AGENDA CALL TO ORDER: DECLARATION OF QUORUM: Clerk of the Board

Size: px

Start display at page:

Download "AGENDA CALL TO ORDER: DECLARATION OF QUORUM: Clerk of the Board"

Simon Underwood
5 years ago
Views:

1 Orange County Sanitation District Special Meeting of the AUDIT AD HOC COMMITTEE Friday, September 22, :00 A.M. Administration Building Conference Room A Ellis Avenue Fountain Valley, CA (714) AGENDA CALL TO ORDER: DECLARATION OF QUORUM: Clerk of the Board PUBLIC COMMENTS: If you wish to address the Committee on any item, please complete a Speaker s Form (located at the table at the back of the room) and submit it to the Clerk of the Board or notify the Clerk of the Board the item number on which you want to speak. Speakers will be recognized by the Chairman and are requested to limit comments to three minutes. NON-CONSENT CALENDAR: 1. REVIEW OF INTERNAL AUDIT REPORTS ON SEARCH FOR FICTITIOUS EMPLOYEES AND FICTITIOUS VENDORS AND STAFF RESPONSES TO AUDIT RECOMMENDATIONS (Lorenzo Tyner) 2. SELECTION OF NEXT INTERNAL AUDIT ENGAGEMENTS (Lorenzo Tyner) OTHER BUSINESS AND COMMUNICATIONS OR SUPPLEMENTAL AGENDA ITEMS, IF ANY: ADJOURNMENT: 09/22/2017 Audit Ad Hoc Committee Page 1 of 2

2 Accommodations for the Disabled: Meeting Rooms are wheelchair accessible. If you require any special disability related accommodations, please contact the Orange County Sanitation District Clerk of the Board s office at (714) at least 72 hours prior to the scheduled meeting. Requests must specify the nature of the disability and the type of accommodation requested. Agenda Posting: In accordance with the requirements of California Government Code Section , this agenda has been posted outside the main gate of the Sanitation District s Administration Building located at Ellis Avenue, Fountain Valley, California, and on the Sanitation District s website at not less than 72 hours prior to the meeting date and time above. All public records relating to each agenda item, including any public records distributed less than 72 hours prior to the meeting to all, or a majority of the Board of Directors, are available for public inspection in the office of the Clerk of the Board. Agenda Description: The agenda provides a brief general description of each item of business to be considered or discussed. The recommended action does not indicate what action will be taken. The Board of Directors may take any action which is deemed appropriate. Kelly A. Lore Clerk of the Board (714) klore@ocsd.com For any questions on the agenda, Committee members may contact staff at: Director of Finance and Administrative Services Lorenzo Tyner (714) ltyner@ocsd.com 09/22/2017 Audit Ad Hoc Committee Page 2 of 2

3 August 24, 2017 STAFF REPORT TO: FROM: Ad Hoc Audit Committee Michael D. White, Controller SUBJECT: Responses to Agreed-Upon Procedures Report to Search for Fictitious Employees On August 24, 2017, White Nelson Diehl Evans (WNDE) issued their report on procedures they performed in their search for fictitious employees. Below is a listing of the auditors findings contained within their report, along with staff responses. Internal Controls 1. Procedure Performed: The Orange County Sanitation District (Sanitation District) provided narratives and/or interviews regarding how the Employee Master File (EMF) is maintained. Results: Only the Human Resources Department can enter new employees; remove employees; and make employee information changes, including the pay rate. The Payroll Department is responsible for processing payroll and cannot change employee information in the EMF. The functions of making changes to the EMF and processing payroll are segregated. No exceptions were noted as a result of the procedures performed. 2. Procedure Performed: The auditors received the EMF file as of March 13, 2017, and tested it against the Sanitation District s policies and procedures. Results: No exceptions were noted as a result of this testing. OCSD P.O. Box 8127 Fountain Valley, CA (714)

4 Response to Contracted Internal Auditors Report on Search for Fictitious Employees August 24, 2017 Page 2 of 6 3. Procedure Performed: The IT Manager responsible for providing the EMF in procedure #2 above signed a representation that, in the compilation or transmission of the EMF, all electronic data provided is as originally recorded in the Sanitation District s system and was not altered for purposes of this agreedupon procedure. Results: The representation letter was signed by the Principal Information Technology Analyst who provided the EMF. No exceptions were noted as a result of this testing. Analysis of EMF 1. Procedure Performed: The auditors reviewed the EMF for any duplicate employee names and/or addresses. Results: The auditors performed this procedure and utilized the results to select the samples for procedure #3 below within this Analysis of EMF section. 2. Procedure Performed: The auditors reviewed the EMF for any partial duplication of employee names and/or addresses (such as variations of employee names included in the EMF and the same street name, but different house/apartment number). Results: The auditors performed this procedure and utilized the results to select the samples for procedure #3 below within this Analysis of EMF section. 3. Procedure Performed: Since there should be no duplicates within the EMF itself, the auditors selected all exact or partial matches identified in procedures #1 and #2 above for testing. The auditors reviewed the personnel files to verify a W-4 (IRS form for determining the correct federal income tax withholding), I-9 (Employment Eligibility Verification), and other identifying documents (driver s license, etc.) and to note the pay rate in effect over the 21-month period. They then reviewed the history of payments made over the 21-month period for reasonableness in relation to the pay rate. Results: The auditors identified 39 partial matches when comparing the information within the EMF mostly due to similar addresses and selected them

