Loading...
HomeMy WebLinkAbout2010-01-ES Executive Summary - Limited Scope Performance Audit of Department of Water Supply's Internal Controls for Cash Handling and Financial IT Systems Limited Scope Performance Audit of the Department of Water Supply’s Internal Controls for Cash Handling and Financial Informational Technology (IT) Systems EXECUTIVE SUMMARY This limited scope performance audit was performed in accordance with Hawai‘i County Charter section 3-18 and Generally Accepted Government Auditing Standards (GAGAS). The Department of Water Supply was designated for review based on a County-wide risk assessment conducted by the Office of the Legislative Auditor in FY 2007-2008. DEPARTMENT OF WATER SUPPLY Hawai‘i County Charter article VIII provides for a semi-autonomous Department of Water Supply (DWS) consisting of a nine-member Water Board, a Manager, and necessary staff, and establishes a separate Water Fund to be utilized solely for water purposes that includes revenues from the operation of the County’s water system and State and Federal water grants or appropriations. AUDIT SCOPE During the audit entrance conference, DWS management stated that it had discovered a theft of money in the Customer Service Branch of its Finance Division; the employee responsible had been terminated; and the illegality had been reported to appropriate County of Hawai‘i officials for investigation. The complaint filed by the Prosecutor’s Office charged that a theft had occurred “on or between July 1, 1997 through August 15, 2009”, in a continuing course of conduct.In a no contest plea, the employee agreed to pay restitution of $78,868.40, which County officials confirm has been reimbursed to DWS. The employee was convicted of Theft in the First Degree. On the request of DWS management, the Legislative Auditor’s Office agreed to focus our examination on the adequacy of current internal controls relating to cash handling and financial information (IT) systems within the DWS Finance Division and Information Systems Branch. The audit period covers July 1, 2008 through February 28, 2010. AUDIT OBJECTIVES Assess the control environment, including management’s policies and procedures for establishment and maintenance of an effective internal control system. Assess the adequacy of internal controls relating to cash handling activities. Assess the adequacy of internal controls of systems and application activities relating to financial IT systems. AUDIT METHODOLOGY Review of DWS documentation and practices; County and State laws and records; and government best practices relating to cash handling and financial IT technology. Interview and observation of Hawai‘i County personnel, and interview of Honolulu City and County personnel and financial IT systems experts. AUDIT CRITERIA Government Auditing Standards (July 2007 Revision), also known as Yellow Book, published by the U.S. Government Accountability Office. Internal Control Criteria: Committee of Sponsoring Organization Internal Control (COSO) Integrated Framework. o Government Finance Officers Association (GFOA) Recommended Practice: Revenue o Policy – Cash Receipts Policy (January 2007). Sarbanes-Oxley (SOX)– Segregation of Duties Matrix. o Information System Audit and Control Association (ISACA) – IT Segregation of Duties o Matrix, and Security and Business Continuity Plans. Control Objectives for Information and related Technology (COBIT) Framework. o GENERAL FINDINGS In response to its discovery of employee theft, DWS proposed significant policy and process improvements to its cash handling activities, but has yet to fully implement all proposed controls. As a result, current cash handling practices (including security of cash assets; reconciliation of transactions; financial reporting and documentation; segregation of duties; and management oversight) are still insufficient to prevent and detect mishandling or misappropriations of customer payments in a timely manner. In addition, current financial IT systems controls (including protocols for security, access rights, back-up, and disaster recovery; automation of its operations; and integration of its financial systems and financial reporting capabilities) are also insufficient to prevent and detect potentially larger financial misappropriations or other fraudulent activities in a timely manner. CASH HANDLING – RECOMMENDATIONS Control Environment: DWS must assess all risks to its cash assets; identify preventive and detective controls relating to its cash handling processes; and develop and implement formal written policies and procedures to regularly monitor cash handling operations at all levels and in all functions within its Finance Division. Security of Customer Payments/Segregation of Duties: DWS needs to secure all customer payments in lockable cash boxes in secure locations to prevent or deter mishandling and misappropriation. Each employee with cash handling duties should be assigned a separate cash box and separate login or password to the Public Utility Billing System (PUBS). DWS