EXECUTIVE SUMMARY

This review of the Department’s purchasing process was conducted in accordance with the Tactical Audit Plan covering the period July 1, 2000 through June 30, 2002. The purpose was to conduct a risk assessment of the Department's internal controls over the purchasing process. We accomplished the review by gathering data and interviewing staff. We did not test the information received or systems described in the attached report.

Background

The Department's purchasing function is primarily located in the Office of Facilities and Business Services. There, the Purchasing Unit and the Publications Group have ownership over the purchases that cross-cut program offices. Some other Department units also have responsibility for purchasing directly from vendors. Those offices include the Publications group, the State operated schools at Batavia and Rome, and, to a certain extent, the Office of Vocational and Educational Services for Individuals with Disabilities (VESID). This review focused on the Purchasing Unit and the Publication Group, both of which are located within the Office of Facilities and Business Services.

The purchasing process begins in the many program offices with a determination that goods or services are needed which are not available within the Department or cannot be provided by Department staff. Requirements for purchasing goods and services are established by many sources including State Finance Law, Office of General Services (OGS), Office of the State Comptroller (OSC), the Division of the Budget, and the Department of State. The Department has established policies and procedures to implement these laws, rules and regulations.

Internal Controls

The definition of internal controls has undergone significant change in the private and public sectors over the last decade. At one time, the term internal controls was synonymous with accounting controls which were primarily designed to provide assurance that assets were controlled and accounting records were accurate. Recently the definition of internal controls has been greatly expanded to include all activities of an organization designed to accomplish goals and objectives.

The Committee of Sponsoring Organizations (COSO) expanded the definition of internal controls in response to instances of significant irregularities found in the private sector. COSO defines internal control as a process, effected by an entity's board of directors, management and other personnel designed to provide assurance regarding the achievement of objectives in the following categories:

· Effectiveness and efficiency of operations.

· Reliability of financial reporting.

· Compliance with applicable laws and regulations.

COSO describes five interrelated components of an internal control process. They are Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring. We examined the Department’s purchasing process and assessed the extent that these components exist.

Results of the Review

Presented below is a summary of the observations developed as part of the risk assessment:

· The control environment at the Department level is ~~adequate~~good. Integrity and ethical value is incorporated into the philosophy of management, a code of conduct exists and officials have indicated that they would be quick to take action in the event that employee misconduct occurred.

· Similarly, the control environment at the unit level is also ~~adequate~~good. Management of the Purchasing Unit and the Publication Group have expressed their desire to ensure that the actions taken by Purchasing Unit are done effectively and efficiently, in compliance with applicable laws, rules and regulations, while insuring that all customers and suppliers are treated with honesty and fairness.

· Although a risk assessment was prepared by the Office of Business and Management Services and objectives related to the economy and efficiency of operation were established for the Purchasing Unit, formal objectives related to either the reliability of financial reporting or the expectations for compliance with applicable laws and regulations have not been established. In addition, objectives related to the purchasing function performed by the Publication Group have not been established.

· During our review, we found that the Purchasing Unit and the Publication Group do not have written policies and procedures manuals for the processing of a purchase order or the operation of the new Oracle system. In order to carry out the legal mandates associated with the purchasing process, they rely on the experience of the staff in interpreting the applicable laws, rules and regulations.

· An opportunity exists to improve the information and communication system related to the purchasing functioning two ways. At the Department level, there is a lack of a budget control process to make the information related to purchasing relevant. Reports to summarize the data entered or to monitor the work of the Purchasing Unit or Publication Group are not produced.

· In reviewing the monitoring techniques in place within the Purchasing Unit, we found that although a goal exists to monitor the time between receipt of the purchase order and the final processing of it there are no procedures in place to monitor it. In addition, we found that procedures for monitoring the purchasing function within the publication group do not exist. We believe that the Purchasing Unit should reach out to Department managers to obtain feedback on purchasing information that would be helpful to them in the performance of their duties and develop a reporting process to provide such information as needed.

Conclusion

The purpose of this review was to provide some assessment of the adequacy of the internal controls in place over the purchasing function. In order to do that, we examined the function in terms of the COSO definition of internal controls, and the existence of the five components. We believe the function is well controlled in providing the basic review of documentation and selection of vendors. However, there is a potential to strengthen the internal controls over the process and to provide information to the Department offices that are purchasing goods and services. Formal objectives should be developed so that staff and management are aware of the responsibilities of the Purchasing Unit. Objectives should be developed which focus on the economy and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. Management should ensure that the objectives are measurable and attainable.

