Office of the City Manager

TO: Finance/Audit Committee
FROM: Ruthe Holden, Internal Audit Manager
SUBJECT: Final Fraud Risk Assessment Report - Phase 1

Recommendation

This report is for information only.

Background

On January 5, 2015, the City Council held a special meeting on the Underground Utilities Program Audit Discussion. As part of the presentation, staff reviewed the details of an alleged employee embezzlement scheme involving the loss of approximately $6 million from the Underground Utilities fund. The City Council requested that a separate, comprehensive assessment of the City's fraud risk and internal controls be completed citywide. In the Request for Proposal, the City separated the Fraud Risk Assessment project into three phases. Macias, Gini, O'Connell (MGO) was awarded this contract and has completed the final report for phase 1.

Summary of Fraud Risk Assessment Report

Phase 1 assessed six departments: Housing and Career Services, Public Health, Human Services and Recreation, Transportation, Finance, and Public Works. MGO's objectives in completing phase 1 of the fraud risk assessment were to identify fraud risks in the six City departments' processes, programs and organizational units, and to make appropriate recommendations to mitigate those risks. The assessment process determined the fraud risks for specific business unit activities based on each department's unique fraud risk areas. MGO met with the department directors, deputies and business analysts, and reviewed relevant documentation including prior audit reports, budgetary data, strategic plans and other department reports. Questions were developed for each department based on industry standards, best practices or known deficiencies of similar City departments. MGO assigned scores for each question based on established scoring criteria for inherent risk and control risk.
Inherent risk begins with the category of resources and resource flows that are subject to occupational fraud; the related fraud schemes are then evaluated by likelihood, significance and pervasiveness. The inherent risk score is based on a scale of 1 to 5, with 1 being low and 5 being high risk. Control risk evaluates whether the controls sufficiently address fraud risks and schemes. MGO determined the likelihood or probability that the identified risk can occur, and then evaluated the mitigating controls. As part of devising the risk assessment questions, MGO linked the inherent risk of resources to fraud, fraud schemes, and mitigating controls. This is also called control gap analysis: the design of the controls is assessed to determine whether they sufficiently mitigate the risk of the identified fraud scheme. The control risk rating score is measured on the presence of preventive controls, which mitigate specific fraud risks and deter them from occurring, or detective controls, which are designed to identify fraud should it occur. Examples of preventive controls include segregation of duties and approvals and authorizations prior to executing certain transactions. Examples of detective controls include comparisons of actual to expected results, reconciliations, and monitoring activities. Based on these results, MGO then identified and evaluated the mitigating controls for those risks to assess their likely effectiveness and determine whether they sufficiently mitigate the risk of potential fraud schemes. Finally, the results of the assessment and scoring for control risk and inherent risk determine the residual risk scoring on the overall and individual departments' Heat Maps.

Residual risk is based on the quadrant(s) of the heat map where the risks tend to congregate. Quadrant 1 (upper right) holds the higher residual risk scores, where the department needs to improve its overall fraud risk management program. Quadrant 2 (upper left) holds residual risks that are high because the inherent risks are considered high; residual risks in quadrant 2 have preventive and detective controls in place that mitigate the risks. Quadrant 3 (lower right) holds lower inherent risks that still require some controls to bring them to an acceptable level. Quadrant 4 (lower left) contains the lowest residual risk scores: inherent risk is low and controls are present. The Heat Map below depicts the departments' overall fraud residual risk scores.

[Figure: Phase 1 Heat Map. Vertical axis: Inherent Risk Rating (2.0 to 5.0); horizontal axis: Control Risk Rating. Quadrants Q2 (upper left) and Q1 (upper right) at the top, Q4 (lower left) and Q3 (lower right) at the bottom. Departments plotted, top to bottom: Human Services & Recreation; Transportation, Finance and Public Works; Public Health; Housing & Career Services.]

