Disbursements Accounts Payable
INTERNAL AUDIT REPORT OPERATIONAL AUDIT DISBURSEMENTS/ACCOUNTS PAYABLE January 2017 – December 2017 ISSUE DATE: JUNE 19, 2018 REPORT NO. 2018-03 Disbursements/Accounts Payable January 2017 – December 2017 INTERNAL AUDIT TABLE OF CONTENTS EXECUTIVE SUMMARY ................................................................................................................................................. 3 BACKGROUND .............................................................................................................................................................. 4 AUDIT SCOPE AND METHODOLOGY ........................................................................................................................... 5 SCHEDULE OF FINDINGS AND RECOMMENDATIONS............................................................................................... 6 APPENDIX A: RISK RATINGS ...................................................................................................................................... 10 APPENDIX B: COMPLETE MANAGEMENT RESPONSE ............................................................................................. 11 2 Disbursements/Accounts Payable January 2017 – December 2017 EXECUTIVE SUMMARY Internal Audit (IA) completed an audit of the Disbursements / Accounts Payable process within the Accounting and Financial Reporting Department (AFR) for the period January 1, 2017 through December 31, 2017. The audit was performed to evaluate the design of internal controls and in some cases, the operating effectiveness of those controls. Although considered, our audit was not designed to identify fraud. AFR Management has a strong understanding and appreciation of effective internal controls. This “tone at the top” mindset permeates to individuals performing key tasks within the disbursements process and contributed to our evaluation and conclusions. In 2017, AFR processed over 14,000 vendor payments, totaling approximately $675 million. Payment requests are decentralized, originating mainly outside AFR. AFR processes Port payments, and is one control component within the Port’s disbursements process. The decentralized nature of Port disbursements requires controls to be developed and followed both within and outside AFR. Therefore, the collective efforts of these controls holistically contribute to the overall effectiveness of the disbursements process. The issues identified align to best practices and are offered in the spirit of continuous improvement. 1) A Port wide delegation of authority for approving invoice payments should be reviewed and approved by Executive Management and memorialized into Executive Policy (EX-2) guidance. Delegations of authority establish approval limits that generally correlate to the individual’s level and responsibility within the organization. 2) Opportunities were identified to improve internal controls. These opportunities include, implementing controls to disable user access when no longer needed, validating the accuracy of invoices entered into PeopleSoft, and segregating the responsibility of adding and approving vendors. These changes to internal controls align to best practices and would further refine processes. These issues are discussed in more detail beginning on page six. We extend our appreciation to AFR, Central Procurement Office, and the Treasury Department for their assistance and cooperation during the audit. Glenn Fernandes, CPA Director, Internal Audit RESPONSIBLE MANAGEMENT TEAM Dan Thomas, Chief Financial Officer Rudy Caluza, Director Accounting and Financial Reporting Duane Hill, Senior Manager Disbursements 3 Disbursements/Accounts Payable January 2017 – December 2017 BACKGROUND The Disbursements function within the Accounting and Financial Reporting Department (AFR) reviews supporting documentation, general ledger coding, and enters invoice data into PeopleSoft. In early 2017, AFR began using COR360, a third party software designed to streamline and control invoice payments. COR360 gives employees, including those outside AFR, approval authority to request payment for invoices. The majority of department invoices, with the exception of Major Capital Projects and Port Construction Services, use COR360. Invoices processed outside of COR360, are approved manually and stored in the Records Center on the Port of Seattle’s internal website (Compass). Accounts Payable (AP) Specialists create vouchers in PeopleSoft daily. These vouchers run through an overnight validation process and are posted for payment upon validation. Once in PeopleSoft, the Port uses two general methods to disburse funds (checks and electronic funds transfer). Live checks are generated and counted by an AP Specialist. A second individual (i.e. Travel Card Administrator or Payroll Senior Accountant) recounts and agrees the number of checks to the results from a PeopleSoft query. The table below reflects detail on the transaction type (method), amount, and count of disbursements for the period January 1, 2017 through December 31, 2017: 2017 DISBURSEMENTS BY TYPE Method Amount % by Amount Count % by Count Check $76,467,068 11% 6,174 43% Electronic Payments* 598,010,956 89% 8,137 57% TOTAL $674,478,024 100% 14,311 100% * Includes ACH, wire, and EFT 4 Disbursements/Accounts Payable January 2017 – December 2017 AUDIT SCOPE AND METHODOLOGY We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards and the International Standards for the Professional Practice of Internal Auditing. