Hastings-on-Hudson Union Free School District Risk Assessment Update FY 2015/16 & Recommended Audit Plan


Hastings-on-Hudson Union Free School District
Risk Assessment Update FY 2015/16 & Recommended Audit Plan
March 2016

June 27, 2016

Ms. Eileen Baecher
Board President, Hastings-on-Hudson School District
27 Farragut Avenue, Hastings-on-Hudson, NY

Dear Ms. Baecher:

We have recently completed our risk assessment update and recommended internal audit plan for the Hastings-on-Hudson Union Free School District (the "District") on behalf of the Board of Education and Audit Committee. Our risk assessment of District operations identified and prioritized risks in accordance with New York's Chapter 263 of the Laws of We conducted our work in accordance with standards promulgated by the Institute of Internal Auditors.

In our risk assessment update, we re-evaluated the major functional areas of District operations to determine if there were any significant changes that would impact the risk evaluation from the previous fiscal year. Based upon the results of this current fiscal year risk assessment, we have updated our proposed risk-based audit plan that is attached to this report for your review and consideration.

Our risk assessment update and corresponding recommended audit plan identified the following area as a candidate for audit:

- Purchasing and Accounts Payable

A summary for each functional area and related risk rating is attached. We are available to meet with the Audit Committee/Board to discuss the report and the recommended internal audit plan, at its convenience.

We appreciate the cooperation and assistance provided by the District's staff.

Very truly yours,

Accume Partners
1500 Broadway, Suite 903
New York, NY
accumepartners.com

Hastings-on-Hudson Union Free School District

Executive Summary: Risk Ratings Table & Chart

Functional Area | Prior Update Risk Score | Prior Update Risk Level | Current Update Risk Score | Current Update Risk Level
Budget, Financial Accounting & Reporting | 161 | Medium | 161 | Medium
Cash, Investments and Debt | 130 | Low | 130 | Low
Revenue and Accounts Receivable | 159 | Medium | 159 | Medium
Purchasing and Accounts Payable | 183 | Medium | 183 | Medium
Human Resources and Payroll | 185 | Medium | 185 | Medium
Facilities and Capital Assets | 192 | Medium | 187 | Medium
Student Services | 167 | Medium | 167 | Medium
Information Technology | 199 | Medium | 199 | Medium
Government Aid & Grants | 128 | Low | 128 | Low

[Chart: Composite Risk Ratings. Axis: Risk Score. Legend: High, Medium, Low.]

Risk Assessment Update Report

Risk Assessment Approach

We have performed an audit risk assessment update for the Hastings-on-Hudson Union Free School District ("District"), on behalf of the District Audit Committee and Board of Trustees in accordance with New York's Chapter 263 of the Laws of

A risk assessment is a systematic process for identifying and controlling risk. Risk can be defined as the possibility that something could negatively affect the District. More specifically, risk can be defined as the internal and external factors that threaten the achievement of the District's mission, goals, and objectives.

As the District's Internal Auditor, our primary responsibility is two-fold. First, Internal Audit's role is to assist the Board in ensuring that the District's risks are identified. Second, Internal Audit provides the Board and Management with a systematic assessment of risk to ensure that appropriate internal controls are in place to mitigate those risks.

The recommended internal audit plan is derived from the risk assessment. The internal audit plan summarizes the recommended audits or tests of controls the District should conduct to evaluate its risk management strategies. Effective and efficient internal controls, or risk management strategies, give the Board and Management greater assurance that the District can achieve its mission, goals and objectives. The operational effectiveness of internal controls is then tested during the internal audit.

Our risk assessment includes a District-wide analysis of the major District functions, processes, and controls. We consider qualitative and quantitative factors such as materiality to the financial statements, policies and procedures, strategic planning, and organizational change. Also, the risk assessment includes a quantitative risk rating that represents an aggregate assessment of risk relative to the financial and operating environment, information technology, governance, internal controls and compliance factors.

In the initial risk assessment, our overall goal was to determine the degree of risk within the major functional areas of District operations. This resulted in our designing an annual audit plan to focus on those areas which were most at risk. In our risk assessment update, we re-evaluated the same functional areas to determine if there were any significant changes that would impact the risk evaluation.

Internal Audit does not strictly recommend auditing only the functional areas with the highest risk rating score. Other factors affecting the recommendation include Board/Management priorities, limited resources, prior audit results, the opportunity for a greater impact in adding value to the organization, and the degree of organizational change in the functional area. All of these factors are addressed when devising the recommended audit plan.

Risk Rating Methodology

In performing our risk assessment we categorized the District into nine functional areas. We then utilized a rating methodology that takes into account sixteen quantitative and qualitative factors such as: policies and procedures; financial materiality; operational change; employee knowledge & training; internal controls; management reporting; and laws and regulations. The sixteen factors were individually weighted by relevance and importance. Then, a risk matrix was developed to comprise the sixteen factors across all nine functional areas.

The risk matrix is used to provide a systematic evaluation of risk. Each functional area's composite risk rating score is derived from the sum of the individual rating scores of the sixteen factors. The rating system represents an aggregate assessment of risk, with the level of risk determined by the composite risk score as defined in the table below:

Composite Risk Rating Score and Level: Low < 131; Medium; High

The qualitative and quantitative factors are individually weighted for relevance and significance. Thus, some factors will affect the overall risk rating more than others. In other words, the financial significance, materiality or criticality of a particular function to the organization's operations can increase the risk rating of a function. For example, in Payroll and Purchasing, the risk rating score for most Districts will be relatively higher than other areas because of the financial significance or materiality of these operations. This explains that some areas within the District may have higher inherent risks associated with them relative to other operations.

Another factor that can increase the risk rating is the design of internal controls. Although our risk assessment does not test and evaluate the operational effectiveness of internal controls, our methodology includes the identification of internal controls, as well as an evaluation of the design of internal controls.

