Comptroller of the Treasury Central Payroll Bureau


Audit Report

Comptroller of the Treasury
Central Payroll Bureau

June 2006

OFFICE OF LEGISLATIVE AUDITS
DEPARTMENT OF LEGISLATIVE SERVICES
MARYLAND GENERAL ASSEMBLY

This report and any related follow-up correspondence are available to the public through the Office of Legislative Audits at 301 West Preston Street, Room 1202, Baltimore, Maryland 21201. The Office may be contacted by telephone at 410-946-5900, 301-970-5900, or 1-877-486-9964.

Electronic copies of our audit reports can be viewed or downloaded from our website at http://www.ola.state.md.us.

Alternate formats may be requested through the Maryland Relay Service at 1-800-735-2258.

The Department of Legislative Services Office of the Executive Director, 90 State Circle, Annapolis, Maryland 21401 can also assist you in obtaining copies of our reports and related correspondence. The Department may be contacted by telephone at 410-946-5400 or 301-970-5400.

June 9, 2006

Senator Nathaniel J. McFadden, Co-Chair, Joint Audit Committee
Delegate Charles E. Barkley, Co-Chair, Joint Audit Committee
Members of Joint Audit Committee
Annapolis, Maryland

Ladies and Gentlemen:

We have audited the Comptroller of the Treasury Central Payroll Bureau (CPB) for the period beginning March 4, 2003 and ending December 31, 2005.

Our audit disclosed that CPB's procedures and controls over the State payroll system need improvement. Specifically, a number of employees had access to critical automated payroll processing functions that could allow them to process unauthorized payroll transactions, and payroll adjustments were not adequately documented and independently reviewed. In addition, CPB's procedures to assist State agencies in the prevention or detection of improper payments to employees on multiple State payrolls should be improved.

We also noted deficiencies relating to clearing accounts used for payroll deductions, and with CPB's information systems security.

Respectfully submitted,

Bruce A. Myers, CPA
Legislative Auditor


Table of Contents

Background Information
  Agency Responsibilities
  Current Status of Findings From Preceding Audit Report

Findings and Recommendations
  State Payroll System
    * Finding 1 - A Number of Employees Had Improper Access to Critical Automated Payroll Processing Functions
    Finding 2 - Payroll Adjustments Were Not Adequately Documented and Were Not Subject to Independent Review
    Finding 3 - Procedures and Controls to Prevent or Detect Improper Payments to Employees on Multiple Payrolls Need Improvement
  Non-Budgeted Funds
    Finding 4 - The Compositions of Fund Balances Were Not Analyzed, and the Proper Disposition of Certain Funds Retained Had Not Been Determined
  Computer Security
    Finding 5 - Adequate Access and Logging Controls Did Not Exist

Audit Scope, Objectives, and Methodology
Agency Response (Appendix)

* Denotes item repeated in full or part from preceding audit report

Background Information

Agency Responsibilities

The Central Payroll Bureau (CPB), a unit of the Comptroller of the Treasury, is primarily responsible for processing and issuing payroll checks and direct deposit advices on a biweekly basis for the regular State payroll, and for the payrolls of the Maryland Department of Transportation and the University System of Maryland. CPB is also responsible for processing payroll deductions, certain employee withholding statements, and other payroll reports for State government. According to CPB's records, these payrolls totaled approximately $4.4 billion during calendar year 2005.

Current Status of Findings From Preceding Audit Report

We reviewed the current status of the four findings included in our preceding audit report dated August 13, 2003. We determined that CPB satisfactorily addressed three of these findings. The remaining item is repeated in this report.

Findings and Recommendations

State Payroll System

Finding 1
A number of CPB employees had access to critical automated payroll processing functions that could allow them to initiate unauthorized payroll transactions.

Analysis
Unnecessary or improper access to critical automated payroll processing functions had been granted to a number of CPB employees that could allow them to initiate unauthorized payroll transactions. Specifically, we noted the following conditions:

- Statewide payroll data on electronic payroll reports were subject to change by six employees after they had been approved by both the related agencies and CPB personnel. As a result, these employees could record improper payroll changes (such as increasing employee pay amounts) which would not be subject to approval and may not be detected.

- Nine employees had access to critical online payroll processing functions even though their job responsibilities did not require such access. For example, six employees could record payroll deductions (such as tax liens and income taxes) when such access was not required for these employees. A similar condition was commented upon in our preceding audit report.

- Two employees had sole responsibility for processing wage garnishments and for establishing the related payee accounts to which the garnishments were to be disbursed. As a result, unauthorized or improper garnishments could be processed and the related funds misappropriated without detection. Wage garnishments, which totaled approximately $18.9 million in calendar year 2005, are used to deduct funds from employee paychecks to satisfy court-ordered payments, such as for child support.

Recommendation 1
We recommend that CPB restrict access to critical automated payroll processing functions to prevent changes from being made after they have been approved. In addition, we again recommend that access to critical online payroll processing functions be limited to only those employees whose job duties require such access. Finally, we recommend that an employee independent of the wage garnishment process review all source documentation for garnishments processed by CPB employees to ensure their propriety, and document such reviews.

Finding 2
Payroll adjustments processed by CPB employees were not adequately documented and were not subject to independent review.

Analysis
Employee payroll adjustments (for example, increases to pay) requested by agency personnel were processed by CPB employees without adequate documentation and were not subject to independent review. Normally, adjustments to employee payrolls are made by agency personnel prior to submission of the payrolls to CPB. When changes are needed after the payrolls have been submitted, agency personnel notify CPB staff to process the requested adjustments. However, CPB did not require written documentation from the agencies to support the requests. Rather, requests for adjustments were accepted via telephone call, and CPB personnel recorded the names of the employees who made these requests and ensured that they were on the list of employees authorized to make such adjustments. Since these requests were verbal, there was a lack of adequate support for the related transactions and a lack of accountability should any erroneous or improper adjustments be identified.

Furthermore, while CPB procedures required independent approval of adjustments by the respective agencies after the payments were made, the aforementioned CPB employees were solely responsible for ensuring that such approvals were obtained. Consequently, adjustments could be both processed and approved by the same agency employee.

Our test of 62 adjustments processed by CPB employees during two pay periods in calendar year 2005 disclosed that, for 25 adjustments, agency approval was obtained from the same employee who had requested the adjustment or such approval could not be located by CPB. For example, for 20 adjustments which increased employee pay by $17,880, the same agency employee had both requested and approved the adjustments. We were able to subsequently confirm the propriety of these adjustments with independent agency personnel.

Recommendation 2
We recommend that CPB require requests for adjustments to be submitted in writing by agency personnel and that subsequent independent written agency approvals be obtained for all adjustments. In addition, we recommend that all payroll adjustments processed by CPB employees be reviewed and approved by independent CPB personnel. Finally, we recommend that CPB retain supporting documentation for all payroll adjustments.

Finding 3
Procedures and controls to prevent or detect improper payments to employees on multiple payrolls need improvement.

Analysis
Procedures and controls to prevent or detect improper payments to employees on multiple payrolls for overlapping employee hours need improvement. CPB has certain system edits that help prevent an employee from being paid more than once on the same payroll system at the same agency. However, there were no established system controls designed to prevent or detect an employee from being paid on two different payrolls at one agency (such as on both regular and contractual payrolls), or from being paid on the same or different payrolls at multiple agencies (such as on the regular payroll at two different agencies). Specifically, when a new employee was added to an agency payroll, there was no mechanism to alert CPB if that employee was also on another State payroll. While CPB has the ability to generate reports that identify employees on duplicate payrolls, it did not generate such reports unless specifically requested by an agency.

In January 2006, we generated a report which reflected more than 400 State employees on two or more payrolls. Many of these employees are legitimately working at multiple agencies. Nevertheless, during our audits of other agencies, we have identified numerous employees on two or more payrolls who were paid more than once for the same hours worked. For example, our August 2004 report on Spring Grove Hospital Center identified a management employee who was employed on a full-time basis by the Center and on a contractual basis at several Department of Public Safety and Correctional Services facilities. Our limited review of this employee's time records disclosed 160 overlapping hours for which related payments approximated $8,800.

One State agency recently identified an employee that was improperly paid approximately $70,000 over an 18-month period. This employee was erroneously paid on both the agency's contractual and regular payrolls for the same hours worked, and this matter has been referred to the Office of the Attorney General - Criminal Investigations Division. These situations could have either been prevented or detected earlier if additional controls had been in place.

Recommendation 3
We recommend that CPB implement procedures to assist State agencies in the identification and prevention of payroll improprieties. Specifically, we recommend that CPB enhance system controls to detect all recently hired employees who are on more than one payroll and submit such data to the applicable State agencies for investigation and approval. We also recommend that, in the future, CPB submit periodic (such as quarterly) reports to State agencies notifying them of all employees on multiple payrolls so that appropriate follow-up can be performed.

Non-Budgeted Funds

Finding 4
CPB did not analyze the composition of two clearing account funds, and the proper disposition of certain funds had not been determined.

Analysis
CPB did not analyze the composition of two clearing account funds that had combined balances of approximately $687,000 as of November 30, 2005. CPB maintained a clearing account for employee payroll deductions. Transactions recorded in this account totaled in excess of $1.1 billion during fiscal year 2005. The other clearing account was maintained for the employer's share of fringe benefits, such as social security and income taxes. While CPB maintained internal accounting records for these funds and periodically reconciled the records to the State's accounting system, it did not analyze the composition of the funds in these accounts. Fund composition analyses of clearing accounts are necessary to determine the specific transactions remaining in the accounts and to provide for their subsequent and timely disposition.

Furthermore, we noted that one of these accounts contained $267,022, which primarily consisted of federal tax refunds that were sent to CPB, including one refund check for approximately $200,000 that was received in fiscal year 2001. CPB management believes the refunds were not owed to the State, and certain efforts made to return the funds to the federal government have been unsuccessful. CPB management acknowledges that, since the proper disposition of these funds could not be determined, the funds should most likely be reverted to the State's General Fund.

Recommendation 4
We recommend that CPB analyze the aforementioned non-budgeted fund clearing accounts to determine the composition of the balances, and continue to prepare monthly compositions in the future. In addition, we recommend CPB notify the Department of Budget and Management of the existence of the $267,022 and revert the funds to the General Fund unless otherwise directed by the Department.

Computer Security

Finding 5
Adequate access and logging controls did not exist.

Analysis
Adequate controls were not established over critical production payroll data files and online transactions. CPB uses the Comptroller of the Treasury's Annapolis Data Center to process the State's payroll. The Data Center's computer system contains a security software system capable of restricting and logging direct modification access to CPB's data files and online transactions. However, nine individuals had unlogged direct modification access to critical production payroll data files, including one person whose job responsibilities did not require such access. In addition, two of these individuals had unnecessary access to critical online payroll transactions. These conditions could result in the improper modification of critical payroll data.

Recommendation 5
We recommend that CPB restrict direct modification access to critical production data files and restrict the use of online transactions to users who require such access. We also recommend that all direct modifications of critical payroll files be logged by the security software and reviewed and approved by management.
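Added example, not part of the audit report and not CPB's system: a sketch of the detective control that Finding 3 and Recommendation 3 describe, listing employees on more than one payroll, those added to a payroll recently, and hours recorded on two payrolls at once. The record layouts, employee IDs, agency names, dates and review window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, datetime
from itertools import combinations


def _t(text):
    """Parse a 'YYYY-MM-DD HH:MM' timestamp used in the sample data."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed enrollments: (employee_id, agency, payroll_type, date_added)
ENROLLMENTS = [
    ("E100", "Agency A", "regular", date(2004, 3, 1)),
    ("E100", "Agency B", "contractual", date(2005, 12, 12)),
    ("E200", "Agency A", "regular", date(2003, 7, 14)),
    ("E200", "Agency A", "contractual", date(2005, 11, 28)),
    ("E300", "Agency C", "regular", date(2002, 1, 7)),
]

# Constructed time records: (employee_id, agency, payroll_type, start, end)
TIME_RECORDS = [
    ("E100", "Agency A", "regular", _t("2005-12-19 08:00"), _t("2005-12-19 16:00")),
    ("E100", "Agency B", "contractual", _t("2005-12-19 14:00"), _t("2005-12-19 20:00")),
    ("E100", "Agency A", "regular", _t("2005-12-20 08:00"), _t("2005-12-20 16:00")),
    ("E100", "Agency B", "contractual", _t("2005-12-20 17:00"), _t("2005-12-20 21:00")),
    ("E200", "Agency A", "regular", _t("2005-12-19 09:00"), _t("2005-12-19 17:00")),
    ("E200", "Agency A", "contractual", _t("2005-12-19 09:00"), _t("2005-12-19 17:00")),
    ("E300", "Agency C", "regular", _t("2005-12-19 09:00"), _t("2005-12-19 17:00")),
]


def multi_payroll_employees(enrollments):
    """Employees on two or more distinct (agency, payroll type) payrolls."""
    payrolls = defaultdict(set)
    for emp, agency, ptype, _added in enrollments:
        payrolls[emp].add((agency, ptype))
    return {emp: sorted(p) for emp, p in payrolls.items() if len(p) > 1}


def recent_additions(enrollments, as_of, days=90):
    """Multi-payroll employees whose newest enrollment falls inside the window.

    These are the cases to send to the agencies for investigation and approval.
    """
    multi = multi_payroll_employees(enrollments)
    latest = {}
    for emp, _agency, _ptype, added in enrollments:
        if emp in multi:
            latest[emp] = max(latest.get(emp, added), added)
    return sorted(e for e, d in latest.items() if 0 <= (as_of - d).days <= days)


def overlapping_hours(time_records):
    """Hours per employee recorded on two different payrolls at the same time.

    Overlap is summed pairwise, so a period claimed on three payrolls at once
    is counted once per pair of payrolls.
    """
    by_emp = defaultdict(list)
    for emp, agency, ptype, start, end in time_records:
        by_emp[emp].append(((agency, ptype), start, end))
    result = {}
    for emp, recs in by_emp.items():
        total = 0.0
        for (p1, s1, e1), (p2, s2, e2) in combinations(recs, 2):
            if p1 == p2:
                continue  # same payroll: covered by existing same-payroll edits
            seconds = (min(e1, e2) - max(s1, s2)).total_seconds()
            if seconds > 0:
                total += seconds / 3600
        if total > 0:
            result[emp] = total
    return result


if __name__ == "__main__":
    print("On multiple payrolls:", multi_payroll_employees(ENROLLMENTS))
    print("Added in last 60 days:", recent_additions(ENROLLMENTS, date(2006, 1, 15), 60))
    print("Overlapping hours:", overlapping_hours(TIME_RECORDS))
```

Being on two payrolls is not itself improper, as the report notes; the overlap figure is what separates legitimate dual employment from hours paid twice.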

Audit Scope, Objectives, and Methodology

We have audited the Comptroller of the Treasury Central Payroll Bureau (CPB) for the period beginning March 4, 2003 and ending December 31, 2005. The audit was conducted in accordance with generally accepted government auditing standards.

As prescribed by the State Government Article, Section 2-1221 of the Annotated Code of Maryland, the objectives of this audit were to examine CPB's financial transactions, records, and internal control, and to evaluate its compliance with applicable State laws, rules, and regulations. We also determined the current status of the findings included in our preceding audit report.

In planning and conducting our audit, we focused on the major financial-related areas of operations based on assessments of materiality and risk. Our audit procedures included inquiries of appropriate personnel, inspections of documents and records, and observations of CPB's fiscal operations. We also tested transactions and performed other auditing procedures that we considered necessary to achieve our objectives. Data provided in this report for background or informational purposes were deemed reasonable, but were not independently verified.

Our audit did not include certain support services provided to CPB by the Comptroller of the Treasury Office of the Comptroller. These support services (such as processing of invoices, maintenance of accounting records, and related fiscal functions) are included in the scope of our audits of the Office of the Comptroller. Our audit also did not include certain support services provided to CPB by the Comptroller of the Treasury Information Technology Division related to the procurement and monitoring of information technology equipment and services. These support services are included in the scope of our audits of the Information Technology Division.

Our audit scope was limited with respect to CPB's cash transactions because the Office of the State Treasurer was unable to reconcile the State's main bank accounts during the audit period. Due to this condition, we were unable to determine, with reasonable assurance, that all CPB cash transactions were accounted for and properly recorded on the related State accounting records as well as the banks' records.

CPB's management is responsible for establishing and maintaining effective internal control. Internal control is a process designed to provide reasonable assurance that objectives pertaining to the reliability of financial records, effectiveness and efficiency of operations including safeguarding of assets, and compliance with applicable laws, rules, and regulations are achieved.

Because of inherent limitations in internal control, errors or fraud may nevertheless occur and not be detected. Also, projections of any evaluation of internal control to future periods are subject to the risk that conditions may change or compliance with policies and procedures may deteriorate.

Our reports are designed to assist the Maryland General Assembly in exercising its legislative oversight function and to provide constructive recommendations for improving State operations. As a result, our reports generally do not address activities we reviewed that are functioning properly.

This report includes findings relating to conditions that we consider to be significant deficiencies in the design or operation of internal control that could adversely affect CPB's ability to maintain reliable financial records, operate effectively and efficiently, and/or comply with applicable laws, rules, and regulations. Our report also includes a finding regarding a significant instance of noncompliance with applicable laws, rules, or regulations. Other less significant findings were communicated to CPB that did not warrant inclusion in this report.

The Office of the Comptroller's response, on behalf of CPB, to our findings and recommendations is included as an appendix to this report. As prescribed in the State Government Article, Section 2-1224 of the Annotated Code of Maryland, we will advise the Office regarding the results of our review of its response.

AUDIT TEAM

Brian S. Tanen, CPA, CFE
Audit Manager

A. Jerome Sokol, CPA
Information Systems Audit Manager

Mark S. Hagenbuch, CPA
Senior Auditor

Terry S. Gibson
Staff Auditor

Veronica Arze
Information Systems Staff Auditor