|
Audit Report |
Quick Pay Process
for the Period
April 1, 1998 Through March
31, 1999
AI-1299-03
April 18, 2000
The
University of the State of New York
THE STATE EDUCATION DEPARTMENT
Office of Audit Services
Albany, New York 12234
To: Terry Savo Date: January 5, 2006
From: Daniel Tworek
Subject: Audit Report of
Internal Audit - Quick Pay Process
We have performed an
audit of the Quick Pay (QP) Voucher process administered by the Fiscal
Management Unit of the New York State Education Department (Department).
The purpose of the
audit was to verify the accuracy and reliability of expenses paid through the
QP Voucher process. We audited certain
practices, records, and documentation supporting QP payments for the period of
April 1, 1998 through March 31, 1999.
The audit also included a review of the internal control structure and
compliance with applicable laws, regulations and policies.
The audit determined
that Fiscal Management is generally in compliance with all material aspects of
OSC's Procurement and Disbursement Guidelines Bulletin No. G-158. A summary of the audit results follows. A more detailed discussion is presented in
the main text of the report on the page referenced.
The implementation of
the report's recommendation will further improve Fiscal Management's processing
of Quick Pay Vouchers and provide reasonable assurance that expenses are
reported accurately. Fiscal
Management's written comments to the report are included as an appendix to this
report.
I appreciate the cooperation and courtesies extended to the audit staff during this review.
cc: J. Conway
M. DiVirgilio
B. Hahn
D. Juron
T. Sheldon
Table of Contents
Introduction..................................................................................................................................................... 1
Background.................................................................................................................................................... 1
Objectives, Scope, and Methodology............................................................................................... 2
Comments of Fiscal Management Officials................................................................................. 3
Report on Internal
Controls............................................................................................................... 4
Control Environment............................................................................................................................... 4
Risk Assessment............................................................................................................................................. 4
Control Activities....................................................................................................................................... 4
Information and Communication...................................................................................................... 5
Monitoring....................................................................................................................................................... 5
Conclusion...................................................................................................................................................... 5
Compliance with Laws,
Regulations, and Policies................................................................ 6
Supporting Documentation Attached............................................................................................. 6
Data Entry of Quick Pay Performed by a
Certification Operator................................. 7
Batches Certified by the Individual Performing
the Data Entry................................... 7
Password Security...................................................................................................................................... 7
Recommendations....................................................................................................................................... 8
Comments of Fiscal Management Officials................................................................................. 8
Auditor’s Note................................................................................................................................................ 8
Appendix A - Contributors to the Report
Appendix B - Response of Fiscal Management Officials
The Quick Pay (QP) Voucher process allows an agency to process invoices electronically which do not exceed a limit stated by the Office of the State Comptroller (OSC). The limits used during the audit period April 1, 1998 through March 31, 1999 were $2,500 for vendor payments and $500 for employee travel reimbursement. The QP voucher process is designed to increase efficiency in processing invoices that do not exceed the limits, while maintaining an effective OSC pre-audit of these payments. Streamlining the process for high volume, low dollar payments benefits both State agencies and OSC.
In the New York State Education Department (SED), the Bureau of Fiscal Management (Bureau) is responsible for processing QP vouchers. The Bureau uses a two-step process to enter data into OSC's Central Accounting System (CAS). The first step is the QP Voucher Entry/Correct process, which is online entry of voucher information about the goods and services being purchased. The second step is online certification of the QP voucher batches by finance officers/designates. With the CAS, OSC can pre-audit the "electronic voucher" and issue a check as early as the next day without requiring batches of paper vouchers and invoices.
OSC has allowed SED to increase its respective QP voucher limits to $2,500 for vendor payments and $500 for employee travel reimbursement, subject to the following conditions:
· an audit of the QP voucher process must be completed annually and the final report issued must be provided to OSC;
· OSC retains the right to continue normal pre-audit and post-audit responsibilities; and
· OSC retains the right to reduce or terminate the QP authority to SED should OSC become aware of any operating deficiencies or other circumstances that, in the opinion of OSC, warrant such action.
Pursuant to OSC's Procurement and Disbursement Guidelines, Bulletin No. G-158 and G-179, the audit included a review of the internal controls, security and procurement practices for QP transactions. We audited selected management practices, records, and documentation supporting QP payments and our objectives were to:
· evaluate the adequacy and effectiveness of SED's system of internal control for the QP voucher process;
· determine if costs are adequately supported;
· determine if procedures are in effect to insure that all source documents are properly secured, controlled, and can be accounted for;
· determine that expenses are properly reported to OSC on the CAS in accordance with applicable guidelines and regulations; and
· obtain an understanding of the procedures to prevent the unauthorized use or the misuse of the terminals in the data entry and certification activities.
