Background. We conducted the audit in accordance with the International Standards for the Professional Practice of Internal Auditing.

Transcription

1

2 Background We conducted a performance audit of the Payroll Section. The Payroll Section is responsible for the accurate and timely preparation, control and distribution of the: Commission s payroll Monthly, quarterly and annual payroll reports; and Employee W-2 statements. We conducted the audit in accordance with the International Standards for the Professional Practice of Internal Auditing. Internal Audit Team: Digdem Dee Tok Internal Auditor II 2

3 Objectives The objectives of the audit were to determine whether the current payroll operations safeguard the security, reliability, and accuracy of payroll data with respect to its effectiveness and efficiency in compliance with WSSC policies and procedures. Scope The audit period covered July 1, 2014 to June 30,

4 Findings Rating Recommendations 1. Inappropriate HRMS Oracle user access privileges High Review the current list of users and make proper adjustments to user privileges based on their job functions. Management reviewed the current list of users. Made appropriate adjustments for the consolidation of responsibilities by November 30,

5 Findings Rating Recommendations 2. Lack of segregation of duties High The additional access privileges for processing payroll, updating, and deleting data be removed or changed to read-only access. The Finance Department does not agree with the recommendation. Applying "read-only" access would disrupt the payroll process as the responsibilities do not serve only one function and would create process inefficiencies. 5

6 Findings Rating Recommendations 3. No formal procedures in place for monitoring user access reasonableness High Develop HRMS Oracle user access review procedures for identifying and eliminating user IDs for inactive users and individuals who are no longer employed with WSSC. When clean-up is performed on the HRMS for user access, use the actual date of change. Appropriate modifications were made by the Information Technology Department on November 30th,

7 Findings Rating Recommendations 4. No formal Internal Operating Procedures Medium Develop formal internal operating procedures and train staff to ensure consistency. Payroll Section Management will revise the 2013 draft procedures, add page numbers, and include an endorsement signature by September 30,

8 Internal controls are effective in mitigating the risks specific to the achievement of business objectives with a few exceptions. However, opportunities for control enhancement were identified, as previously noted. We have reviewed the results with the Payroll Section management and a management action plan has been developed. 8

9

10 Background We performed a limited-scope audit of Procurement Contract No Repairing and Repainting the Interior and Exterior of the St. Barnabas Ground Tank (Reservoir). We conducted the audit in accordance with the International Standards for the Professional Practice of Internal Auditing. Internal Audit Team: Jane Lewis Senior Internal Auditor Angela Makle Fortune Senior Internal Auditor 10

11 Objective The objective of the audit was to provide an independent assurance that parties to the signed Commission Procurement contracts adhered to the stipulated requirements and regulations; specifically, to determine compliance with the procurement and payment requirements of the selected contracts. Scope Review the procurement and payment requirements of Contract No Review the procurement and payment requirements under Tank Inspection Contract No Evaluate contract activities from October 15, 2014 through October 5,

12 Findings Rating Recommendations 1. Subcontractor did not perform work shown on the Commission approved subcontracting plan High Review the signed subcontracting plan for contract compliance. OSDI - the right-to-audit statement was added to the subcontracting certification forms. Procurement - WSSC established two new positions to mitigate the risk of non-compliance by vendors. Production - Effective July 3, 2017, the water storage tank rehabilitation program was transferred to the Facility Design and Construction Division under the Engineering and Construction Department. 12

13 Findings & (Cont d.) Findings Rating Recommendations 2. Reduced SLBE subcontracting participation rate High Monitor and review contract set-up and changes on the onset and at option renewal. Procurement - instituted the role of COR to work with user departments regarding contractor performance and any contract modifications. OSDI - business rules in the contracting module will be established to ensure that SLMBE contract requirements are complete Production Master Contract No for the rehabilitation of water storage tanks awarded in June 2016 addresses this issue. 13

14 Findings & (Cont d.) Findings Rating Recommendations 3. The Commission paid for work not inspected High Pay contractors based on the contract payment terms. Production - Not having an inspector assigned to this site was an anomaly. Effective July 3, 2017, the water storage tank rehabilitation program was transferred to the Facility Design and Construction Division under the Engineering and Construction Department. 14

15 Findings & (Cont d.) Findings Rating Recommendations 4. Insufficient evidence to support replacement of water main pipe High Obtain an independent evaluation of the replaced water main Update the Commission s permanent records Enforce regulatory and contract compliance Procurement - disagrees with this recommendation, as it would add an unnecessary cost burden to the Commission. Production - disagrees with this recommendation. There is major construction currently underway at the site for the construction of the new St. Barnabas Elevated Water Storage Tank. New construction ties into the new main, which should provide sufficient assurance that the pipe was installed. Engineering and Construction - does not concur that the Commission need incur the cost of an independent incursion to determine if the pipeline in place is in fact a newly (or nearly new) emplaced asset. Action due by Sept

16 Findings Rating Recommendations 5. The Commission exceeded its payments for additional piping High Production management should designate a Contract Manager to assist with contract management. Production - Effective July 3, 2017, the water storage tank rehabilitation program was transferred to the Facility Design and Construction Division under the Engineering and Design Department. 16

