KAREN E. RUSHING. Clerk of the Circuit Court and County Comptroller. Limited Review of. Controls over Backflow Test Billing. Environmental Utilities


KAREN E. RUSHING
Clerk of the Circuit Court and County Comptroller

Limited Review of Controls over Backflow Test Billing
Environmental Utilities
Integrated Water Division

Audit Services
Karen E. Rushing, Clerk of the Circuit Court and County Comptroller, Ex Officio County Auditor
Lori Brooks, CPA, CIA, CGAP, CRMA, Director of Internal Audit

Audit Team
Paul F. DeLeo, CPA, CISA, Information Systems Auditor

May 28, 2013

TABLE OF CONTENTS

Executive Summary
Audit Results
Opportunity for Improvement

Executive Summary

As requested by the County Administrator, the Clerk of the Circuit Court and County Comptroller's Internal Audit Department has conducted a limited review of controls over backflow test billing. Various issues over the past several years have led to incorrect billing and credit adjustments to utility customer accounts. As a result of our review, we have determined the design of internal controls for utilities billing does not ensure adequate segregation of duties between the initiation and authorization of adjustments to customer accounts.

Previously, Internal Audit completed an audit of the Backflow Prevention Program in June, Our prior report noted that the significant expansion of service has put a strain on staff resources and in turn impacted the control structure through the absence of formal procedures, criteria and monitoring activities. We stated that monitoring and reporting mechanisms could be implemented to evaluate key processes and staff to promote accuracy, efficiency and effectiveness.

Additionally, in the 2009 Comprehensive Annual Financial Report (CAFR), the external auditors cited a similar control deficiency. The auditors recommended management of the Utility System implement a formal review and approval process for adjustments to customer accounts, including the implementation of a control procedure whereby the Utilities Technology Manager reviews the supporting documentation for each adjustment on a daily basis. The 2010 CAFR indicates the finding was cleared, noting corrective action had been implemented.

The aforementioned procedure, however, was not sufficiently comprehensive to also address adjustments to customer accounts made by the billing system vendor, at the direction of the Utilities Technology Manager. This oversight in the process was not recognized until thousands of customers had been issued credits for backflow preventer tests that had been billed, but not performed in the prior year. These credits were issued at the direction of the Utilities Technology Manager, with no additional oversight or approval of the credits or their accuracy outside the business unit. The result was a large number of erroneous credits issued to customer accounts.

The root cause was employees' relative inexperience with similar scenarios, coupled with previously unidentified inconsistencies in customer data recorded separately in two systems; and inadequate reconciliation processes that failed to detect this. Enterprise Information Technology (EIT) management is working with Utilities personnel to determine the adjustments necessary to rectify the problem.

The above scenario illustrates the potential unintended consequences that can result from allowing business units to self-manage their information systems. Establishing a more centralized IT governance process would enable EIT and business unit management to work together to provide input and make decisions that are most advantageous for the organization as a whole.

Summary and Results

The Clerk of the Circuit Court and County Comptroller's Internal Audit Department has completed an audit of the Backflow Preventer Testing Program. The purpose of the audit was to identify internal control deficiencies that led to erroneous credits to customer accounts.

The audit was planned and conducted in accordance with Generally Accepted Government Auditing Standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

As a result of our review, we have determined the design of internal controls for utilities billing does not ensure adequate segregation of duties between the initiation and authorization of adjustments to customer accounts. Potential unintended consequences may result from allowing business units to self-manage their information systems. Establishing a more centralized IT governance process enables EIT and business unit management to work together to provide input and make decisions that are most advantageous for the organization as a whole.

Background

To comply with Florida Department of Environmental Protection (FDEP) and Florida Department of Health (FDOH) rules, each Florida utility must implement a cross-connection program to prevent cross-connections and backflow into the public water system. In particular, the utility is responsible for the record keeping, compilation and reporting of the requisite annual tests that must be performed on the customer's backflow device. It is the owner's responsibility to have their device tested annually and provide a report to the utility indicating it is functioning properly.

In 2007 Sarasota County created a Backflow Preventer Testing Program, in an effort to assist utility customers in fulfilling their obligations under the rules. Customers were given the opportunity to have the County provide the annual testing and have the cost included in their monthly utility billing.

Several events over the past few years resulted in erroneous charges, and related credit adjustments, for backflow device testing never completed. Additionally, some credit adjustments were issued in error. On or about April 9, 2013, after being contacted by a customer eligible for a backflow test charge credit who had not yet received it, Utilities Management researched and discovered many utility accounts should have received credits but did not. Additionally, they learned many accounts, which received credit adjustments in February 2013, may have received the credit in error.

