Audit Report Procurement FINAL

Port of Seattle

Internal Audit Report

Central Procurement Office
Procurement System Review

Current Practices in 2008




Issue Date: February 27, 2009
Report No.: 2009-03

Internal Audit Report
Central Procurement Office
Review Period: Current Practices in 2008

Table of Contents

Internal Auditor's Report
Executive Summary
Background
Audit Objective
Audit Scope
Audit Approach
Conclusion
Audit Findings and Recommendations
    1.  Major Public Works
    2.  Small Works
    3.  Miscellaneous Purchases - A & C Type Purchase Orders, S Type Contracts, and P-Cards












Internal Auditor's Report

We have completed a system review of the Central Procurement Office. The purpose of the review
was to identify risks related to procurement and assess key controls designed to mitigate these risks.
Management has the primary responsibility to establish and implement effective controls. Our audit
objective was to assess and test those controls in order to determine if the controls were adequate and
operating effectively as intended.

We conducted the audit using due professional care. We planned and performed the audit to obtain
reasonable assurance that existing controls over procurement within the Central Procurement Office are
working efficiently and effectively as intended.

We identified certain control weaknesses related to documentation and inadequate segregation of
duties, which are discussed in the subsequent sections of this report.

We extend our appreciation to the Central Procurement Office management and staff for their
assistance and cooperation during the audit.


Joyce Kirangi, CPA
Internal Audit Manager








Executive Summary 
Audit Scope and Objective: The purpose of our review was to identify risks and assess the key
controls that mitigate those risks. Our review included the Central Procurement Office's major
categories of procurement. The scope of the review included the current practices of the CPO in 2008.

Background: The Central Procurement Office as an organizational unit was created in response to
the 2007 SAO Performance audit. A number of contract services and administration staff from various
organizational units have been combined to establish the CPO. The office provides oversight on overall
procurement activities and is grouped into the major procurement categories: 1) Major Public Works, 2)
Small Works, 3) Service Contracts, and 4) others (S, A and C purchases). The CPO is centrally
responsible for procurement policies/procedures and compliance with them.

For a 4-year period ending 2008, the Port annually disbursed on average $300 million, $10
million, $100 million, and $70 million for Major Works, Small Works, Service Contracts, and others
(S, A, and C purchases), respectively.

Audit Results Summary: The review identified a number of control weaknesses related to
documentation and inadequate segregation of duties as well as opportunities to strengthen existing
controls.










Background
The Central Procurement Office as an organizational unit was created in response to the 2007 State
Auditor's Office performance audit report. A number of contract services and administration staff from
various organizational units have been combined to establish the CPO. The office provides oversight on
overall procurement activities and is grouped into the major procurement categories.
The following are some examples of the CPO's involvement in the procurement of goods and services:
- Advertisement related to bid
- Centralizing documentation
- Contract/Agreement setup
- Vendor setup
- Purchase Order setup
- Procurement Policy/Procedure

The Central Procurement Office is grouped into major categories that include:
- Major Public Works are projects initially estimated to be in excess of $200,000.
- Small Works are projects initially estimated to be less than or equal to $200,000.
- Service Contracts include personal and professional services.
- A-Type purchase orders are one-time purchases of specific goods and/or services.
- C-Type purchase orders are recurring fixed-price contracts with pre-established terms and
  conditions.
- S-Type vendor contracts are for recurring purchases with a specific vendor (also known as a
  Blanket Vendor Contract).

Port-wide procurement disbursements for a 4-year period ending 2008 are as follows:

(in millions)         2005     2006     2007     2008
Major Public Works    $ 340    $ 317    $ 270    $ 217
Small Works           $  11    $  10    $   9    $   7
Service Contracts     $ 104    $ 111    $ 100    $  80
S-Type Purchases      $  50    $  41    $  38    $  39
A-Type Purchases      $  27    $  25    $  23    $  25
C-Type Purchases      $   4    $   2    $   2    $   3
Source: PeopleSoft

Audit Objective
The objective of our review was to identify risks to the Central Procurement Office (CPO) and assess
controls to mitigate those risks within the Port's major categories of procurement: 1) Major Public
Works, 2) Small Works, 3) Service Contracts, 4) others (S, A and C purchases).