also needs to reassess its combining of cashiering and customer service duties in District offices. Reconciliation of Transactions: DWS needs to provide audit trails for all PUBS transactions processed by each Cashier and review all transactional changes authorized by Supervisors. DWS needs to record and track customer payments from their first point of receipt (by payment type/number/amount) for independent reconciliation to customer payments posted to customer accounts and daily bank deposits (by payment type/number/amount). Financial Reporting: DWS needs to be able to track all water billing and other revenue- generating activities and transactions to ensure the completeness and accuracy of its financial data and the proper collection of all fees owed. DWS should also consider automating its manual receipt processes to gain further efficiencies. IT FINANCIAL SYSTEMS - RECOMMENDATIONS Control Environment: DWS should complete a thorough risk assessment of its financial IT systems and related processes; document any control deficiencies; and develop and implement formal written policies and procedures to regularly review and audit financial transactions and IT system changes at all levels and in all functions within its Finance Division and Information Systems Branch. IT System Integration: DWS has three financial IT systems – the Public Utility Billing System (PUBS), Select Financial System, and Water Commitment System – which are separately maintained and not integrated. If current inefficiencies cannot be remedied with integration and configuration changes, DWS should consider procurement of a new integrated utility billing, 2 financial, and water commitment system. DWS should also evaluate options for automating its business functions to improve posting between its utility billing and financial systems; tracking of water commitments and other revenue-generating transactions; and reporting on its manual receipt processes. IT Security Policy: DWS needs to develop and implement a formal written IT security policy. All employees with financial IT access should have individual logins and should not share passwords. IT settings should require password changes on a regular basis, and automatic lockouts after a specified period of nonuse. IT administrator access rights should be limited, and IT system changes should be accompanied by audit trails that are reviewed for proper authorization. All financial IT servers should be locked in an air-conditioned server room with restricted employee access. IT Recovery and Business Continuity Plans: DWS needs to develop and implement formal written back-up and retention policies for its financial IT systems. Back-up tapes should be stored off-site in a secure location outside the tsunami zone, and restoration from back-up tapes should be routinely tested to ensure that critical systems can be restored. DWS also needs to develop a concise business continuity plan to address continuation of operations in the aftermath of various business disruption and disaster scenarios. Segregation of Duties:The function of financial IT system administrator should be moved from the Waterworks Controller, who currently also serves as financial IT application administrator, to multiple employees in the Information Systems Branch. DWS RESPONSE The Department of Water Supply generally agreed with audit findings, stating that: “Overall, this report provides an excellent opportunity for us to update and improve controls in the department.” However, DWS cited current workloads and upgrade costs for improvement of financial management and billing procedures and systems as challenges to the early implementation of audit recommendations, which working conditions were acknowledged by auditors in the report. CONCLUSION The Water Board and its Manager are responsible for establishing a proper control environment within the Department of Water Supply that provides the discipline and structure required to properly account for customer monies and other cash assets. Fundamental to meeting this management responsibility is the establishment of a continuous review process that identifies new or changing financial and operational risks; updates internal control activities to minimize risks; and implements updated policies and procedures in a timely manner. Policies and procedures need to be clearly communicated, so employees understand their roles in the cash handling and financial control systems as well as the consequences for failed compliance. In addition, the Water Board and its Manager must provide the optimum combination of resources within its Finance Division – including personnel and automated financial IT systems – to ensure the completeness, accuracy, and timeliness of its financial information. It is imperative that County officials expand their operational missions of providing public services to include the safeguarding of public assets through effective risk management and internal control systems. Colleen M. Schrandt Legislative Auditor County of Hawai‘i June 2010 3