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The period audited was January 2017 – December 2017. We used a risk-based approach from the planning phase to the testing phase. We assessed risks and identified controls to mitigate those risks. We gathered information through document requests, research, interviews, and observations. Our audit included the following procedures: Process Understanding • Created flow charts to obtain a comprehensive understanding of the disbursements process. • Identified risks and internal controls within the flow charts. • Evaluated the design of internal controls to determine if control gaps existed. Control Testing 1. COR360 Approval Hierarchy • Reviewed the hierarchy for reasonableness and completeness. • Walked through one transaction to determine whether the workflow process properly followed the approval hierarchy. 2. New Vendor Setup Approval • Compared vendor addresses and phone numbers (if available), from PeopleSoft to payroll records, to identify matches. When matches were identified, we analyzed payments to determine if they were appropriate. • Selected 26 vendors judgmentally to determine whether they were registered with the appropriate State Department of Revenue. 3. User Access • Evaluated user roles, including vendor requests and approvals, within PeopleSoft. 5 Disbursements/Accounts Payable January 2017 – December 2017 SCHEDULE OF FINDINGS AND RECOMMENDATIONS 1) RATING: MEDIUM A Port wide delegation of authority for approving invoice payments should be reviewed and approved by Executive Management and memorialized into Executive Policy (EX-2) guidance. Delegations of authorities establish approval limits that generally correlate to the individual’s level and responsibility within the organization. Delegations balance the risk an organization is willing to grant to an employee’s level within the organization, without compromising operational efficiencies. Generally, the higher the individual’s position, the higher the amount an individual can authorize. Port Policy EX-2 includes “…limits of authority for conducting regular day-to-day business transactions.” EX-2, Attachment A, contains 16 Port wide delegation schedules. These schedules identify individuals authorized to execute major construction contracts, small works contracts, and consulting agreements. The schedule also includes general positions that are authorized to enter into contracts for the purchase of goods and services. EX-2 does not include an authorization schedule for payment approval. AFR management indicated that approval limits were established in COR360 by working with various individuals throughout the Port, thus the delegation of authority already exists. IA evaluated the limits and identified individuals, whose approval authority appeared excessive. When discussed with the direct managers of these individuals, they concurred that the limits seemed excessive. Recommendations: 1) Perform a reasonableness check, and if necessary, confirm with Senior Management that the limits are accurate. 2) Obtain CFO review and approval of the limits within COR360 and attach the approved schedule within the appendix of the EX-2 Policy. Management Action Plan: We acknowledge that the auditor recommendation enhances visibility in the control environment. As recommended, a higher Executive-level review and affirmation of payment authorization delegations will be implemented, to augment department management authorized delegations. AFR will extract the payment delegations currently contained in COR360 and incorporate them into the executive level EX-2 delegation schedules. (Refer to Appendix B for complete response). DUE DATE: September 30, 2018 6 Disbursements/Accounts Payable January 2017 – December 2017 2) RATING: MEDIUM Opportunities were identified to improve internal controls. These opportunities include, implementing controls to disable user access when no longer needed, validating the accuracy of invoices entered into PeopleSoft, and segregating the responsibility of adding vendors. These changes to internal controls align to best practices and would further refine processes. 1) User Access (As of March 2018) Thirty eight individuals within the Central Procurement Office (CPO) had the ability to enter new vendor data and request approval. We identified two individuals, whose access should have been removed, one who transferred to a department outside of CPO and another whose access was no longer required to perform his job responsibilities. One hundred ninety six individuals had approval authority within COR360. We identified one individual, who was no longer an employee of the Port, but was not removed from the COR360 approval hierarchy. COR360 is a web-based application and does not require access to the Port’s network. Therefore, an individual who no longer works for the Port who previously had a user name and password, could still login to COR360. 2) COR360 Invoice Validation COR360 Invoices are manually entered into PeopleSoft. A validation process does not exist to assure that invoice details and amounts are entered correctly into PeopleSoft. 