5 Response to Contracted Internal Auditors Report on Search for Fictitious Employees August 24, 2017 Page 3 of 6 for testing. The majority of the matches occurred due to living on the same street and same city; however, there was a different street address or apartment number. For 38 out of the total 39 employees tested, the auditors inspected the signed I-9 that was signed by the human resources personnel who indicated that they inspected the proper identifying documents. However, they were unable to inspect other identifying documents, such as a driver s license, on 13 of these personnel files since copies were not retained. For one employee of the total 39 employees tested, the auditors were unable to inspect the signed form I-9 or other identifying documents, such as a driver s license, since the employee had retired in October 2016 and the documents were not available. Staff Response: The Sanitation District is required to verify federally accepted documentation establishing identity and employment authorization and have a Human Resources representative annotate the valid document, sign, and date. However, there is no federal mandate that copies of the verifying documentation be maintained. Several years back, Human Resources began the practice of including copies of the documentation along with the I-9 in the personnel file. The auditors sample of the entire workforce included personnel files prior to when the Sanitation District s internal practice required copies of the documentation. In response to the one employee who retired in October 2016, this employee was originally hired in 1985, one year prior to the mandate of Employment Eligibility Verification and the required completion and filing of Form I Procedure Performed: The Sanitation District provided a list of new employees hired during the 21-month period. Results: The auditors received this listing and utilized the information to select the sample as noted in procedure #6 below and tested in procedure #7 below within this New Employee section. 5. Procedure Performed: The Human Resources Department is responsible for entering new employees; making employee changes, including pay rates; and removing employees. The Payroll Department is responsible for processing payroll and cannot change employee information. The list of new employees was provided to both the Human Resources and Payroll Departments to verify

6 Response to Contracted Internal Auditors Report on Search for Fictitious Employees August 24, 2017 Page 4 of 6 the existence of the employees. The employee in charge of each department signed a representation that the new employee listing contained actual employees and/or noted any discrepancies. Results: The auditors received signed representation letters from both the Human Resources Assistant and the Finance Director. No discrepancies were noted. 6. Procedure Performed: A sample of 25 employees was randomly selected from the listing obtained in procedure #4 above. Results: The auditors selected the sample and tested the items in procedure #7 below within this New Employee section. 7. Procedure Performed: The auditors reviewed the following for the employees selected in procedure #6 above: the personnel files to verify a W-4 and other identifying documents (driver s license, etc.) were retained. Results: No exceptions were noted as a result of this testing. 8. Procedure Performed: The Sanitation District provided a list of employees with pay rate changes during the 21-month period. Results: The auditors received this listing and utilized the information to select the sample as noted in procedure #10 below and tested in procedure #11 below within the Change in Pay Rates section. 9. Procedure Performed: The Sanitation District provided the payroll policy surrounding required signatures/approvals on personnel action forms for pay rate changes. Results: Pay rate changes due to promotions or a change in position require a personnel action form (PAF). The payroll system automatically routes the PAF to the appropriate employee for approval, which will be a supervisor, manager, or department head of the employee s division. Cost of living increases are included in salary schedules containing the position title, step, and hourly rate,

7 Response to Contracted Internal Auditors Report on Search for Fictitious Employees August 24, 2017 Page 5 of 6 which are approved by the Board of Directors. Cost of living increases do not require a PAF and are entered into the system by the Human Resources Department based on the approved salary schedules. 10. Procedure Performed: A sample of 25 employees was randomly selected from the listing obtained in procedure #8 above, with 15 specifically selected as the largest pay rate changes and 10 randomly selected. Results: The auditors selected the sample and tested the items in procedure #11 below within this Change in Pay Rates section. 11. Procedure Performed: The auditors performed the following for the employees selected in procedure #10 above: a. reviewed the personnel files to verify a W-4 and other identifying documents (driver s license, etc.) were retained. b. compared the new pay rate from procedure #8 above with the PAF in the employee s personnel file to verify the propriety of the rate change. c. verified the PAF was approved by the appropriate supervisor in accordance with Sanitation District policy noted in procedure #9 above. Results: For all 25 employees tested, the auditors inspected the employment eligibility verification form, I-9, that was signed by the human resources personnel indicating that they inspected the proper identifying documents. However, for three of these employees, they were unable to inspect other identifying documents, such as a driver s license, since copies were not retained in the personnel files. Staff Response: Same result and staff response to Analysis of EMF Procedure Performed No. 3 above. 12. Procedure Performed: The Sanitation District provided a listing of employees and the number of paychecks issued for July 1, 2015 through June 30, Normally, an employee should have only 26 paychecks for one full fiscal year; however, annual rate adjustments occur through a separate check; therefore, the existence of 27 paychecks for one fiscal year would be reasonable. The auditors reviewed the number of paychecks issued per employee and investigated employees who have received in excess of 27 paychecks. Results: The auditors originally noted 105 employees with more than 27 paychecks; however, the Sanitation District requested the population be

