Introduction

Background

The Quick Pay (QP) voucher process allows an agency to electronically process invoices that do not exceed limits established by the Office of the State Comptroller (OSC). The limits during the audit period April 1, 2000 through March 31, 2001 were $2,500 for vendor payments and $500 for employee travel reimbursement. The QP voucher process is designed to increase efficiency in processing invoices that do not exceed the limits, while maintaining an effective OSC pre-audit of these payments. Streamlining the process for high volume, low dollar payments benefits both State agencies and OSC.

In the New York State Education Department (Department), the Bureau of Fiscal Management (Bureau) is responsible for processing QP vouchers. The Bureau uses a two-step process to enter data into OSC's Central Accounting System (CAS). The first step is the QP Voucher Entry/Correct process, which is on-line entry of voucher information about the goods and services being purchased. The second step is online certification of the QP voucher batches by finance officers/designates. With the CAS, OSC can pre-audit the "electronic voucher" and issue a check as early as the next day without requiring batches of paper vouchers and invoices.

OSC has allowed the Department to participate in the QP voucher process subject to the following conditions:

· an audit of the QP voucher process must be completed annually and the final report issued must be provided to OSC;

· OSC retains the right to continue normal pre-audit and post-audit responsibilities; and

· OSC retains the right to reduce or terminate the QP authority should OSC become aware of any operating deficiencies or other circumstances that, in the opinion of OSC, warrant such action.

Objectives, Scope, and Methodology

Pursuant to OSC's Procurement and Disbursement Guidelines, Bulletin No. G-158 and G-179, the audit included a review of the internal controls, security, and procurement practices for QP transactions. We audited selected management practices, records, and documentation supporting QP payments and our objectives were to:

· evaluate the adequacy and effectiveness of the Department’s system of internal control for the QP voucher process;

· determine if costs are adequately supported;

· determine if procedures are in effect to insure that all source documents are properly secured, controlled, and can be accounted for;

· determine that expenses are properly reported to OSC on the CAS in accordance with applicable guidelines and regulations; and

· obtain an understanding of the procedures to prevent the unauthorized use or misuse of terminals in the data entry and certification activities.

To accomplish our objectives, we reviewed applicable laws, regulations, policies and procedures; interviewed the Department management and staff; examined records and supporting documentation; and sampled transactions on a statistical basis. We conducted our audit in accordance with Government Auditing Standards issued by the Comptroller General of the United States. These standards require that we plan and perform the audit to obtain reasonable assurance that the internal controls, security, and procurement practices for the QP transactions are accurate.

An audit includes examining, on a test basis, evidence supporting transactions recorded in the accounting and operational records, and applying such other audit procedures as we considered necessary in the circumstances. An audit also includes assessing the estimates, judgments, and decisions made by management. We believe that the audit provides a reasonable basis for our findings, conclusions, and recommendations.

Comments of Bureau Officials

Bureau officials generally agreed with the findings and recommendations contained in this report. The Bureau is working with the Office of Information Technology Services (ITS) to ensure that controls are in place and working within the computer system. Their written response is included as Appendix B to this report.

Report on Internal Controls

The Standards for Internal Control in New York State Government, issued by the Office of the State Comptroller, identifies five components as internal control standards because they are essential for achieving the objectives and mission of an organization on a long term basis. These components are; control environment, communication, assessing and managing risk, control activities, and monitoring.

The audit examined the QP voucher process by assessing the adequacy of the components of internal controls within the QP voucher process. Staff were interviewed, the QP voucher process was documented, and policies and procedures, applicable laws, rules and regulations were reviewed to assess the internal control system. Various tests were performed to ensure that the internal controls identified were in place and functioning as intended.

Control Environment

Control environment is the attitude toward internal control and control consciousness established and maintained by the management and the employees of the organization.

The control environment in the Bureau is good. Management has exhibited ethical values and integrity. The management style is conducive to accountability for performance. The staff of the Bureau exhibit competence in their knowledge of the system and ability to do their jobs. Morale of staff and management and the supportive attitude toward this review also demonstrate the positive control environment.

Risk Assessment

Risks are events that threaten the accomplishment of objectives. Risk assessment is the process of identifying, evaluating, and determining how to manage these events.

Bureau management has participated in the Department’s risk assessment process, reviewed the risks associated with voucher payment, and identified the following risks:

· If strong internal controls are not in place and/or procedures are not followed, the Department could potentially face losing its QP authority.

· Loss of this ability could result in a delay of payments. As a result, the Department could lose vendors and additional interest charges may be incurred under the prompt payment provision of the State Finance Law.

· With a QP authorization of up to $2,500, misuse of the system could result in the loss of assets and/or theft of goods or money.

Control Activities

Control activities are tools, both manual and automated, that help prevent or reduce the risks that can impede the accomplishment of the organization's objectives and mission.

Control activities related to the QP payment process begin with a purchase requisition and the preparation of a travel authorization. Written procedures exist for the purchase/ payment process including the request, approval, pre-audit, and payment. The procedures reflect OSC, the Office of General Services (OGS) and Department rules, regulations, and guidelines. Additional controls exist in the levels of approvals required for processing at each step and include a separation the duties.

Control over the computer system exists in the form of limited access to terminals and the assignment of unique passwords with limited authority to various employees, depending on the requirements of the job. Passwords are changed at six-month intervals.

As reported in previous Quick Pay audits, control activities over the QP process are good. The audit found that supporting documentation was always available and vouchers were totaled correctly.

We have identified some instances of opportunities to improve controls in the area of separation of duties and the development of procedures to prevent duplicate payments.

