its financial
data and the proper collection of all fees owed. DWS should also consider automating its
manual receipt processes to gain further efficiencies.
IT FINANCIAL SYSTEMS - RECOMMENDATIONS
Control Environment: DWS should complete a thorough risk assessment of its financial IT
systems and related processes; document any control deficiencies; and develop and implement
formal written policies and procedures to regularly review and audit financial transactions and IT
system changes at all levels and in all functions within its Finance Division and Information
Systems Branch.
IT System Integration: DWS has three financial IT systems – the Public Utility Billing System
(PUBS), Select Financial System, and Water Commitment System – which are separately
maintained and not integrated. If current inefficiencies cannot be remedied with integration and
configuration changes, DWS should consider procurement of a new integrated utility billing,
2
financial, and water commitment system. DWS should also evaluate options for automating its
business functions to improve posting between its utility billing and financial systems; tracking of
water commitments and other revenue-generating transactions; and reporting on its manual
receipt processes.
IT Security Policy: DWS needs to develop and implement a formal written IT security policy. All
employees with financial IT access should have individual logins and should not share
passwords. IT settings should require password changes on a regular basis, and automatic
lockouts after a specified period of nonuse. IT administrator access rights should be limited,
and IT system changes should be accompanied by audit trails that are reviewed for proper
authorization. All financial IT servers should be locked in an air-conditioned server room with
restricted employee access.
IT Recovery and Business Continuity Plans: DWS needs to develop and implement formal
written back-up and retention policies for its financial IT systems. Back-up tapes should be
stored off-site in a secure location outside the tsunami zone, and restoration from back-up tapes
should be routinely tested to ensure that critical systems can be restored. DWS also needs to
develop a concise business continuity plan to address continuation of operations in the
aftermath of various business disruption and disaster scenarios.
Segregation of Duties:The function of financial IT system administrator should be moved from
the Waterworks Controller, who currently also serves as financial IT application administrator, to
multiple employees in the Information Systems Branch.
DWS RESPONSE
The Department of Water Supply generally agreed with audit findings, stating that: “Overall, this
report provides an excellent opportunity for us to update and improve controls in the
department.” However, DWS cited current workloads and upgrade costs for improvement of
financial management and billing procedures and systems as challenges to the early
implementation of audit recommendations, which working conditions were acknowledged by
auditors in the report.
CONCLUSION
The Water Board and its Manager are responsible for establishing a proper control environment
within the Department of Water Supply that provides the discipline and structure required to
properly account for customer monies and other cash assets. Fundamental to meeting this
management responsibility is the establishment of a continuous review process that identifies
new or changing financial and operational risks; updates internal control activities to minimize
risks; and implements updated policies and procedures in a timely manner. Policies and
procedures need to be clearly communicated, so employees understand their roles in the cash
handling and financial control systems as well as the consequences for failed compliance. In
addition, the Water Board and its Manager must provide the optimum combination of resources
within its Finance Division – including personnel and automated financial IT systems – to ensure
the completeness, accuracy, and timeliness of its financial information. It is imperative that
County officials expand their operational missions of providing public services to include the
safeguarding of public assets through effective risk management and internal control systems.
Colleen M. Schrandt
Legislative Auditor
County of Hawai‘i
June 2010
3