8 Response to Contracted Internal Auditors Report on Search for Fictitious Employees August 24, 2017 Page 6 of 6 sampled. The auditors selected 25 employees for testing and found the reason for paychecks in excess of 27 were as follows: Additional payouts for compensated absences, such as vacation, sick, bereavement, and comp time Retroactive pay for rate changes Tuition reimbursements Staff Response: It is staff s opinion that the above three circumstances are legitimate reasons for issuing checks in excess of 27 to any one employee during the year and were appropriately authorized by Human Resources and Financial Management. Staff Overall Response: No fictitious employees were uncovered in this agreed-upon engagement.

9 ORANGE COUNTY SANITATION DISTRICT AGREED-UPON PROCEDURES REVIEW FICTITIOUS EMPLOYEE ANALYSIS FOR THE 21-MONTH PERIOD OF JULY 1, 2015 TO MARCH 31, 2017

10 Board of Directors Orange County Sanitation District Fountain Valley, California INDEPENDENT ACCOUNTANTS REPORT ON APPLYING AGREED-UPON PROCEDURES We have performed the procedures set forth in this report, which were agreed to by the management of the Orange County Sanitation District, Fountain Valley, California (the District), for the 21-month period of July 1, 2015 to March 31, The District s management is responsible for establishing and maintaining internal controls over payroll to ensure there are no fictitious employees. The sufficiency of these procedures is solely the responsibility of the management of the District. Consequently, we make no representations regarding the sufficiency of the procedures described below either for the purpose for which this report has been requested or for any other purpose. The procedures performed and the results of those procedures are as follows: Internal Controls 1. The District provided narratives and/or interviews regarding how the Employee Master File (EMF) is maintained. The narrative and/or interviews included: a. What data fields are maintained for each employee. b. What procedures are used to set up a new employee. c. What personnel are authorized to set up a new employee. d. Identified employees who have access to the EMF and also have authority to input data for purposes of issuing payroll checks. e. Identified the Information Technology (IT) employees that have access to the EMF and/or have the ability to make additions, deletions or changes to the EMF. f. Determined if any high-level officials obtain a periodic report of new employees added to the EMF. Results: a. The EMF included the following data fields: Employee ID Preferred and legal first name, middle name/initial, and last name Benefit group Bargaining group Department Division number and name Pay status, whether active or retired, and pay frequency Title (classification) Current mailing address Michelle Drive, Suite 300, Irvine, CA Tel: Fax: Offices located in Orange and San Diego Counties

11 Internal Controls (Continued) 1. (Continued) Results (Continued): b. Only the Human Resources Department can enter new employees, remove employees, and make employee information changes, including the pay rate. The Human Resources Department requests the necessary information from the new employee including a signed employment eligibility verification form, I-9. c. Only the Human Resources Department can set up a new employee. d. The Payroll Department has access to the EMF and can input data for issuing payroll checks. However, the Payroll Department cannot make changes to the EMF; therefore, this does not cause an issue for segregation of duties. e. The IT Department has access to the EMF, but cannot make changes. f. High-level officials do not obtain a periodic report of new employees added to the EMF; however, given the District s other controls, we do not see a need to add this procedure. Overall: Only the Human Resources Department can enter new employees, remove employees, and make employee information changes, including the pay rate. The Payroll Department is responsible for processing payroll and cannot change employee information in the EMF. The functions of making changes to the EMF and processing payroll are segregated. 2. The District provided the EMF as of March 13, Results: We received the EMF file. No exceptions were noted as a result of this testing. 3. The IT Manager responsible for providing the EMF in procedure #2 above signed a representation that in the compilation or transmission of the EMF, all electronic data provided is as originally recorded in the District s system and was not altered for purposes of this agreed-upon procedure. Results: The representation letter was signed by the Principal Information Technology Analyst who provided the EMF. No exceptions were noted as a result of this testing. Analysis of EMF 1. We reviewed the EMF for any duplicate employee names and/or addresses. Results: We performed this procedure and utilized the results to select the samples for procedure #3 below within this Analysis of EMF section