Separation of Duties

The New York Code of Rules and Regulations, Volume 2 (Audit and Control) Part 21 "Quick Pay Voucher Payment System" states in section 21.5 that internals controls must include the following:

(a) separation of duties relating to ordering, receiving, and payment functions;

(b) separation of on-line data entry and certification functions; and

The organizational structure of the Department assures a separation of duties in relation to the purchasing and payment function. However, in a small percentage of vouchers the separation of duties did not exist. As part of this review, we reviewed the separation of duties and security surrounding the financial management system.

Certification Operators Perform Data Entry

OSC's Bulletin No. A-266 states that any person who has a Certification Operator ID cannot also perform QP data entry.

The audit found that, of the 14,511 vendor vouchers processed during the period April 1, 2000 through March 31, 2001, 390 (2.7 percent) of the QP vouchers were data entered by certification operators. In fact, the same person data entered and certified. This condition was also found during the last Quick Pay audit. The frequency has increased 1.4 percent from the prior year.

Bureau officials indicated that in some instances, due to workflow considerations, certification operators have to enter data. However, management indicated that they have developed compensating controls to avoid the risk associated with the lack of separation.

Duplicate Payments

The audit found five instances of a duplicate payment being made to a vendor. In each instance, the Bureau identified the duplicate payment and a letter was sent requesting that it be repaid. An analysis of the payments is shown below:

· Voucher numbers MP10654 and MP07932. Both vouchers had been processed three times using the same voucher number and paid twice (the first time they were rejected). In both cases, the same voucher number, invoice number, and purchase order number were used.

· Voucher numbers MP08232 and MP06917. Both vouchers were paid twice using the same voucher number without being rejected. In both instances, voucher number MP08232 referenced the same invoice number. Voucher number MP06917 referenced both the invoice and purchase order number.

· Voucher number MP19330 and MP19466. Both vouchers were for the same vendor for the same invoice, but they were paid twice using two different voucher numbers. In both instances, although the voucher number varied, the same invoice number and purchase order number were used.

Our review found that each time one of the duplicates was processed, it was processed in a different batch with each one having a separate and distinct batch number. We were able to identify instances where a number of invoices to different vendors were paid using the same voucher number. Therefore, it appears that the computer system, as it currently exists, will allow staff to process invoices using the same voucher number, invoice number, and/or purchase order number.

Although the occurrences of duplicate payments were extremely rare and always caught by staff, we believe procedures should be reviewed.

Information and Communication

Communication is the exchange of useful information between and among people and organizations to support decisions and coordinate activities. Within an organization, information should be communicated to management and other employees who need it in a form and within a timeframe that helps them to carry out their responsibilities. Communication also takes place with outside parties such as customers, suppliers, and regulators.

The information system within the Department as it related to the payment of QP vouchers is very good. Reports are produced on a daily, weekly, and monthly basis. Communications systems within the Department allow for the free flow of information and the ability of staff to bring potential problems or abnormalities to supervisory personnel. Supervisors are encouraged to work together to resolve problems and issues. Management holds periodic meetings with staff to discuss the status of the Bureau and problems that are occurring.

Department staff has on-line access to individual vouchers. We noted one instance where the on-line data are inaccurate and should be corrected. Upon receipt of the information from ITS, we reviewed the data to determine if there were any payments that exceeded the Department’s Quick Pay authorization. During the course of this review, we noted a number of payments to the same vendor on the same day for the same dollar amount. A review of the on-line payment history function available through the Bureau web site also indicated that these payments were posted twice. In order to determine if the vendors had been overpaid, a copy of the check register was obtained. A review of the check register revealed that, although the payments to the vendors were shown twice on the internal tracking system, only one check had been issued for the amount. To date, the duplicate listing of these vouchers has not been corrected. As part of this audit, we have notified ITS of these occurrences.

Monitoring

Monitoring is the review of an organization's activities and transactions to assess the quality of performance over time and to determine whether controls are effective. Management should focus monitoring efforts on internal control and achievement of organization objectives. For monitoring to be most effective, all employees need to understand the organization's mission, objectives, responsibilities, and risk tolerance levels.

Monitoring of the QP voucher process is an on-going function in the Accounts Payable and Travel units, and begins when the clerk audits the invoice/voucher and data enters the information into CAS. The certification process is achieved through a two-step process. The Principal Account Clerk(s) or Calculations Clerks(s)II of the Accounts Payable & Travel units sign the QP vouchers after a review to certify that the data entry was accurate. The Principal Account Clerk(s) review the vouchers to assure that they have been approved and signed by the appropriate staff person certifies the QP vouchers on CAS for payment. At any point in the process, all staff involved in the process are able to ask for additional information and/or reject a voucher.

One area of improvement noted in the monitoring system is the lack of a process to monitor vendors exceeding the $15,000 limit, which would require a contract. The Bureau has periodically generated reports for program offices to identify the cumulative expenditure levels of frequently used vendors. However, the Bureau does not routinely examine the cumulative expenditures. During the initial phase of the audit, we interviewed staff from the Purchasing unit and the Bureau to document the procedures in place regarding the purchase of equipment and supplies. The audit found that procedures are in place to ensure that single purchases, which exceed the allowable limits, follow bidding procedures. However, procedures do not exist to monitor multiple purchases to the same vendor to ensure that they do not exceed the $15,000 limit in total.

Conclusion

The Bureau continues to exercise good control over the QP process. Errors found represent a very small percentage of transactions. We believe that implementing the following recommendations could strengthen controls.

Recommendations

1. Ensure that certification operators do not data enter QP voucher batches.

2. Periodically generate reports to monitor the occurrence of individuals by-passing the separation of responsibilities and the existence of duplicate payments.

3. Routinely generate a cumulative report of total expenditures by vendor and provide it to the Purchasing unit.

Comments of Bureau Officials

Bureau officials agree with recommendations.