3) New Vendor Setup In certain instances, new vendors are added and approved within AFR. Although different individuals perform these functions, to align with industry standards, vendor setup should be restricted to CPO. Additionally, moving this control out of AFR allows CPO to focus on the vendor selection and approval process and AFR to focus on the disbursement process. Recommendations: 1) Perform a quarterly user access review to identify and remove access when an employee transfers departments or the need is no longer necessary (i.e. an employee’s employment terminates). 2) Until an automatic feed can be developed, AFR should implement a control to validate the accuracy of COR360 invoices that are manually entered into PeopleSoft. 3) Partner with CPO to assess controls and best practices for establishing and approving new vendors. This could also include transferring certain responsibilities to CPO, if necessary. Management Action Plan: 1) As recommended, quarterly user access reviews will be put in place to identify and remove access when an employee transfers departments or the need is no longer necessary. Further, AFR has put in place a review against COR360 payment delegations, each time notice is received from HR that an employee has terminated Port employment. This proactive step is consistent with existing control protocols AFR has in place to administer user access controls in the Port’s PeopleSoft payroll administration and Concur travel/business expense systems. 2) We will institute batch total controls between COR360 output and PeopleSoft Financials accounts payable system input, to validate completeness. 7 Disbursements/Accounts Payable January 2017 – December 2017 3) AFR will work in partnership with CPO to assess this change. DUE DATE: September 30, 2018 8 Disbursements/Accounts Payable January 2017 – December 2017 1) EFFICIENCY OPPORTUNITY COR360 was implemented, as a Port wide tool, to expedite invoice payments and to establish an approval hierarchy within the application. However, not all groups use COR360 to process invoices. AFR implemented COR360, as a Port wide paperless accounts payable electronic invoicing system. The system was implemented to centrally receive, electronically scan, and approve vendor invoices more efficiently, while supporting AFR’s goal to pay vendor invoices more timely by leveraging technology. The majority of the Port, with approximately 320 users and 75 departments, use COR360. In June 2017, AFR met with Capital Development to discuss COR360. At that time, a decision was made to postpone the use of COR360 until a deeper understanding of Capital Development business processes was obtained. Invoices within Capital Development generally contain numerous pages of detail, are reviewed by multiple individuals, and are typically high amounts (exceeding $1 million). Management Action Plan: Management within Capital Development has agreed to have future discussions with AFR to explore opportunities to leverage COR360. 9 Disbursements/Accounts Payable January 2017 – December 2017 APPENDIX A: RISK RATINGS Findings identified during the course of the audit are assigned a risk rating, as outlined in the table below. The risk rating is based on the financial, operational, compliance or reputational impact the issue identified has on the Port. Items deemed “Low Risk” will be considered “Exit Items” and will not be brought to the final report. Port Commission/ Rating Financial Internal Controls Compliance Public Management Large financial impact Noncompliance High probability with applicable Important Missing, or inadequate for external audit Remiss in Federal, State, HIGH key internal controls issues and/or responsibilities and Local Laws, Requires immediate negative public of being a or Port Policies attention perception custodian of public trust Partial controls Inconsistent Potential for Relatively important compliance with external audit Moderate MEDIUM Not adequate to identify Federal, State, issues and/or May or may not financial impact noncompliance or and Local Laws, negative public require immediate misappropriation timely or Port Policies perception attention Generally Internal controls in place Low probability complies with but not consistently for external audit Federal, State and Lower significance Low financial efficient or effective issues and/or LOW/ Local Laws or Port impact negative public Exit Items Policies, but some May not require Implementing/enhancing perception minor immediate attention controls could prevent discrepancies future problems exist Efficiency An efficiency opportunity is where controls are functioning as intended; however, a modification would make Opportunity the process more efficient 1 0 Disbursements/Accounts Payable January 2017 – December 2017 APPENDIX B: COMPLETE MANAGEMENT RESPONSE Finding & Recommendation #1 A Port wide delegation of authority for approving invoice payments should be reviewed and approved by Executive Management and memorialized into Executive Policy (EX-2) guidance. Delegations of authority establish approval limits that generally correlate to the individual’s level and responsibility within the organization. Management Response: As the auditor notes, current Port-wide documented delegations of authority reflect delegation schedules that identify individuals authorized to execute procurements, such as major construction contracts, small works contracts, consulting agreements and other purchases. Payments are at the end stream of these approved procurements and once the goods/services are received, the Port has a contractual obligation to make payment. There are payment controls inherent in the Port’s financial systems. The procurement process at the front-end