12 Analysis of EMF (Continued) 2. We reviewed the EMF for any partial duplication of employee names and/or addresses (such as variations of employee names included in the EMF and the same street name, but different house/apartment number). Results: We performed this procedure and utilized the results to select the samples for procedure #3 below within this Analysis of EMF section. 3. Since there should be no duplicates within the EMF itself, we selected all exact or partial matches identified in procedures #1 and #2 above for testing. a. We reviewed the personnel files to verify a W-4 (IRS form for determining the correct federal income tax withholding), I-9 (Employment Eligibility Verification), and other identifying documents (driver s license, etc.) were retained and to note the pay rate in effect for the 21-month period. b. We reviewed the history of payments made over the 21-month period for reasonableness in relation to the pay rate noted in procedure #3a above. Results: We identified 39 partial matches when comparing the information within the EMF mostly due to similar addresses and selected them for testing. The majority of the matches occurred due to living on the same street and same city; however, there was a different street address or apartment number. For 38 out of the total 39 employees tested, we inspected the signed I-9 that was signed by the human resources personnel who indicated that they inspected the proper identifying documents. However, we were unable to inspect other identifying documents, such as a driver s license, on 13 of these personnel files since copies were not retained. For 1 employee out of the total 39 employees tested, we were unable to inspect the signed form I-9 or other identifying documents, such as a driver s license, since the employee had retired in October 2016 and the documents were not available. There were no other issues noted during this testing. New Employees 4. The District provided a list of new employees hired during the 21-month period. Results: We received this listing and utilized the information to select the sample as noted in procedure #6 below and tested in procedure #7 below within this New Employee section. 5. The Human Resources Department is responsible for entering new employees, making employee changes, including pay rates, and removing employees. The Payroll Department is responsible for processing payroll and cannot change employee information. The list of new employees was provided to both the Human Resources and Payroll Departments to verify the existence of the employees. The employee in charge of each department signed a representation that the new employee listing contained actual employees and/or noted any discrepancies. Results: We received signed representation letters from both the Human Resources Assistant and the Finance Director. No discrepancies were noted

13 New Employees (Continued) 6. A sample of 25 employees was randomly selected from the listing obtained in procedure #4 above. Results: We selected the sample and tested the items in procedure #7 below within this New Employee section. 7. We reviewed the following for the employees selected in procedure #6 above: a. We reviewed the personnel files to verify a W-4 and other identifying documents (driver s license, etc.) were retained. Results: No exceptions were noted as a result of this testing. Change in Pay Rates 8. The District provided a list of employees with pay rate changes during the 21-month period. Results: We received this listing and utilized the information to select the sample as noted in procedure #10 below and tested in procedure #11 below within this Change in Pay Rates section. 9. The District provided the payroll policy surrounding required signatures/approvals on personnel action forms for pay rate changes. Results: Pay rate changes due to promotions or a change in position require a Personnel Action Form (PAF). The payroll system automatically routes the PAF to the appropriate employee for approval, which will be a supervisor, manager, or department head of the employee s division. Cost of living increases are included in salary schedules containing the position title, step, and hourly rate, which are approved by the Board of Directors. Cost of living increases do not require a PAF and are entered into the system by the Human Resources Department based on the approved salary schedules. 10. A sample of 25 employees was randomly selected from the listing obtained in procedure #8 above, with 15 specifically selected as the largest pay rate changes and 10 randomly selected. Results: We selected the sample and tested the items in procedure #11 below within this Change in Pay Rates section. 11. We reviewed the following for the employees selected in procedure #10 above: a. We reviewed the personnel files to verify a W-4 and other identifying documents (driver s license, etc.) were retained. b. We compared the new pay rate from procedure #8 above with the PAF in the employee s personnel file to verify the propriety of the rate change. c. We verified the PAF was approved by the appropriate supervisor in accordance with District policy noted in procedure #9 above

14 Change in Pay Rates (Continued) 11. (Continued) Results: For all 25 employees tested, we inspected the employment eligibility verification form, I-9, that was signed by the human resources personnel indicating that they inspected the proper identifying documents. However, for 3 of these employees, we were unable to inspect other identifying documents, such as a driver s license, since copies were not retained in the personnel files. There were no other issues noted during this testing. Excess Paychecks 12. The District provided a listing of employees and the number of paychecks issued for July 1, 2015 through June 30, Normally, an employee should have only 26 paychecks for one full fiscal year; however, annual rate adjustments occur through a separate check; therefore, the existence of 27 paychecks for one fiscal year would be reasonable. We reviewed the number of paychecks issued per employee and investigated employees who have received in excess of 27 paychecks. Results: We originally noted 105 employees with more than 27 paychecks; however, the District requested the population be sampled. We selected 25 employees for testing and found the reason for paychecks in excess of 27 were as follows: Additional payouts for compensated absences, such as vacation, sick, bereavement, and comp time Retroactive pay for rate changes Tuition reimbursements Disclaimer This agreed-upon procedures engagement was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. We were not engaged to and did not conduct an examination or review, the objective of which would be the expression of an opinion or conclusion, respectively, on the existence of fictitious employees. Accordingly, we do not express such an opinion or conclusion. Had we performed additional procedures, other matters might have come to our attention that would have been reported to you. However, no fictitious employees were uncovered in this agreed-upon procedures engagement. Restriction on the Use of This Report This report is intended solely for the information and use of the Orange County Sanitation District Board of Directors and management of the District, and is not intended to be, and should not be, used by anyone other than those specified parties. Irvine, California August 24,

