Internal Audit Report

VESID

Internal Controls Over the Procurement and Payment of Goods and Services

for the Period January 1, 2000 through June 30, 2004

AI-0803-1

September 3, 2004

The University of the State of New York

THE STATE EDUCATION DEPARTMENT

Office of Audit Services

Albany, New York 12234

THE UNIVERSITY OF THE STATE OF NEW YORK

THE STATE EDUCATION DEPARTMENT

 

 

To: Rebecca Cort

Date: September 3, 2004

From: Michael Abbott

Subject: Audit Report

The following is our final report (AI-0803-1) for the audit of VESID Internal Controls Over the Procurement and Payment of Goods and Services for the period January 1, 2000 through June 30, 2004. The audit was conducted at the request of the Department’s executive management and VESID’s Deputy Commissioner in pursuit of Goal #5 of the Board of Regents/State Education Department Strategic Plan: “Resources under our care will be used or maintained in the public interest.”

 

Ninety days from the issuance of this report, VESID officials will be asked to submit a report on actions taken as a result of this audit.  This required report will be in the format of a recommendation implementation plan and it must specifically address what actions have been taken on each recommendation.

 

I appreciate the cooperation and courtesies extended to the staff during the review.

 

c: Commissioner Mills, K. Ahearn


Executive Summary

 

Background and Scope of Work

 

The Office of Vocational and Educational Services for Individuals with Disabilities (VESID) is responsible for the overall coordination of services to individuals with disabilities (consumers).  Vocational rehabilitational goods and services are provided to these consumers so they can be employed in integrated or supported work settings. VESID has over 300 counselors in 25 district and satellite offices serving over 106,000 consumers a year and spends in excess of $120 million a year on support services, maintenance and transportation, and case services. VESID reported that over 15,000 consumers were successfully placed in integrated work settings or supported employment in 2003.

 

The audit examined internal controls and reviewed practices, records, and documentation for the period January 1, 2000 through June 30, 2004.  This was a performance audit and the objective of our audit was to assess the adequacy of internal controls established by VESID for the procurement and payment of vocational rehabilitational goods and services.

 

Audit Results

 

The audit determined that VESID has not established and maintained an effective internal control system.  Significant weaknesses were found in each of the five interrelated components that form the basis for a good system of internal control.

 

·       VESID has not implemented a proper control environment.  Management has placed an emphasis on meeting performance standards and, in that effort, has eliminated some of the controls that previously existed.  This resulted in inadequate oversight and supervision over operations, especially fiscal decisions (pages 6-8).

·       VESID has not periodically assessed risk in its district offices. A risk assessment was conducted in 2000; however, management did not follow through and address the weaknesses and risks identified (pages 9-10).

·       VESID has developed some written policies and procedures for areas such as consumer and counselor relationships, key processes in serving consumers, and types of services.  However, VESID has not implemented some key control activities for the procurement and payment of goods and services.  For example, written procedures have not been developed for the purchasing process.  Also, separation of duties and computer controls need to be improved (pages 11-18).

·       Information from the computer systems is not being used effectively and employees are not provided with the information they need for their job duties (pages 19-21).

·       Management does not routinely monitor the purchasing process or vendor performance (page 22).

 

Without an adequate internal control system, an environment is created in which assets are not protected against loss or misuse; good business practices are not followed; goals and objectives may not be accomplished; and individuals are not deterred from engaging in dishonest, illegal, or unethical acts. The audit found that the lack of controls resulted in some alarming practices.

 

·       Some consumers interviewed stated they never received goods and services that were purchased for them by VESID. For example, eight consumers did not receive over $43,000 in computers and other equipment that were purchased by VESID and charged to the consumers’ cases. In another case, a counselor authorized the purchase of three camcorders in a four-month period, yet the consumer indicated he only received one.

·       Documentation was not required or retained to show the specific goods that were purchased.  For example, eight laptop computers were purchased for one consumer over a 17-month period, but documentation such as the authorizations and invoices was not available in the case file to support the expenditures.  Besides being undocumented, these purchases are not reasonable or necessary.

·       Purchases were made without the necessary supervisory approvals and oversight.  For example, a counselor authorized $60,271 in vehicle modifications for one consumer without evidence of supervisory approval.