Audit Scope
The scope of the review was current practices in 2008.

Audit Approach 
To achieve the objectives we performed the following procedures:
- Obtained an understanding of the systems and transactions involved within the context of the
  CPO, including significant procurement compliance requirements
- Assessed and identified risks associated with the CPO
- Identified key controls to mitigate risk
- Tested key controls for effectiveness

Conclusion 
The review identified a number of control weaknesses related to documentation and inadequate
segregation of duties as well as opportunities to strengthen existing controls.












Audit Findings and Recommendations
1. Major Public Works

a). Involvement in Acquisition Planning
Construction Contract Services is not consistently included in the construction acquisition planning
meetings. The Project Management Group is responsible for inviting the Manager of Construction
Contract Services to the pre-design meetings for Major Works Construction projects. The current
practice involves the Project Management Group extending an invitation to the Manager of Contract
Services on an as-needed basis after the acquisition planning phase has been completed. In most
cases, the Manager of Contract Services is not invited to the meetings until the acquisition planning
is nearly completed. According to the Contract Administration Manual, Contract Administration will
participate in the pre-design meetings to the extent required to assure selection of the proper
contracting method, proper contracting category (Small Works or Major Public Works), funding
sources and tax issues/implications. If Contract Administration does not assure that the proper
contracting method, proper category, funding sources and tax issues/implications are addressed in
the pre-design phase, this may delay the project as well as incur additional costs to properly redesign
the project.
Recommendation
We recommend that Construction Contract Services receive periodic updates of upcoming projects
from the Project Management Group. Construction Contract Services should participate in the
acquisition planning meetings to the extent required, to assure that the proper contracting method,
proper contracting category, funding sources and tax issues/implications are addressed.
Management Response
The Port is implementing, via CPO-1, a stronger acquisition planning phase for all projects over
$200,000.  As part of acquisition planning for projects, the project management groups in
conjunction with CPO will conduct acquisition strategy planning meetings to develop an acquisition
plan. This plan shall be included in the project notebooks. At key dates specified in the acquisition
plan, whenever significant changes occur, or when CPO or other Port Departments request an
acquisition meeting, CPO and the project management group will review and, if appropriate, revise
the plan. CPO-1 training is underway and we have begun more formal acquisition planning on many
projects.
2. Small Works
a). Inadequate Documentation
During the course of our review, a number of instances of less than adequate documentation
related to the solicitation-to-bid process of small works were noted. Detail testing of a risk-based
sample of 10 contracts from a population of 50 contracts with the beginning dates in 2008 revealed
the following exceptions:

