Background. We conducted the audit in accordance with the International Standards for the Professional Practice of Internal Auditing.


Background

We conducted a performance audit of the Payroll Section. The Payroll Section is responsible for the accurate and timely preparation, control and distribution of the:
- Commission's payroll
- Monthly, quarterly and annual payroll reports; and
- Employee W-2 statements.

We conducted the audit in accordance with the International Standards for the Professional Practice of Internal Auditing.

Internal Audit Team:
- Digdem Dee Tok, Internal Auditor II

Objectives

The objectives of the audit were to determine whether the current payroll operations safeguard the security, reliability, and accuracy of payroll data with respect to its effectiveness and efficiency in compliance with WSSC policies and procedures.

Scope

The audit period covered July 1, 2014 to June 30,

Findings / Rating / Recommendations

1. Inappropriate HRMS Oracle user access privileges
   Recommendation: Review the current list of users and make proper adjustments to user privileges based on their job functions.

2. Lack of segregation of duties
   Recommendation: The additional access privileges for processing payroll, updating, and deleting data be removed or changed to read-only access.

Findings (Cont'd.)

Findings / Rating / Recommendations

3. No formal procedures in place for monitoring user access reasonableness
   Recommendations:
   - Develop HRMS Oracle user access review procedures for identifying and eliminating user IDs for inactive users and individuals who are no longer employed with WSSC.
   - When clean-up is performed on the HRMS for user access, use the actual date of change.

4. No formal Internal Operating Procedures
   Rating: Medium
   Recommendation: Develop formal internal operating procedures and train staff to ensure consistency.

Findings / Rating / Management Response & Action Plans

1. Inappropriate HRMS Oracle user access privileges
   Management:
   - Has reviewed the current list of users.
   - Made appropriate adjustments for the consolidation of responsibilities by November 30,

2. Lack of segregation of duties
   Management response: The Finance Department does not agree with the recommendation. Applying "read-only" access would disrupt the payroll process as the responsibilities do not serve only one function and would create process inefficiencies.

Findings / Rating / Management Response & Action Plan

3. No formal procedures in place for monitoring user access reasonableness
   Management response: Appropriate modifications were made by the Information Technology Department on November 30th,

4. No formal internal operating procedures
   Rating: Medium
   Management response: Payroll Section Management will revise the 2013 draft procedures, add page numbers, and include an endorsement signature by September 30,

Internal controls are effective in mitigating the risks specific to the achievement of business objectives with a few exceptions. However, opportunities for control enhancement were identified, as previously noted. We have reviewed the results with the Payroll Section management and a management action plan has been developed.


Background

We performed a limited-scope audit of Procurement Contract No Repairing and Repainting the Interior and Exterior of the St. Barnabas Ground Tank (Reservoir). We conducted the audit in accordance with the International Standards for the Professional Practice of Internal Auditing.

Internal Audit Team:
- Jane Lewis, Senior Internal Auditor
- Angela Makle Fortune, Senior Internal Auditor

Objective

The objective of the audit was to provide an independent assurance that parties to the signed Commission Procurement contracts adhered to the stipulated requirements and regulations; specifically, to determine compliance with the procurement and payment requirements of the selected contracts.

Scope

- Review the procurement and payment requirements of Contract No
- Review the procurement and payment requirements under Tank Inspection Contract No
- Evaluate contract activities from October 15, 2014 through October 5,

Findings / Rating / Recommendations

1. Subcontractor did not perform work shown on the Commission approved subcontracting plan
   Recommendation: Review the signed subcontracting plan for contract compliance.

2. Reduced SLBE subcontracting participation rate
   Recommendation: Monitor and review contract set-up and changes on the onset and at option renewal.

3. The Commission paid for work not inspected
   Recommendation: Pay contractors based on the contract payment terms.

Findings (Cont'd.)

Findings / Rating / Recommendations

4. Insufficient evidence to support replacement of water main pipe
   Recommendations:
   - Obtain an independent evaluation of the replaced water main
   - Update the Commission's permanent records
   - Enforce regulatory and contract compliance

5. The Commission exceeded its payments for additional piping
   Recommendation: Production management should designate a Contract Manager to assist with contract management.