·       Numerous computers were shipped to district offices, but adequate controls over the equipment were not established. In fact, invoices obtained from two vendors showed 33 laptop computers, valued at over $41,000, were shipped to a district office. Records show the computers were ordered and received by VESID support staff, but the disposition of the computers is unknown.

·       Statewide, over 11,000 transactions were back-dated over a three-year period and a review of a sample of these transactions showed the files did not contain an adequate explanation or documentation to justify the actions.  Further, there were cases where multiple authorizations for one consumer were issued to the same company and back-dated for several years without adequate explanations.  For example, in a 10-month period, 11 authorizations for one consumer were back-dated by as much as 2.5 years.  These authorizations were issued to the same computer vendor for purchases totaling $8,241. 

·       Other questionable practices included inaccurately charging the costs of consultants to some VESID consumers, not restricting individuals’ access to transactions within the scope of their responsibilities, processing authorizations to closed cases, authorizing services in excess of the maximum amount established by policy, and not effectively using available data to monitor activities.

 

Certain transactions involving a few individuals may be inappropriate or illegal. These transactions are being investigated and will be referred to the appropriate parties for disciplinary or legal action.

Comments of VESID Officials

 

VESID officials' comments about the findings were considered in preparing the report and are included as Appendix B. VESID officials agree with the recommendations and have developed a plan to address the weaknesses.  In addition, VESID has already implemented some changes in response to the audit.


Table of Contents

 

Introduction

Background

Objectives, Scope, and Methodology

Audit Results

VESID’s Response

Control Environment

Assessing and Managing Risk

Control Activities

Written Policies and Procedures

Separation of Duties

Supervision

Documentation

Safeguarding of Assets

Verification

Computer Controls

Information and Communication

Monitoring

Recommendations

 

Appendix A – Contributors to the Report

Appendix B – VESID’s Response


Introduction

 

Background

 

The Office of Vocational and Educational Services for Individuals with Disabilities (VESID) is responsible for the overall coordination of services to individuals with disabilities (consumers).  Vocational rehabilitational goods and services are provided to these consumers so they can be employed in integrated or supported work settings. VESID has over 300 counselors in 25 district and satellite offices serving over 106,000 consumers a year and spends in excess of $120 million a year on support services, maintenance and transportation, and case services. VESID reported that over 15,000 consumers were successfully placed in integrated work settings or supported employment in 2003, which is more than double the number of consumers placed in 1989.

 

Counselors determine a consumer's eligibility, establish goals with consumer input, determine the goods and services that will be purchased, and obtain the price VESID will pay.  Counselors can authorize a wide variety of goods and services to assist the consumers.  Goods include items such as clothing, home modifications, vehicle modifications, and equipment such as computers. Services can include counseling and guidance, vocational evaluation, physical restoration, on-the-job training, college training, or a vocationally orientated program. The VESID employees we interviewed are generally hard-working individuals interested in doing things the right way with a commitment to serving the disabled population of New York State. 

 

VESID has developed computerized systems to facilitate processing transactions for its consumers as well as to monitor and report results.  The systems establish a unique identification number for each consumer, provide for recording case notes in a computerized format, track the status of each case, and print authorizations and vouchers for payments.

 

Objectives, Scope, and Methodology

 

The audit examined internal controls and reviewed practices, records, and documentation for the period January 1, 2000 through June 30, 2004.  This was a performance audit and the objective of our audit was to assess the adequacy of internal controls established by VESID for the procurement and payment of vocational rehabilitational goods and services. This audit was requested by the Department’s executive management and VESID’s Deputy Commissioner as a follow-up to an audit of VESID’s Utica district office conducted by the Office of the State Comptroller (OSC). OSC’s audit, issued on September 22, 2003, identified the use of an unlicensed architect, potential conflict of interest transactions, non-compliance with State bidding requirements, and excessive costs for home modifications.

 

To accomplish the objective, we reviewed applicable laws, regulations, policies and procedures; interviewed VESID management and staff; examined records and supporting documentation; sampled a limited number of transactions on a non-statistical basis; interviewed consumers; obtained invoices from vendors; obtained an understanding of VESID’s computer systems; analyzed data available from the computer systems; and conducted field visits in four offices. 