If the District was lacking in a key control over a functional area such as adequate segregation of duties or policies and procedures, that would create more risk. In addition, we review for a system of internal controls that both prevent and detect errors. Preventative internal controls are controls that may prevent errors from occurring, whereas detective controls are controls that may detect errors once they have occurred. If the District has more controls in place that prevent errors, then the overall control environment would be stronger, and hence there would be less risk, than if the District relied solely on detective controls.

The ultimate goal is to effectively manage the risks in all functional areas through the implementation of a system of internal controls that help to ensure that errors, irregularities, and fraud are less likely to occur or go undetected.

Discussion and Risk Rating by Functional Areas

BUDGET, FINANCIAL ACCOUNTING and REPORTING
Risk Rating 161 Medium

This area is concerned with the budget development, implementation and monitoring process; financial accounting and reporting; operations of the Business Office, the Superintendent's Office, and Board governance.

The District's adopted budget for FY15/16 is $46,493,447 compared to $44,601,912 for the prior fiscal year. The FY15/16 appropriations amount represents a budget-to-budget increase of 4.24% and a tax levy increase of 2.31%. The budget reflects a modest growth in the level of expenditures. In general, budgetary pressures increase the overall level of risk to the District in achieving its education mission.

The District continues to have adequate segregation of duties over financial and accounting responsibilities. The Senior Accountant and Accountant post journal entries, and they are reviewed and signed-off by the District Treasurer. The Accountant completes all the bank reconciliations, and they are reviewed by the District Treasurer as part of her process for completing the Treasurer's Report that is provided monthly to the Board. Approved budget transfers are posted by the Accounts Payable Clerk. The District upgraded its existing financial accounting system in FY14/15 and several District employees have participated in numerous BOCES training sessions in both FY14/15 and FY15/16.

The District's procedures are in compliance with the Open Meetings Law, Chapter 603 of the Laws of 2011, which came into effect February Specifically, Board Policies, Board Meeting Agendas and Minutes are made available to stakeholders on a timely basis on the District's website.
The District also utilizes an internet based egovernance system, BoardDocs, that has improved the District's efficiency and effectiveness with all aspects of conducting Board Meetings, and it also improves the transparency to District's operations, and therefore helps to achieve greater accountability.

In conclusion, this area has been evaluated as a Medium risk.

DEBT, INVESTMENTS and CASH
Risk Rating 130 Low

Debt, Investments and Cash looks at the processes the District has in place to oversee issuing, monitoring and recording of debt; as well as policies and procedures for managing and monitoring investments and collateral, and cash management controls.

Long-term debt outstanding for the District totaled $18,693,660 for the fiscal year ended June 30, 2015, compared to $17,739,429 in the previous year. The increase was mainly due to an approximately $1,943,990 increase in post-employment benefits obligations. Specifically, the balance in long term liabilities reflects $1,978,555 in bonds payable; $1,433,582 in energy performance contract debt payable; $474,157 in Net Pension Obligation; $14,554,571 in Other Post Employment Benefits ("OPEB"); and $252,795 in compensated absences.

The total OPEB Unfunded Actuarial Accrued Liability ("UAAL") for FY14/15 was $37,993,349 with an Annual Required Contribution ("ARC") of $3,060,175. The District contributed 41.6% or $1,274,390 of the ARC. Thus, the District recognized an increase in net OPEB obligation. The ARC represents the level of funding that, if paid on an on-going basis, is projected to cover annual and amortized costs over the next thirty years. In general, Districts meet OPEB obligations on a pay-as-you go basis.

Debt service expenditures are budgeted at $1,101,680 for FY15/16, compared to $1,101,422 the prior fiscal year. Overall, debt service expenditures remain low and account for 2.4% of the total budget.

In general, the District Treasurer is responsible for investing District funds and managing cash on hand, and periodically prepares fund balance projections to appropriately manage working capital. At fiscal year ending June 30, 2015, the District held approximately $14,789,174 in cash and investments and $4,500,002 in current liabilities. Cash and investments as a percentage of current liabilities was approximately 329%. This is a positive indicator of liquidity at the end of the fiscal year.

Internal Audit notes that the District continues to have adequate segregation of duties and internal control over cash. The Senior Accountant/Deputy Treasurer collects cash and prepares the deposit slip. The District Treasurer writes the cash receipt ticket. The District Courier takes the deposit to the bank. The Accountant posts cash receipts and prepares the bank reconciliations. The District Treasurer reviews the bank reconciliations as part of the process of preparing the Treasurer's Reports to the Board. In addition, the District has adequate cash technology controls in place.
The Deputy Treasurer and the District Treasurer are both needed to process a wire transfer. Specifically, both must either enter and/or release an outgoing wire transfer. Proper cash transfer technology controls require separation between the initiation, authorization, and execution of electronic or wire transfers.

In conclusion, this area was rated a Medium risk.

REVENUE and ACCOUNTS RECEIVABLE
Risk Rating 159 Medium

The review of this area focuses on property tax and non-tax revenue, recording and reporting revenue, billing and maintaining accounts receivable, and other Treasury functions in the Business Office.

Overall for FY15/16, the District's budgeted source of revenues is property tax collections, state aid, and miscellaneous revenues such as tuition and charges for services, including building use. Property tax collections and other tax items account for approximately 81% of estimated revenues; government aid represents 9.2%; appropriated balances is 3.9%; and other miscellaneous revenues and transfers contribute 5.9% to revenues.

According to the District's most recent External Audit, the District reported total revenues of $43,626,896 for the fiscal year ending June 30, 2015 compared to $43,186,490 for the previous fiscal year. This represents a slight increase in revenues from the prior year. The increase is mostly due to an increase in real property taxes of $610,539.