6. The prime contractor added more than a 5% subcontractor markup
   Recommendation: Request the prime contractor reimburse WSSC for the added markup.

Findings (Cont'd.)

Findings / Rating / Recommendations

7. The Commission has no direct or indirect right to audit the subcontractors
   Rating: Medium
   Recommendation: Formulate a process to bind subcontractors to the Commission's Right to Audit Clause.

8. Inspection field observers were paid more money than the contract agreement
   Rating: Medium
   Recommendation: Approve and pay supplier invoices in accordance with contract payment terms.

Findings / Rating / Management Response & Action Plans

1. Subcontractor did not perform work shown on the Commission approved subcontracting plan
   - OSDI: The right-to-audit statement was added to the subcontracting certification forms.
   - Procurement: WSSC established two new positions to mitigate the risk of noncompliance by vendors.
   - Production: Effective July 3, 2017, the water storage tank rehabilitation program was transferred to the Facility Design and Construction Division under the Engineering and Construction Department.

Findings / Rating / Management Response & Action Plans

2. Reduced SLBE subcontracting participation rate
   - Procurement: Instituted the role of COR to work with user departments regarding contractor performance and any contract modifications.
   - OSDI: Business rules in the contracting module will be established to ensure that SLMBE contract requirements are complete

Findings / Rating / Management Response & Action Plans

3. The Commission paid for work not inspected
   - Production: Not having an inspector assigned to this site was an anomaly. Effective July 3, 2017, the water storage tank rehabilitation program was transferred to the Facility Design and Construction Division under the Engineering and Construction Department.

Findings / Rating / Management Response & Action Plans

4. Insufficient evidence to support replacement of water main pipe
   - Procurement: Disagrees with this recommendation, as it would add an unnecessary cost burden to the Commission.
   - Production: Production disagrees with this recommendation. There is major construction currently underway at the site for the construction of the new St. Barnabas Elevated Water Storage Tank. New construction ties into the new main, which should provide sufficient assurance that the pipe was installed.

Findings / Rating / Management Response & Action Plan

5. The Commission exceeded its payments for additional piping
   - Production: Effective July 3, 2017, the water storage tank rehabilitation program was transferred to the Facility Design and Construction Division under the Engineering and Design Department.

6. The prime contractor added more than a 5% subcontractor markup
   - Production: Effective July 3, 2017, the water storage tank rehabilitation program was transferred to the Facility Design and Construction Division under the Engineering and Design Department. The Production Team does not agree with the recommendation to segregate roles for Contract Manager and Project Manager.

Findings / Rating / Management Response & Action Plan

7. The Commission has no direct or indirect right to audit the subcontractors
   Rating: Medium
   - OSDI: Operations management updated the subcontracting and supplier certification forms.
   - Procurement: Agrees and accepts this recommendation.

8. Inspection field observers were paid more money than the contract agreement
   Rating: Medium
   - Production: Starting immediately, it is recommended that when changes are made to an existing service contract on a re-initiation of that service, that all changes made by the end user or Procurement are discussed, identified, and mutually agreed upon.

Internal controls are effective in mitigating the risks specific to the achievement of business objectives with a few exceptions. However, opportunities for control enhancement were identified, as previously noted. We have reviewed the results with appropriate department management and a management action plan has been developed.


Background

The Washington Suburban Sanitary Commission (WSSC) Disaster Recovery (DR) simulation exercise is an opportunity for staff to restore critical operations and systems of the Commission in the event of a disaster or interruption. WSSC had not conducted a disaster recovery test in nearly two years and no end users participated in this exercise.

Internal Audit Team:
- Janice Hicks, Internal Auditor II
- Digdem Dee Tok, Internal Auditor II

Objective

Provide an independent and objective assessment of the effectiveness of the disaster recovery testing exercise.