At the conclusion of analyzing the six departments, MGO recommended that the City adopt five citywide recommendations related to:

1. Realignment of Internal Control Roles and Responsibilities

Overall, the City's internal control activities are adequately structured to ensure the prevention and detection of employee misconduct leading to occupational fraud. However, the City places too much reliance on its business supporting functions such as Finance, Accounting, Purchasing, Human Resources, Risk Management, and the City Attorney. In the course of the Fraud Risk Assessment, MGO received responses from many departments indicating that the department relied on the Human Resources, Accounts Payable and Purchasing functions to prevent and detect fraudulent disbursement schemes. Operating departments are in the best position to identify irregular transactions and/or errors. They need to engage in methodical processes that incorporate adequate segregation of duties and supervisory monitoring to prevent or detect potential fraud or errors. The Finance Department has taken the lead to develop a Citywide Policy for this recommendation, which all City Departments will be required to implement within their existing processes and procedures.

2. Formal Selection of Internal Control Framework

The City should adopt the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control-Integrated Framework as the City's internal control framework. The COSO Internal Control-Integrated Framework provides a current, common language and reference for management, employees and third parties to design, operate, and evaluate organizational internal controls. COSO has been the dominant internal control framework in the United States for the last 20 years and provides a good framework for developing and updating internal controls.
The Finance Department has taken the lead to develop a Citywide Policy for this recommendation, which all City Departments will phase in as they update or implement policies and procedures.

3. Enterprise Resource Planning (ERP) Software Implementation - Citywide

ERP software provides a set of automated tools, including automated internal controls and reporting capabilities, that ultimately rely on people for effectiveness. The City's new ERP software is still transitioning to the final anticipated level of functionality to meet user requirements. Internal controls that rely on the ERP are affected by the transition. Changing controls increases the risk of fraud, primarily disbursement schemes in the accounts payable and payroll processes. Fraud risk from the implementation period will decrease as the various modules are implemented to their desired final state, along with appropriate controls. The Finance Department and the Department of Information Technology have taken the lead in addressing the risks and recommendations identified for the ERP implementation.

4. Escalation Policy - Citywide

Information that is not communicated in time to make a difference creates vulnerabilities. Internal and external parties can exploit these vulnerabilities as opportunities to carry out or conceal fraudulent schemes. Instituting an escalation policy that requires all staff to report conditions perceived as abnormal or irregular to another level, department or function of the City helps to identify potential employee misconduct. This was identified as a risk in several of the departments reviewed during Phase 1 of the Fraud Risk Assessment. The individual departments identified in the MGO report with this risk have included a corrective action for their departments. The City Manager's Office will work with Human Resources to implement this Citywide.

5. Stewardship of Non-cash Assets - Citywide

Developing a comprehensive and unified non-cash asset stewardship policy would help employees and management safeguard assets against misuse, theft, waste and abuse. While City departments have established custodial and inventory controls over City vehicles, mobile equipment and information technology assets, a Citywide comprehensive asset policy is not available in the City's Manual of Personnel & Administrative Rules. A non-cash asset policy should cover record keeping, identification, inventory counts and procedures, unable-to-locate asset reporting, and accountability assignments to departments and individuals, and should differentiate between capital and non-capital assets. The Finance Department has taken the lead in addressing recommendations related to this risk, including developing a Citywide policy and inventorying capital assets and other significant inventories.

The details of the corrective actions for these five Citywide recommendations are included in the corrective action sheet of the individual department that was assigned primary responsibility for completing the corrective action. The table below summarizes the results for each of the six departments reviewed.

Department                    Inherent Risk Rating (1 low - 5 high)   Residual Risk Rating   No. of Recommendations   Status
Housing & Career Services     2.8                                      Low                    3                        1 completed
Public Health                 3.0                                      Low                    4                        3 completed
Human Services & Recreation   3.8                                      Moderate               6                        4 completed
Transportation                3.7                                      Moderate               4                        2 completed
Finance                       3.8                                      High                   10                       3 completed
Human Resources (1)                                                                           1
Public Works                  3.6                                      Moderate-High          8                        1 completed

(1) As part of the assessment of Finance, Human Resources was noted as the lead in completing a recommendation related to training in the handling of personally identifiable and other sensitive information. Human Resources was not part of the first assessment phase.