Introduction

This review of the purchasing process is the first to be conducted as part of the comprehensive risk assessment of the Department’s Fiscal and Data Analysis Processes included in the Office of Audit Services’ Tactical Audit Plan covering July 1, 2000 through June 30, 2002. The purpose of this review is to conduct a comprehensive risk assessment of the Department's internal controls over the purchasing process using the Committee of Sponsoring Organizations (COSO) model which is the framework for the “Standards for Internal Control in New York State Government.”

Internal Controls

The definition of internal controls has undergone significant change in the private and public sectors over the last decade. At one time the term “internal controls” was synonymous with accounting controls which were primarily designed to provide assurance that assets were controlled and accounting records were accurate. Recently, the definition of internal controls has been greatly expanded to include all activities of an organization designed to accomplish goals and objectives.

COSO expanded the definition of internal controls in response to instances of significant irregularities found in the private sector. COSO defines internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide assurance regarding the achievement of objectives in the following categories:

· Effectiveness and efficiency of operations.

· Reliability of financial reporting.

· Compliance with applicable laws and regulations.

COSO describes five interrelated components of an internal control process. They are as follows:

· Control Environment,

· Risk Assessment,

· Control Activities,

· Information and Communication, and

· Monitoring.

We examined the Department’s purchasing process and assessed the extent that these components exist.

Background

The purchasing process or function is not completely found in one central location in the Department. Most purchases are processed through the Purchasing Unit within the Office of Facilities and Business Services. However, some other Department units also purchase directly from outside vendors. Those offices include the Publications Group, also located within the Office of Facilities and Business Services, the State-operated schools at Batavia and Rome, and to a certain extent, the Office of Vocational and Educational Services for Individuals with Disabilities (VESID). This review focused on the controls found in the Purchasing Unit and the Publication Group (Group). They were selected because their activities cross-cut Department offices.

Assessment of Internal Controls

The purpose of this review was to provide an assessment of the adequacy of the internal controls in place over the purchasing function. In order to do that, we examined the function in terms of the COSO definition of internal controls and the existence of the five components. The Purchasing Unit and Publication Group are staffed with knowledgeable, experienced individuals. We believe the functions are well controlled in providing the basic review of documentation and selection of vendors. However, there is a potential to strengthen the internal controls over the process and to provide more information to the Department offices that are purchasing goods and services. These potential areas are discussed below.

Comments of Department Officials

Department officials generally agreed with the findings and recommendations contained in this report. Their comments are included as Appendix B.

Purchasing

The Manual and web page outline procedures that are followed if the purchase of goods or services is available from a preferred source, or on State contract. In addition, information on discretionary purchases under $5,000, sole source procurements, and the purchase of commodities or services of $5,000 or more is also available.

Purchases can be classified into two categories: Personal Services and Non-Personal Services. Personal Services relate to the purchase of service from an individual or individuals such as a temporary employment agency. Non-Personal Services include the purchase of all goods, including materials, furniture, equipment, supplies, and services, such as testing and transportation.

Following the determination that goods or services are needed, a Purchase Requisition (PR10) form is prepared. Information required to be included on the PR10 include the program office name, contact person, delivery site, cost center, number of units, price per unit, and suggested vendor. Once prepared, the individual designated within each program office to authorize a purchase approves the PR10.

The price of the item in question determines the action taken by the Purchasing Unit. If the cost is under $5,000, the PR10 is reviewed upon receipt in the Purchasing Unit to determine if the goods are available on State contract or from a preferred source. If not, the purchase can be made from the open market. Prior to going to the open market, the PR10 is reviewed to determine if the goods are available from a Minority/Women-owned Business. If the purchase is to be made on the open market, three verbal quotes are obtained and the purchase is made. The vendors that were contacted and the prices quoted may or may not be documented on the PR10.

If the purchase is for $15,000 or more it must be bid, if it is for $10,000 or more it must be sent to OSC and if it is over $5,000 it must go into the Contract Reporter. An approved vendor list does not exist for purchases under $5,000. In those instances, the Department would use a known vendor, a vendor that is in the area, or one that has been dropping off sales brochures.

In addition to the regular purchasing requirement, requests for the purchase of furniture and equipment must be reviewed to determine if the goods constitute an addition to inventory. If additional floor space is needed or modification to building space is required, the request must be reviewed by the Space Planning and Allocation Group. Requests for computer-related equipment must have the approval of the Committee on Office Automation.