Scope

Observe the WSSC 48-hour DR exercise held on Monday, December 11, 2017 and Tuesday, December 12, 2017 at Recovery Point in Germantown, Maryland.

Findings / Rating / Recommendations

1. Insufficient Communication
   Recommendation: Management ensure the DR list is complete and updated periodically to include all designated DR exercise members and their contact information.

2. Recovery Site Locations are in the disaster zone
   Recommendation: Management review the location of the DR testing facilities to ensure that WSSC is functioning within best practices.

3. Missing Exchange recovery procedure
   Recommendation: Management update policies and procedures to ensure that all interdependent systems are included in the exercise.

Findings (Cont'd)

Findings / Rating / Recommendations

4. Failure to Troubleshoot identified problems With TEAMS
   Recommendation: Management update the policies and procedures to ensure that all inter-dependent systems are included in the process.

5. Systems Recovery Issues:
   - E-permitting
   - Bill Pay
   - Rumba
   Rating: Medium
   Recommendation: Management update the policies and procedures to address:
   - Inter-dependent systems
   - Identified coding issues
   - Licensing for applicable systems

Findings / Rating / Management Response & Action Plans

1. Insufficient Communication
   Management response: IT management will confirm participant names and current phone numbers in advance of DR Testing.

2. Recovery Site Locations are in the disaster zone
   Management response: IT management has accepted the risk that both testing sites are within 25 miles (24 driving miles) of RGH.

3. Missing Exchange recovery procedure
   Management response:
   - This document was version one of the events list.
   - Additional details will be added for future iterations.

Findings / Rating / Management Response & Action Plan

4. Failure to Troubleshoot identified problems With TEAMS
   Management response: IT Management will take the necessary steps to ensure that the functionality of all interdependent systems are included and accounted for in the process for future DR tests.

5. Systems Recovery Issues:
   - E-permitting
   - Bill Pay
   - Rumba
   Rating: Medium
   Management response: The issues that were identified with these systems will be addressed and tested during the next DR exercise.

Internal controls are effective in mitigating the risks specific to the achievement of the business objectives with a few exceptions. However, opportunities for control enhancement were identified and communicated to IT management. We have reviewed the results with the appropriate department management and a management action plan has been developed to address the issues identified.


Background

We performed an annual compliance review of the earnings element additional regular pay associated with the Washington Suburban Sanitary Commission (WSSC) payroll system. We conducted the audit in accordance with the International Standards for the Professional Practice of Internal Auditing.

Internal Audit Team:
- Janice Hicks, Internal Auditor II

Objective

The purpose of the review was to provide management with an independent and objective assessment of the use of additional regular pay, evaluate the related internal controls, and identify improvements where needed.

In Scope

We reviewed the pay of all employees who earned additional regular pay from July 1, 2015 to June 30,

Outside-Scope

Additional regular pay is used in conjunction with emergency response and standby pay; however, we did not review the application of standby pay because the utilization of standby pay was being reviewed by management.

Findings / Rating / Recommendations

1. Undocumented earning of additional regular pay
   Rating: Medium
   Recommendation: Management establish a process to include internal controls that would reconcile, monitor, and analyze the use of additional regular pay.

2. Undocumented authorization of additional regular pay
   Rating: Medium
   Recommendations:
   - Management comply with the existing policy regarding documented approval for the use of additional regular pay by managers.
   - HR and Payroll ensure receipt of corresponding documentation along with the required approvals.

Findings / Rating / Management Response & Action Plans

1. Undocumented earning of additional regular pay
   Rating: Medium
   Management response: Management agrees and will comply with the risk mitigating recommendations to achieve business objectives.

2. Undocumented authorization of additional regular pay
   Rating: Medium
   Management response: Management agrees and will comply with the risk mitigating recommendations to achieve business objectives.

Internal controls are effective in mitigating the risks specific to the achievement of the business objectives with a few exceptions. However, opportunities for control enhancement were identified and communicated to the Customer Service Department, Human Resources Office, and the Payroll Section. We have reviewed the results with the appropriate department management and a management action plan has been developed to address the issues identified.