The District's real property tax revenues are collected by The Town of Greenburgh, located in Westchester County, New York. The District's Board of Education issues the tax levy, and the town establishes the tax rolls and property assessment values. The town also bills and collects the District's property taxes. Westchester County enforces all uncollected property taxes and guarantees the full payment of the District's property tax warrant. This arrangement between municipalities lowers the overall risk to the District in collecting and receiving property tax revenues.

The District bills for tuition, health services, facilities use, textbook charges, and other miscellaneous expenses. Although these billings make up a smaller percentage of District revenues compared to property tax revenues, their volume of billing transactions can be significant.

The billing and Accounts Receivable ("AR") processes are centralized in the Business Office. The Business Office uses an automated AR process, as it is integrated into the current financial accounting system. The Secretary to the School Administrator creates the bills. The Accountant posts cash receipts and applies payments to customer accounts. The Senior Accountant reviews the AR Aging report on a periodic basis.
The District maintains some restricted reserve funds for such purposes as tax certiorari, debt service, capital projects, retirement and repairs. In addition, the District maintains an unassigned fund balance at the end of the fiscal year within the statutory limit of 4%, for subsequent year expenditures. Establishing and maintaining a positive fund balance and reserves is a best practice in effective long-term planning for Districts. Reserves help districts save up for future expenses, and can help decrease the need to rely exclusively on indebtedness to finance capital projects. In addition, maintaining an adequate level of reserves helps to lower the risk of any unanticipated events having a significant negative impact on the operating budget.

The risk rating for this area is Medium.

PURCHASING and ACCOUNTS PAYABLE
Risk Rating 183 Medium

This area is concerned with the Purchasing function and Accounts Payable, Cash Disbursements, and the Internal Claims Audit processes. In general, this area has an inherently higher risk due to its financial and operational significance to school districts.

The Accounts Payable process in the Business Office is handled by the Accounts Payable Clerk, the Senior Accountant and the Accountant. The Accountant prepares the cash disbursements for the special aid, trust & agency, and capital funds. The Senior Accountant prepares the cash disbursements for the lunch fund. The Accounts Payable Clerk prepares cash disbursements for the general fund, and prints the warrants and checks. This arrangement provides for an appropriate way to divide the responsibilities while ensuring proper segregation of duties. In July, 2015, a new Accounts Payable Clerk was hired as a replacement for the retiring incumbent.

The District Treasurer is the Board appointed Purchasing Agent. The Purchasing Agent's duties and responsibilities are to ensure proper controls over District expenditures. The duties include approval of new vendors and purchase orders, and ensuring the District seeks competitive procurement methods and complies with both its Purchasing Policy and New York State General Municipal Law ("GML").

Internal Audit notes that all Accounts Payable warrants and checks are audited by the District's Claims Auditor. In general, all claims must be audited prior to disbursement, with some exceptions. In addition, reports of claims audit findings are provided to Management and the Board on a periodic basis. By providing reports to both Management and the Board, the Claims Auditor communicates valuable information to the District, thereby assisting Management in monitoring compliance with purchasing policies and regulations. In addition, communicating detailed audit findings gives Management the opportunity to analyze procedures and find ways to improve the process and limit audit deficiencies going forward.

The risk rating level for this area was evaluated as Medium.

HUMAN RESOURCES and PAYROLL
Risk Rating 185 Medium

Both Human Resources and Payroll areas are closely linked in the administration of personnel, payroll, and benefits.
In addition, this area is concerned with District compliance with Board Policies, union contracts and bargaining agreements, and applicable state and federal laws and regulations.

The District's largest expense is salaries, wages and fringe benefits. This functional area is a highly significant one, not only due to the magnitude of its share of the District's budget, but also due to the complexity and sensitivity of its operations and ensuring compliance.

The Superintendent and District Treasurer share supervisory responsibility over classified and certified staff, respectively. In addition, the new Director of Curriculum & Instruction has assumed responsibility over professional development of classified staff. Also, there are two Personnel Clerks residing in the Superintendent's Office that handle personnel and attendance. The replacement Personnel Clerk, who was hired in October, 2015, is responsible for adding new employees, their position, appointment, and salary. The Payroll Clerk reviews the data entry of all new employees into Finance Manager, which was upgraded to a newer version called nvision, as well as enters the budget code to which their salary is charged, and activates the employee for payroll purposes. However, salary lane changes for teachers are still processed in the Payroll Department. To ensure a complete segregation of duties, changes to salaries should be processed by Personnel. As a compensating control, the District Treasurer reviews all payroll changes as part of the payroll certification process.

The District utilizes an automated professional development system, My Learning Plan. The system allows for automated planning, management, and reporting of professional development, including the process for approval and monitoring of continuing education credits and certifications. The system is accessible to staff to go online to register and request course approvals for professional development offerings.

The District implemented an automated substitute finder and employee absence management system, AESOP. The system allows for employees to self-report absences, as well as efficiently find substitute employees to cover absent employees.

The risk rating for this area is a Medium level.

FACILITIES and CAPITAL ASSETS
Risk Rating 187 Medium

This area includes buildings and grounds, custodial operations and facilities maintenance, capital improvements and new construction, capital assets and inventory controls.

A new Director of Facilities was hired in FY14/15. The Director of Facilities oversees the maintenance and upkeep of the District's two school buildings and surrounding grounds and fields. The Department comprises a staff of eighteen consisting of an office clerk, custodians, grounds men, maintenance mechanic and supervisor. The Facilities budget is comprised of operations expenses to maintain the District's physical plant, as well as supplies, equipment, and salaries of Department staff.
In addition, maintenance costs include preventative care and maintenance on critical electrical, heating and cooling systems throughout the District's buildings, and utility expenses. The FY15/16 budget for operations and maintenance is $2,312,880, compared to $2,202,526 for the prior year. This represents a 5% increase in spending from the previous year.