 

Our audit included examining, on a test basis, evidence supporting transactions recorded in the accounting and operational records, and applying other procedures considered necessary in the circumstances.  The audit also included assessing the estimates, judgments, and decisions made by management and staff.  We believe that the audit provides a reasonable basis for our findings, conclusions, and recommendations.

 

The audit was time consuming and difficult to complete for a variety of reasons.  The following are some of the challenges we faced: 

 

·       A lack of documentation hampered the audit.  Documents, such as invoices and information showing that consumers received the goods and services, were not required by VESID and generally were not available to support transactions.  As a result, the audit contacted vendors to obtain invoices and interviewed consumers to determine whether the goods and services were received.

·       It took several months for the audit to determine that certain reports generated from the computer systems were not reliable.  For example, some of the standard reports are based on service dates and generally did not include back-dated authorizations.  We also noted that case service codes, which define goods and services in broad categories, were inconsistently used and could not be relied upon.

·       The computer systems were difficult to use, to extract data from, and to generate reports. It took several months to gain the knowledge to independently generate and analyze the data. In addition, it took the audit hours to run relatively simple reports and, in many cases, the processing of the reports was terminated prior to completion. 

·       District office managers stated that certain policies, procedures, and controls were in place.  During the course of the audit, we found that some were, in fact, not implemented.  These instances adversely affected the credibility of the information provided and made us skeptical. The audit looked to additional ways to verify the accuracy of the information.

 

Our audit concentrated on the internal controls over the procurement and payment of goods and services.  We reviewed operations at four offices and analyzed Statewide data.  While our findings on specific transactions relate to the operations at the four offices reviewed, our analysis of Statewide data shows the potential for questionable transactions at other offices as well.  As part of this audit, we did not follow up on the questionable transactions at other offices, but any plan to correct the deficiencies identified in this report must take into account all of the district offices.

 

Based on information that came to our attention, we also identified concerns with maintenance and transportation (M&T) expenses, consumer eligibility, economic need determination, vendor approval, and specialized vocational training schools.  These areas were not within the scope of our audit; however, they represent a significant risk that VESID needs to consider in preparing a plan to address the findings in this audit.

 

Audit Results

 

Internal controls are the policies, procedures, and practices designed and implemented to provide management with reasonable assurance that resources are safeguarded against waste, loss, and misuse; that operations are efficient and effective; that specific management objectives are achieved; that financial reports are reliable; and that the entity complies with applicable laws and regulations.  The internal control systems must be built into the business processes to ensure core activities are accomplished effectively, efficiently, and economically.

 

An effective internal control system should facilitate stewardship and accountability of resources as well as the accomplishment of goals and objectives.  The system should not be looked upon as a separate system within an agency, but rather as an integral part of the daily responsibilities of management and employees. OSC issued guidance on internal controls in a document titled Standards for Internal Controls in New York State Government (Standards). The Standards specify that there are five interrelated components that form the basis for a good system of internal control and provide detailed information on each of the components. The Standards were used to assess VESID's internal control system.

 

The interrelated components are control environment, risk assessment, control activities, information and communication, and monitoring. The audit determined that VESID has not established and maintained an effective internal control system.  Significant weaknesses were found in each of the five components.  The audit found that the lack of controls resulted in some alarming practices related to purchasing goods and services for consumers.  Our findings and recommendations are addressed in more detail in the sections that follow.  VESID management must give careful consideration to the findings and recommendations to improve their internal control system.

 

VESID’s Response

 

VESID officials agree with the recommendations.  Most of these findings were communicated to VESID management throughout the audit.  In response to the findings, a cabinet of various Department employees was established to develop a plan to address the weaknesses and begin making the necessary improvements.  Several steps have been taken including providing training to district office and business managers, issuing additional fiscal procedures, preparing a request for proposal for a new computerized system, and others.  While these are important elements of the changes that are needed, VESID must change its organizational culture so that all employees recognize the need for and importance of internal control systems.  While the change will not be easy, it is necessary to ensure the effective stewardship and accountability over the resources entrusted to VESID.


Control Environment

 

The control environment sets the tone of an organization, influencing the control consciousness of its people.  It is the foundation for all other components of internal control, providing discipline and structure.  Control environment factors include integrity and ethical values, commitment to competence, management participation, management philosophy and operating style, organization structure, assignment of authority, and human resource policies and practices.