1. One contract lacked documentation as to why the lowest bidder was not selected.
2. Some files did not include evidence of date stamping of sealed bids or evidence of an
appropriate sealed bid process.
Inadequate training and a lack of standardization at outlying areas of the Port that perform solicitations of
small works contracts contributed to the observed condition.  Proper documentation provides
evidence of compliance with the competitive solicitation process, establishes confidence in our
processes, and assures accountability to Port policies. In its absence, compliance efforts by the
CPO cannot be objectively verified and consequently become questionable.
Recommendation
We recommend that management implement improved control procedures to correct the above
weaknesses. Specifically, we recommend that management:
1. Strengthen policies and procedures to assure adequate documentation in the small works files.
2. Continue to provide training on adequate file documentation and establish accountability of the
file information.
3. Continue the process of monitoring and correcting roster information.
4. Consider using a Port-wide standardized checklist of required documents for all small works
contracts.
Management Response
Four contracts were identified as having had inadequate documentation. Each contract was
initiated and executed during the process of establishing the Central Procurement Office.
Specifically, SW-0315295 and SW-0315493 were procured out of Aviation Maintenance and
executed 3/14/08 and 5/5/08 respectively. SW-0315605 and SW 0315708 were procured by
Marine Maintenance and the contracts were executed 2/27/08 and 1/22/08 respectively.
All four contracts had the finding that the file failed to contain the date stamp envelope. Since
establishing a centralized procurement office, CPO has been working with procurement
professionals responsible for small works roster procurements to establish consistent procedures
and compliance with legal and Port requirements. CPO will continue to provide training on these
matters as we continue to evaluate current processes and identify issues and new processes.
Two additional findings were noted for SW-0315605 executed in February 2008. First, with respect
to the finding that one contract did not include evidence as to why one bidder was not selected,
CPO investigated the matter and determined that the initial low bidder was found not responsible
because they did not meet the supplemental responsibility criteria. A letter should have been sent
to the low bidder rejecting their bid and indicating that they were found not responsible. This letter
should be in the procurement file. We were unable to locate the letter. Training will be conducted
on this issue to ensure procurement professionals understand the requirements surrounding
responsibility reviews and bid rejections.

3. Miscellaneous Purchases - A & C Type Purchase Orders, S Type Contracts, and P-Cards
a). Segregation of Duties
During the course of the audit we noted the following concerns regarding proper segregation of
duties:
- There is no approval process in place for issuing or changing purchase orders or blanket vendor
  contracts. Any Buyer within CPO has the ability to place or change a purchase order or blanket
  vendor contract individually up to $25,000.
- Vendors may also be created and approved by the same person. Detailed testing of the vendor
  database for 2008 showed that the majority of new vendors were approved by the person with
  the capability to also create vendors in the system.
Segregation of duties is a basic, key internal control designed to ensure that errors or irregularities
are prevented or detected on a timely basis by employees in the normal course of business.
Segregation of duties provides two benefits: 1) a deliberate fraud is more difficult because it
requires collusion of two or more persons, and 2) it is much more likely that innocent errors will be
found. Without proper segregation of duties in these areas the Port is subjecting itself to increased
risk of unauthorized or fraudulent purchases.

Recommendation
The CPO should review its processes to ensure that significant risk areas contain adequate
segregation of duties so that no single individual has control over two or more key phases of a
transaction or operation.
Management Response
Issuing & Changing PO 
With EX-2, the ability to make significant changes to purchase orders is limited by EX-2. Buyers may
issue and maintain purchase orders within their delegated authority. This authority is limited to
$25,000 for Buyers and Managers and $100,000 for Sr. Purchasing Manager. All other changes
must go to Director CPO and/or Managing Director of CDD or the CEO. Change orders may come
from the department (increase, decrease qty, substitute item, etc.) or the Buyer may authorize.
Most frequently the buyer will modify small amounts of pricing or quantities to clear payment
exceptions.
Vendor Creation 
The CPO agrees that vendor creation and approval present a risk area. CPO is in the process of
reviewing this issue and will likely establish a process that separates the function of entering the
vendor information from the person who approves the data and verifies the W-9.

b). Inadequate S-Type Contract (a.k.a. Blanket Vendor Contract) Documentation and
Approval
An S-Type contract is a written document with agreed-upon terms and conditions pertaining to
recurring purchases of goods and services (e.g., maintenance supplies and services, janitorial
services, etc.). The primary purpose is to provide customers with a more efficient way to acquire
typically small-dollar-value and frequently-needed goods and services.
Prior to negotiating an S-Type contract, the CPO documents the need and approval for the contract
on an S-Type Contract Request form, a Purchase Requisition, or a memo. PUR 1-d requires that the
Manager, Purchasing, approve all S-Type contracts before they are placed. When deciding
whether to renew an existing S-Type contract, CPO will review the contract to ensure that it was
being used as it was intended and that a renewal is justified. This review will usually include
reviewing payments against the contract to ensure that purchases were frequent, that purchase
amounts were appropriate for the contract, and that only authorized departments were using the
contract.
Detail testing of 15 S-Type contracts revealed that:
- 20% did not contain any documentation justifying the need or approval for the contract.
- 53% were not approved by a Manager, Purchasing, as required by PUR1-d.
- 100% were renewals of an existing S-Type contract; however, no documentation was
  maintained evidencing the review performed on the existing contract to justify the renewal.
Without adequate supporting documentation and approval, the CPO cannot substantiate their due
diligence in executing contracts that are in the best interest of the Port.