As a result, management requested a staff member perform comparisons of the data files that were used to create the credit adjustment file sent to Sungard (vendor that provides the billing system) for processing. Subsequently, in April 2013, staff provided Utilities Management with a report showing possibly 3000 of 8000 duplicate credit records, indicating some customers received credits in error. It was later determined a staff member made a mistake using Microsoft Excel to identify customer accounts eligible for credits. This error resulted in approximately $100,000 in erroneous credits to customer accounts.

Audit Objectives, Scope and Methodology

The objective of our audit was to determine the circumstances leading to billing errors that affected thousands of customers. While performing the review, we found that previous audit recommendations, intended to prevent problems like this, had not been fully implemented. The common root cause was a deficiency in IT governance practices resulting from business units' autonomy in managing their information systems. The scope of the review covered activities occurring in fiscal years 2008 through

During our review, we performed the following procedures:

- Obtained an understanding of the backflow preventer testing program and the County Administrator's concerns about erroneous credits issued to customers.
- Ascertained that a vendor (Sungard) maintains and supports the billing application (HTE/Naviline) using their IT infrastructure and it stores customer data within a database maintained by EIT on the County's IT infrastructure.
- Interviewed Utilities management and staff directly involved in the issuance of credits.
- Searched archive system for messages that corroborated key aspects of interviewees' explanation of events related to the issuance of erroneous credit adjustments.
- Observed Utilities and EIT managers perform a detailed analysis of issues associated with the erroneous credits and develop a tactical plan for addressing them.
- Met with EIT management to validate auditor's perception of sub-optimal and inconsistent control practices resulting from business units' autonomy in managing their information systems and Internal Audit's proposed solution.
- Met with EIT and Administration leaders to discuss Internal Audit's forthcoming IT governance recommendations.

Opportunities for Improvement

The audit identified the following main areas of focus for improved management controls:

- County-wide IT Planning and Governance
- Segregation of duties related to non-routine system and data changes
- Reconciliation of backflow prevention device testing and related customer billing

Utilities personnel were tasked with designing and operating a Backflow Preventer Testing Program. Although knowledgeable in their field of expertise, most, if not all, had relatively little prior training and experience in system requirements analysis and design. The resulting technology solution, ultimately implemented, lacked a process for automatically reconciling data maintained separately in the billing system and the work order management system. Additionally, the County's decentralized approach to information systems management precluded evaluation of whether using Maximo was the optimal solution, when considered in the context of an enterprise-wide strategic IT plan.

A critical issue identified by Internal Audit is the absence of an enterprise-wide policy prohibiting managers from unilaterally deciding to make non-routine changes to financial data and/or system configuration (either directly or through a third party). We recommend that a formal policy be implemented which requires any such changes to be approved in advance by the County Administrator or his designees. To mitigate risks associated with implementing a non-routine change, management should consider requiring testing and rollback plans as prerequisites for approval. Approved changes to financial data should be well documented and readily available for auditors' potential review.

Maximo, HTE/Naviline and any other system that transfers data to/from these systems should participate in EIT's recurring Change Advisory Board (CAB) meetings. ITIL, a widely accepted framework of good practices for managing IT operations, offers a potential means of avoiding such a situation via Change Advisory Board (CAB) meetings. These facilitate communication, approval and scheduling of proposed changes to these systems and reduce the risk of authorized changes adversely affecting other processes and/or systems. System administrators or others considered to be Subject Matter Experts (SMEs) for an enterprise's systems convene to discuss proposed changes and potential dependencies or conflicts with other systems or processes, verify completion of prerequisites such as having a rollback plan, and then approve and schedule these changes.

The department responsible for maintaining Maximo does not use an issue tracking system to enable users and system administrators to record incidents, problems and changes made to the system. As such, it would be very difficult to identify the cause of this or other related problems that occurred five years ago.

Managers of departments that maintain their own systems should consider adopting EIT policies and procedures relevant to their systems. EIT could conduct training sessions for employees of other departments who have a role in maintaining information systems or managing these employees.

Other Observations

Sarasota County Ordinance requires all tested backflow preventers be labeled or tagged by the tester with numbered labels or tags supplied by the County. This led to confusion about program participation. As such, the County no longer supplies these tags to licensed testers for use on devices of customers opting out of the County's backflow testing program. The County is not in compliance with current ordinance language.

Audit Recommendations:

Internal Audit recommends County Management:

1. Strengthen IT governance and strategic planning by continuing to transition responsibility for the maintenance and support of business units' information systems back to EIT.
2. Establish an enterprise-wide policy requiring pre-approval of non-routine changes to production data or system controls by the County Administrator or his designees.
3. Consider discontinuing the monthly customer billing for testing and bill customers in full only after testing has been performed.
4. Require that Maximo support requests be recorded in EIT's issue tracking system.
5. Consider revising the Sarasota County Ordinance language to be consistent with current practice.