To accomplish our objectives, we reviewed applicable laws, regulations, policies and procedures; interviewed SED management and staff; examined records and supporting documentation; and sampled transactions on a statistical basis. We conducted our audit in accordance with Government Auditing Standards issued by the Comptroller General of the United States. These standards require that we plan and perform the audit to obtain reasonable assurance that the internal controls, security and procurement practices for the QP transactions are accurate.
An audit includes examining, on a test basis, evidence supporting transactions recorded in the accounting and operational records, and applying such other audit procedures as we considered necessary in the circumstances. An audit also includes assessing the estimates, judgments and decisions made by management. We believe that the audit provides a reasonable basis for our findings, conclusions and recommendations.
Fiscal Management officials generally agreed with the findings and recommendations contained in this report. However, they do not believe the report supports a recommendation to improve password security. Their written response is included as Appendix B to this report.
The Standards for Internal Control in New York State Government, issued by the Office of the State Comptroller, identifies five components as internal control standards. These components are; Control Environment, Communication, Assessing and Managing Risk, Control Activities, and Monitoring.
As part of the audit, staff were interviewed; the QP voucher process was documented, and policies and procedures, applicable laws, rules and regulations were reviewed in order to perform a preliminary assessment of the internal control system. Following our assessment, various tests were performed to ensure that the internal controls identified were in place and functioning as intended.
The control environment in the Bureau is adequate. Written procedures exist for the payment of claims. The written procedures include the State Procurement Guidelines, OSC rules and regulations, and internal procedures. The Bureau operates under the OSC recommended standards for the separation of duties for staff requiring more than one employee to be involved in the payment of a claim. Training is provided, staff turnover is low, and management has indicated that they would be quick to take action in the event of employee misconduct.
Management has reviewed the risks associated with the payment process and identified the following risks:
· If strong internal controls are not in place and or procedures are not followed, SED could potentially face the loss of its QP authority.
· Loss of this ability could result in a delay of payments. As a result, a loss of vendors could result and additional interest charges may be incurred under the prompt payment provision of the State Finance Law.
· With a QP authorization of up to $2,500, misuse of the system could result in the loss of assets and/or theft of goods or money.
Control activities within SED begin with the processing of a purchase requisition and the preparation of a travel authorization. Written procedures exist for every step in the purchase/payment process including the preparation, approval, processing and payment. The procedures reflect OSC, OGS and SED rules, regulations and guidelines. Additional controls exist in the levels of approvals required for processing at each step and include a separation the duties.
Control over the computer system exists in the form of limited access to terminals and the assignment of unique passwords with limited authority to various employees, depending on the requirements of the job. Passwords are changed at six-month intervals.
The information and communication system within SED consists of methods and records established to identify, capture and exchange information in a form and time frame that enables staff to carry out their responsibilities effectively. The information systems consist of reports produced on a daily, weekly and monthly basis. Communications systems within SED allow for the free flow of information and the ability of staff to bring potential problems or abnormalities to supervisory personnel. Supervisors are encouraged to work together to resolve problems and issues. Management holds periodic meetings with staff to discuss the status of the Bureau and problems that are occurring.
Monitoring of the QP voucher process is an on-going function in the Accounts Payable and Travel units, and begins when the clerk audits the invoice/voucher and data enters the information into CAS. The certification process is achieved through a two-step process. The Principal Account Clerk(s) or Calculations Clerks(s)II of the Accounts Payable & Travel units sign the QP vouchers after a review to certify that the data entry was accurate. The Principal Account Clerk(s) review the vouchers to assure that they have been approved and signed by the appropriate unit and to certify the QP vouchers on CAS for payment. At any point in the process, all staff involved in the process are able to ask for additional information and/or reject a voucher.
In addition, pursuant to OSC Bulletins G-158 and G-179, SED has conducted a yearly audit of the QP voucher process beginning in 1996.
Following our preliminary assessment of the internal control structure, we performed various tests of the process to determine if the internal controls previously identified were functioning as intended. As shown in the next section of this report, although an adequate system of internal controls exists, we identified instances where it was not functioning as intended.
Management is responsible for ensuring compliance with laws, regulations and policies, and for establishing and maintaining systems of internal controls. The objectives of these systems are to provide reasonable assurance that assets are safeguarded against loss from unauthorized use or disposition, and that transactions are properly authorized and recorded to permit the preparation of financial reports in accordance with generally accepted accounting principles, applicable laws, regulations and policies.
The New York Code of Rules and Regulations, Volume 2 (Audit and Control) Part 21 "Quick Pay Voucher Payment System" states in section 21.5 that Internals Controls must include the following:
(a) separation of duties relating to ordering, receiving and payment functions;
(b) separation of on-line data entry and certification functions; and
(c) security over operator identification numbers and passwords assigned to certification and data entry operators.
The audit found that supporting documentation was always available, however there were instances of data entry being performed by a certification operator, batches being entered and certified by the same individual, and batch certification being done when time sheets indicated the individual was not at work.