We conducted an internal audit in FY14/15 and made several recommendations to improve the operations and controls. Now that the major renovations for the auditorium have been completed, the Director of Facilities can focus on implementing the recommendations contained in the report.

Internal Audit noted that the Facilities Department has begun to document and formalize its Preventative Maintenance ("PM") program. The Department began documenting its PM program for emergency lighting, as well as filters and belt checks on equipment. However, the process is still done on a manual basis, and is not yet comprehensive. District Policy requires that a systematic maintenance program be established to protect the District's investment in plant and facilities. In general, the Department should have a work order system that reflects all critical functions of the Department: repairs, preventative maintenance, project work, etc.

The District completed its Building Condition Survey (BCS) and developed a Five Year Facilities Plan in FY10/11 and a new BCS and Five Year Plan is being finalized for FY15/16. The Director of Facilities annually reviews and updates the plan, and, with assistance from the Facilities Committee, priorities are established to address further capital projects and construction needs. The District established both a Capital Reserve Fund and Repair Reserve Funds to assist in the long-term financing of capital improvements.

The Facilities Department utilizes a quasi-automated and manual Facilities Use program. The Facilities Use Application is processed manually and enables the District to obtain adequate information about the group making the request, the purpose of the request, and how to appropriately assign priority, location, and level of custodial services required for the request. The Facilities Clerk processes all requests and the Director of Facilities approves the building use requests. The system currently does not allow teachers and Building Secretaries to have system access to input requests. Expansion of the system is planned and computer labs and conference rooms will be added to the schedule. In addition, teachers and other District personnel will have view access to the calendar to check for availability.

The District capital asset inventory is maintained on an automated system. The Accountant in the Business Office is responsible for maintaining the capital asset inventory. To do so, the Accountant sends updates of additions and disposal of assets to the vendor that is the custodian of the database, on a periodic basis. The District cannot update or modify the database directly. In addition, the District's contracted vendor conducted a physical inventory of all its assets in FY10/11.
A physical inventory audit helps the District ensure that capital assets exist, are properly recorded on its general ledger, and are appropriately safeguarded.

This section has been evaluated as a Medium risk.

STUDENT SERVICES
Risk Rating 167 Medium

This area includes Transportation, Food Service, Extraclassroom Activities, Athletics, Safety & Security, and Special Education Services. Although these areas may represent a small percentage of the District's budget compared to other programs and services, they directly impact the District's mission and objectives. In addition, these areas tend to be more operationally decentralized, and have a potentially greater impact on reputational risk to the District.

Transportation

The District contracts with neighboring school districts to provide student transportation services through a consortium arrangement consisting of the Quad-Village school districts. The consortium provides an overall cost savings for the District, compared to going solo. In general, the District provides transportation for students in kindergarten through fifth grade, per the District's Transportation Policy. In addition, the District provides transportation to students attending a special education program or a BOCES occupational education program outside of the school district; and students who attend a parochial or private school who meet the district guidelines for transportation.

The FY15/16 pupil transportation budget is $1,499,900 compared to $1,420,667 in FY14/15. This amounts to a $79,233 or approximately 5.58% increase in spending from the prior fiscal year.

Food Service

The District provides a food service program to students, administered by an outside contractor. The Food Service program functions as a self-sustaining operation. The District reported $367,268 in revenues from food sales in FY14/15, compared to $320,233 in the prior fiscal year. In addition, the District's cost of food sales totaled $365,628 in FY14/15 compared to $286,334 in the prior year. Thus, food sales exceeded costs by $1,640 in FY14/15 compared to $33,899 in the prior year. As a result, fund balance in the school lunch fund increased from $68,890 to $70,530 by the fiscal year ending June 30th

Extraclassroom Activity Funds (ECAF)

The District's Extraclassroom Activity Funds ("ECAF") are overseen by Middle School and High School Central Treasurers. There were 46 student clubs reported in the District's External Audit in FY14/15. In total, student clubs collected approximately $106,765 and spent $107,084 throughout the fiscal year.
Although this amount is not materially significant in comparison to the District's total budget, the nature and volume of activity warrants close monitoring and supervision which is performed by the student clubs, their faculty advisors, the central treasurers, the District's Business Office staff and the District's external auditors.

Athletics

The District's FY15/16 Athletics Program budget is $790,130, compared to $708,326 in the prior year. This amounts to an increase of $81,804 from the previous year.

In 2013, the District discovered deteriorating conditions at the Reynolds Field, and closed the track for the safety of all residents. The District contracted for an athletic field study to be conducted and the Board's Facilities Committee recommended a remedial construction plan. The voters approved the bond referendum for the project and work has finally begun with a scheduled date for completion of all outside work in July, 2017.

Safety & Security

The District has an active Health, Safety and Wellness Committee. As a result of the Newtown School tragedy, the District's committee has continued its focus on the safety and security of the District. The District's external doors are now locked during the school day, there are greeters at the doorways, and there are buzzers and security cameras at all school building entryways. Additional security enhancements will continue in FY15/16.

Special Education

In general, the FY15/16 budget for special education services totals $6,074,779 compared to $5,804,994 in the previous fiscal year. The FY15/16 budget reflects a $269,785 increase in spending from the prior year. The increase is mostly as a result of increased BOCES services. In general, Special Education costs account for approximately 13% of the District's total budget and approximately 13% of the student population is classified.

The District participates in the Mid-Westchester Special Education Consortium. The member school districts coordinate to identify needs and find where space and staff are available, in order to consolidate services and provide for economies of scale and greater efficiencies. Thus, the consortium helps to reduce the District's costs for special education services.

In conclusion, this area was given a Medium risk rating.