Below is a brief synopsis of each department's fraud risk assessment conclusions; the complete final report is included in Attachment A.

Housing and Career Services

The results of the Fraud Risk Assessment show that the inherent risk rating is 2.8 and the residual risk of fraud within the six divisions of the Housing and Career Services Department is low (quadrant 4). There are three recommendations identified for potential risks related to: 1. reconciling and maintaining loan transactions in Interlinq, 2. establishing controls around courier services delivering loan payoffs, and 3. monitoring Department oversight activities in Section 8 and CDBG programs.

Public Health

The Department's overall inherent risk rating is 3.0, and the final residual risk of fraud is considered low (quadrant 4). There are four recommendations identified for potential risks related to: 1. Procurement Card (P-Card) management, 2. safekeeping of vital statistics certificate stock, 3. cash handling in Finance & Administration, and 4. cash handling in the Environmental Health division.

Human Services and Recreation

The Department's overall inherent risk rating is 3.8 and the final residual risk of fraud within the five areas of the Human Services and Recreation Department is considered moderate (quadrant 2). There are six recommendations identified for potential risks related to: 1. space use monitoring, 2. program monitoring, 3. filling the Deputy Director position, 4. accepting donated resources, 5. closing an unused petty cash account, and 6. protecting soccer league registration sensitive information.

Transportation

The Department's overall inherent risk rating is 3.7 and the final residual risk of fraud within the five divisions of the Transportation Department is considered moderate (quadrant 2). There were four recommendations identified for potential risks related to: 1. procurement proposal evaluations, 2. Traffic Engineering physical security, 3. Parking Services cashier station monitoring, and 4. Complete Streets separation of duties.

Finance

The Department's overall inherent risk rating is 3.8 and the final residual risk of fraud within the four divisions of the Finance Department is considered high (quadrant 1) to moderate-high (quadrant 2).
The assessment demonstrates that the residual risk for fraudulent disbursements and cash thefts is high due to the nature of the Department's centralized business support activities for the City of Pasadena's departments. There are eleven recommendations identified for potential risks related to: 1. manual cash receipts, 2. ERP software implementation (Citywide Recommendation), 3. establishing an escalation policy (Citywide Recommendation), 4. stewardship of non-cash assets (Citywide Recommendation), 5. periodic reviews of Statement of Economic Interests and Business Interests, 6. establishing a Citywide policy for information security and personally identifiable information (Citywide Recommendation - Human Resources responsibility), 7. master vendor file management, 8. treasury bank and cash reconciliations, 9. coin box inventory management, 10. realignment of internal control roles and responsibilities (Citywide Recommendation), and 11. formal selection of an internal control framework (Citywide Recommendation). Ten are the responsibility of the Finance Department and one is the responsibility of the Human Resources Department.

Public Works

The Department's overall inherent risk rating is 3.6 and the final residual risk of fraud is considered moderate-high (quadrant 2), which reflects the Department's major resource outflows and inflows in the form of infrastructure and other public works acquisitions that are large in scope, value, and complexity. There are eight recommendations identified for potential risks related to: 1. citywide escalation policy (Citywide recommendation), 2. clean-desk policy, 3. cash handling, 4. change order management, 5. inventory management and non-cash asset stewardship (Citywide recommendation), 6. management of building keys, 7. citywide building alarm access, and 8. fuel usage monitoring.

Next Steps

MGO will complete on-site fraud training for City Senior Management and develop an online training for City staff. MGO will also provide the City with a comprehensive Fraud Manual that will be used in future training sessions. On October 10, 2016, City Council approved a 2-year extension of MGO's contract for phases 2 and 3. MGO will begin work with the Department of Water and Power for phase 2 of the Risk Assessment, which will start in December 2016 and is expected to be completed in early
Phase 3, which includes the other City departments, will commence once phase 2 is substantially complete. The Internal Audit group will follow up on all open recommendations from the fraud risk assessment and periodically update the Finance/Audit Committee.

Attachments: (1) Appendix A: MGO Final Risk Assessment Report Phase 1