Recommendation 
The CPO should ensure that its procedures are in compliance with all Port policies and procedures.
They should also document and maintain all key procedures performed in analyzing and justifying
the placement of S-Type contracts.
Management Response
The CPO agrees that evidence of the Sr. Manager's approval does not exist in the blanket order
contract files. This has been remedied and we are currently reformatting the contracts so all will be
signed by the Sr. Manager. Moreover, changes to EX-2 redelegations require signature authority of
the Sr. Manager or higher level. An activity report with a checklist will be provided to the Buyer
indicating the analysis was completed.

c). The Signature Requirement for Purchase Requisitions is Not Effective in Preventing
Unauthorized Purchase Orders.

The CPO requires that departments submit a signed Purchase Requisition form before they will fill
the purchase order. However, CPO does not perform any procedures to ensure that the signature
is legitimate or that the Purchase Requisition has been appropriately approved. Detailed testing of
Purchase Requisitions associated with purchase orders revealed that 20% of the Purchase
Requisitions examined, while legitimate, were signed by an individual who did not have the
authority to approve purchases.  The current procedures do not mitigate the risk of filling an
unauthorized purchase order.

Recommendation 
As a central procurement office established to have a greater oversight of all Port purchases, the
CPO should consider having more involvement in the approval of purchase orders.
Management Response
CPO is working with Port to establish a better system for establishing who has authority to sign
requisitions.  Each Senior Executive Staff is providing CPO with a list of personnel who have
authority to sign requisitions and the level of their authority. CPO will review requisitions to make
certain appropriate parties have signed the document. It is up to the departments to make certain
staff given authority to sign requisitions acts within the best interest of the department and budget
constraints. This should minimize risk of CPO procuring unauthorized items/services.

d). Vendor Creation
Procedures associated with vendor creation are insufficient to ensure that the Port only contracts
with legitimate vendors. The CPO requires that any new vendor submit a W-9 form before they are
approved in the system. A Buyer may enter a new vendor in the system, but the vendor cannot be
paid until they are approved in the system by a Manager or Senior Manager, Purchasing. However,
the Buyers do not perform any procedures to verify that the vendor is a legitimate business. Also,
the Manager, Purchasing, responsible for approving vendors in the system does not require any
documentation for a new vendor other than the W-9 form.
20 vendors were examined to determine if available public records could substantiate them as
legitimate businesses. 10% of the vendors tested could not be substantiated. Subsequent audit
procedures did verify that these vendors were appropriate; however, there is no documentation
maintained within the CPO to support them.
Vendor creation is a significant risk to any organization, and an effective system of approving
vendors can substantially reduce the risk of fraud.
Recommendation
The CPO should establish procedures designed to ensure that only legitimate vendors are
approved to conduct business with the Port. Documentation should be maintained evidencing the
creation and approval of new vendors.

Management Response
The CPO agrees that vendor creation and approval present a risk area. CPO is in the process of
reviewing this issue and will likely establish a process that separates the function of entering the
vendor information from the person who approves the data and verifies the W-9.
Purchasing staff will be allowed the authority to enter vendor information. AFR staff will be granted
approval authority to approve vendor requests and changes. W-9 information will be verified
against the IRS database by AFR Staff. This process may be sufficient to limit risk and we are
investigating whether a mechanism to document the process is necessary and/or required.