 

In a decentralized organization, such as VESID with over 300 counselors in 25 district and satellite offices serving over 106,000 consumers a year, management’s actions help define the organizational culture affecting the design, administration, and monitoring of the other internal control components. Organizational culture determines what actually happens and which rules are obeyed, bent, or ignored. Management must instill a control environment that fosters integrity and ethical values, and a commitment to excellence. This requires clearly communicating expectations to staff, assigning responsibilities and authority to make decisions to the appropriate level, and routinely monitoring performance.

 

District office managers are responsible for implementing the policies and procedures established by central office and for monitoring the daily activities of their staff.  Counselors have the authority to make most fiscal and programmatic decisions but do so with little or no supervisory oversight.  Policies and procedures are not complete and the periodic monitoring of counselor activities is not comprehensive.  This has created an environment in which inappropriate behavior can occur and not be easily detected.

 

In the late 1980s, VESID established a goal to "increase the percentage of individuals with disabilities placed in integrated job settings in a cost-effective manner."  In an effort to increase the number of placements and reduce the time it takes for those placements to occur, a number of controls were eliminated including the supervisory review of case files and the approval of vendors by central office. In addition, management adopted a hands-off operating style putting the decision-making processes for purchasing, receiving, and payments in the district offices. This created a situation where each of the counselors acted as independent purchasing agents with inadequate guidance and oversight from central office. Not only is VESID not in compliance with State procurement requirements, but this situation has also contributed to a weak control environment where less emphasis was placed on the finances.

 

Management must set the appropriate tone at the top and provide leadership by setting and maintaining the organization’s ethical tone and providing guidance for proper behavior.  One way to set the tone is to review the fiscal decisions being made by the counselors.  The review should be completed using a risk-based system and should be cost-effective.  Management developed a case file review system to monitor counselor performance, but it does not include a component to assess the appropriateness of fiscal decisions.  Counselors do not routinely receive feedback on fiscal decisions they make in managing consumers’ cases. This could lead a counselor to conclude that the fiscal decisions are not reviewed and are less important than programmatic decisions.

 

Also contributing to a weak control environment was management permitting staff to inappropriately charge the weekly cost for a consultant to one consumer’s case even though several consumers benefited from the expenditure.  This created an impression that the strict accountability for funds is not important.  Some consultants worked on numerous cases and performed various services.  They were directed by VESID staff to accumulate their hours on a weekly basis.  A senior counselor would sign the record of service and authorize the cost to be charged to a different consumer’s case each week.  This was a way to “facilitate” payments to the vendors.  For example, one consumer’s case was charged $401 for 37.5 hours for job coaching, but the consumer did not receive the services.  VESID management indicated that the consultants worked on several cases and performed various services for this fee.  We were able to confirm this payment practice occurs in at least four offices but believe it is, in all likelihood, more widespread.

 

The audit also noted some other questionable practices related to consultants.  VESID paid some consultants an hourly rate plus a $20 or $50 bonus for every case they closed successfully.  This practice accentuates the emphasis on placements. VESID also hired an agency to provide consultants to assist with the screening of consumers’ eligibility.  There is some concern whether the consultants are independent contractors or employees since they meet several of the criteria for classification as an employee.

 

Also of concern was the practice of a district office to hire an agency to provide on-the-job training and have the training take place in that same district office.  The consumers did routine office work that was previously done by VESID employees.  The placement of consumers and consultants in district offices raises concerns about the appropriateness of the use of program funds for administrative functions.


Assessing and Managing Risk

 

Risk assessment is the identification and analysis of factors or conditions that may threaten the achievement of management’s objectives.  It involves identifying significant internal and external risks that may impact the effectiveness and efficiency of operations, the reliability of fiscal and programmatic reporting, and compliance with applicable laws and regulations.

 

Once the risks have been identified, they should be analyzed for their possible effect.  Risk assessment generally includes estimating the significance of the risk, assessing the likelihood of its occurrence, and deciding how to manage the risk and what steps should be taken.  Risk assessment should be conducted on a periodic basis to ensure any new or changing risks are adequately managed.  Such a process can provide management with the opportunity to enhance accountability; improve performance; ensure compliance; detect wrongdoing; and preclude or mitigate injury, damage, or loss.  VESID has not routinely assessed risk in each of its district offices.