17 Findings & (Cont d.) Findings Rating Recommendations 6. The prime contractor added more than a 5% subcontractor markup High Request the prime contractor reimburse WSSC for the added markup. Segregating the project management responsibilities for construction contracts. Production - Effective July 3, 2017, the water storage tank rehabilitation program was transferred to the Facility Design and Construction Division under the Engineering and Design Department. Agrees with the finding; however, does not agree with amount calculated.. Does not agree with the recommendation of segregate roles for Contract Manager and Project Manager 17

18 Findings & (Cont d.) Findings Rating Recommendations 7. The Commission has no direct or indirect right to audit the subcontractors Medium Formulate a process to bind subcontractors to the Commission s Right to Audit Clause. OSDI - Operations management updated the subcontracting and supplier certification forms. Procurement - agrees and accepts this recommendation 18

19 Findings & (Cont d.) Findings Rating Recommendations 8. Inspection field observers were paid more money than the contract agreement Medium Approve and pay supplier invoices in accordance with contract payment terms. Production By May 1, 2017 with the new RFP, the Project Manager will require all invoices be provided with the Labor Classifications titles as outlined in the contract. 19

20 Internal controls are effective in mitigating the risks specific to the achievement of business objectives with a few exceptions. However, opportunities for control enhancement were identified, as previously noted. We have reviewed the results with appropriate department management and a management action plan has been developed. 20

21

22 Background The Washington Suburban Sanitary Commission (WSSC) Disaster Recovery (DR) simulation exercise is an opportunity for staff to restore critical operations and systems of the Commission in the event of a disaster or interruption. WSSC had not conducted a disaster recovery test in nearly two years and no end users participated in this exercise. Internal Audit Team: Janice Hicks Internal Auditor II Digdem Dee Tok Internal Auditor II 22

23 Objective Provide an independent and objective assessment of the effectiveness of the disaster recovery testing exercise. Scope Observe the WSSC 48-hour DR exercise held on Monday, December 11, 2017 and Tuesday, December 12, 2017 at Recovery Point in Germantown, Maryland. 23

24 Findings Rating Recommendations 1. Insufficient Communication High Management ensure the DR list is complete and updated periodically to include all designated DR exercise members and their contact information IT management will confirm participant names and current phone numbers in advance of DR Testing 2. Recovery Site Locations are in the disaster zone High Management review the location of the DR testing facilities to ensure that WSSC is functioning within best practices IT management has accepted the risk that both testing sites are within 25 miles (24 driving miles) of RGH 24

25 Findings Rating Recommendations 3. Missing Exchange recovery procedure High Management update policies and procedures to ensure that all interdependent systems are included in the exercise IT Management will take the necessary steps to ensure that the functionality of all inter-dependent systems are included and accounted for in the process for future DR tests. 4: Failure to troubleshoot identified problems with TEAMS High Management update the policies and procedures to ensure that all interdependent systems are included in the process. Management update the policies and procedures to ensure that all interdependent systems are included in the process. 25

26 Findings Rating Recommendations 5. Systems Recovery Issues: E-permitting Bill Pay Rumba Medium Management update the policies and procedures to address: Inter-dependent systems Identified coding issues Licensing for applicable systems Management update the policies and procedures to address: Inter-dependent systems Identified coding issues Licensing for applicable systems 26

27 Internal controls are effective in mitigating the risks specific to the achievement of the business objectives with a few exceptions. However, opportunities for control enhancement were identified and communicated to IT management. We have reviewed the results with the appropriate department management and a management action plan has been developed to address the issues identified. 27

28

29 Background We performed an annual compliance review of the earnings element additional regular pay associated with the Washington Suburban Sanitary Commission (WSSC) payroll system. We conducted the audit in accordance with the International Standards for the Professional Practice of Internal Auditing. Internal Audit Team: Janice Hicks Internal Auditor II 29

30 Objective The purpose of the review was to provide management with an independent and objective assessment of the use of additional regular pay, evaluate the related internal controls, and identify improvements where needed. In Scope We reviewed the pay of all employees who earned additional regular pay from July 1, 2015 to June 30, Outside-Scope Additional regular pay is used in conjunction with emergency response and standby pay; however, we did not review the application of standby pay because the utilization of standby pay was being reviewed by management. 30

31 Findings Rating Recommendations 1. Undocumented earning of additional regular pay Medium Management establish a process to include internal controls that would reconcile, monitor, and analyze the use of additional regular pay. Management agrees and will comply with the risk mitigating recommendations to achieve business objectives. 2. Undocumented authorization of additional regular pay Medium Management comply with the existing policy regarding documented approval for the use of additional regular pay by managers. HR and Payroll ensure receipt of corresponding documentation along with the required approvals. Management agrees and will comply with the risk mitigating recommendations to achieve business objectives. 31

32 Internal controls are effective in mitigating the risks specific to the achievement of the business objectives with a few exceptions. However, opportunities for control enhancement were identified and communicated to the Customer Service Department, Human Resources Office, and the Payroll Section. We have reviewed the results with the appropriate department management and a management action plan has been developed to address the issues identified. 32