INFORMATION TECHNOLOGY
Risk Rating 199 Medium

This area includes IT Strategy and Planning, Outsourced Vendor Management, Business Continuity Planning, IT Infrastructure and Maintenance, Information Security, Governance, Systems Development and Maintenance, Systems Support and Critical Systems.
Since the last risk assessment update the District has completed the Instructional Technology Plan for This plan, which was submitted in compliance with the Smart Schools Bond Act, details the following:

- Vision and Goals of the District
- Technology, Infrastructure and Software Inventory
- Curriculum and Instruction Plans Related to Technology
- Professional Development Plans
- Technology Investment Plan
- Status of Technology Initiatives and Community Connectivity
- Implementation Plans
- Monitoring and Evaluation Plans

In addition, the following key technology initiatives have been implemented:

- The District's financial and human resources application, Finance Manager, was upgraded to nvision.
- Bandwidth was increased to 100 Mb for improved wireless connectivity.
- Connectivity to the LHRIC was increased to 1.0 Gb for improved Internet access.
- Windows servers were upgraded to 2008/2012 and the operating system was upgraded to Windows 7 Professional.

- Uninterruptible Power Supply (UPS) Systems were upgraded on core switches.
- The MAC Media Arts Lab was upgraded.

Details are provided under separate cover as an Appendix to this report.

GOVERNMENT AID and GRANTS
Risk Rating 128 Low

This area includes grants and aid from state and federal governments, and foundation and other not-for-profit aid and donations.

The District receives a small amount of state and federal aid. In terms of general state aid, the District estimates receipt of approximately $4,262,700 for FY15/16 compared to $4,037,700 in the prior year. This amount represents a modest increase from the prior year, and accounts for nine percent of the District's total budget. The District receives some federal aid through grants. In FY14/15, the District was awarded $489,082 in federal grants. Overall, federal grants account for less than 1% of the District's total budget.

The Hastings Education Foundation (the "HEF") was established in 1997 to support the District's educational mission by providing funds for enrichment and advancement. The foundation is a 501(c)(3) designated charitable organization. The HEF conducts an annual benefit and auction as well as a letter campaign to raise funds. In FY15/16, the IEF funded a total of approximately $57, in grants for various projects including the creation of two Makerspaces, mentor-led learning environments, in the Hillside Elementary and Farragut Middle Schools. The District benefits greatly from the support of the Foundation, and the donations have helped the District offset declining state and federal aid over the last several years.

This area was evaluated as a Low risk.

Hastings-on-Hudson Central School District

FY Audit Hours (columns: 15/16, 16/17)

Risk Assessment Update: 50

Budget, Financial Accounting & Reporting: TBD
  Review of Business Office functions.

Debt, Investments and Cash: TBD
  Review of internal controls over debt, investment, and cash management.

Revenue and Accounts Receivables: TBD
  Review of revenue and account receivable controls.

Purchasing and Accounts Payable: 140
  Review internal controls over purchasing, cash disbursements, accounts payable, and the claims audit process.

Human Resources and Payroll: TBD
  Review of internal controls over human resources and payroll operations.

Facilities and Capital Assets: TBD
  Review of internal controls within the Facilities Department to include custodial and maintenance operations, and buildings and grounds work.

Student Services: TBD
  Review of internal controls over the food service program, ECAF, pupil transportation, safety and security, and special education services.

Information Technology: TBD
  Review of general computer controls.

Government Aid and Grants: TBD
  Review internal controls over grants administration, accounting, and monitoring processes; and compliance with grant provisions.

Total Internal Audit Hours: 190

Hastings-on-Hudson Union Free School District
Appendix
IT Risk Assessment Update FY 2015/2016

Information Technology (IT) in education environments has basic inherent risk due to the concentration of critical information being in an electronic format and the need to provide for the proper security over this information. The following risk assessment was conducted in cooperation with IT management for each of the following IT audit areas:

IT Strategy and Planning

An assessment of the School District's IT management controls determines whether the organizational structure, the IT resources used, and related control policies and procedures are adequate to foster effective management of Information Technology. Management and the School District's Board of Education must be clearly involved in the IT planning and decision-making process.

The Information Technology functions at the School District are performed under the direct supervision of the Network Administrator who reports to the Superintendent and District Treasurer. The Network Administrator is responsible for day to day IT administration for students, teachers and administrative staff throughout the District. Other positions supporting the IT function include two BOCES Network Specialists (one F/T and one P/T) and an AV Technician. Areas of responsibility for each IT position are documented and a Professional Staff Development Program has been established.

The School District has completed the Instructional Technology Plan survey for 2015 which was submitted in compliance with the Smart Schools Bond Act. This plan details the following: Vision and Goals of the District Technology, Infrastructure and Software Inventory Curriculum and Instruction Plans Related to Technology Professional Development Plans Technology Investment Plan Status of Technology Initiatives and Community Connectivity Implementation Plans Monitoring and Evaluation Plans

The District has an established District Technology Committee, chaired by the Superintendent, which meets on a monthly basis to discuss District wide technology needs. The Committee also evaluates how technology goals and objectives are met, and assists in the implementation of the Technology Plan components. Periodic Committee updates are presented at Board meetings.

Outsourced Vendor Management

An assessment of the vendor management controls determines whether vendors are appropriately selected, effectively managed and monitored as a normal course of business. Specific attributes, which demonstrate the effective use of vendors include:

- A formalized vendor selection process which includes appropriate due diligence procedures such as background checks, capability, cost, financial stability, quality of IT personnel etc.
- Formalized vendor contract review which includes the development of specific service level metrics
- A structured process for monitoring activities performed by vendors

The Technology Department reviews vendor contracts on an as-needed basis and must follow a structured vendor selection process, as defined by applicable New York State law, in order to be eligible for discounts provided by the Schools and Libraries Program of the Universal Service Fund (commonly referred to as "E-Rate"). The E-Rate Program funds some of the School District's telecommunications and internet connections and the applications that use them.