 

In 2000, a graduate intern working for the Department assisted the district offices in conducting a risk assessment.  The risk assessment identified key functions performed in each district office and the risks associated with each function.  For each risk, an assessment was made of its significance, the likelihood that it would occur, and the controls that were in place to reduce or minimize the risks.

 

If it was determined that district office controls were not adequate, staff prepared a corrective action plan identifying the cause of the risk, the types of control activities that could prevent or reduce it, who would be affected by the new control, and how the information should be communicated to staff.  This process identified a number of significant risks that are common to the district offices. 

 

This information was submitted to central office, but management did not take any action nor did it complete any other comprehensive risk assessments.  We also noted that, as part of the Department’s annual certification on internal controls to the Division of the Budget, VESID provided information to the Commissioner indicating the existence of controls and a review process; however, this process did not adequately identify the control weaknesses.  In response to our audit, VESID has reviewed the risk assessments previously completed by the district offices and has also met with its managers to discuss the risks facing the district offices.


Control Activities

 

Control activities are the policies, procedures, and processes implemented by management to help ensure its directives are carried out. The control activities include written policies and procedures, separation of duties, supervisory review, and others.  Management must establish the necessary control activities to effectively and efficiently accomplish the organization's objectives and mission. The audit determined that VESID has not implemented some key control activities for the procurement and payment of goods and services.  This has led to serious weaknesses in the purchasing process.  Improvements are needed related to written policies and procedures, separation of duties, supervision, documentation, safeguarding assets, verification, and computer controls.  Information on each of these areas follows.

 

Written Policies and Procedures

 

Written policies and procedures help ensure employees know what is expected of them and also provide for standardization among district offices.   The policies and procedures are particularly important when there are offices in many locations and there is high staff turnover.  Policies and procedures are an important internal control that establish responsibilities and accountability, and help ensure consistency among staff.

 

VESID has policies and procedures online covering areas such as consumer and counselor relationships, key processes in serving consumers, and types of services. However, some of the counselors we interviewed did not appear to be aware of the policies and procedures or did not always follow them.  For example, some counselors authorized services in excess of the maximum amount established by policy.   Other counselors did not use a required ownership form.  VESID policies require that the consumer and counselor complete an ownership form for equipment purchases such as computers. The form acknowledges that the equipment is the property of VESID and must be returned under certain circumstances.  However, most files we reviewed did not include a copy of the signed form.

 

The audit found that the established policies and procedures were not complete.  For example, VESID did not have procedures outlining the specific steps staff should follow in purchasing goods and services.  Procedures were not available to address vendor approval, vendor selection, the delivery and receipt of goods, the use of quotes and formal bids, counselor authorizations, verification of the delivery of goods and services, reconciliation of the receipt of goods and services with the billings, compliance with State purchasing laws and regulations, and supervisory approvals.

 

The audit reviewed the process for the delivery and receipt of goods authorized for consumers and found there are no procedures to instruct staff in the appropriate process to follow. Instances were found where goods were delivered to the consumer's home, another location, and district offices.  In other cases, consumers picked up the goods directly from vendors. With variations in practice and the lack of documentation, it is very difficult to determine if the consumer received the goods.   In fact, eight consumers told us they did not receive over $43,000 in computers and other equipment that were purchased by VESID and charged to the consumer cases.

 

VESID updated its policy in October 2003 to address conflict of interest transactions.  However, the policy does not address conflict of interest transactions between vendors and consumers.  In the absence of a policy addressing this situation, a purchase was made from a related party without any justification to show the price was competitive.  For example, VESID paid a cousin of a consumer $7,000 for a one-month trial employment of the consumer.  The cousin was reimbursed without the benefit of a contract or justification for the costs. The services of the consumer were terminated at the end of the month.

 

Separation of Duties

 

Key duties and responsibilities should be divided or separated among different individuals to reduce the risk of errors and misappropriation. No one individual should control all key aspects of a transaction or event and the work of one employee should serve as a check on others. Ideally, for the purchasing process, the initiation, authorization, approval, ordering, receipt, payment, and record keeping should be performed by different employees. Where the duties cannot be adequately separated, there should be increased supervisory review and oversight.  The audit determined that VESID has not implemented adequate separation of duties for the purchasing process.  As a result, there is less assurance that all purchases are appropriate.