In October of 1999, the Purchasing Unit and the publication group went on line using the Oracle system.

There is a direct relationship between the objective's which the Department strives to achieve and the components of internal control. Shown below is an assessment of the five components of internal controls as they relate to the purchasing process.

Auditor’s Note

The OSC guidelines, which establish financial thresholds for bidding and advertising, have recently been changed.

Establishment of Objectives

Internal controls exist to provide management with reasonable assurance regarding the achievement of objectives in the following categories:

· Effectiveness and efficiency of operations.

· Reliability of financial reporting.

· Compliance with applicable laws and regulations.

The Purchasing Unit has established an objective for the effectiveness and efficiency of operations but has not established formal objectives related to either the reliability of financial reporting or the expectations for compliance with applicable laws and regulations. Formal objectives should be developed so that staff and management are aware of the responsibilities of the Purchasing Unit. Objectives should be developed which focus on the, reliability of financial reporting and compliance with applicable laws and regulations.

The consideration of the five components of internal control is difficult in the absence of formal objectives since the controls should be developed to provide reasonable assurance regarding the achievement of objectives. The Purchasing Unit should consider the three areas, and discuss the expectations for the purchasing function and develop formal objectives with Department management.

Control Environment

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include: integrity and ethical values; commitment to competence; management participation; management philosophy and operating style; organization structure; assignment of authority; and human resource policies and practices. Control environment is the most difficult to assess.

Control environment can be viewed at both the entity level (the Department) and the unit level (the Purchasing Unit). The control environment at the Department level is ~~adequate~~good. Integrity and ethical value is incorporated into the philosophy of management, a code of conduct exists, and officials have indicated that they would be quick to take action in the event that employee misconduct occurred. Quarterly performance reviews are held with managers. In addition, a process exists for manger to conduct self assessments of internal controls.

Similarly, the control environment at the unit level is also ~~adequate~~good. Management of the Purchasing Unit has expressed their desire to ensure that the actions taken by the Purchasing Unit are done effectively and efficiently and in compliance with applicable laws, rules and regulations while insuring that all customers and suppliers are treated with honesty and fairness. Performance measures exist in relation to the time frame for processing purchase orders and the goals appear reasonable and realistic to the staff of the Purchasing Unit.

Risk Assessment

Risk assessment is the entity's identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed. It should identify risk and analyze the likelihood of occurrence and impact. This process allows management to determine how much risk they are willing to accept and to set priorities accordingly.

In July 1987, the New York State Governmental Accountability, Audit and Internal Control Act (Act) was passed requiring implementation of comprehensive internal controls and audits of internal control systems throughout State government. The Act requires that, among other things, all agency heads establish and maintain effective systems of internal control review.

A series of training seminars beginning with all senior staff and Department managers have been held to raise understanding and awareness of internal control concepts. The training also identified steps the Department is taking to revise its overall system of internal controls and provide guidance in the initial phase of risk assessment. This training is now offered to all Department managers.

During this review, we found that the Purchasing Unit was identified in the inventory of significant functions of the Office of Business Management Services, and identified as a high risk area. The Purchasing Unit has completed a risk assessment of the function. The risk assessment conducted is not, however, based upon the achievement of Unit objectives. The assessment should focus on what can go wrong that would prevent the achievement of unit objectives, the likelihood and consequences of something going wrong, and what actions can be taken to minimize the potential of occurrence.

Control Activities

COSO defines control activities as the policies and procedures that help ensure that management directives are carried out. They also help ensure that necessary actions are taken to address risk to achievement of the entity's objectives. Control activities occur throughout the organization at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.

The Purchasing Unit does not have written policies and procedures manuals for the processing of a purchase order or the operation of the new Oracle system. In order to carry out the legal mandates associated with the purchasing process, they rely on the experience of the staff in interpreting the applicable laws, rules and regulations mandated by OSC, OGS, and the Division of the Budget. The advent of technology has assisted in this process by allowing the staff of the Purchasing Unit access to on-line information available from OSC and OGS.

The purchasing process includes a series of checks and balance which occur as a normal part of a transaction. This includes the processing of purchase orders by the Bureau of Fiscal Management and the subsequent transmittal of invoices to OSC to ensure that appropriate procedures were followed.

The database system used by the Purchasing Unit has a number of controls built into it, including log-in codes, documentation/entry requirements, verification of available funding, and approvals/authorizations requirements.