15 August 24, 2017 STAFF REPORT TO: FROM: Ad Hoc Audit Committee Michael D. White, Controller SUBJECT: Responses to Agreed-Upon Procedures Report to Search for Fictitious Vendors On August 24, 2017, White Nelson Diehl Evans (WNDE) issued their report on procedures they performed in their search for fictitious vendors. Below is a listing of the auditors findings contained within their report along with staff responses. Internal Controls 1. Procedure Performed: The Orange County Sanitation District (Sanitation District) provided narratives and/or interviews regarding how the Vendor Master File (VMF) is maintained. Results: Only the Purchasing Department can make changes to the VMF and add new vendors. The Accounts Payable Department and non-purchasing department employees (such as the General Manager, Purchasing Manager, Department Directors, Division Managers, Supervisors, and other Sanitation District staff) are responsible for approving purchases. The functions of making changes to the VMF and approving purchases are segregated. 2. Procedure Performed: The Sanitation District provided the VMF and a listing of Sanitation District employees, including employee addresses, the Employee Master File (EMF), as of March 13, Results: No exceptions were noted as a result of this testing.

16 Response to Contracted Internal Auditors Report on Search for Fictitious Vendors August 24, 2017 Page 2 of 6 3. Procedure Performed: The IT Manager responsible for providing the VMF and EMF in procedure #2 above signed a representation that in the compilation or transmission of the VMF and EMF, all electronic data provided was as originally recorded in the Sanitation District s system and was not altered for purposes of this agreed-upon procedure. Results: The representation letter was signed by the Principal Information Technology Analyst who provided the VMF and EMF. No exceptions were noted as a result of this testing. Test for Possible Matches between Vendors and Employees 1. Procedure Performed: The auditors compared the names and addresses of the vendors in the VMF with the names and addresses of employees in the EMF. Results: The auditors performed this procedure and utilized the results to select the samples for the procedures under Exact Matches section and Partial Matches section below. Exact Matches 2. Procedure Performed: Exact matches between the VMF and EMF can be due to travel or other reimbursement requests by employees that are paid outside of the payroll system. The auditors provided the listing of exact matches to the Sanitation District and requested a history of payments made (outside of payroll) for the 21-month period. They utilized the payment history to identify 15 employees with the largest aggregate payments made outside of payroll. From the remainder of the exact matches identified, a random sample of 10 was selected. Results: The auditors provided the matches noted from procedure #1 ( Test for Possible Matches between Vendors and Employees section) above and received the history of payments for the 21-month period from the Sanitation District. They utilized the history of payments to make the sample selection for procedures #3 and #4 below within this Exact Matches section. In addition, during their review of the VMF, the auditors noted some vendors that are listed multiple times. The vendors had the same address and, in some

17 Response to Contracted Internal Auditors Report on Search for Fictitious Vendors August 24, 2017 Page 3 of 6 cases, the same tax identification number. The auditors recommend the Sanitation District review the VMF and remove the vendors that are listed more than once without different addresses. The vendors noted are included in Attachment A. Staff Response: In some instances, vendors are legitimately listed multiple times due to the need for the separation of a supplier s legally filed address with the Internal Revenue Service (as identified on their W-9 and used for Form 1099 reporting) and the mailing address used for payments. There are also instances where payments are for rebates to sewer customers where the same customer has various accounts that are tied to specific parcels or permit numbers. The parcel numbers are different, but the mailing address may be the same. In other circumstances, it may appear that vendors are listed multiple times when actually all but one of the duplicates have been deactivated within the financial information system because of obsolescence. Deleting obsolete files is not a viable option due to the possible loss of transaction history. Sanitation District staff will review the vendors listed in Attachment A to determine if any of the vendor duplicates can be deactivated. 3. Procedure Performed: For those 25 employees selected in procedure #2 above, the auditors selected a sample from the payment history to test to verify the propriety of the payment. In selecting the sample of individual transactions, they followed the American Institute of Certified Public Accountants (AICPA) sample size guidance with a maximum sample size per employee of 25 transactions. Results: The auditors selected the sample and tested the items selected in procedure #4 below within this Exact Matches section. 4. Procedure Performed: To verify the propriety of the payments selected in procedure #3 above, the auditors performed the following: a. The Sanitation District provided procurement policies and procedures indicating the type and amount of approvals required. b. The auditors ensured the reimbursement request or invoice was approved in accordance with Sanitation District policy noted in procedure #4a above. c. The auditors determined the payment was for goods and/or services that are reasonable given the Sanitation District s business. d. In the case of vendors selected that are not employees, the auditors verified the Sanitation District has a W-9 on file.