Services that are outsourced by the School District include:

Outsourced Services: Internet Service Provider nvision, eschooldata and Horizon Application Host Web Based Help Desk (Service Now) Technical Network Expertise LAN Support and Hardware Maintenance Remote Backup Service Schoolwires Web Based Student/Teacher Communication System, District Web Site and Parent Portal Destiny Library System Data Cabling/Wireless Management Support Smart Board Installation and Maintenance Google Drive/Apps

Provider: Lower Hudson Regional Information Center (LHRIC)/BOCES Follett Axispoint TecQuipment Google

As a result of these outsourcing arrangements, the majority of IT operational risk for these functions has been transferred to outsourced providers. This transfer of risk, however, requires the District to establish strong monitoring controls to ensure service providers maintain a controlled operational environment.

Business Continuity Planning

The District has documented a Finance Manager (nvision) Disaster Activation Plan and all servers are remotely backed up to the LHRIC on a daily basis. In addition, a Business Operations Continuity and Disaster Preparedness Plan has been developed and documented with the off-site recovery location at the LHRIC. The District tests the Operations Continuity and Disaster Preparedness Plan annually with the LHRIC.

IT Infrastructure and Maintenance

The School District's network infrastructure connects the classrooms, schools and buildings to each other and the Internet via fiber optic cables, Windows servers and various switches and routers that control traffic throughout Hastings High School/Farragut Middle School/District Office and Hillside Elementary School. In addition, a Transparent LAN Service (TLS) connection is provided by the LHRIC which serves as the gateway to the Internet and includes firewall protection and content filtering for District Internet users. Lightspeed Systems content filtering software provides the District with comprehensive web filtering based on an education-specific URL database.

A Technology Profile that includes network diagrams has been developed which documents the District's infrastructure. This document was recently updated to reflect the current environment.

An inventory of the existing computer hardware in all schools and the District Office is completed by BOCES each year. The inventory is separated into instructional and administrative technology categories, organized by location, and includes District purchased hardware identified by model number and serial number. In addition, an Applications by Asset report is generated documenting the software installed on each computer. The software application reports are reviewed periodically to determine continued need and to ensure compliance with software licenses.

The Network Administrator and BOCES Network Specialists are responsible for maintenance of the district-wide network and wireless projects.

Information Security

Systems security administration is a process which entails performing risk analysis, administering the security policy, identifying security breaches, reporting incidents to management, maintaining and reviewing audit and security logs, and coordinating with both users and management regarding security.
The District has adopted formal policies related to Information Security which include Network Access, Passwords, Remote Access and Security Administration.

Access to the School District's Network is controlled through network user ID's and passwords which are set to expire every 90 days. Specific network login rights and access are determined by the type of account provided to the user, such as teacher, student, district employee, etc. An additional user ID and password is required to access critical application systems such as nvision and eschooldata, and changes to nvision user permissions are monitored and reviewed monthly. Application security is maintained by a designated individual within the department that uses the system.

Network security administration procedures are performed by the Network Administrator who has Administrator rights to modify the security settings. The Network Administrator is notified via the Board of Education's meeting agenda and minutes when an employee is terminated or hired. Although Network Access Forms have been established to document the creation of user ID's, a formal process should be implemented that documents when user access entitlements need to be changed or removed.

Access to the server room in the High School/Middle School is controlled by a key lock and contains a climate control system, fire/smoke detection systems and a UPS system. Each of the District server locations is protected by a firewall with internet filtering, surf control protection, and an application that protects system integrity and prevents unwanted executable files from being downloaded. In addition, Sophos anti-virus software is used throughout the School District with automatic updates received as they become available.

Governance

IT management within the School District is responsible for the development of policies and operating procedures that assure effective management, the security of information technology resources and compliance with applicable regulatory guidelines.

School District Employees are required to read and sign the District's Acceptable Technology Use Policy prior to gaining network access. There is also an Acceptable Use Policy for students and a Student Use of Privately Owned Technology Policy. Additionally, the District has adopted an Information Security Breach and Notification Policy and a Computer Resources and Data Management Policy.

The Network Administrator has documented a comprehensive Information Assurance Risk Assessment which includes an inventory of the District's assets within the following IT system components: People, Hardware, Software, Network, Data and Procedures. The assets were prioritized and evaluated for potential threats. Current security policies and infrastructure procedures were then evaluated to identify the controls in place to ensure the security of the District's assets. Several recommendations were made to address any gaps identified in IT security.
Systems Development and Maintenance

The School District does not perform any systems development and does not make changes to the academic or business office application systems. The financial application system vendor, nvision, coordinates with the LHRIC to deliver and install system updates via approved remote access.

As the School District does not perform its own programming functions in support of its critical systems, performing systems development and maintenance functions is not critical to the continued success of the organization. The management of these functions provided by service providers, however, is critical as noted in the Vendor Management section of the Risk Assessment.

Systems Support

Systems Support includes those components of information technology that support systems processing and consist of help desk procedures, backup, desktop support and production support.

Maintenance and support of technology service requests is provided by the web-based LHRIC Service Desk System, Service Now. The District has a Technology Request Portal that can be used by staff for the submission of IT, Computing, Network, Software, Audio Visual, Printing and other technology requests. Once a request is received, the appropriate technician will contact the user as soon as possible to manage and process the request.

Backup software has been installed on the network file servers to automatically perform nightly full backups for each building's server using a remote backup service (CommVault Galaxy) through BOCES.