The one area of risk concern noted is the lack of an encumbrance process for purchases under $10,000. An encumbrance is a routine internal control which operates by establishing a commitment of funds at the time of approval of a purchase. This will prevent the commitment of funds in excess of the appropriated amounts. Although OSC considers the encumberance of funds at that amount is optional, including this control would strengthen the purchasing system by providing assurance that funds are available and would provide more precise accountability with SED funds. At the time of the review we were told that the new computer system allows for an internal encumbrance process. This is designed to allow a determination of the status of the availability of funds without formally entering the encumbrance on the Comptroller's accounting system. The system was not operational at the time of the review.

Information and Communication

The information and communication system consists of methods and records established to identify, assemble, analyze, classify, record and report an entity's transactions, and to maintain accountability for the related assets and liabilities. The system should allow for the capture and exchange of information in a form and time frame that enables people to carry out their responsibilities effectively. The information system should produce reports containing operational, financial and compliance-related information that makes it possible to run and control the Purchasing Unit.

The Purchasing information system at the Department consists of a combination of systems and reports that, when working together, provide program managers with the information needed. The systems include the Fiscal Management System and the Oracle System. In addition, various information generated by the Department is forwarded electronically to OSC where it is processed and used to generate reports which are then forwarded back to the Department. An opportunity exists to improve the information and communication system related to the purchase function at both the Department and unit level.

At the Department level there is a lack of a budget control process to make the information related to purchasing relevant. Financial information related to the results of the purchasing function within the Department is primarily communicated to Department staff through reports generated by OSC. This occurs as a result of the information being entered by the Purchasing Unit during the processing of purchase orders, and the Bureau of Fiscal Management's processing of invoices and other expenditures. One report is the OSC Bud 65 report. The Bud 65 report is designed to provide details in total by cost center the expenditures incurred, encumbrances outstanding and unencumbered balance by cost center.

The difficulty with the Bud 65 report is that unit level budget data are not entered onto the OSC system. Therefore, purchasing data are not as useful to managers in the absence of unit level budget data. The Office of Audit Services (Office), for example, has no budget data entered onto OSC’s financial system. Thus any purchasing done by the Office is not included in a comprehensive Department accounting system for comparison against a budgeted figure.

A question regarding the reliability of these data arises given the procedures implemented within the Purchasing Unit not to encumber purchase orders for less than $10,000, and to process purchases orders regardless of the availability of funding. If such a policy is to be continued, the program offices should be notified to allow them the opportunity to maintain an independent set of records if the needs of the office warrant accurate data.

At the unit level, there is an online system which provides managers with the status of any individual purchase request. The process could be improved by developing more standard reports for use by managers. For example, there is no routine production of reports to monitor the work of the unit or to summarize the data entered. Presently, the only report being prepared by the Purchasing Unit is a quarterly report detailing the number and dollar value of purchases made from Minority/Women-owned businesses.

Communication systems within the Department and the Purchasing Unit entail the use of numerous forms including various types of written, verbal and electronic mediums. Information is available to the program offices through the administrative policy and procedure manual and the purchasing section of the Business Management Services intra-agency web page. These systems have been very effective in communicating information within the Department.

Monitoring

Monitoring is a process that assesses the quality of internal control performance over time. Monitoring involves assessing the design and operation of controls on a timely basis and taking necessary corrective action. To ensure that controls are performing as intended, the Purchasing Unit should continually monitor operations and have periodic evaluations performed by management, often with the assistance of the internal or external auditors.

The manager of the Business Management Services Unit has identified the percent of purchase orders processed within three days as a performance indicator to be used in monitoring the work of the unit and the average cycle time from purchase order to the delivery by item type.

In reviewing the monitoring techniques in place within the Purchasing Unit, we found that there are no procedures in place to monitor the time between receipt of the purchase order and the final processing of it. In addition, due to the decentralized nature of the Department, the majority of purchasing that occurs is generated by the program offices and information on the delivery is not sent to the Purchasing Unit. Therefore, it is not possible to measure the time between the issuance of a purchase order and the delivery of the goods.

The only monitoring activity taking place other than the daily oversight of the unit by the manager is the production of a report detailing the number and dollar value of the items purchased from Minority/Women-owned businesses. An external and/or internal audit of the unit has not been conducted.

Publications

The Publication group administers requests for printing and printing related services. This includes those conducted both in house and through outside printing firms. The publication group is a separate revenue fund and at the current time, they prepare, process and purchase their own equipment and supplies without the assistance of the Purchasing Unit.