18 Response to Contracted Internal Auditors Report on Search for Fictitious Vendors August 24, 2017 Page 4 of 6 Results: The cash disbursements selected for testing were approved in accordance with the Sanitation District s policies, were reasonable given the Sanitation District s business, and had a W-9 on file, if applicable. No exceptions were noted as a result of this testing. Partial Matches 5. Procedure Performed: The auditors determined the number of employees and vendor names and/or addresses that have partial matches, provided the listing of partial matches to the Sanitation District, and requested a history of payments made (outside of payroll) for the 21-month period. They then selected a sample based on the AICPA sample size guidance with a maximum sample size of 25. The sample selection was split with 60% of the sample selection focusing on the largest aggregate payments by vendor and 40% of the sample randomly selected. Results: The auditors provided the matches noted from procedure #1 ( Test for Possible Matches between Vendors and Employees section) above and received the history of payments for the 21-month period from the Sanitation District. They utilized the history of payments to make the sample selection for procedures #6 and #7 below within this Partial Matches section. 6. Procedure Performed: For those matches selected in procedure #5 above, the auditors selected a sample from the payment history to test to verify the propriety of the payment. In selecting the sample of individual transactions, they followed the AICPA sample size guidance with a maximum sample size per employee of 25 transactions. Results: The auditors selected the sample and tested the items selected in procedure #7 below within this Partial Matches section. 7. Procedure Performed: To verify the propriety of the payments selected in procedure #6 above, the auditors performed the following: a. The Sanitation District provided procurement policies and procedures indicating the type and amount of approvals required. b. The auditors ensured the reimbursement request or invoice was approved in accordance with Sanitation District policy noted in procedure #6a above.

19 Response to Contracted Internal Auditors Report on Search for Fictitious Vendors August 24, 2017 Page 5 of 6 c. The auditors determined the payment was for goods and/or services that are reasonable given the Sanitation District s business. d. In the case of vendors selected that are not employees, the auditors verified the Sanitation District had a W-9 on file. Results: The cash disbursements selected for testing were approved in accordance with the Sanitation District s policies and were reasonable given the Sanitation District s business with the exception of one transaction noted in the second paragraph below. Out of the 11 vendors selected for testing, five did not have a W-9 on file. The Sanitation District did not have a W-9 on file because the vendor was set up a long time ago in the system. The W-9 was not a formally documented or consistently followed procedural step by Purchasing to obtain and append a W-9 for newly created Vendor files until the estimated timeframe of We recommend the Sanitation District ensures that all vendors in the VMF have a W-9 on file. Out of 34 cash disbursements selected for testing, one did not have the required approval. This disbursement was a rebate to a Sanitation District customer in the net amount of $17, This customer paid fees based on estimated usage and, at year-end, the Sanitation District calculated the customer fees based on actual usage. In this case, the customer was owed a rebate. The Sanitation District s policy is that all credits or rebates to customers should be reviewed and approved by the Controller. We did not note the Controller s initials on the customer refund. We recommend the Sanitation District ensure the required approvals are obtained prior to paying customer refunds. Staff Response: The Sanitation District agrees with the recommendation to ensure that all vendors in the VMF have a W-9 on file. Information Technology (IT) will (1) deactivate any VMFs that have not had any transactional activity over the last two fiscal years and (2) generate a report identifying all remaining active VMFs that do not have W-9 s attached. From this report generated by IT, Purchasing will obtain the missing W-9 documents and scan them into the active VMFs. The goal is to complete this recommendation by March 31, In reference to the lack of approval on a customer refund by the Controller, the Sanitation District will include a line on the Batch Control Sheet, the approval document for the payment of rebates, requiring the Controller s signature approval. 8. Procedure Performed: The Sanitation District provided a list of all new vendors added during the 21- month period. Results: The Sanitation District provided the listing of all new vendors added during the 21-month period.

20 Response to Contracted Internal Auditors Report on Search for Fictitious Vendors August 24, 2017 Page 6 of 6 9. Procedure Performed: The Sanitation District distributed the list of new vendors to the appropriate personnel who reviewed the list and confirmed that new vendors added to the list were valid. Results: The listing was provided to the Contracts/Purchasing Assistant and the Purchasing Supervisor who signed a representation letter that, to the best of their knowledge, the new vendors consisted of valid vendors utilized by the District for appropriate Sanitation District daily operations. Review of P.O. Boxes 10. Procedure Performed: The auditors identified vendors in the VMF with P.O. Boxes as addresses and selected a sample of 25. Results: The auditors identified the vendors in the VMF that had P.O. Boxes as addresses and selected a sample for the procedure #11 below within this Review of P.O. Boxes section. 11. Procedure Performed: The auditors verified the authenticity of the vendor by performing the following procedures: a. Reviewed the form W-9 the Sanitation District has on file. b. Accessed the vendor websites and/or called the vendor to verify existence. Results: The auditors were able to verify the existence of all vendors with online websites. For 13 of the 25 vendors selected, they were not able to inspect the W-9. The Sanitation District did not have a W-9 on file because the vendor was set up a long time ago in the system. The W-9 was not a formally documented or consistently followed procedural step by Purchasing to obtain and append a W-9 for newly created Vendor files until the estimated timeframe of The auditors recommend the Sanitation District ensures that all vendors in the VMF have a W-9 on file. Staff Response: This is the same recommendation as stated in Partial Matches Procedure Performed No. 7 and OCSD s response is the same. Staff Overall Response: No fictitious vendors were uncovered in this agreedupon engagement.

21 ORANGE COUNTY SANITATION DISTRICT AGREED-UPON PROCEDURES REVIEW FICTITIOUS VENDOR ANALYSIS FOR THE 21-MONTH PERIOD OF JULY 1, 2015 TO MARCH 31, 2017

Board of Directors Orange County Sanitation District Fountain Valley, California INDEPENDENT ACCOUNTANTS REPORT ON APPLYING AGREED-UPON PROCEDURES We have performed the procedures set forth in this

The District s management is responsible for establishing and maintaining internal controls over cash disbursements to ensure there are no fictitious vendors.