encompasses the Central Procurement Office (CPO) issuing purchase orders against which approved payments submitted to the Accounting & Financial Reporting (AFR) department for goods/services received must match against key control criteria. If required criteria such as quantity, unit cost, amount and purchase order maximum amount of the approved procurements are not met, the payment will be rejected by the PeopleSoft Financials system, regardless of whether payment approval was given. These payments represent at least 90% of payments made by AFR. In implementing COR360’s online workflow and electronic approval process, delegations of payment authority were established with the management of each respective Port department. Such management authorized delegations to initiate and approve payments are well documented and established in the COR360 system. This is required for the system to administer the electronic workflow payment initiation and review/approval control points for each Port department. Through this implementation protocol, payment delegations of authority have been established involving the respective Port department management. Nevertheless, we acknowledge that the auditor recommendation enhances visibility in the control environment. As recommended, a higher Executive-level review and affirmation of payment authorization delegations will be implemented, to augment department management authorized delegations. AFR will extract the payment delegations currently contained in COR360 and incorporate them into the executive level EX-2 delegation schedules. While we agree with the recommendation, however, we respectfully ask how this rises to the level of an audit finding. The recommendation forwards an observation to refine upon solid internal controls already in place. Formal delegation of payment authority does exist, is established with each respective department’s management that is accountable for the operational oversight responsibility, is fully documented in the COR360 system, and is executed accordingly by the systems electronic workflow for all payment requests and approvals. Further, the delegation of authority is established through appropriate department management, which conforms with internal control protocols that are required in order for control points to be meaningful. They should rest with individuals at the appropriate levels of 1 1 Disbursements/Accounts Payable January 2017 – December 2017 management having the necessary operational knowledge to effectively execute the expected judgment and control. Formally adding the payment delegation schedule into EX-2 delegation process provides an enhancement for visibility at the executive level, but does not correct any internal control deficiency. Formal delegation of authority for payments are established appropriately involving management in the respective Port departments. Finding & Recommendation #2 Opportunities were identified to improve internal controls. These opportunities include, implementing controls to disable user access when no longer needed, validating the accuracy of invoices entered into PeopleSoft, and segregating the responsibility of adding vendors. These changes to internal controls align to best practices and would further refine processes. Management Response: As a preface, we respectfully offer an overarching point in reference to the three opportunities for refinements offered by the auditor. We value and embrace the recommendations. However, as a public agency, it is important to note to the public that the Port has well-designed, robust and effectively operating internal controls in place over payments. The Port of Seattle is rigorously audited by two major external audit entities. The Washington State Auditor’s Office (SAO) annually audits the Port for public funds/assets accountability and legal/regulatory compliance. Moss Adams, the Port’s independent Certified Public Accounting firm, annually audits the Port’s financial statements and federal regulatory compliance over major grants and passenger facilities charge (PFC) accountability and spending. With these audits taking a rigorous holistic approach to auditing the Port’s system of internal controls, we are proud that year-after-year they have affirmed that effective internal controls are in place with no notable deficiencies. Moreover, the effectiveness of the Port’s internal controls is tried and proven, demonstrating a solid record of no fraud or misappropriation in the payment of public funds, with all payments administered by the Port’s centralized accounting operations and systems. 1) User Access (As of March 2018) Management Response: The Central Procurement Office (CPO) annually administers formally required updates of EX-2 delegations of authority. Also, the Port has focused to provide an effective off-boarding process for employees leaving the Port. This would include immediate notification and action to cancel all delegations of authority, as is the case for canceling all systems access authorizations. This should also apply to employees transferring to another department thereby, requiring immediate changes to any delegations and system access authorizations as well. The Accounting & Financial Reporting (AFR) department will work in partnership with CPO and the Human Resources (HR) department to assess any necessary refinements to protocols or compliance to ensure timely notification and changes to delegations of authority for