 

VESID counselors have the authority to initiate, authorize, order, and direct delivery of goods to various locations.  This process lacks adequate separation of duties and creates an environment where goods and services could be misappropriated with little or no risk of detection.  For example, counselors could order goods and have them delivered to their home or another address. When the vouchers come in, they would in all likelihood be paid.

 

The finance clerks in four offices had access to issue authorizations to purchase and to also process vouchers to pay for the goods and services.  This process lacks adequate separation of duties.

 

Supervision

 

Supervisory review of transactions can help ensure only appropriate activities occur and objectives are achieved.  Supervisors should monitor, review, and approve the work of their unit; provide necessary guidance and training; and clearly communicate duties and responsibilities. Given the lack of separation of duties, the need for supervisory review and oversight is heightened.  However, the audit determined that VESID did not generally require supervisory review of transactions including purchases.

 

Many of the counselors interviewed indicated certain issues are discussed with their supervisor and purchases over a specified threshold would require supervisory approval. However, we did not find any evidence of those discussions or approvals by supervisors.  In fact, we found a case where a counselor authorized $60,271 for a van modification and there was no evidence of supervisory review or approval even though the expenditure exceeded the $25,000 limit set in VESID’s policy.

 

The audit noted some changes to dates, quantity, and totals were being made to vouchers after they had been certified and submitted to the district offices by the vendors.   Some of the changes included increases to the total. Documentation was not available to show a supervisor approved the changes or the reason for the changes.

 

The audit also determined that supervisory review and approval are not required to add an individual or company to the approved vendor list.  District office staff can add vendors to the system without the review or approval of a supervisor.  As a result, there is an increased risk that vendors on the approved list may not be qualified.

 

Documentation

 

All transactions, purchased goods and services, and significant events should be clearly documented in each consumer’s case file.  The documentation should be complete, accurate, organized in a standard format, and recorded promptly. The audit found that the consumer files did not contain adequate documentation to support transactions and purchases made on behalf of the consumers.

 

Documentation was often not available to support certain purchases.  In a few cases, the district office could not find the files we requested.  In other cases, the files were provided, but did not contain the necessary documentation to support certain expenditures.  For example, eight laptop computers were purchased for one consumer over a 17-month period, but documentation, such as the authorizations and invoices, was not available in the case file to support the expenditures.

 

Documentation is generally not required or maintained to show that the consumer received the goods VESID purchased for them.  For example, a counselor authorized the purchases of three camcorders for a consumer in a four-month period, but there was nothing in the file to indicate the consumer received the goods.  In fact, the consumer indicated only one camcorder was received. The counselor could not explain the reason for authorizing three camcorders.

 

Similarly, many files did not contain documentation to show schools provided records of attendance or grade reports for consumers.  Nevertheless, VESID authorized payments for these services. In one case, a payment was made for a consumer to attend a driving school, but the consumer withdrew from the school and entered another school.  However, VESID paid the second school and did not request a refund from the first school, even though it was entitled to one.

 

Each authorization includes one or more case service codes in broad categories that describe the goods and services being provided.  However, the audit found that the case service codes are assigned by the counselors and, in some cases, have no relationship to the goods being purchased. For example, in one of the cases reviewed, we found that the purchase of electronic equipment was coded 420B which is "books and related materials."

 

Documentation is generally not available to show the specific items purchased.  VESID does not require vendors to submit an invoice or a detailed description of the goods purchased. The finance clerks in two district offices indicated that payment is made based upon receipt of the signed voucher. For example, a voucher was paid for $1,414 for “equipment/tools” without any information or documentation to indicate what was actually purchased.

 

The audit found inconsistencies in the documentation maintained in the consumers’ case files.  In some instances, copies of authorizations were in the files while others had multiple copies (yellow and white originals), and still others had “reprints” of the authorization.  Most files did not include invoices.  It does not appear there is a standard as to what documentation should be maintained in the files.

 

Safeguarding of Assets

 

Safeguarding of assets is defined as restricting access to resources and information to help reduce the risk of unauthorized use or loss. Management must secure the organization’s assets, files, documents, and other resources to protect them against loss and misuse.  The audit found that VESID did not adequately safeguard some of the assets it purchased for consumers.