Consequently, we make no representations regarding the sufficiency of the procedures described below either for the purpose for which this report has been requested or for any other purpose.

22 Board of Directors Orange County Sanitation District Fountain Valley, California INDEPENDENT ACCOUNTANTS REPORT ON APPLYING AGREED-UPON PROCEDURES We have performed the procedures set forth in this report, which were agreed to by the management of the Orange County Sanitation District, Fountain Valley, California (the District), for the 21-month period of July 1, 2015 to March 31, The District s management is responsible for establishing and maintaining internal controls over cash disbursements to ensure there are no fictitious vendors. The sufficiency of these procedures is solely the responsibility of the management of the District. Consequently, we make no representations regarding the sufficiency of the procedures described below either for the purpose for which this report has been requested or for any other purpose. The procedures performed and the results of those procedures are as follows: Internal Controls 1. The District provided narratives and/or interviews regarding how the Vendor Master File (VMF) is maintained. The narrative and/or interviews included: a. What data fields are maintained for each vendor. b. What procedures are used to set up a new vendor. c. What personnel are authorized to set up a new vendor. d. Identified employees who have access to the VMF and also have authority to approve invoices, purchase orders, or receiving documents. e. Identified the Information Technology (IT) employees that have access to the VMF and/or have the ability to make additions, deletions, or changes to the VMF. f. Determined if any high-level officials obtain a periodic report of new vendors added to the VMF. g. If the District makes manual or emergency payments to vendors that do not go through the regular approval and review procedures, identified personnel responsible for verifying that the vendor has been approved and added to the VMF. Results: a. The VMF included the following data fields: Vendor name Type of vendor (vendor versus employee) Address, city, state, and zip code Tax Identification Number Type of company: C (corporation), N (any other type), P (individual/sole proprietor), and E (exempt) Business phone (can add fax number, but is not mandatory) (not mandatory) Michelle Drive, Suite 300, Irvine, CA Tel: Fax: Offices located in Orange and San Diego Counties

23 Internal Controls (Continued) 1. (Continued) Results (Continued): b. New vendors are entered into the system by the Purchasing Department. A W-9 must be scanned into the system as support for the existence of the new vendor. Also the tax identification number (TIN) must be entered into the system. By entering in the TIN number, the District can verify that the vendor does not already exist in the system to avoid duplicate entries. c. Only the Purchasing Department can make changes to the VMF and add new vendors. d. The Accounts Payable Department has access to the VMF and can approve invoices. However, the Accounts Payable Department cannot make changes to the VMF; therefore, this does not cause an issue for segregation of duties. e. The IT Department has access to the VMF, but cannot make changes. f. High-level officials do not obtain a periodic report of new vendors added to the VMF; however, given the District s other controls, we do not see a need to add this procedure. Per our discussion with the finance department, the District does not believe a benefit exists for this control as they could not think of any new vendor being added that would raise a red flag. g. If a manual or emergency payment to a vendor requires setup in the VMF then the only difference from the procedure noted in b above is that a W-9 is not required. The W-9 will be obtained at a later date due to the emergency situation. Overall: Only the Purchasing Department can make changes to the VMF and add new vendors. The Accounts Payable Department and non-purchasing department employees (such as the General Manager, Purchasing Manager, Department Directors, Division Managers, Supervisors, and other District staff) are responsible for approving purchases. The functions of making changes to the VMF and approving purchases are segregated. 2. The District provided the VMF and a listing of District employees, including employee addresses, the Employee Master File (EMF), as of March 13, Results: We received the VMF and EMF files. No exceptions were noted as a result of this testing. 3. The IT Manager responsible for providing the VMF and EMF in procedure #2 above signed a representation that in the compilation or transmission of the VMF and EMF, all electronic data provided was as originally recorded in the District s system and was not altered for purposes of this agreed-upon procedure. Results: The representation letter was signed by the Principal Information Technology Analyst who provided the VMF and EMF. No exceptions were noted as a result of this testing