Critical Applications

Critical applications have a material impact on the School District's operations and management of non-public information. These applications must be reviewed and tested on an annual basis to ensure the integrity of processing and the security of information. Critical applications include the following:

Service Provider/Vendor | Application | Type of Data | Tests of Controls
nvision | Financial and Human Resources Management System | Employee non-public | Internal Audit
eschooldata | Student Management System | Employee/Student non-public | Internal Audit
Connect Ed | Emergency Notification System | Student non-public | Internal Audit
IEP Direct | Web Based Special Education Student Management System | Employee/Student non-public | Internal Audit
Horizon | POS and Food Inventory System | Employee/Student non-public | Internal Audit
Schoolwires | Web Based Student/Teacher Communication System and District Web Site | Employee/Student non-public | Internal Audit

HASTINGS-ON-HUDSON UNION FREE SCHOOL DISTRICT
PURCHASING AND ACCOUNTS PAYABLE INTERNAL AUDIT

Date: August 1, 2016
To: Ms. Eileen Baecher, Board President
From: David E. Moran, Director of Education Practice
Cc: Audit Committee; Maureen Caraballo, District Treasurer; Ray Montesano, Superintendent
Subject: Purchasing and Accounts Payable Internal Audit

Background

We have applied certain financial, compliance and operational audit procedures to the Purchasing and Accounts Payable functional areas of the Hastings-On-Hudson Union Free School District (the "District") as of June 30, As a result of our most recent Risk Assessment Report, Internal Audit recommended this area for an in-depth review to determine ways to improve procedures, and establish increased accountability and stronger internal controls.

Audit Scope

Our responsibility was to assess the adequacy and effectiveness of internal controls over Purchasing and Accounts Payable operations in the District. We reviewed the period from July 1, 2015 through June 30, A detailed description of audit work performed is presented in the Summary of Audit Procedures Performed section of this report. These audit procedures performed are in accordance with The International Standards for the Professional Practice of Internal Auditing promulgated by the Institute of Internal Auditors.

Executive Summary

As a result of the work performed, we noted the following observations that resulted in recommendations designed to improve internal controls and enhance operating policies and procedures:

1. The District should continue their processes and controls for the competitive bid process.
2. The District should continue their processes and controls for cash disbursements.
3. The District should consider updating the procedure for requesting and submitting Travel and Entertainment ("T&E") employee expense reimbursements to ensure appropriate supervisory approval is obtained, adequate supporting documentation is submitted, and to prevent circumvention of already established purchase requisition procedures.
4. The District should develop and implement a new vendor form whereby the Purchasing Agent and the Purchasing/Accounts Payable Clerk indicate their approval and set up of the new vendor in the District's financial management system.
5. The District should continue its procedures for the Claims Audit process.
6. The District should continue its procedures for the contracts for services process.

Based on the results of the procedures performed, the internal control structure is rated as Needs Improvement.

The internal audit rating structure is defined below:

Satisfactory: Indicates an acceptable system of internal control and satisfactory compliance with applicable policies, procedures and regulatory requirements. Findings indicate modest weaknesses that require management's attention.

Needs Improvement: Indicates weaknesses in the system of internal control and/or compliance with related policies, procedures and regulatory requirements. These findings require management's prompt resolution to prevent further deterioration and possible losses.

Unsatisfactory: Indicates significant weaknesses in the system of internal control and/or compliance with related policies, procedures and regulatory requirements. Management's immediate attention to these findings is required to prevent potential loss to the institution.

We would like to thank the management and staff of the District for the assistance and courtesy extended to us during the course of our audit.

Accume Partners

Summary of Audit Procedures Performed

Procedure 1 - Reviewed the District's Board Policies and Department level Purchasing and Accounts Payable policies and procedures.
Procedure 2 - Interviewed District management and staff: District Treasurer (Board appointed Purchasing Agent), Deputy Treasurer, Accountant, Purchasing/Accounts Payable Clerk, Secretary and the Claims Auditor.
Procedure 3 - Reviewed and tested a sample of 5 competitive bids awarded in FY15/16.
Procedure 4 - Reviewed and tested a sample of 15 T&E employee expense reimbursements totaling $1,
Procedure 5 - Reviewed and tested a sample of 15 cash disbursements totaling $60,
Procedure 6 - Reviewed 15 new vendors added in FY15/16.
Procedure 7 - Reviewed and tested a sample of 5 Accounts Payable Warrants.
Procedure 8 - Reviewed and tested a sample of 5 contracts for services.

Recommendations to Enhance the System Of Internal Controls and Improve Operating Procedures

1. Purchasing

Observation

Internal Audit tested the competitive bid process. We reviewed the bid files to ensure they were conducted in compliance with District Purchasing Policies and General Municipal Law ("GML"). Specifically, we reviewed bid files to ensure that bid proposals had an adequate level of detail and specificity; advertisement for bids were formally and legally published; sealed bids were appropriately time stamped, processed and opened; bid analyses and bid award determinations were appropriate and sufficiently documented; and the Bid recommendations to award the bids were Board approved. In our review, we found no significant deficiencies.

Risk/Opportunity

School Districts are required by state law to request bids for goods and services, when the expenditure exceeds the dollar amounts established by GML. Competitive purchasing policies and procedures are essential internal controls that help to ensure all recognized and responsible vendors are given equal opportunity to supply the District, prevent favoritism of one vendor over another, keep District residents informed of the purchasing function, and help to prevent error, abuse, and fraud. Specifically, date and time stamping of the sealed bids provides evidence that sealed bids were received by the District up until the Bid Open time. Similarly, a formal bid opening log should be created and witnessed by two District employees. This ensures that no one vendor is given preferential time and opportunity to develop their bid offer.

In addition, to ensure appropriate preparation and conduct of competitive bids, a Bid and RFP Calendar should be established to ensure that all expenditures are procured in compliance with bidding requirements. In general, the Purchasing Agent should work with Department heads to create the calendar, assess Department needs, and help determine if services should go out to bid or RFP on an annual basis.

Recommendation: The District should continue their processes and controls for the competitive bid process.

Management's Response: No response required

2. Accounts Payable-Cash Disbursements

Observation

Internal Audit reviewed and tested internal controls over cash disbursements. Internal Audit reviewed the claims to ensure that the claim for payment was appropriately authorized and approved; adequate documentation supported the claim; services were independently verified; the claim reconciled to contract terms; and the claim was timely processed. In our review, we found no significant deficiencies.