A sample of 140 QP vendor vouchers and 71 QP travel vouchers were selected for review from the period April 1, 1998 and March 31, 1999. The audit found no material errors in the supporting documentation or calculation of QP vouchers' totals.
The audit determined that the Bureau is in compliance with all material aspects of OSC's Procurement and Disbursement Guidelines, Bulletin No. G-158 regarding the retention of supporting documentation and the accurate calculation of voucher totals.
OSC's Bulletin No. A-266 states that any person who has a Certification Operator ID cannot also perform QP data entry.
The audit found that, of the 34,723 vendor vouchers processed during the period April 1, 1998 through March 31, 1999, 492 (1.4 percent) of the QP vouchers were data entered by certification operators. This condition was also found during the last Quick Pay audit. The frequency has decreased from 4.2 percent to the current level.
Bureau officials attribute the reduction in the incidence of certification operators data entering to improvements made to internal controls over the data entry process in response to the prior Quick Pay audit. It was noted during this audit that the ORACLE Financial Management System includes control features that will prevent this from occurring in the future.
OSC’s Financial Management Guide’s, Internal Control Standards state that management should ensure that “Key duties and responsibilities in authorizing, processing, recording, and reviewing transactions should be separated among individuals."
The responsibility for data entering vouchers and certifying the batch should be performed by different individuals to ensure the appropriateness of the information entered and approved.
The audit reviewed 140 QP vouchers and compared the name of the person performing the data entry with the name of the person certifying the batch. In two instances, the vouchers were data entered and certified by the same individual. This observation was also made during the last Quick Pay audit, however the frequency has decreased.
OSC's Accounting Bulletin A-266, page 5, states "Management is responsible for ensuring adherence to all controls for terminal and password security. " For those vouchers selected for review by OSC, the audit compared the date that the batch was certified with the employees' time sheets to ensure that the individual certifying the batch was present on the day that their password was used.
Password security is intended to prevent the entry of unauthorized transactions, changes to computer files and access to restricted data. Violation of password security can effect the integrity of the data and increase the potential for fraud and abuse.
The audit found two instances of a certification operator certifying a batch on days that their time sheet indicates they were not present.
Bureau officials indicated that, on these two days, the individual reported to work on her regular day off. The Bureau needs to establish a policy on how time worked which deviates from the regular schedule is recorded and accounted for to ensure accountability with password security.
1. Ensure that certification operators do not data enter QP voucher batches.
2. Ensure that the individual performing data entry is not the individual certifying the batch.
3. Periodically generate reports to monitor the occurrence of individuals by-passing the separation of responsibilities.
4. Ensure that passwords are unique to each individual and not shared among Bureau staff.
5. Meet with Human Resource Management staff to determine a method to account for staff deviating from normal work schedules to ensure accountability with password security.
Fiscal Management officials agree with recommendations 1, 2, 3 and 5. They do not believe the report supports a recommendation regarding password security.
The audit identified instances of a password being used on days when the individual assigned the password was marked absent on the timesheet. There was no documentation available as to what occurred on those days. The two possibilities are that the individual reported to work on a regular day off or someone else used the password. Our recommendation, number 4, addressed the latter possibility.
Appendix A
Quick Pay Process
Contributors to the Report
· James Conway, Audit Manager
· Bonnie Lee Hahn, Senior Auditor
|
To: |
Daniel Tworek |
Date: |
April 11, 2000 |
|
From: |
Don Juron |
||
|
Subject: |
|||
Fiscal
Management has completed our review of the audit of the Quick Pay Process for
the period April 1, 1998 through March 31, 1999. We have the following responses to the recommendations identified
in the report:
Recommendations 1& 2 &3- As referenced on
page 7 of the audit report, Fiscal Management made enhancements to its internal
control process with regards to quick pay data entry upon completion of the
prior quick pay audit. It should be noted
that the previous audit report was issued in September of 1998 and therefore
the changes were not implemented until almost six months into the succeeding
state fiscal year. Therefore the 492
noted incidences of QP vouchers data entered by certification operators were
the result of the crossover from the issuance of the prior audit report and the
beginning of the new fiscal year. As
noted on page 7, Fiscal Management has implemented a new financial management system
which includes systematic control features which will not allow a certification
operator to perform quick pay data entry.
Recommendation #4- We believe that the
documentation as identified in the audit report does not support the need for
this recommendation.
Recommendation #5- We agree with this recommendation and will seek the advice of Human Resource Management. Fiscal Management wishes to note that in both instances noted in the audit report of a certification operator certifying a batch on days that their time sheet indicated that they were not at work, the choice to complete this task was that of the employee alone and their supervisor was aware of their actions. We will seek the advice of Human Resources to ensure compliance with overtime requirements.
cc: Theresa Cary
James Conway
Michael DiVirgilio