24 Test for Possible Matches between Vendors and Employees 1. We compared the names and addresses of the vendors in the VMF with the names and addresses of employees in the EMF. a. We searched for exact matches of names and addresses. b. We searched for partial matches (such as variations of employee names included in the VMF and the same street name, but different house/apartment number). Results: We performed this procedure and utilized the results to select the samples for the procedures under Exact Matches section and Partial Matches section below. Exact Matches 2. Exact matches between the VMF and EMF can be due to travel or other reimbursement requests by employees that are paid outside of the payroll system. We provided the listing of exact matches to the District and requested a history of payments made (outside of payroll) for the 21-month period. We utilized the payment history to identify 15 employees with the largest aggregates payments made outside of payroll. From the remainder of the exact matches identified, a random sample of 10 was selected. Results: We provided the matches noted from procedure #1 ( Test for Possible Matches between Vendors and Employees section) above and received the history of payments for the 21-month period from the District. We utilized the history of payments to make the sample selection for procedures #3 and #4 below within this Exact Matches section. In addition, during our review of the VMF, we noted some vendors that are listed multiple times. The vendors had the same address and, in some cases, the same tax identification number. We recommend the District review the VMF and remove the vendors that are listed more than once without different addresses. The vendors noted are included in Attachment A. 3. For those 25 employees selected in procedure #2 above, we selected a sample from the payment history to test to verify the propriety of the payment. In selecting the sample of individual transactions, we followed the American Institute of Certified Public Accountants (AICPA) sample size guidance with a maximum sample size per employee of 25 transactions. Results: We selected the sample and tested the items selected in procedure #4 below within this Exact Matches section. 4. To verify the propriety of the payments selected in procedure #3 above, the following was performed: a. The District provided procurement policies and procedures indicating the type and amount of approvals required. b. We ensured the reimbursement request or invoice was approved in accordance with District policy noted in procedure #4a above. c. We determined the payment was for goods and/or services that are reasonable given the District s business. d. In the case of vendors selected that are not employees, we verified the District has a W-9 on file

25 Exact Matches (Continued) 4. (Continued) Results: The cash disbursements selected for testing were approved in accordance with the District s policies, were reasonable given the District s business, and had a W-9 on file, if applicable. No exceptions were noted as a result of this testing. Partial Matches 5. We determined the number of employees and vendor names and/or addresses that have partial matches. We provided the listing of partial matches to the District and requested a history of payments made (outside of payroll) for the 21-month period. We selected a sample based on the AICPA sample size guidance with a maximum sample size of 25. The sample selection was split with 60% of the sample selection focusing on the largest aggregate payments by vendor and 40% of the sample randomly selected. Results: We provided the matches noted from procedure #1 ( Test for Possible Matches between Vendors and Employees section) above and received the history of payments for the 21-month period from the District. We utilized the history of payments to make the sample selection for procedures #6 and #7 below within this Partial Matches section. 6. For those matches selected in procedure #5 above, we selected a sample from the payment history to test to verify the propriety of the payment. In selecting the sample of individual transactions, we followed the AICPA sample size guidance with a maximum sample size per employee of 25 transactions. Results: We selected the sample and tested the items selected in procedure #7 below within this Partial Matches section. 7. To verify the propriety of the payments selected in procedure #6 above, the following was performed: a. The District provided procurement policies and procedures indicating the type and amount of approvals required. b. We ensured the reimbursement request or invoice was approved in accordance with District policy noted in procedure #6a above. c. We determined the payment was for goods and/or services that are reasonable given the District s business. d. In the case of vendors selected that are not employees, we verified the District had a W-9 on file. Results: The cash disbursements selected for testing were approved in accordance with the District s policies and were reasonable given the District s business with the exception of one transaction noted in the second paragraph below. Out of the 11 vendors selected for testing, 5 did not have a W-9 on file. The District did not have a W-9 on file because the vendor was set up a long time ago in the system. The W-9 was not a formally documented or consistently followed procedural step by Purchasing to obtain and append a W-9 for newly created Vendor files until the estimated timeframe of We recommend the District ensures that all vendors in the VMF have a W-9 on file

26 Partial Matches (Continued) 7. (Continued) Out of 34 cash disbursements selected for testing, one did not have the required approval. This disbursement was a rebate to a District customer in the net amount of $17, This customer paid fees based on estimated usage and, at year-end, the District calculated the customer fees based on actual usage. In this case, the customer was owed a rebate. The District s policy is that all credits or rebates to customers should be reviewed and approved by the Controller. We did not note the Controller s initials on the customer refund. We recommend the District ensure the required approvals are obtained prior to paying customer refunds. Analyzing New Vendors 8. The District provided a list of all new vendors added during the 21- month period. Results: The District provided the listing of all new vendors added during the 21-month period. 9. The District distributed the list of new vendors to the appropriate personnel who reviewed the list and confirmed that new vendors added to the list were valid. Results: The listing was provided to the Contracts/Purchasing Assistant and the Purchasing Supervisor who signed a representation letter that, to the best of their knowledge, the new vendors consisted of valid vendors utilized by the District for appropriate District daily operations. Review of P.O. Boxes 10. We identified vendors in the VMF with P.O. Boxes as addresses and selected a sample of 25. Results: We identified the vendors in the VMF that had P.O. Boxes as addresses and selected a sample for the procedure #11 below within this Review of P.O. Boxes section. 11. We verified the authenticity of the vendor by performing the following procedures: a. Reviewed the form W-9 the District has on file. b. Accessed the vendor websites and/or called the vendor to verify existence. Results: We were able to verify the existence of all vendors with online websites. For 13 of the 25 vendors selected, we were not able to inspect the W-9. The District did not have a W-9 on file because the vendor was set up a long time ago in the system. The W-9 was not a formally documented or consistently followed procedural step by Purchasing to obtain and append a W-9 for newly created Vendor files until the estimated timeframe of We recommend the District ensures that all vendors in the VMF have a W-9 on file