Risk/Opportunity

Good internal controls over the accounts payable and cash disbursement process help to ensure that actual expenditures are in line with the District budget, and help to prevent fraud and misappropriation of District assets. In general, all expenditures should be supported with adequate documentation and sufficient itemization to ensure that goods were received, services were rendered, and validate that the nature of the expense was an appropriate school district expense.

Recommendation: The District should continue their processes and controls for cash disbursements.

Management's Response: No response required

3. Travel & Expense ("T&E") Employee Reimbursements

Observation

Internal Audit reviewed the internal controls over the Travel & Entertainment ("T&E") employee expense reimbursement process. Specifically, we reviewed the employee claims for reimbursements to ensure they were appropriately approved and processed; and were in compliance with applicable District Policies and procedures. In our review, we noted no instances of significant deficiencies. However, there were 5 instances of not including the formal claim form with the requests (although the necessary invoices and/or documentation were present). There were also 3 instances of invoice copies, not the original invoices as required by District policy. Also, Internal Audit noted that there is only one form for Conference/Travel Reimbursement requests and it is somewhat obsolete, given the availability of automated applications that the District may want to consider.

Risk/Opportunity

T&E expense reimbursements usually require a greater level of scrutiny and review to ensure that the associated travel, conference, related expenses, and other miscellaneous expenses are actual and necessary and therefore eligible for reimbursement according to GML. In addition, T&E reimbursements should be reviewed to ensure that reimbursement or expenditures claims are not circumventing already established purchase requisition procedures. All T&E reimbursements should be appropriately approved, sufficiently supported by documentation, and in compliance with Board Policies and applicable rules and regulations. Districts should have formally documented procedures specifying the type of expenditures eligible for employee reimbursement, the form and instructions for submitting claims for reimbursement, and the supporting documentation required to approve T&E reimbursements.

Recommendation: The District should consider updating the procedure for requesting and submitting Travel and Entertainment ("T&E") employee expense reimbursements to ensure appropriate supervisory approval is obtained, adequate supporting documentation is submitted, and to prevent circumvention of already established purchase requisition procedures.

Management's Response:
Responsible Individual:
Target Date:

4. New Vendors

Observation

Internal audit reviewed the internal controls over the addition of new vendors for the District. Specifically we reviewed the documentation and process by which the vendors were approved and then formally added to the District's financial management and accounting system. Although the Purchasing/Accounts Payable Clerk, with the District Treasurer's approval, is the only individual that can add new vendors to the system, and will not do so unless she has received the formal W-9 form containing the taxpayer ID and the address, there is no formal new vendor form which allows the purchasing agent to indicate her approval of the new vendor's addition to the system.

Risk/Opportunity

School districts regularly seek new vendors to provide additional sources of supplies and services. In so doing, this practice permits more choices and opportunities for better prices for services and supplies for the district. Best practices indicate that districts should always require not only a W-9 form with the proper tax number identification, but also an address that contains a street address and not just a PO Box number. When a new vendor is selected by the district, the controls surrounding the setup of the new vendor should contain multiple reviews. The Purchasing/Accounts Payable Clerk, in conjunction with other individuals/departments who have recommended the new vendor, determines if the vendor meets the district's criteria. The Purchasing/Accounts Payable Clerk should then obtain the approval of the purchasing agent before entering the vendor into the system. The combination of documentation reviews, references if appropriate, and sign offs by both the office assistant and purchasing agent should ensure that new vendors meet the district's criteria to become a legitimate source of services and/or goods for the district.

Recommendation: The District should develop and implement a new vendor form whereby the Purchasing Agent and the Purchasing/Accounts Payable Clerk indicate their approval and set up of the new vendor in the District's financial management system.

Management's Response:
Responsible Individual:
Target Date:

5. Claims Auditing

Observation

Internal Audit reviewed the internal controls in place over the claims audit process. We reviewed policies and procedures to ensure that the Claims Auditor does not have incompatible duties, directly and periodically reports to the Board, and follows adequate and appropriate procedures while performing the claims audit. In our review, we found no major control deficiencies.

Risk/Opportunity

By auditing, allowing, or rejecting claims in the warrant, the claims audit function serves as an added internal control over the purchasing and accounts payable processes.
By law, the Board is responsible for the audit of claims. Most school districts delegate the responsibility to a Claims Auditor. The Board appoints a Claims Auditor to act on the Board's behalf, and the Claims Auditor should report directly to the Board, provide periodic audit reports to the Board, and discuss any problems so that they may be addressed and resolved within the powers and duties of the Board. The Claims Auditor should adequately document his/her audit of the claims to evidence that all claims were audited prior to payment. The Claims Auditor should also mark or initial the line item/check number on the corresponding Warrant. This would provide evidence that the audit of claims was completed for all claims and checks to be disbursed, listed on that particular Warrant.

Recommendation: The District should continue its procedures for the Claims Audit process.

Management's Response: No response required

6. Services Contracts

Observation

Internal Audit reviewed and tested internal controls over the establishment of contracts for services. Internal Audit reviewed the contracts to ensure that the contracts between the vendors and the District were current; the contracts were signed by the Superintendent/Purchasing Agent or Board President; the contracts were approved by the Board and the contracts specifically delineated services to be rendered, compensation and terms of the contracts. In our review, we found no significant deficiencies. We did note one example of a recent contract that was awaiting the final vendor's signature but was otherwise completed.

Risk/Opportunity

Good internal controls over the contracts for services process help to ensure that actual expenditures are in line with the District budget, and help to prevent fraud and misappropriation of District assets. In general, all contracts should be supported with adequate documentation and sufficient itemization to ensure that the services were rendered, and in agreement with terms of the contract.

Recommendation: The District should continue its procedures for the contracts for services process.

Management's Response: No response required