The purchasing process in the publication group begins with a determination that supplies and or equipment are needed and or the determination that a work order which has been requested by a program office is best performed by an outside vendor. The determination that a work order should be performed by an outside vendor is dependent on many factors including the work load of the unit at the time the request is received, the technical aspects of the work and the equipment needed to complete the job.

Requirements for purchasing goods and services are established by many sources including State Finance Law, Office of General Services (OGS), Office of the State Comptroller (OSC), and Division of the Budget and the Department of State. The Publications Group has established policies and procedures to implement these laws, rules and regulations and they rely on the experience of staff to ensure they are followed.

In October of 1999, the publication group went on line using the Oracle system.

Control Environment

As mentioned in the previous section, the control environment at the Department level is ~~adequate~~good. The control environment within the Publication Group is ~~adequate~~good in the sense that management has expressed their desire to ensure that actions taken by the Group are done effectively and efficiently and recorded appropriately. However, we did find an overwhelming desire to get the job done and a sense among the employees that too much staff has been lost while the work required of the unit has not been reduced. In addition, we found that due to the size of the staff, the ability to segregate duties is limited.

Risk Assessment

During our review, we found that printing services were identified in the inventory of significant functions of the Office of Facility and Business Services and identified as a high risk area. However, there were no specific goals identified. The Publication Group had not completed a risk assessment for ~~the unit or~~ the purchasing function performed by the unit.

Control Activities

The Publication Group does not have written policies and procedures manuals for the processing of a purchase order or the operation of the new Oracle system. In order to carry out the legal mandates associate with the purchasing process, they rely on the experience of the staff in interpreting the applicable laws, rules and regulation mandated by the Office of the State Comptroller, Office of General Services and the Division of the Budget. The advent of technology has assisted in this process by allowing the staff of the Purchasing Unit access on line to information available from the Office of the State comptroller and the Office of General Services.

Inherent in the purchasing process is a series of checks and balance, which occur as a normal part of the process. This includes the processing of purchase order by the Bureau of Fiscal Management and the subsequent invoices by the Office of the State Comptroller to ensure that appropriate procedures were followed.

During our review of the Publication Group, we found that purchase orders for under $10,000 were not being encumbered on the OSC system and we were told that just as is the case with the Purchasing Unit, the purchase is recorded on the internal encumbrance system. At the time of this review, the internal encumbrance system was not operational. It was noted during the review that the Publication Group can process a purchase order without the encumbrance of funds. Unlike the Purchasing Unit, which required supervisory approval to print a purchase order for which funds were not available, the publication group was able to print the purchase order without encumbering the funds.

Information and Communications

As discussed in the previous section of the report, there are weaknesses in the Department’s Fiscal Reporting System. The information and communication system within the publication group is ~~adequate~~good. Information is readily available and staff meetings are held. The Group uses an internal computer job processing system (covalent) which tracks the status and costs of all printing jobs.

Monitoring

The Publication Group is a separate revenue fund and as such, they monitor the revenue and expenses they are incurring to remain a profitable group. Procedures to monitor the selection of vendors or to ensure compliance with the various laws rules and regulation governing the purchasing process are not defined. Management has not established targets or goals to measure performance

Improvement Opportunities for Reducing Risk

To the Purchasing Unit

1. Develop specific objectives related to the operation of the purchasing function. Consider including objectives related to effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

2. Encumber all purchases on the internal encumbrance system.

3. Reconfigure the purchasing risk assessment based upon the objectives established in recommendation number 1.

4. Develop specific procedures describing the processing of purchasing transactions, and the reporting of data to Department management and staff.

5. Periodically and regularly provide Department managers with purchasing information including all amounts.

6. Reach out to Department managers to obtain feedback on purchasing information that would be helpful to them in the performance of their duties. Develop a reporting process to provide such information as needed.

To the Publications Group

7. Develop specific objectives related to the operation of the purchasing function within the Publications Group.

8. Conduct a risk assessment of the purchasing process within the Publications Group.

9. Reach out to Department managers to obtain feedback on the purchasing function within the Publications Group to identify purchasing information that would be helpful to them in the performance of their duties.

10. Develop specific procedures describing the processing of transactions and the reporting of data to Department Management and staff.

Comments of Department Officials

Department officials generally agreed with recommendations 1, 3, 4, 7, 8 and 10. They indicated that they will implement recommendations 5, 6 and 9 at the time of full implementation of the Oracle system. In response to recommendation 2, officials state that they are in compliance with Department policy regarding encumbrances.