and COR360 system access by Port departments. It is important to note that the Port has proactive preventative controls are in place. COR360 is typically set-up with separate initiation and approval(s) for payments, such that segregation of duties exist between those who can initiate payment requests and those who can approve them. Hence, whether a current or terminated employee, individuals typically will not be able to access the COR360 system and unilaterally initiate and approve payments on their own. Further, the Port financial system’s procurement 1 2 Disbursements/Accounts Payable January 2017 – December 2017 purchase order controls (described above) for payments, independent of the COR360 review/approval process, are also in place. These controls reject payments that do not meet certain control criteria, regardless of whether they have been approved through the COR360 electronic workflow. Moreover, the AFR accounts payable team scrutinizes payment requests from COR360 as they enter them into the PeopleSoft system for payment execution. Nevertheless, we acknowledge that the recommendation enhances the control environment. As recommended, quarterly user access reviews will be put in place to identify and remove access when an employee transfers departments or the need is no longer necessary. Further, AFR has put in place a review against COR360 payment delegations, each time notice is received from HR that an employee has terminated Port employment. This proactive step is consistent with existing control protocols AFR has in place to administer user access controls in the Port’s PeopleSoft payroll administration and Concur travel/business expense systems. 2) COR360 Invoice Validation Management Response: As industry best practice, the Accounting & Financial Reporting (AFR) department implemented in 2017, a third-party cloud-based system designed to streamline and control invoice payments. The COR360 system brings benefits and efficiencies to the Port including electronic receipt of vendor billing invoices, centralized automated scanning of invoices/supporting documentation, automated initiation of payment vouchers, online completion of payment requests, and electronic workflow that route invoices/payment requests to the appropriate Port departments personnel for online review/approval. The system enhances internal controls over the payment initiation and review/approval process, facilitates more timely payment of Port obligations, establishes electronic records for the full payment stream, eliminates paper and misrouted/lost invoices, and tracks the status of invoices and payments processing at any point in time. Moreover, this solution costing the Port about $36k in annual user licensing fees is much more cost-effective than the Port procuring and maintaining its own system. COR 360 was to be implemented in two phases. Phase one, to implement the online electronic environment for the Port’s payments, which is completed pending follow-up with two departments that were deferred. Phase two, which we are embarking upon to implement the best solution to provide systems interfaces, currently focused on COR360 and the Port’s PeopleSoft accounts payable financial system module. System interfaces would enable automated intra-system payment data integrity checks. In the interim, however, manual controls are in place. First, after each accounts payable specialist inputs the payment data from COR360 and before the payment files are approved to be run in PeopleSoft Financials, the accounts payable manager performs a review of the pending payments for observed irregularities or questionable items. Second, after the payments are produced and before they are released, an AFR senior manager reviews a print-out of all payments pending release for observed irregularities or questionable items. As an added measure of control through visibility, AFR has designed and is implementing an automated exceptions report for each accounts payable payment run that will identify any payments made to AFR accounts payable staff, AFR senior managers, AFR director and/or the Chief Financial Officer. Nevertheless, we acknowledge that the recommendation enhances the control environment during the 1 3 Disbursements/Accounts Payable January 2017 – December 2017 interim period. We will institute batch total controls between COR360 output and PeopleSoft Financials accounts payable system input, to validate completeness. This will augment the above described two-tier review controls already in place. As part of the Phase two implementation, automated transactional data accuracy checks at the detailed level will be possible and executed through implementation of the systems interface solution. 3) New Vendor Setup Management Response: We respect that the auditor’s recommendation is founded on industry best practice, that the approval and establishment of vendors in a payment system be done in operations outside of the department administering payments. AFR will work in partnership with CPO to assess this change. 1 4
Limitations of Translatable Documents
PDF files are created with text and images are placed at an exact position on a page of a fixed size.
Web pages are fluid in nature, and the exact positioning of PDF text creates presentation problems.
PDFs that are full page graphics, or scanned pages are generally unable to be made accessible, In these cases, viewing whatever plain text could be extracted is the only alternative.