LTC 258-2017
Update regarding the theft of funds from a City bank account

SunTrust Bank Review
SunTrust performed a Treasury Bank review in April and provided their recommendations on May 16th. The review resulted in seven recommendations, all of which will be implemented in the next 90 days. The review document is attached to this LTC.

Finance Department Staffing
All department vacancies have been filled except for two Financial Analyst III positions, which are currently being advertised. A summary of responses document has also been attached to this LTC that summarizes the status of implementation of the BDO and Crowe Horwath recommendations.

If you have any questions, please feel free to contact me.

Attachments
Attachment A — Summary of BDO Recommendations & Management Responses
Attachment B — Summary of Crowe Horwath Recommendations & Management Responses
Attachment C — SunTrust Bank Treasury Process Review
Attachment D — BDO Report

Attachment A - Summary of BDO Recommendations and Management Responses

1. Recommendation: Employees in charge of approving or rejecting an ACH debit should document the supporting evidence they relied on to determine that the vendor who initiated the ACH debit was legitimate and/or the amount of the ACH debit was correct.
   Status: COMPLETE
   Management Response: The City no longer makes ACH payments to vendors for goods and services as of December 2016. ACH payments are only approved for merchant services, banking fees, intergovernmental transactions and payroll-related withholdings. Several of the foregoing are on a pre-approved list with the bank and do not require approval. Valid ACH debits that are not on the pre-approved list now require dual approval by the City. The City placed dual approval on ACH debits effective March 2017. Any payments are first approved by the Treasury Manager and then by the Deputy Finance Director. Merchant services fees are approved after they are checked against an approved merchant list maintained by the Treasury Manager. Banking fees are approved after comparison to the analysis statement provided by the bank.

2. Recommendation: The City should review the Munis rights, permissions, and authority of all Finance Department personnel to ensure that record-keeping, approval or rejection, adding and removing approved vendors, and other rights, permissions, and authority are appropriate for their respective roles and represent appropriate separation of duties.
   Status: IN PROGRESS
   Management Response: In March and April, the City reviewed the Munis rights, permissions, and authority of key Finance Department personnel and made the proper changes to reflect the appropriate separation of duties. The remainder of personnel will be reviewed by June 2017. The IT resources required to implement this recommendation are currently supporting the Munis HR/Payroll project implementation, which is scheduled to go live in May 2017.

3. Recommendation: Positive pay should be added to all Zero-Balance sub-accounts (ZBA) at SunTrust.
   Status: COMPLETE
   Management Response: The City added Check Block to all non-checking ZBA accounts in April 2017, which is a stronger control than Positive Pay. Check Block is a security service for non-checking accounts: with this service, the bank will not process any checks without prior authorization from the City. Positive Pay already exists on all checking ZBA accounts. The monthly bank reconciliation, which covers the review of all debits and credits, was completed through March 2017.

4. Recommendation: Employees from the payroll processing division should be copied on emails sent by the accounts payable supervisor that document the explanations for all debits posted to the General Depository Bank Account, to verify that the payroll ACH debits and wires posted to the General Depository Bank Account actually pertain to the City's payroll.
   Status: COMPLETE
   Management Response: Beginning in January 2017, the payroll processing division is copied on all such emails.

5. Recommendation: Finance Department personnel should document the steps taken in reviewing suspicious items identified in the daily report of debits posted to the General Depository Account and RDA for payees and/or amounts. In addition, items that are validated and cleared should be supported with documentation of the steps taken.
   Status: COMPLETE
   Management Response: The Finance Department Daily Bank Debits Review Process (Daily Review) procedure was implemented in February 2017. The procedure requires the Treasury Manager to document any review or inquiries made for payees or amounts that appear suspicious. The procedure also specifies how items that are validated and cleared should be supported with documentation.

6. Recommendation: The spreadsheet for pending research items from the daily report of debits should be forwarded to the Internal Audit department every day.
   Status: COMPLETE: COMPENSATING CONTROL ESTABLISHED
   Management Response: The City has restructured the daily review process, and a spreadsheet of pending research items from the daily report of debits is no longer necessary. The spreadsheet was part of the temporary action taken by the City to mitigate further losses. In the aftermath of the fraudulent activities and the resignation of the Treasury Manager, the City pulled together available staff from several areas in the Finance Department to put as much oversight as possible on the ACH, banking and disbursement processes. Beginning in February 2017, the City started using a daily debit transaction list which includes all debit transactions: checks, wire transfers, ZBA debits, and ACH transactions. All debits are checked and validated in conformance with the procedure, and the Treasury Manager sends a copy of the reviewed list to several staff members, including Internal Audit staff. Internal Audit reviews the list, tracks items that are pending further investigation and follows up on those pending items. Internal Audit keeps a log of items pending follow-up to ensure that all items are resolved within 48 hours.

7. Recommendation: A second review should be performed on the explanation for each debit posted to the General Depository Bank Account by the supervisor of the employee who originally provided the explanation.
   Status: COMPLETE: COMPENSATING CONTROL ESTABLISHED
   Management Response: All debits are reviewed and approved by the City's management through the workflow approval process before they are recorded on the City's books. This is considered the first review. A second review is completed in the Daily Bank Debits Review Process (Daily Review), which was implemented in February 2017. In addition, improved segregation of duties and the timely completion of the bank reconciliation are compensating controls to this review.

8. Recommendation: The daily debit review process should be formally documented and written into a standard operating procedure, and the procedure should specify the employees who will become substitutes in the event that the employees responsible for performing the daily review are absent.
   Status: COMPLETE
   Management Response: The Finance Department's Daily Bank Debits Review Process (Daily Review) procedure was implemented in February 2017. A Financial Analyst II position is the substitute in the event that the employees responsible for performing the daily review are absent. This new position was added mid-year to facilitate the daily review process and provide for stronger segregation of duties.
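The Daily Review described in items 1, 3, 5 and 6 is, in effect, an allow-list reconciliation: each debit on the day's list either matches something the City authorized in advance or goes into a pending log that Internal Audit must close within 48 hours. The script below is an added example in Python written for this page; it is not the City's procedure document and not SunTrust or Munis tooling. The record layout, list names, role strings and every sample transaction are constructed assumptions. What it takes from the items above are the rules: a check clears only if number, payee and amount match the issued-check register (positive pay), an ACH debit clears either through the bank's pre-approved originator list or through Treasury Manager then Deputy Finance Director approval, any other debit needs a documented explanation, and pending items age against a 48-hour window.

```python
"""Daily Bank Debits Review as a script: an added example, not the City's
procedure document or any SunTrust/Munis tooling. Record layouts, list
names and all sample transactions below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from decimal import Decimal

PENDING_SLA = timedelta(hours=48)  # Internal Audit's resolution window (item 6)
# ACH debits not on the bank's pre-approved list need the Treasury Manager
# first and then the Deputy Finance Director (item 1), in that order.
DUAL_APPROVAL = ("Treasury Manager", "Deputy Finance Director")


@dataclass
class Debit:
    ref: str                # check number, ACH trace or wire reference (assumed layout)
    kind: str               # "CHECK", "ACH", "WIRE" or "ZBA"
    amount: Decimal
    counterparty: str       # payee for checks, originator for ACH/wires
    approvals: tuple = ()   # roles that approved, in order
    explanation: str = ""   # reviewer's documented reason (item 5)


@dataclass
class ReviewResult:
    cleared: list = field(default_factory=list)
    exceptions: list = field(default_factory=list)
    pending: list = field(default_factory=list)


def dual_approved(approvals):
    """Both required roles, in the required order, nothing less."""
    return tuple(approvals) == DUAL_APPROVAL


def review_debits(debits, check_register, preapproved_ach, known_originators):
    """Sort one day's debit list into cleared / exception / pending research."""
    r = ReviewResult()
    for d in debits:
        if d.kind == "CHECK":
            # Positive pay (item 3): number, payee and amount must all match the
            # register of checks the City actually issued; anything else is an exception.
            if check_register.get(d.ref) == (d.counterparty, d.amount):
                r.cleared.append((d.ref, "matches issued-check register"))
            else:
                r.exceptions.append((d.ref, "positive pay exception: not issued or payee/amount altered"))
        elif d.kind == "ACH":
            if d.counterparty in preapproved_ach:
                r.cleared.append((d.ref, "pre-approved ACH originator"))
            elif d.counterparty not in known_originators:
                r.pending.append((d.ref, "originator on no approved list; research payee"))
            elif dual_approved(d.approvals):
                r.cleared.append((d.ref, "known originator, dual approval documented"))
            else:
                r.pending.append((d.ref, "awaiting Treasury Manager then DFD approval"))
        else:  # WIRE or ZBA debit: clears only with a documented explanation
            if d.explanation:
                r.cleared.append((d.ref, d.explanation))
            else:
                r.pending.append((d.ref, "no documented explanation"))
    return r


def overdue_items(pending_log, now):
    """Refs in Internal Audit's pending log older than the 48-hour window."""
    return sorted(ref for ref, opened in pending_log.items() if now - opened > PENDING_SLA)


# --- constructed sample input (not real City transactions) ---
CHECK_REGISTER = {"10231": ("Acme Office Supply", Decimal("1250.00")),
                  "10232": ("Metro Elevator Service", Decimal("8900.00"))}
PREAPPROVED_ACH = {"IRS-PAYROLL-TAX", "FL-RETIREMENT-SYS"}
KNOWN_ORIGINATORS = {"CARDPROC-MERCHANT", "SUNTRUST-ANALYSIS-FEE"}
SAMPLE_DEBITS = [
    Debit("10231", "CHECK", Decimal("1250.00"), "Acme Office Supply"),
    Debit("10232", "CHECK", Decimal("8900.00"), "Metro Elevator Svc LLC"),  # payee altered
    Debit("ACH-7781", "ACH", Decimal("41300.55"), "IRS-PAYROLL-TAX"),
    Debit("ACH-7782", "ACH", Decimal("2310.10"), "CARDPROC-MERCHANT", DUAL_APPROVAL),
    Debit("ACH-7783", "ACH", Decimal("19950.00"), "VENDOR-UNKNOWN-LLC"),
    Debit("ACH-7784", "ACH", Decimal("640.00"), "SUNTRUST-ANALYSIS-FEE", ("Treasury Manager",)),
    Debit("WIRE-5510", "WIRE", Decimal("250000.00"), "Bond Trustee", explanation="debt service per schedule"),
    Debit("ZBA-03", "ZBA", Decimal("77000.00"), "Payroll ZBA sweep"),
]


def run_sample():
    return review_debits(SAMPLE_DEBITS, CHECK_REGISTER, PREAPPROVED_ACH, KNOWN_ORIGINATORS)


def sample_overdue():
    now = datetime(2017, 5, 18, 9, 0)
    log = {"ACH-7783": now - timedelta(days=3), "ZBA-03": now - timedelta(hours=2)}
    return overdue_items(log, now)


if __name__ == "__main__":
    res = run_sample()
    for bucket in ("cleared", "exceptions", "pending"):
        for ref, why in getattr(res, bucket):
            print(f"{bucket:10} {ref:10} {why}")
    print("overdue:", sample_overdue())
```

Run as a script, the altered-payee check is reported as a positive pay exception, the unknown ACH originator, the half-approved bank fee and the unexplained ZBA sweep land in the pending bucket, and the overdue report is what Internal Audit's log (item 6) would show for items that have sat longer than 48 hours. Note that dual_approved rejects the two roles in the wrong order and a single role alone; a control that accepted any two approvals would let one person with two accounts satisfy it.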
9. Recommendation: A designated employee from the payroll processing division should be copied on all communications sent by the payroll department that document the explanations for all debits posted to the General Depository Bank Account.
   Status: COMPLETE
   Management Response: The payroll processing division is now copied on the emails, effective February 2017.

10. Recommendation: Each division within the Finance Department should access SunTrust online on a daily basis to review all transactions posted (debits and credits) to their respective bank accounts and record them in the City's books, if they have not already been recorded, provided that the transactions are valid.
   Status: COMPLETE: COMPENSATING CONTROL ESTABLISHED
   Management Response: Accessing SunTrust online on a daily basis to review all transactions posted is not practical. One of the compensating controls is the Daily Bank Debits Review Process (Daily Review) implemented in February 2017. This process reviews all debits on a daily basis. Cash and checks are checked daily, and all other credits are reviewed through the monthly Bank Reconciliation procedure updated in April 2017.

11. Recommendation: The City should establish documented standard operating procedures for the monthly bank reconciliation process. Each step in the monthly bank reconciliation process should be clearly described. A defined period of time should be established, documented, and included in the procedures for completing each phase of the monthly bank reconciliation. Specific timelines for completion should be established for each division within the Finance Department responsible for researching and correcting differences identified during the bank reconciliation process. The bank reconciliation must be completed no later than 30 days from the bank statement date.
   Status: COMPLETE: COMPENSATING CONTROL ESTABLISHED
   Management Response: The existing bank reconciliation procedure was updated in April 2017. To address timelines for completion, at the beginning of each fiscal year a monthly closing memorandum is prepared by the Finance Department and distributed to all Finance staff. The memorandum includes the dates for recording all transactions into the City financial system. Adherence to the closing dates on the memorandum will meet this recommendation. The CFO has re-distributed the closing memo to staff to reiterate the importance of correcting differences by the closing dates. In addition, the Deputy Finance Director (DFD) has started monthly meetings to ensure that the underlying issues causing reconciling items are addressed. The DFD will follow up on items not clearing in a timely manner. The procedure states that bank reconciliations shall be completed within 30 days from the close of the books for the month, which is typically 10 to 15 days after the bank statement date.

12. Recommendation: Escalation procedures should be incorporated into the bank reconciliation process, and researching and reconciling differences should be assigned to employees who were not involved in the division that was originally assigned the responsibility for explaining the differences.
   Status: COMPLETE
   Management Response: To facilitate timely follow-up, beginning in February 2017 the Deputy Finance Director (DFD) started monthly meetings to ensure that uncleared items and the underlying issues causing reconciling items are addressed. Items are escalated to the DFD and CFO.

13. Recommendation: The City should re-define and document what constitutes a completed bank reconciliation. A bank reconciliation is complete when the total amount of the difference between the bank balance per the bank statement (as adjusted for certain typical reconciling items) and the bank balance per the general ledger has been researched and explained.
   Status: COMPLETE
   Management Response: The City has re-defined what constitutes a completed bank reconciliation. Effective with the February 2017 bank reconciliation, the City revised the process to include distribution of a preliminary reconciliation to staff showing uncleared items. The correspondence includes the date and fiscal period in which the item must be cleared. A final reconciliation, with the items cleared or showing a valid explanation of why an item remains uncleared, is considered the completed bank reconciliation. In addition, monthly meetings have been implemented to ensure that the underlying issues causing reconciling items are addressed.

14. Recommendation: Each division within the Finance Department responsible for researching and correcting items identified in the bank reconciliation process should inform the bank reconciliation group in a documented fashion. The bank reconciliation group should, in turn, document the explanations and dates of corrections in the bank reconciliation and follow up with the responsible division on all unresolved differences.
   Status: COMPLETE
   Management Response: Since February 2017, the documentation of bank reconciliation items has improved markedly due to the filling of key positions that were previously vacant, such as the Treasury Manager. A new Financial Analyst I position in the bank reconciliation group was added in March 2017 that facilitates timely research and communication throughout the department. In addition, the Deputy Finance Director has started monthly meetings that facilitate communication across divisions to ensure that issues causing reconciling items are addressed. Since these changes were made, there have been substantially fewer bank reconciliation items.

15. Recommendation: Employees who prepare bank reconciliations should have their recordkeeping rights cancelled, or a compensating control, such as independent management review of the reconciliation, should be implemented.
   Status: COMPLETE
   Management Response: Recordkeeping rights for several bank reconciliation employees were removed in April 2017. As a compensating control, the City's Internal Audit independently reviews all bank reconciliations monthly for timely completion.

16. Recommendation: Bank reconciliations should identify and document the employee(s) who review(s) them.
   Status: COMPLETE
   Management Response: The Bank Reconciliation procedure updated in April 2017 states that bank reconciliations are signed by the preparer and reviewed, signed and dated by a supervisor, manager, or Deputy Director. The reconciliation is maintained on file for subsequent reviews and audits.

17. Recommendation: Munis should be modified to prevent the same accounts payable (A/P) employee from entering an invoice and also approving it. Alternatively, we recommend that the A/P employee who posts the batch of final approved invoices print a report that shows the A/P employee who entered the invoice and the A/P employee who approved the entry before the batch is posted, to ensure that the same employee did not enter and approve the invoice in A/P. In situations where the same A/P employee entered and approved the invoice, the employee who posts the batch should review the invoice entry before posting the batch.
   Status: COMPLETE
   Management Response: The accounts payable workflow process was modified in April 2017 to remove all accounts payable staff from the approval process. Accounts payable staff enter invoices into the workflow process and release them for approval by managers across City departments. The City will continuously review the workflow process to ensure proper segregation of duties and controls.

18. Recommendation: Employees who process invoices in Munis should be prevented from entering new vendors or changing existing vendor information in the vendor master file.
   Status: COMPLETE
   Management Response: Effective April 2017, the creation of new vendors and the modification of existing vendors for goods and services are handled by the Procurement department.

19. Recommendation: City management should research all vendors with an associated general ledger account with cost center "0000", and changes should be made to the general ledger account so that it includes the correct cost center.
   Status: IN PROGRESS
   Management Response: The City is in the process of reviewing general ledger accounts and working with Tyler-Munis to correct the cost centers. While the review is under way, the City has created a catch-all workflow to monitor proper approval of the "0000" cost center. This process will be completed by July 2017.

20. Recommendation: The CFO should print a report of general ledger accounts with cost center "0000" and determine whether all payments posted to the accounts since Munis was implemented were approved by employees outside the A/P department in accordance with the Workflow Business Rules maintained by IT.
   Status: IN PROGRESS
   Management Response: The City is in the process of reviewing and recoding general ledger accounts with cost center "0000" to reflect the proper workflows. This process will be completed by June 2017. The IT resources required to implement this recommendation are currently supporting the Munis HR/Payroll project implementation, which is scheduled to go live in May 2017.

21. Recommendation: The City should transmit or upload the ACH disbursement file (if and when ACH payments to vendors for goods and services are resumed) and the check register file from Munis to SunTrust without the files being subject to the possibility of manipulation.
   Status: PENDING
   Management Response: The City will work with the bank and the software vendor to determine if a compatible file can be obtained that does not require manual adjustment. This item will be completed by June 2017.

22. Recommendation: An employee independent of accounts payable processing and with no recordkeeping rights should be in charge of uploading or transmitting the ACH disbursement and check register files to SunTrust, while the Acting A/P Supervisor as well as other employees in A/P should have their rights to upload the files to SunTrust revoked.
   Status: COMPLETE
   Management Response: Effective April 2017, employees independent of accounts payable processing and with no recordkeeping rights are tasked with uploading the ACH and check positive pay files to SunTrust Bank. The SunTrust rights of staff processing accounts payable were also removed in May 2017.

23. Recommendation: All passwords should require a combination of special characters, numbers, upper case letters and lower case letters and be changed periodically (at least every three months).
   Status: COMPLETE
   Management Response: The City went live with Managed File Transfer (MFT) in March 2017. MFT is an internet-based service that provides the ability to transmit or receive data files to/from SunTrust Bank using a web browser. It mitigates fraud and risk exposure while improving efficiency. SunTrust assigns mailboxes in the Managed File Transfer portal. The mailbox is the collection point for all files to and from SunTrust. Each employee has a unique mailbox and password. Original passwords are created by SunTrust and each employee subsequently changed their password. Passwords are twelve characters long and alphanumeric.

24. Recommendation: Employees independent of Accounts Payable processing and with no recordkeeping rights should be charged with downloading the original ACH disbursement and check register files from Munis and uploading or transmitting these files to SunTrust without being able to modify them. Once these files have been uploaded, the A/P employee who issued the ACHs and checks should independently call the 1-800 telephone number to communicate the total amount of the ACH disbursement and check register files.
   Status: IN PROGRESS
   Management Response: Effective April 2017, employees independent of accounts payable processing and with no recordkeeping rights are in charge of uploading the ACH and check positive pay files to SunTrust Bank. Staff now submit control totals via Online ACH Control instead of calling the 1-800 telephone number. The City will work with the bank and the software vendor to obtain a compatible file format that does not require modification. This will be complete in June 2017.

25. Recommendation: Under these circumstances, the employee independent of Accounts Payable processing who uploaded the ACH disbursement and check register files to SunTrust should access SunTrust (Onlinefiletransfer.suntrust.com) the next morning and review any exceptions to ACH disbursements and checks that were communicated by SunTrust.
   Status: COMPLETE
   Management Response: As indicated above, the City of Miami Beach went live with Managed File Transfer (MFT) in March 2017. The next morning, the transactions are reviewed through the SunTrust Bank online system by the Accounts Payable Supervisor, who has no recordkeeping rights.

26. Recommendation: The City Manager should review all payments exceeding $1,000,000 made since Munis' implementation and verify that he approved the expenditure in addition to any other required approval levels.
   Status: PENDING
   Management Response: All payments exceeding $1 million not approved by the City Manager or his designee since the implementation of Munis will be reviewed by the City Manager by June 2017. The IT resources required to implement this recommendation are currently supporting the Munis HR/Payroll project implementation, which is scheduled to go live in May 2017.

27. Recommendation: Munis should be modified so as not to allow significant payments to be issued unless the approvals of at least two different City officers have been documented in the system (see invoice entry for EFT No. 406106). Further, Munis should be modified so as not to allow payments exceeding $1,000,000 to be issued unless the approval of the City Manager has been documented in the system.
   Status: COMPLETE
   Management Response: The City amended the workflow approval policy to state that the City Manager approves disbursements over $1 million, except for debt service payments (principal, interest, and fees on bonds, loans and notes). These items are approved by the CFO, Deputy Finance Director or Assistant Finance Director. The debt service workflow was revised in April 2017.

28. Recommendation: Munis should be modified so as not to allow payments to be issued unless the A/P employee who approved the entry is documented in the system.
   Status: COMPLETE
   Management Response: Effective April 2017, all accounts payable employee approvals have been removed from the system. The workflow for payments has been streamlined to require approval by departments only.

29. Recommendation: Munis should be modified so as not to permit payments exceeding $1,000,000 to be issued unless the approval of the City Manager has been documented in the system.
   Status: COMPLETE
   Management Response: Effective May 2017, all payments exceeding $1 million must be approved by the City Manager or his designee, except for debt service payments, which are approved by the CFO or Deputy Finance Director.
30. Recommendation: The CFO should review all payments exceeding $500,000 made since Munis' implementation and verify that at least one other employee's approval between levels 40 and 55 has been documented in the system in addition to the City Manager's approval.
   Status: PENDING
   Management Response: All payments exceeding $500,000 made since Munis' implementation will be reviewed by the CFO by June 2017 to verify that at least one other employee's approval has been documented in the system. The IT resources required to implement this recommendation are currently supporting the Munis HR/Payroll project implementation, which is scheduled to go live in May 2017.

31. Recommendation: Munis should be modified so as not to allow payments exceeding $500,000 to be issued without having the invoice entry approval of at least two employees with approval levels between 40 and 55 documented in the system.
   Status: PENDING
   Management Response: The necessary workflow analysis and modification in Munis is anticipated to be completed by June 2017. The IT resources required to implement this recommendation are currently supporting the Munis HR/Payroll project implementation, which is scheduled to go live in May 2017.

32. Recommendation: Management should review, since the implementation of Munis, all significant payments issued with respect to which the Risk Manager's approval or the former Treasurer's approval would have been required, and verify that the corresponding approvals were documented in the system.
   Status: PENDING
   Management Response: The necessary workflow analysis and modification in Munis is anticipated to be completed by June 2017. The IT resources required to implement this recommendation are currently supporting the Munis HR/Payroll project implementation, which is scheduled to go live in May 2017.
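Items 17, 27, 29, 31, 40 and 41 state approval rules precise enough to check mechanically over an invoice extract, which is also the kind of continuous data assurance pass that item 42 later calls for. The Python below is an added example written for this page; it is not Munis workflow configuration and not BDO's or the City's tooling. The dollar thresholds, the 40 to 55 approval-level range, the debt-service exception and the cost center "0000" catch-all come from the items above; the record layout, role strings, user names and sample invoices are constructed assumptions.

```python
"""Approval-rule checks over an A/P invoice extract: an added example, not
Munis workflow code and not BDO's or the City's own tooling. Thresholds,
approval levels and roles come from items 17, 19, 27, 29, 31, 40 and 41;
the record layout, role names and sample invoices are constructed here."""
from dataclasses import dataclass
from decimal import Decimal

CITY_MANAGER_THRESHOLD = Decimal("1000000")   # items 27 and 29
TWO_APPROVER_THRESHOLD = Decimal("500000")    # item 31
APPROVAL_LEVELS = range(40, 56)               # levels 40 to 55 inclusive (item 31)
DEBT_SERVICE_APPROVERS = {"CFO", "Deputy Finance Director", "Assistant Finance Director"}
CATCH_ALL_COST_CENTER = "0000"                # item 19


@dataclass
class Approval:
    user: str
    role: str    # assumed role strings, e.g. "A/P Clerk", "City Manager"
    level: int


@dataclass
class Invoice:
    number: str
    amount: Decimal
    entered_by: str
    cost_center: str
    approvals: list
    debt_service: bool = False


def is_ap_staff(role):
    return role.startswith("A/P")


def check_invoice(inv):
    """Return the list of control violations for one invoice (empty = clean)."""
    findings = []
    # Item 17: whoever entered the invoice may not also approve it
    if inv.entered_by in {a.user for a in inv.approvals}:
        findings.append("entered and approved by the same employee")
    # Items 40/41: A/P staff hold no approval rights, level 50 included
    for a in inv.approvals:
        if is_ap_staff(a.role):
            findings.append(f"level {a.level} approval by A/P employee {a.user}")
    # Item 31: over $500,000 needs two distinct non-A/P approvers at levels 40-55
    if inv.amount > TWO_APPROVER_THRESHOLD:
        mid = {a.user for a in inv.approvals
               if a.level in APPROVAL_LEVELS and not is_ap_staff(a.role)}
        if len(mid) < 2:
            findings.append("over $500,000 without two level 40-55 approvals")
    # Items 27/29: over $1,000,000 needs the City Manager, except debt service,
    # which the CFO, Deputy Finance Director or Assistant Finance Director approves
    if inv.amount > CITY_MANAGER_THRESHOLD:
        roles = {a.role for a in inv.approvals}
        if inv.debt_service:
            if not roles & DEBT_SERVICE_APPROVERS:
                findings.append("debt service over $1,000,000 without CFO/DFD/AFD approval")
        elif "City Manager" not in roles:
            findings.append("over $1,000,000 without City Manager approval")
    # Item 19: cost center 0000 is routed through the catch-all workflow; surface it
    if inv.cost_center == CATCH_ALL_COST_CENTER:
        findings.append("cost center 0000: confirm approval came from outside A/P")
    return findings


def check_batch(invoices):
    """Map invoice number -> findings, only for invoices that have any."""
    return {inv.number: f for inv in invoices if (f := check_invoice(inv))}


# --- constructed sample batch (not real City data) ---
SAMPLE_BATCH = [
    Invoice("INV-1001", Decimal("12500"), "jdoe", "1234",
            [Approval("mlee", "Public Works Director", 50)]),
    Invoice("INV-1002", Decimal("750000"), "jdoe", "1234",
            [Approval("mlee", "Public Works Director", 50)]),
    Invoice("INV-1003", Decimal("2400000"), "jdoe", "1234",
            [Approval("mlee", "Public Works Director", 50),
             Approval("rkim", "Deputy Finance Director", 55)]),
    Invoice("INV-1004", Decimal("2400000"), "jdoe", "9001",
            [Approval("rkim", "Deputy Finance Director", 55),
             Approval("tsmith", "CFO", 55)], debt_service=True),
    Invoice("INV-1005", Decimal("9800"), "jdoe", "0000",
            [Approval("jdoe", "A/P Clerk", 50)]),
]


def run_sample():
    return check_batch(SAMPLE_BATCH)


if __name__ == "__main__":
    for number, findings in run_sample().items():
        for f in findings:
            print(f"{number}: {f}")
```

Running it flags the $750,000 invoice with a single level-50 approver, the $2.4 million non-debt invoice that never reached the City Manager, and the small invoice that the same A/P clerk entered and approved under cost center 0000; the debt-service invoice approved by the CFO and Deputy Finance Director passes. The Risk Manager / Treasurer rule of item 33 is deliberately not modelled, because the items above do not state the criteria that make those approvals "necessary"; add it to check_invoice once the workflow analysis defines them.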
33 Recommendation: Munis should be modified so as not allow payments to be issued when the approval of the Risk Manager or Treasurer is deemed necessary but not received. PENDING Management Response: The necessary workflow analysis and modification in Munis is anticipated to be completed by June 2017. The IT resources required to implement this recommendation are currently supporting the Munis: HR/Payroll project implementation which is scheduled to go-live in May 2017. 34 Recommendation: The new CFO should contact IT and clarify that only he can authorize IT to grant recordkeeping rights back to the Deputy Finance Director. COMPLETE Management Response: The IT department was informed that only the CFO can authorize IT to grant recordkeeping rights back to the Deputy Finance Director in March 2017. 35 Recommendation: The Treasurer, assuming that s/he is not included as an authorized signer and does not have recordkeeping rights, should review all wire transfers on a daily basis. COMPLETE Management Response: The Daily Bank Debits Review Process implemented in February 2017 requires the daily review of debits on a daily basis by the Treasury Manager. The Treasury Manager is not an authorized signer and does not have recordkeeping rights. 36 Recommendation: The City should negotiate with SunTrust a requirement to have at least two authorized signers signed the Ancillary Implementation Agreement in order to request a PIN for a determined person. COMPLETE Management Response: The City has consulted with the bank and put in place a requirement to have at least two authorized singers to request a PIN for a determined person in May 2017 . 37 Recommendation: The City should establish a dual administration setup that would require two system administrators to create and remove users in SunTrust Online Treasury Manager. 
COMPLETE Management Response: Dual administration setup was established in May 2017 to require two system administrators to create and remove users in SunTrust Online Treasury Manager. Attachment A - Summary of BDO Recommendations and Management Responses 38 Recommendation: An employee independent of IT and with no rights to request or make changes to the approval queues should be responsible for reviewing an audit trail with the history of approval queue activity to verify whether changes to the invoice approval queues are authorized. IN PROGRESS Management Response: IT has generated a report for Internal Audit to review the audit trail with the history of approval queue activity to verify whether changes to the invoice approval queues are authorized. Internal Audit will create a process to review the audit trails on a semi-annual basis by August 2017. 39 Recommendation: The City should complete SunTrust Wire Transfer – Schedule G – Amendment to Callback Security Procedures that will require SunTrust to call back for verification for all phone-in wires. COMPLETE Management Response: The City worked with SunTrust Bank to implement Schedule G callback security procedures. This change was completed in May 2017. 40 Recommendation: Accounts Payable employees should have their invoice approval rights removed, except for approval level 3, which is only a cursory review of the invoice entry. COMPLETE Management Response: Effective April 2017, all accounts payable employee approvals, including level 3, have been removed in the system. 41 Recommendation: Management should research and review all significant payments made since Munis’ implementation that show that an approval level of 50 was made by an A/P employee, but where the nature of the invoice paid would have required that the approval level of 50 be made by an employee outside of the A/P division. 
PENDING Management Response: All significant payments since Munis’ implementation will be researched and reviewed by the CFO by July 2017, to verify that proper approval has been documented in the system. 42 Recommendation: The Internal Audit Department should adopt a continuous auditing approach of the City payment processing. This continuous auditing approach should consist of continuous data assurance (CDA), continuous controls monitoring (CCM) and continuous risk monitoring and assessment (CRMA). CDA insures the integrity of data flowing through the accounting system. CDA uses software to extract data from the accounting system for data analysis of transactions in order to identify deviations from predetermined benchmarks. CMM uses also software that monitors access control and authorizations and system configurations of the accounting system. CRMA is a real -time integrated risk approach that measures risk factors on a continuing basis, integrates various risk scenarios into quantitative models, and provides inputs for audit planning. IN PROGRESS Management Response: The City recognizes the benefits of a continuous audit approach of the City’s payment process. The Internal Audit Division is planning on performing a citywide risk assessment later this fiscal year to coincide with the implementation of a new audit management software system in August 2017. Consideration will be given to the capability of applying a continuous audit approach to include continuous data assurance (CDA), continuous control monitoring (CCM) and continuous risk monitoring and assessment (CRMA). In the interim, Internal Audit has been continuously reviewing the Finance Department’s daily a nalysis of the general Attachment A - Summary of BDO Recommendations and Management Responses depository account to help ensure that all items represent approved transactions. 
Any items designated as in need of additional research initially by Finance staff are followed up on to verify that they are sufficiently and timely resolved. This practice was instituted in December 2016 and has continued to date. Internal Audit is confirming that Finance Department staff is timely reconciling all City identified bank accounts each month. Results are submitted monthly to Finance Department management for follow-up. 43 Recommendation: Alternatively, if a continuous auditing approach is not adopted, the City should hire an independent external auditor to conduct an audit of the City payment processing at least every year and formally established a process for the assessment of control risk and residual risk. IN PROGRESS Management Response: The City is planning to implement a continuous auditing approach as outlined in previous recommendation. If this cannot be accomplished, the Internal Audit division will conduct an audit on the City payment process on a semi-annual basis. 44 Recommendation: The City should re-evaluate the requirements for temporary staffing companies relating to background investigations that the temporary agency conducts on its employees, to ensure that City approved temporary staffing companies conduct background investigations on their employees that at a minimum identify criminal arrests, convictions, and completed reference checks. COMPLETE Management Response: The City’s Human Resources department conducts its own criminal background checks on all temporary employees including those obtained through third party employment agencies. 45 Recommendation: The City should develop a documented plan of action to address staffing losses and staffing deficiencies in the Finance Department. 
The plan of action should include an assessment of staffing losses in critical leadership positions as well as losses in key staffing positions where there is a direct impact on meeting the timeline and execution requirements of internal controls, policies and procedures established to mitigate fraud.
Status: IN PROGRESS
Management Response: The key vacancies in the Finance Department have been filled as of May 17, 2017. Key positions such as the CFO and Treasury Manager were filled in February 2017. Two new positions to address bank reconciliations and treasury operations were filled in March 2017. The remaining two vacancies are anticipated to be filled by the end of June 2017. A plan of action to assess staffing losses in critical leadership positions will be incorporated into the minimum staffing model in the following response.

46 Recommendation: The City should determine a minimum staffing model that is required in the Finance Department to meet the risk appetite of the City.
Status: IN PROGRESS
Management Response: A minimum staffing model required in the Finance Department is under development. The model will include an assessment of staffing losses in critical leadership positions as well as losses in key staffing positions where there is a direct impact on meeting the timeline and execution requirements of internal controls, policies and procedures established to mitigate fraud. The model is anticipated to be completed by July 2017.

47 Recommendation: The City should develop a procedural requirement that staffing in the Finance Department be examined and evaluated by internal audit or through an external independent examination periodically and at least annually.
Status: PENDING
Management Response: Following the development of the minimum staffing model for the Finance Department, it will be reviewed by Internal Audit by August 2017.
Thereafter, the model will be reviewed on a regular basis as part of the annual audit plan.

48 Recommendation: Background checks should be periodically performed on all current employees within the Finance Department.
Status: PENDING
Management Response: The Finance department will work with Human Resources to develop guidelines for periodic background checks of current employees. The guidelines and first round of background checks are anticipated to be completed by August 2017.

49 Recommendation: The City should implement a whistleblower program, managed by an independent office or officer, or alternatively by a special commission consisting of the Internal Auditor, the Director of HR and City attorney.
Status: COMPLETE: COMPENSATION CONTROL ESTABLISHED
Management Response: The City has three different ways for employees or citizens to report fraud or ethics violations. The City chooses to leverage the FBI corruption hotline instead of an internal ethics hotline because it offers a potential whistleblower greater protection from an independent law enforcement agency. Whistleblowers can use the FBI corruption hotline (754-703-2000 option 4), which is currently advertised on the City's website and Miami Beach Television station (MBTV). The City currently has a police officer assigned to the FBI public corruption investigation task force. In addition, the Miami-Dade County Office of the Inspector General has a "Report Fraud" phone number at 305-579-2593. Finally, unethical conduct can be reported to the Miami-Dade County Commission on Ethics & Public Trust, which provides assistance in identifying unethical conduct and other forms of public corruption in Miami-Dade County and all 34 Municipalities. Employees and citizens can report suspected wrongdoing to the Ethics Commission by contacting the 24-hour hotline at 786-314-9560.
50 Recommendation: The whistleblower program should be available 24 hours a day, 7 days a week, with a toll-free phone number hotline, fax number and a web page that would enable an employee or a third party to anonymously report a complaint or tip about fraud, corruption, waste and/or abuse by the City’s employees and officers. All complaints or tips should be evaluated and investigated promptly, and the result of the investigation should be documented and reported to the City Manager, Mayor and Commission. Documentation should be maintained that clearly indicates the date of the complaint, the whistleblower’s name or whether the person reporting the complaint chose to remain anonymous, the matter of the complaint, the date of resolution of the complaint, how the complaint was resolved, and the date the City Manager, Mayor and Commissioners were informed about the complaint and resolution.
Status: COMPLETE: COMPENSATION CONTROL ESTABLISHED
Management Response: The FBI, the Miami-Dade County Office of the Inspector General, and the Miami-Dade County Commission on Ethics & Public Trust separately evaluate and investigate calls, and maintain their own documentation. Any valid complaints are communicated to the City Manager, Mayor and Commission.

51 Recommendation: The City should consider reviewing and revising, as necessary, its ethics and compliance policies and procedures to make sure employees are aware of the whistleblower hotline and program, and are encouraged to utilize the program to report allegations of wrongdoing. The City should encourage the use of internal reporting mechanisms, emphasizing the anonymity and confidentiality of those systems to its employees through various communication channels such as organization-wide meetings, training sessions, emails, posters in public areas and/or wallet cards.
In addition, the City should ensure that the whistleblower program and related policy is included in the City’s employee handbook.
Status: COMPLETE: COMPENSATION CONTROL ESTABLISHED
Management Response: The City’s whistleblower information is advertised to employees and citizens through various media including bi-weekly E-Newsletters, Miami Beach Television, MB (the Miami Beach magazine), the Employee Handbook, and the City’s website. The City offers two mandatory employee training classes, on Ethics and on Ethics Regulation, to all employees. The Ethics training class has been available since 2004, and the Ethics Regulation class, developed by the Miami-Dade Commission on Ethics and Public Trust, has been available since 2013. In March 2017, the City received the results from the Miami-Dade Commission on Ethics and Public Trust survey administered to City employees in December 2016 as a follow-up to an ethics training program provided by Ethics Commission staff in 2013. 81 percent of employees felt Miami Beach government was “ethical” in 2016, compared to 65 percent during the 2013 survey, a 25 percent increase over three years. Meanwhile, 77 percent of employees said they felt enough safeguards had been implemented by management to prevent corruption in the workplace, up significantly from 60 percent in 2013. Additionally, 80 percent said it was easier to “blow the whistle” on corrupt activity, compared to 64 percent in 2013. They also felt better about reporting bad behavior: in response to a question about fear of retaliation for whistleblowers, 67 percent of employees in the most recent survey felt adequate protections exist, compared to just 33 percent in 2013.

52 Recommendation: Customer Service should develop and implement a procedure for documenting, filing, and tracking complaints received from customers (e.g., payments of utilities).
Status: IN PROGRESS
Management Response: The City currently has a manual process where complaint calls are forwarded through emails to the appropriate department personnel for a response. In May 2017, an item will be brought to City Commission for approval of a new automated call distribution (ACD) system. The new ACD system will document, file and track customer complaints while giving the City enhanced reporting capabilities. Enhanced functionality includes: Skill-based routing; Predictive routing; Multi-location and at-home agent capabilities; Inbound/Outbound call blending; Automatic call back; Supervisor Monitor/Coach/Barge; Call Recording with limited archiving; Email, Chat and Voice interaction capabilities; and Audio redaction of credit card information for PCI compliance. The new ACD system is anticipated to be operational by July 2017. The City also receives complaints through the eGov application, which is a free, simple and real-time platform that connects citizens and businesses directly with the City for submitting requests and complaints. Requests and complaints are independently logged, forwarded to the appropriate department and monitored for follow-up.

53 Recommendation: Customer Service should report statistics to the City Manager about customer complaints, such as the number of customer complaints opened during the quarter, number of complaints closed during the quarter, number of complaints outstanding, and topics of complaints.
Status: IN PROGRESS
Management Response: The new automated call distribution (ACD) system that will be brought to City Commission for approval in May 2017 will provide a diverse range of reporting options allowing Management to quickly and easily monitor Call-Center performance, while optimizing services and performance levels. Reporting capabilities will allow the City to closely track real-time management metrics with customizable dashboards monitoring customer complaint statuses.
Enhanced functionality includes: View data in charts, graphs or raw data grids; Drill down into report data for more detailed analytics; Create, save and schedule custom reports; Track real-time metrics with dashboards; Report on industry-standard metric calculations; Export raw Call-Center analytics data for further refinement; and Pre-built reports and ad-hoc reports. The new ACD system is anticipated to be operational by July 2017. The eGov application has detailed reporting capabilities with tools for viewing and reporting requests and complaints using various different criteria. Detailed analytics are available in pre-built and ad-hoc reports.

54 Recommendation: Payroll Processor’s custody of assets (control over cash) rights in SunTrust should be revoked.
Status: COMPLETE
Management Response: Rights to custody of assets were revoked in April 2017.

55 Recommendation: Payroll Processor’s rights to create a new employee or change employee information in Eden should be revoked.
Status: COMPLETE
Management Response: The City will be converting to Munis in May 2017. The Payroll Processor’s rights to create a new employee or change employee information in Munis were removed in May 2017.

56 Recommendation: The Payroll Processor should not be permitted to perform the two levels of approval of the payroll process that is required in Eden.
Status: COMPLETE
Management Response: The City will be converting to Munis: HR/Payroll in May 2017. With the implementation of Munis, the Payroll Processor will not be able to perform two levels of approval.

57 Recommendation: Checks printed with signatures of the authorized signers should be handled exclusively by the Treasurer for mailing and distribution purposes, assuming s/he has no recordkeeping rights.
Status: COMPLETE
Management Response: Beginning in May 2017, checks will be mailed out by the Treasury Manager, Accounts Payable Supervisor, or Accounting Manager.
These positions do not have recordkeeping rights.

58 Recommendation: Throughout our fraud risk assessment of the City’s Treasury and ACH disbursements process, BDO identified potential vulnerabilities in other departments and functions of the City. In order for the City to fully understand, identify, assess and evaluate its overall fraud risk, BDO recommends that an overall City wide fraud risk assessment be conducted and mitigating internal controls, procedures, and policies be documented and implemented.
Status: IN PROGRESS
Management Response: Internal Audit is currently preparing a scope of work in order to solicit proposals, by August 2017, from an outside firm to conduct an overall citywide fraud risk assessment. With input from the Audit Committee, Internal Audit’s annual audit plan will be modified to reflect the results of the risk assessment to properly prioritize risk areas.

59 Recommend that a dollar amount limit be set with regards to the Deputy Finance Director’s PIN wire approval and wire initiation limits.
Status: COMPLETE
Management Response: The City has set a limit on how much each authorized individual can approve or initiate, including the CFO and Deputy Finance Director. As an additional control, each wire requires dual approval.

60 We recommend that the duplicate user profile be deleted from SunTrust On-line for the Revenue Manager.
Status: COMPLETE
Management Response: The duplicate user profile was deleted from SunTrust On-line for the Revenue Manager in April 2017.

Attachment B - Crowe Horwath Recommendations and Management Responses
# RECOMMENDATION / MANAGEMENT RESPONSE / STATUS

1 Recommendation: The City should implement a policy requiring bank accounts to be reconciled within 30 days of the bank statement date and that copies of the bank reconciliations be forwarded to the appropriate manager for review on a timely basis. The appropriate manager should review the work of the subordinates to ensure that it is being performed in a timely manner.
Instituting a time deadline and requiring supervisory review should speed up the reconciliation of bank accounts and identify any discrepancies that might occur.
Status: COMPLETE: COMPENSATION CONTROL ESTABLISHED
Management Response: The existing bank reconciliation procedure was updated in April 2017. The procedure states that bank reconciliations shall be completed within 30 days from the close of the books for the month, which is typically 10 to 15 days after the bank statement date. To address timelines for completion, at the beginning of each fiscal year, a monthly closing memorandum is prepared by the Finance Department and distributed to all Finance staff. The memorandum includes the dates for recording all transactions into the City’s financial system. Adherence to the closing dates on the memorandum will meet this recommendation. The CFO has re-distributed the closing memo to staff to reiterate the importance of correcting differences by the closing dates. In addition, the Deputy Finance Director (DFD) has started monthly meetings to ensure that the underlying issues causing reconciling items are addressed. The DFD will follow up on items not clearing in a timely manner.

2 Recommendation: Management has not developed and implemented procedures to perform a periodic review (quarterly) of the financially significant databases to ensure that access levels of users remain commensurate with job responsibilities. Such a review should capture changes to application security and functionality as a result of new updates, organizational changes that result from departmental role adjustments, and errors and omissions in the current user administration process. These reviews should be documented and conducted by an individual independent of the administrative functions on the application. If this is not possible, management should have two individuals conduct the review.
Status: PENDING
Management Response: Management will develop and implement procedures to perform a periodic review (quarterly) of the financially significant databases to ensure that access levels of users remain commensurate with job responsibilities. Such a review will capture changes to application security and functionality as a result of new updates, organizational changes that result from departmental role adjustments, and errors and omissions in the current user administration process. These reviews will be documented and conducted by an individual independent of the administrative functions on the application. If this is not possible, management will have two individuals conduct the review.

3 Recommendation: We recommend that terminated users be removed from the system within forty-eight (48) hours from termination in order to avoid unauthorized activity.
Status: COMPLETE
Management Response: As of April 2017, terminated users are removed from the system by the IT department within forty-eight (48) hours from termination in order to avoid unauthorized activity.

Attachment C - SunTrust Bank Treasury Process Review

© 2016 SunTrust Banks, Inc. SunTrust is a federally registered trademark of SunTrust Banks, Inc.

TREASURY PROCESS REVIEW FOR: May 16th, 2017

PROCESS REVIEW FOCUS

Areas Observed

Accounts Payable
• Share best practices on automating payments and positive pay.
• Provide strategies around manual processes.

Reconciliation
• Evaluate the reconciliation of account statement and help to easily identify incoming items/cash.
• Provide best practices to The City of Miami Beach in utilizing ALL data available to them, from SunTrust, in the reconciliation process.

Fraud
• Provide best practices on fraud protection and evaluate if The City of Miami Beach is utilizing all fraud protection tools.
• Evaluate standard operating procedures, payment and approval policies, and appropriate administrative rights.

Revenue
• Accounts Receivable
• Cashiering

[Diagram of the areas observed: Revenue (Accounts Receivable, Cashiering), Accounts Payable, Reconciliation, Treasury]

MEASURE & REPORT: SAMPLE SCORECARD*

Measurement Category | High | Medium | Low

Payments
# Approvers: Wire/ACH – free form | 2 | 1 | 0
# Approvers: Wire/ACH payments – templates | 1 | N/A | 0
# Approvers: Positive Pay exception items | 1 | N/A | 0
# Approvers: Add issue records online | 1 | N/A | 0
# Approvers: Change template routing instructions | 1 | N/A | 0
# of times payments are keyed (e.g., accounting system, bank online platform, etc.) | 1 | 2 | 3
Use Bank-defined wire templates | Yes | N/A | No
Use Universal Payment Identification Code (UPIC) for ACH incoming payments | Yes | N/A | No
Import payments files (rather than key) | All payments imported or uploaded | Most payments imported but some manual keying | Not using import. Key all payments.
Payment Limits, Account Limits, User Limits | Set approval limits at the user level, by template, account or by transaction type | Transaction Type Only | Not using
ACH Fraud Control | Actively using | Debit Blocks Only | Not using
Check Positive Pay | All accounts | Some accounts | Not using
Dedicated disbursement and receivables accounts | All accounts | Some accounts | Not using

Operations
Frequency for review or reconcilement of accounts | Daily | Weekly | Monthly
Auto reconciliation of accounts | Full | Partial | Manual
Dedicated computer for online banking | Online banking only | Controls for URLs | All

Administration
Segregation of duties | Admin function only | Admin can also initiate payments | Admin can initiate and approve payments
Review of audit and admin reports | Weekly | Monthly | Never
Delete or inactivate user IDs | As users leave | Monthly | Never

04/2017
*This is for illustrative purposes only. Gray shading reflects observations made on April 4th & 5th, against researched Industry trends.

Top Future State Considerations**

Formal Training:
• Document current and future Standard Operating Procedures (i.e. OTM/SunView/overall procedures)
• Engage training department for specific needs of staff as well as future needs/retraining of all users
• Utilize quick reference guides bank has available to all users

Reconciliation:
• Have statements pushed out via Online Courier w/ SunTrust logo to your computer
• Automate reporting via BAI or custom export (i.e. set up report favorites in OTM, commonly used BAI Codes, expand various reports type in OLC)
• Commercial Card Data (Data Analysis) pushed out

Cashiering office:
• Move armored car pickup time (after 11am), or change hours of employee
• Automate deposit processing - (Intelligent Safe, Daily Provisional Credit) Phase 2

Revenue:
• Merchant Detail - Receive enhanced soft descriptor or transaction identifier, reduce number of merchant vendors to have consistency and streamlined reports
• Online Payment Acceptance Processing - tied with the bank to have funds credited to your deposit account within 24-48 hours, utilize PCI Compliance web based assessments

Payables:
• Electronic Invoice Imaging & E-Procurement (i.e. fully automated workflow process for invoices, fix Munis dashboard status concerns, reinforce PO/Invoice issues with all departments, use of OCR electronic imaging vs. keying)
• Revisit Epayables (Card), Check process – Card, Check, Wire/ACH
• Automated payment processing - Transmit automated integrated payments files, which can include Card, Check, and Wires/ACH, check issuance instructions, and positive pay file

NEXT STEPS
Please see original presentation for specific mapped out details.

** The observations contained in this presentation with regard to suggested changes must be confirmed by COMB with the cash management, and technical, and security experts at COMB. The ideas and recommendations proposed by STB are based on limited observations and should be vetted with those COMB resources before COMB decides to act on any of these recommendations. STB will be happy to engage with those subject matter experts at COMB and put them in contact with our own similar experts if needed prior to moving forward on any of the ideas contained in this presentation.
Top Future State Considerations**

Fraud & Metrics
• Incorporate fraud best practices on all accounts
• Measure & Reporting: Sample Scorecard
• Metrics - Establish metrics at all levels (i.e. establish team goal, identify gaps when they occur), Sample KPIs in AP (i.e. Days Payable Outstanding, invoice processing speed, productivity per team/individual, PO matching speed, error rates, missed discounts, late fees), Post and have everyone engaged (Visual)

THE CITY OF MIAMI BEACH
TREASURY AND ACH DISBURSEMENTS INDEPENDENT FRAUD RISK ASSESSMENT
MAY 17, 2017
ATTACHMENT D

Table of Contents
I. EXECUTIVE SUMMARY ... 1
I. SCOPE AND METHODOLOGY ... 20
II. LIMITATION ON DOCUMENTATION PROVIDED TO BDO ... 23
III. DETAILED FINDINGS AND RECOMMENDATIONS FOR IMPROVING INTERNAL CONTROLS ... 23
IV. MUNIS FINANCIAL SOLUTIONS ACCOUNTING SYSTEM – BACKGROUND ... 44
V. ACCOUNTS PAYABLE, ACH DISBURSEMENTS AND WIRE TRANSFERS ... 47
VI. ACCESS CONTROLS, RIGHTS, AND PERMISSIONS ... 58
VII. OTHER RISK MANAGEMENT CONSIDERATIONS ... 68
  A. Permanent Staffing ... 68
  B. Temporary Staffing ... 70
  C. Internal Audit ... 71
  D. Insurance ... 73
  E. Whistleblower Program and Complaint Monitoring ... 75
  F. Payroll ... 78
  G. Check Printing ... 79
  H. The City – Overall Fraud Risk Assessment ... 79
APPENDIX A – LIST OF DOCUMENTS REVIEWED ... 81
APPENDIX B – LIST OF INTERVIEWS CONDUCTED ... 83

I. EXECUTIVE SUMMARY

In December 2016, the City of Miami Beach (the “City”) discovered that approximately $3.6 million was transferred out of the City’s General Depository Account at SunTrust Bank (“SunTrust”) through a series of unauthorized Automated Clearing House (“ACH”) electronic transfers. Third parties obtained the City’s General Depository bank account number and A.B.A. routing number for the account and provided this information to various vendors, representing to such vendors that the provided account and bank information corresponded to the third parties’ own bank account. To collect on outstanding invoice balances, these vendors supplied the banking information to their respective financial institutions, which in turn sent electronic requests to retrieve funds from the City’s General Depository Account at SunTrust. SunTrust processed the requests and debited the City’s General Depository bank account for the electronic transfers of funds (i.e., ACHs) sent to the financial institutions requesting the funds transfers.

The first unauthorized transfer took place on July 11, 2016 and the final unauthorized transfer took place on December 15, 2016. The City, through the Finance Department’s bank reconciliation group, discovered several suspicious transfers, and on December 8, 2016, suspended all ACH debit payments to vendors for goods and services. Immediately thereafter, the City’s Finance Department began researching the suspicious transfers and the impacted accounts of the City. On December 19, 2016, the City Manager was informed of the fraud. After SunTrust was notified of the fraud, a new general depository account was opened and ACH fraud controls were implemented on both accounts to ensure no additional unauthorized ACH transfers related to this fraud could be processed.
The SunTrust general depository account compromised in the fraud remains open, as the City transitions customers to the new account.

As a result, on January 4, 2017, the City engaged BDO Consulting, a division of BDO USA LLP (“BDO”, “we”, “our”), to perform an independent fraud risk assessment of the City’s Treasury and ACH disbursements process. For the purposes of this engagement, “Treasury and ACH disbursements” are defined as the banking and on-line banking functions of the City, primarily as they relate to the General Depository Account and related zero-balance sub-accounts (“ZBA”) at SunTrust. BDO’s report provides an analysis, assessment, and evaluation of the City’s policies, procedures and internal controls designed and implemented to detect, deter and prevent fraud (“fraud controls”) in the Treasury and ACH disbursements process.

In performing BDO’s independent fraud risk assessment, BDO obtained an understanding of the City’s internal controls in place at the time the fraud was detected and the internal controls implemented since such time. We interviewed relevant City and department managers and directors as well as key department employees. We also interviewed representatives from SunTrust responsible for the City’s general depository and ZBA. In addition, BDO analyzed and evaluated the City’s newly implemented written procedures and other protocols not formally documented. We tested numerous components of the Treasury and ACH disbursements process and evaluated various relevant policies, procedures, and internal controls related to the Treasury and ACH disbursement process. BDO considered the results of the procedures performed in developing the City’s overall Treasury and ACH disbursements fraud risk assessment. The procedures performed by BDO and the results of our testing are detailed in the body of the report.
Based on the work performed by BDO through March 1, 2017, the City has taken certain measures and implemented certain procedures to address the recent $3.6 million ACH disbursements fraud and to mitigate the potential for additional loss of City funds through unauthorized ACH transfers from the City’s General Depository Account at SunTrust. Specifically, the City:

• Permanently suspended the use of ACH debits to pay vendors for goods and services through the City’s General Depository Account and ZBA at SunTrust.
• Opened a new general depository account at SunTrust with the intention of transitioning all activity from the existing general depository account used in the fraud to the new account.
• Added numerous ACH fraud controls to both the compromised and the new general depository accounts at SunTrust.
• Established a daily process for determining the validity of debits posted to the SunTrust General Depository Bank Account and the Redevelopment Agency City bank account (“RDA”).
• Instructed the bank reconciliation group to complete the bank reconciliation of the SunTrust General Depository Bank Account and ZBA within 30 days from the end of the month being reconciled, as opposed to the 50 days in effect before the fraud was discovered. In addition, the Deputy Finance Director instructed the divisions within the Finance Department responsible for researching and correcting the differences identified during the bank reconciliation to clear those differences as soon as possible.

However, the measures taken and procedures implemented by the City need to be documented in the form of written operating procedures and supported with modified internal controls, a detailed review and approval process, a structured independent internal audit process and periodic external audits.
In addition, the internal controls, policies, and procedures in effect in the City’s Treasury and ACH disbursements process before the $3.6 million fraud was detected were inadequately documented, inconsistently followed, frequently not reviewed or approved, and not examined through the internal audit process. Further, BDO identified specific areas of fraud risk that require mitigation through the implementation of written operating procedures and additional internal controls. These fraud risk mitigation recommendations are detailed throughout the report.

These fraud mitigation recommendations were shared with the City prior to finalizing this report. On April 24, 2017, BDO provided the City with a table summarizing the recommendations made throughout this report. On April 26, 2017, BDO provided the City with an electronic draft copy of the final report. On April 28, 2017, BDO met with the City to walk through the draft copy of the final report and the recommendations. On May 2, 2017, the City provided its management’s responses to the recommendations provided by BDO. BDO’s recommendations and the corresponding responses from the City’s management are listed below.

1. Recommendation: Employees in charge of approving or rejecting an ACH debit should document the supporting evidence they relied on to determine that the vendor who initiated the ACH debit was legitimate and/or that the amount of the ACH debit was correct.
Management Response: The City no longer makes ACH payments to vendors for goods and services as of December 2016. ACH payments are only approved for merchant services, banking fees, intergovernmental transactions and payroll related withholdings. Several of the foregoing are on a pre-approved list with the bank and do not require approval. Valid ACH debits that are not on the pre-approved list now require dual approval by the City. The City placed dual approval on ACH debits effective March 2017. Any payments are first approved by the Treasury Manager and then by the Deputy Finance Director. Approvals for merchant services fees are made after the fee is checked against an approved merchant list maintained by the Treasury Manager. Approvals for banking fees are made after a comparison to the analysis statement provided by the bank.

2. Recommendation: The City should review the Munis rights, permissions, and authority of all Finance Department personnel to ensure that record-keeping, approval or rejection, adding and removing approved vendors, and other rights, permissions, and authority are appropriate for their respective roles and represent appropriate separation of duties.
Management Response: In March and April, the City reviewed the Munis rights, permissions, and authority of key Finance Department personnel and made the proper changes to reflect the appropriate separation of duties. The remainder of personnel will be reviewed by June 2017. The IT resources required to implement this recommendation are currently supporting the Munis: Human Resources (“HR”) / Payroll project implementation, which is scheduled to go live in May 2017.

3. Recommendation: Positive pay should be added to all ZBA at SunTrust.
Management Response: The City added Check Block to all non-checking ZBA in April 2017, which is a stronger control than Positive Pay. Check Block is a security service for non-checking accounts. With this service, the bank will not process any checks without prior authorization from the City. Positive pay already exists on all checking ZBA. The monthly bank reconciliation, which covers the review of all debits and credits, was completed through March 2017.
4. Recommendation: Employees from the payroll processing division should be copied on the emails sent by the accounts payable supervisor that document the explanations for all debits posted to the General Depository Bank Account, to verify that the payroll ACH debits and wires posted to the General Depository Bank Account actually pertain to the City’s payroll.
Management Response: Beginning in January 2017, the payroll processing division is copied on all such emails.

5. Recommendation: Finance Department personnel should document the steps taken in reviewing suspicious payees and/or amounts identified in the daily report of debits posted to the General Depository Account and RDA. In addition, items that are validated and cleared should be supported with documentation of the steps taken.
Management Response: The Finance Department Daily Bank Debits Review Process (Daily Review) procedure was implemented in February 2017. The procedure documents that the Treasury Manager will document any review or inquiries made for payees or amounts that appear suspicious. The procedure also references how items that are validated and cleared should be supported with documentation.

6. Recommendation: The spreadsheet of pending research items from the daily report of debits should be forwarded to the Internal Audit department every day.
Management Response: The City has restructured the daily review process and a spreadsheet of pending research items from the daily report of debits is no longer necessary. The spreadsheet was part of the temporary action taken by the City to mitigate further losses. In the aftermath of the fraudulent activities and the resignation of the Treasury Manager, the City pulled together available staff from several areas in the Finance Department to put as much oversight as possible on the ACH, banking and disbursement processes. Beginning in February 2017, the City started using a daily debit transaction list which includes all debit transactions, including all checks, wire transfers, ZBA debits, and ACH transactions. All debits are checked and validated in conformance with the procedure and the Treasury Manager sends a copy of the reviewed list to several staff members, including Internal Audit staff. Internal Audit reviews the list, tracks items that are pending further investigation and conducts follow-up of those pending items. Internal Audit keeps a log of items pending follow-up to ensure that all items are resolved within 48 hours.

7. Recommendation: A second review of the explanation for each debit posted to the General Depository Bank Account should be performed by the supervisor of the employee who originally provided the explanation.
Management Response: All debits are reviewed and approved by the City’s management through the workflow approval process before they are recorded on the City’s books. This is considered the first review. A second review is completed in the Daily Bank Debits Review Process (Daily Review), which was implemented in February 2017. In addition, improved segregation of duties and the timely completion of the bank reconciliation are compensating controls to this review.

8. Recommendation: The daily debit review process should be formally documented and written into a standard operating procedure, and the procedure should specify the employees who will act as substitutes in the event that the employees responsible for performing the daily review are absent.
Management Response: The Finance Department’s Daily Bank Debits Review Process (Daily Review) procedure was implemented in February 2017. A Financial Analyst II position is the substitute in the event that the employees responsible for performing the daily review are absent. This new position was added mid-year to facilitate the daily review process and provide for stronger segregation of duties.
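The daily debit review described in the responses to recommendations 1, 3 and 6 (pre-approved ACH originators that need no approval, dual approval by the Treasury Manager and Deputy Finance Director for other allowed ACH categories, the approved merchant list, positive pay on checks, and a 48-hour follow-up log kept by Internal Audit) can be written down as a small rule set. The script below is an added illustration and is not the City's written Daily Review procedure or any BDO or SunTrust code; the originator and merchant lists, the positive pay issue file, the debit records and the exact ordering of the rules are constructed assumptions drawn from the responses above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample reference data for this example only; these are not the
# City's real bank pre-approved originators, merchants or check issue files.
PREAPPROVED_ACH_ORIGINATORS = {"STATE DEPT OF REVENUE", "IRS USATAXPYMT"}
APPROVED_MERCHANT_LIST = {"CARDPROC MERCHANT FEES"}
ALLOWED_ACH_CATEGORIES = {"merchant_services", "banking_fee",
                          "intergovernmental", "payroll_withholding"}
DUAL_APPROVERS = ("Treasury Manager", "Deputy Finance Director")
FOLLOW_UP_WINDOW = timedelta(hours=48)     # Internal Audit's resolution window
REVIEWED_AT = datetime(2017, 2, 6, 9, 0)   # constructed review timestamp


@dataclass
class Debit:
    debit_id: str
    kind: str                        # "ach", "check", "wire" or "zba"
    originator: str                  # originator / payee as shown on the bank list
    amount: float
    category: Optional[str] = None   # ACH only; "vendor_payment" is the suspended kind
    check_no: Optional[str] = None   # checks only
    approvals: Tuple[str, ...] = ()  # approvers already recorded for this debit


def review_debit(d: Debit, positive_pay_issues: Dict[str, float]) -> Tuple[str, str]:
    """Classify one debit as cleared / rejected / needs_dual_approval / pending.

    The rule ordering is an assumption made for this example, not the City's
    procedure text.
    """
    if d.kind == "ach":
        if d.originator in PREAPPROVED_ACH_ORIGINATORS:
            return "cleared", "originator is on the bank's pre-approved list"
        if d.category not in ALLOWED_ACH_CATEGORIES:
            # ACH payments to vendors were suspended in December 2016, so
            # anything outside the four allowed categories is reported, not approved.
            return "rejected", "ACH debit outside the allowed categories"
        if d.category == "merchant_services" and d.originator not in APPROVED_MERCHANT_LIST:
            return "pending", "merchant not on the approved merchant list"
        missing = [a for a in DUAL_APPROVERS if a not in d.approvals]
        if missing:
            return "needs_dual_approval", "missing approval from " + ", ".join(missing)
        return "cleared", "dual approval recorded"
    if d.kind == "check":
        issued = positive_pay_issues.get(d.check_no)
        if issued is None:
            return "pending", "check not in the positive pay issue file"
        if abs(issued - d.amount) >= 0.01:
            return "pending", f"amount differs from issue file ({issued:.2f})"
        return "cleared", "matches positive pay issue file"
    # Wires and ZBA debits need an explanation from the responsible division.
    return "pending", "awaiting explanation from the responsible division"


def review_daily_list(debits: List[Debit], positive_pay_issues: Dict[str, float],
                      reviewed_at: datetime):
    """Review every debit and open a 48-hour follow-up entry for each pending item."""
    results = {}
    follow_up_log = []   # entries: (debit_id, reason, due_by)
    for d in debits:
        status, reason = review_debit(d, positive_pay_issues)
        results[d.debit_id] = (status, reason)
        if status == "pending":
            follow_up_log.append((d.debit_id, reason, reviewed_at + FOLLOW_UP_WINDOW))
    return results, follow_up_log


def overdue_items(follow_up_log, now: datetime):
    """Pending items whose 48-hour resolution window has already passed."""
    return [entry for entry in follow_up_log if entry[2] < now]


# Constructed daily debit list and positive pay issue file (not real transactions).
SAMPLE_DEBITS = [
    Debit("D1", "ach", "STATE DEPT OF REVENUE", 12_400.00, category="intergovernmental"),
    Debit("D2", "ach", "ACME SUPPLY CO", 48_900.00, category="vendor_payment"),
    Debit("D3", "ach", "CARDPROC MERCHANT FEES", 1_250.75, category="merchant_services",
          approvals=("Treasury Manager",)),
    Debit("D4", "ach", "UNKNOWN PROCESSOR LLC", 980.00, category="merchant_services"),
    Debit("D5", "check", "CITY PARKS CONTRACTOR", 15_000.00, check_no="100231"),
    Debit("D6", "check", "CITY PARKS CONTRACTOR", 51_000.00, check_no="100232"),
    Debit("D7", "wire", "BOND TRUSTEE", 2_000_000.00),
]
SAMPLE_ISSUE_FILE = {"100231": 15_000.00, "100232": 15_000.00}

if __name__ == "__main__":
    results, log = review_daily_list(SAMPLE_DEBITS, SAMPLE_ISSUE_FILE, REVIEWED_AT)
    for debit_id, (status, reason) in results.items():
        print(f"{debit_id}: {status:20} {reason}")
    print("overdue after 96h:", [e[0] for e in overdue_items(log, REVIEWED_AT + 2 * FOLLOW_UP_WINDOW)])
```

Two design points matter for a reviewer: an ACH debit that is not pre-approved and not in an allowed category is reported rather than queued for approval, because the City has removed ACH vendor payments entirely, and the positive pay comparison checks the amount, not only the check number, since a reissued check with an altered amount would otherwise clear.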
9. Recommendation: A designated employee from the payroll processing division should be copied on all communications sent by the payroll department that document the explanations for all debits posted to the General Depository Bank Account.
Management Response: The payroll processing division is now copied on the emails, effective February 2017.

10. Recommendation: Each division within the Finance Department should access SunTrust online on a daily basis to review all transactions (debits and credits) posted to their respective bank accounts and record them in the City’s books, if they have not already been recorded, provided that the transactions are valid.
Management Response: Accessing SunTrust online on a daily basis to review all transactions posted is not practical. One of the compensating controls is the Daily Bank Debits Review Process (Daily Review) implemented in February 2017. This process reviews all debits on a daily basis. Cash and checks are checked daily and all other credits are reviewed through the monthly Bank Reconciliation procedure updated in April 2017.

11. Recommendation: The City should establish documented standard operating procedures for the monthly bank reconciliation process. Each step in the monthly bank reconciliation process should be clearly described. A defined period of time for completing each phase of the monthly bank reconciliation should be established, documented, and included in the procedures. Specific timelines for completion should be established for each division within the Finance Department responsible for researching and correcting differences identified during the bank reconciliation process. BDO recommends 30 days to complete the entire process.
Management Response: The existing bank reconciliation procedure was updated in April 2017. To address timelines for completion, at the beginning of each fiscal year a monthly closing memorandum is prepared by the Finance Department and distributed to all Finance staff. The memorandum includes the dates for recording all transactions into the City financial system. Adherence to the closing dates on the memorandum will meet this recommendation. The CFO has re-distributed the closing memo to staff to reiterate the importance of correcting differences by the closing dates. In addition, the Deputy Finance Director (DFD) has started monthly meetings to ensure that the underlying issues causing reconciling items are addressed. The DFD will follow up on items not clearing in a timely manner. The procedure states that bank reconciliations shall be completed within 30 days from the close of the books for the month, which is typically 10 to 15 days after the bank statement date.

12. Recommendation: Escalation procedures should be incorporated into the bank reconciliation process, and researching and reconciling differences should be assigned to employees who were not involved in the division originally assigned the responsibility for explaining the differences.
Management Response: To facilitate timely follow-up, beginning in February 2017 the Deputy Finance Director (DFD) started monthly meetings to ensure that un-cleared items and the underlying issues causing reconciling items are addressed. Items are escalated to the DFD and CFO.

13. Recommendation: The City should re-define and document what constitutes a completed bank reconciliation. A bank reconciliation is complete when the total difference between the bank balance per the bank statement (as adjusted for certain typical reconciling items) and the bank balance per the general ledger has been researched and explained.
Management Response: The City has re-defined what constitutes a completed bank reconciliation. Effective with the February 2017 bank reconciliation, the City revised the process to include distribution of a preliminary reconciliation to staff showing uncleared items. The correspondence includes the date and fiscal period in which each item must be cleared. A final reconciliation with the items cleared, or showing a valid explanation of why an item remains uncleared, is completed and considered the completed bank reconciliation. In addition, monthly meetings have been implemented to ensure that the underlying issues causing reconciling items are addressed.

14. Recommendation: Each division within the Finance Department responsible for researching and correcting items identified in the bank reconciliation process should inform the bank reconciliation group in a documented fashion. The bank reconciliation group should, in turn, document the explanations and dates of corrections in the bank reconciliation and follow up with the responsible division on all unresolved differences.
Management Response: Since February 2017, the documentation of bank reconciliation items has improved markedly due to the addition of key positions that were previously vacant, such as the Treasury Manager. A new Financial Analyst I position in the bank reconciliation group was added in March 2017 that facilitates timely research and communication throughout the department. In addition, the Deputy Finance Director has started monthly meetings that facilitate communication across divisions to ensure that issues causing reconciling items are addressed. Since these changes were made, there have been substantially fewer bank reconciliation items.

15. Recommendation: Employees who prepare bank reconciliations should have their recordkeeping rights cancelled, or a compensating control, such as independent management review of the reconciliation, should be implemented.
Management Response: Record keeping rights for several bank reconciliation employees were removed in April 2017. As a compensating control, the City’s Internal Audit independently reviews all bank reconciliations monthly for timely completion.
16. Recommendation: Bank reconciliations should identify and document the employee(s) who review(s) them.
Management Response: The Bank Reconciliation procedure updated in April 2017 states that bank reconciliations are signed by the preparer and reviewed, signed and dated by a supervisor, manager, or Deputy Director. The reconciliation is maintained on file for subsequent reviews and audits.

17. Recommendation: Munis should be modified to prevent the same accounts payable (A/P) employee from both entering an invoice and approving it. Alternatively, we recommend that the A/P employee who posts the batch of final approved invoices print a report showing the A/P employee who entered each invoice and the A/P employee who approved the entry before the batch is posted, to ensure that the same employee did not both enter and approve the invoice in A/P. In situations where the same A/P employee entered and approved the invoice, the employee who posts the batch should review the invoice entry before posting the batch.
Management Response: The accounts payable workflow process was modified in April 2017 to remove all accounts payable staff from the approval process. Accounts payable staff enters invoices into the workflow process and releases them for approval by managers across City departments. The City will continuously review the workflow process to ensure proper segregation of duties and controls.

18. Recommendation: Employees who process invoices in Munis should be prevented from entering new vendors or changing existing vendor information in the vendor master file.
Management Response: Effective April 2017, the creation of new vendors and the modification of existing vendors for goods and services will be handled by the Procurement department.

19. Recommendation: City management should research all vendors with an associated general ledger account with cost center “0000” and change the general ledger account so that it includes the correct cost center.
Management Response: The City is in the process of reviewing general ledger accounts and working with Tyler-Munis to correct the cost centers. While under review, the City has created a catch-all workflow to monitor proper approval of the “0000” cost center. This process will be completed by July 2017.

20. Recommendation: The CFO should print a report of general ledger accounts with cost center “0000” and determine whether all payments posted to those accounts since Munis was implemented were approved by employees outside the A/P department in accordance with the Workflow Business Rules maintained by IT.
Management Response: The City is in the process of reviewing and recoding general ledger accounts with cost center “0000” to reflect the proper workflows. This process will be completed by June 2017. The IT resources required to implement this recommendation are currently supporting the Munis: HR/Payroll project implementation, which is scheduled to go live in May 2017.

21. Recommendation: The City should transmit or upload the ACH disbursement file (if and when ACH payments to vendors for goods and services are resumed) and the check register file from Munis to SunTrust without the files being subject to the possibility of manipulation.
Management Response: The City will work with the bank and the software vendor to determine whether a compatible file can be obtained that does not require manual adjustment. This item will be completed by June 2017.

22. Recommendation: An employee independent of accounts payable processing and with no recordkeeping rights should be in charge of uploading or transmitting the ACH disbursement and check register files to SunTrust, while the Acting A/P Supervisor as well as other employees in A/P should have their rights to upload the files to SunTrust revoked.
Management Response: Effective April 2017, employees independent of accounts payable processing and with no recordkeeping rights are tasked with uploading the ACH and check positive pay files to SunTrust Bank. The SunTrust rights of staff processing accounts payable were also removed in May 2017.

23. Recommendation: All passwords should require a combination of special characters, numbers, upper case letters and lower case letters and be changed periodically (at least every three months).
Management Response: The City went live with Managed File Transfer (“MFT”) in March 2017. MFT is an internet-based service that provides us the ability to transmit or receive data files to/from SunTrust Bank using a Web browser. It mitigates fraud and risk exposure while improving efficiency. SunTrust assigns mailboxes in the Managed File Transfer Portal. The mailbox is the collection point for all files to and from SunTrust. Each employee has a unique mailbox and password. Original passwords are created by SunTrust and each employee subsequently changed their password. Passwords are twelve characters long and alphanumeric.

24. Recommendation: Employees independent of Accounts Payable processing and with no recordkeeping rights should be charged with downloading the original ACH disbursement and check register files from Munis and uploading or transmitting these files to SunTrust without being able to modify them. Once these files have been uploaded, the A/P employee who issued the ACHs and checks should independently call the 1-800 telephone number to communicate the total amount of the ACH disbursement and check register files.
Management Response: Effective April 2017, employees independent of accounts payable processing and with no recordkeeping rights are in charge of uploading the ACH and check positive pay files to SunTrust Bank. Staff now submits Control Totals via Online ACH Control instead of calling the 1-800 telephone number. The City will work with the bank and the software vendor to obtain a compatible file format that does not require modification. This will be complete in June 2017.

25. Recommendation: Under these circumstances, the employee independent of Accounts Payable processing who uploaded the ACH disbursement and check register files to SunTrust should access SunTrust (Onlinefiletransfer.suntrust.com) the next morning and review any exceptions to ACH disbursements and checks communicated by SunTrust.
Management Response: As indicated above, the City went live with MFT in March 2017. The next morning, the transaction will be reviewed through the SunTrust Bank on-line system by the Accounts Payable Supervisor, who has no recordkeeping rights.

26. Recommendation: The City Manager should review all payments exceeding $1,000,000 made since Munis’ implementation and verify that he approved the expenditure in addition to any other required approval levels.
Management Response: All payments exceeding $1 million not approved by the City Manager or his designee since the implementation of Munis will be reviewed by the City Manager by June 2017. The IT resources required to implement this recommendation are currently supporting the Munis: HR/Payroll project implementation, which is scheduled to go live in May 2017.

27. Recommendation: Munis should be modified so as not to allow significant payments to be issued unless the approvals of at least two different City officers have been documented in the system (see the invoice entry for EFT No. 406106). Further, Munis should be modified so as not to allow payments exceeding $1,000,000 to be issued unless the approval of the City Manager has been documented in the system.
Management Response: The City amended the workflow approval policy to state that the City Manager approves disbursements over $1 million, except for debt service payments (principal, interest, and fees on bonds, loans and notes). These items are approved by the CFO, Deputy Finance Director or Assistant Finance Director. The debt service workflow was revised in April 2017.

28. Recommendation: Munis should be modified so as not to allow payments to be issued unless the A/P employee who approved the entry is documented in the system.
Management Response: Effective April 2017, all accounts payable employee approvals have been removed in the system. The workflow for payments has been streamlined to only require approval by departments.

29. Recommendation: Munis should be modified so as not to permit payments exceeding $1,000,000 to be issued unless the approval of the City Manager has been documented in the system.
Management Response: Effective May 2017, all payments exceeding $1 million must be approved by the City Manager or his designee, except for debt service payments, which are approved by the CFO or Deputy Finance Director.

30. Recommendation: The CFO should review all payments exceeding $500,000 made since Munis’ implementation and verify that at least one other employee’s approval between levels 40 and 55 has been documented in the system in addition to the City Manager’s approval.
Management Response: All payments exceeding $500,000 made since Munis’ implementation will be reviewed by the CFO by June 2017 to verify that at least one other employee’s approval has been documented in the system. The IT resources required to implement this recommendation are currently supporting the Munis: HR/Payroll project implementation, which is scheduled to go live in May 2017.

31. Recommendation: Munis should be modified so as not to allow payments exceeding $500,000 to be issued without the invoice entry approval of at least two employees with approval levels between 40 and 55 documented in the system.
Management Response: The necessary workflow analysis and modification in Munis is anticipated to be completed by June 2017.
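Recommendations 17, 27 through 31 and 40, together with the City's responses, describe a set of invoice approval controls that can be checked mechanically before a batch is posted: the employee who entered an invoice must not approve it, accounts payable staff hold no approval rights, payments over $500,000 need two approvers with levels between 40 and 55, and payments over $1,000,000 need the City Manager (or designee), with debt service instead approved by the CFO, Deputy Finance Director or Assistant Finance Director. The script below is an added example written for this page; it is not Munis functionality, a BDO tool, or the City's workflow. The record layout, the employee and division names, the role strings and the sample batch are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Thresholds, level range and roles as stated in recommendations 27-31 and the
# City's responses; everything else in this file is a constructed assumption.
CITY_MANAGER_THRESHOLD = 1_000_000
DUAL_LEVEL_THRESHOLD = 500_000
LEVEL_RANGE = (40, 55)
CITY_MANAGER_ROLES = {"City Manager", "City Manager Designee"}
DEBT_SERVICE_ROLES = {"CFO", "Deputy Finance Director", "Assistant Finance Director"}


@dataclass(frozen=True)
class Approval:
    employee: str
    division: str   # "A/P" marks accounts payable staff (assumed label)
    level: int      # approval level recorded in the workflow
    role: str       # e.g. "Department Director", "CFO", "City Manager"


@dataclass
class Invoice:
    invoice_id: str
    amount: float
    entered_by: str
    approvals: List[Approval]
    category: str = "goods_services"   # or "debt_service"


def check_invoice(inv: Invoice) -> List[str]:
    """Return the control violations for one invoice; an empty list means it may post."""
    issues: List[str] = []
    approvers = {a.employee for a in inv.approvals}

    # Rec. 17: the employee who entered the invoice must not also approve it.
    if inv.entered_by in approvers:
        issues.append("entered and approved by the same employee")

    # Recs. 28 and 40 (City response): A/P staff no longer hold any approval rights.
    if any(a.division == "A/P" for a in inv.approvals):
        issues.append("approval recorded by accounts payable staff")

    # Rec. 31: over $500,000 requires two distinct approvers with levels 40-55.
    if inv.amount > DUAL_LEVEL_THRESHOLD:
        in_range = {a.employee for a in inv.approvals
                    if LEVEL_RANGE[0] <= a.level <= LEVEL_RANGE[1]}
        if len(in_range) < 2:
            issues.append("fewer than two approvers with level 40-55")

    # Recs. 27/29 and response: over $1,000,000 requires the City Manager or
    # designee, except debt service, which the CFO / Deputy / Assistant approve.
    if inv.amount > CITY_MANAGER_THRESHOLD:
        required = DEBT_SERVICE_ROLES if inv.category == "debt_service" else CITY_MANAGER_ROLES
        if not any(a.role in required for a in inv.approvals):
            issues.append("missing " + " / ".join(sorted(required)) + " approval")
    return issues


def review_batch(invoices: List[Invoice]) -> Dict[str, List[str]]:
    """Map each invoice id to its list of violations (the report of rec. 17)."""
    return {inv.invoice_id: check_invoice(inv) for inv in invoices}


def batch_may_post(invoices: List[Invoice]) -> bool:
    """Hold the whole batch if any invoice in it fails a control."""
    return all(not issues for issues in review_batch(invoices).values())


# Constructed sample batch; names, amounts and ids are invented for this example.
DIRECTOR = Approval("pw.director", "Public Works", 50, "Department Director")
CFO = Approval("cfo", "Finance", 55, "CFO")
DFD = Approval("dfd", "Finance", 50, "Deputy Finance Director")
CITY_MGR = Approval("city.manager", "City Manager's Office", 60, "City Manager")

SAMPLE_BATCH = [
    Invoice("INV-1", 12_000.00, "ap.clerk1", [DIRECTOR]),
    Invoice("INV-2", 12_000.00, "ap.clerk1", [Approval("ap.clerk1", "A/P", 3, "A/P Clerk")]),
    Invoice("INV-3", 750_000.00, "ap.clerk2", [DIRECTOR]),
    Invoice("INV-4", 2_500_000.00, "ap.clerk2", [DIRECTOR, CFO]),
    Invoice("INV-5", 2_500_000.00, "ap.clerk2", [CFO, DFD], category="debt_service"),
    Invoice("INV-6", 2_500_000.00, "ap.clerk2", [DIRECTOR, CFO, CITY_MGR]),
]

if __name__ == "__main__":
    for invoice_id, issues in review_batch(SAMPLE_BATCH).items():
        print(invoice_id, "OK" if not issues else "; ".join(issues))
    print("batch may post:", batch_may_post(SAMPLE_BATCH))
```

The checks are written against the recorded approvals rather than against the employee's configured rights, which is the point of recommendation 17's alternative: even where the workflow configuration is wrong or was changed (recommendation 38), the posted batch carries the evidence of who entered and who approved, and that evidence can be tested before posting.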
The IT resources required to implement this recommendation are currently supporting the Munis: HR/Payroll project implementation, which is scheduled to go live in May 2017.

32. Recommendation: Management should review all significant payments issued since the implementation of Munis for which the Risk Manager’s approval or the former Treasurer’s approval would have been required, and verify that the corresponding approvals were documented in the system.
Management Response: The necessary workflow analysis and modification in Munis is anticipated to be completed by June 2017. The IT resources required to implement this recommendation are currently supporting the Munis: HR/Payroll project implementation, which is scheduled to go live in May 2017.

33. Recommendation: Munis should be modified so as not to allow payments to be issued when the approval of the Risk Manager or Treasurer is deemed necessary but has not been received.
Management Response: The necessary workflow analysis and modification in Munis is anticipated to be completed by June 2017. The IT resources required to implement this recommendation are currently supporting the Munis: HR/Payroll project implementation, which is scheduled to go live in May 2017.

34. Recommendation: The new CFO should contact IT and clarify that only he can authorize IT to grant recordkeeping rights back to the Deputy Finance Director.
Management Response: In March 2017, the IT department was informed that only the CFO can authorize IT to grant recordkeeping rights back to the Deputy Finance Director.

35. Recommendation: The Treasurer, assuming that s/he is not included as an authorized signer and does not have recordkeeping rights, should review all wire transfers on a daily basis.
Management Response: The Daily Bank Debits Review Process implemented in February 2017 requires the daily review of debits by the Treasury Manager. The Treasury Manager is not an authorized signer and does not have recordkeeping rights.

36. Recommendation: The City should negotiate with SunTrust a requirement that at least two authorized signers sign the Ancillary Implementation Agreement in order to request a PIN for a determined person.
Management Response: The City has consulted with the bank and, in May 2017, put in place a requirement to have at least two authorized signers to request a PIN for a determined person.

37. Recommendation: The City should establish a dual administration setup that requires two system administrators to create and remove users in SunTrust Online Treasury Manager.
Management Response: A dual administration setup was established in May 2017 to require two system administrators to create and remove users in SunTrust Online Treasury Manager.

38. Recommendation: An employee independent of IT and with no rights to request or make changes to the approval queues should be responsible for reviewing an audit trail with the history of approval queue activity, to verify whether changes to the invoice approval queues are authorized.
Management Response: IT has generated a report for Internal Audit to review the audit trail with the history of approval queue activity to verify whether changes to the invoice approval queues are authorized. Internal Audit will create a process to review the audit trails on a semi-annual basis by August 2017.

39. Recommendation: The City should complete SunTrust Wire Transfer – Schedule G – Amendment to Callback Security Procedures, which will require SunTrust to call back for verification on all phone-in wires.
Management Response: The City worked with SunTrust Bank to implement the Schedule G callback security procedures. This change was completed in May 2017.

40. Recommendation: Accounts Payable employees should have their invoice approval rights removed, except for approval level 3, which is only a cursory review of the invoice entry.
Management Response: Effective April 2017, all accounts payable employee approvals, including level 3, have been removed in the system.

41. Recommendation: Management should research and review all significant payments made since Munis’ implementation that show a level 50 approval made by an A/P employee where the nature of the invoice paid would have required that the level 50 approval be made by an employee outside of the A/P division.
Management Response: All significant payments since Munis’ implementation will be researched and reviewed by the CFO by July 2017 to verify that proper approval has been documented in the system.

42. Recommendation: The Internal Audit Department should adopt a continuous auditing approach to the City’s payment processing. This continuous auditing approach should consist of continuous data assurance (CDA), continuous controls monitoring (CCM) and continuous risk monitoring and assessment (CRMA). CDA ensures the integrity of data flowing through the accounting system; it uses software to extract data from the accounting system and analyze transactions in order to identify deviations from predetermined benchmarks. CCM also uses software, which monitors access control, authorizations and system configurations of the accounting system. CRMA is a real-time integrated risk approach that measures risk factors on a continuing basis, integrates various risk scenarios into quantitative models, and provides inputs for audit planning.
Management Response: The City recognizes the benefits of a continuous audit approach to the City’s payment process. The Internal Audit Division is planning on performing a citywide risk assessment later this fiscal year to coincide with the implementation of a new audit management software system in August 2017.
Consideration will be given to the capability of applying a continuous audit approach to include continuous data assurance (CDA), continuous control monitoring (CCM) and continuous risk monitoring and assessment (CRMA). In the interim, Internal Audit has been continuously reviewing the Finance Department’s daily analysis of the general depository account to help ensure that all items represent approved transactions. Any items designated as in need of additional research initially by Finance staff are followed up on to verify that they are sufficiently and timely resolved. This practice was instituted in P a g e | 15 December 2016 and has continued to date. Internal Audit is confirming that Finance Department staff is timely reconciling all City identified bank accounts each month. Results are submitted monthly to Finance Department management for follow-up. 43 Recommendation: Alternatively, if a continuous auditing approach is not adopted, the City should hire an independent external auditor to conduct an audit of the City payment processing at least every year and formally established a process for the assessment of control risk and residual risk. Management Response: The City is planning to implement a continuous auditing approach as outlined in previous recommendation. If this cannot be accomplished, the Internal Audit division will conduct an audit on the City payment process on a semi-annual basis. 44 Recommendation: The City should re-evaluate the requirements for temporary staffing companies relating to background investigations that the temporary agency conducts on its employees, to ensure that City approved temporary staffing companies conduct background investigations on their employees that at a minimum identify criminal arrests, convictions, and completed reference checks. 
Management Response: The City’s Human Resources department conducts its own criminal background checks on all temporary employees, including those obtained through third-party employment agencies.

45 Recommendation: The City should develop a documented plan of action to address staffing losses and staffing deficiencies in the Finance Department. The plan of action should include an assessment of staffing losses in critical leadership positions as well as losses in key staffing positions where there is a direct impact on meeting the timeline and execution requirements of internal controls, policies and procedures established to mitigate fraud.
Management Response: The key vacancies in the Finance Department have been filled as of May 17, 2017. Key positions such as the CFO and Treasury Manager were filled in February 2017. Two new positions to address bank reconciliations and treasury operations were filled in March 2017. The remaining two vacancies are anticipated to be filled by the end of June 2017. A plan of action to assess staffing losses in critical leadership positions will be incorporated into the minimum staffing model in the following response.

46 Recommendation: The City should determine a minimum staffing model that is required in the Finance Department to meet the risk appetite of the City.
Management Response: A minimum staffing model required in the Finance Department is under development. The model will include an assessment of staffing losses in critical leadership positions as well as losses in key staffing positions where there is a direct impact on meeting the timeline and execution requirements of internal controls, policies and procedures established to mitigate fraud. The model is anticipated to be completed by July 2017.
47 Recommendation: The City should develop a procedural requirement that staffing in the Finance Department be examined and evaluated by Internal Audit or through an external independent examination periodically and at least annually.
Management Response: Following the development of the minimum staffing model for the Finance Department, it will be reviewed by Internal Audit by August 2017. Thereafter, the model will be reviewed on a regular basis as part of the annual audit plan.

48 Recommendation: Background checks should be periodically performed on all current employees within the Finance Department.
Management Response: The Finance Department will work with Human Resources to develop guidelines for periodic background checks of current employees. The guidelines and first round of background checks are anticipated to be completed by August 2017.

49 Recommendation: The City should implement a whistleblower program, managed by an independent office or officer, or alternatively by a special commission consisting of the Internal Auditor, the Director of HR and the City Attorney.
Management Response: The City has three different ways for employees or citizens to report fraud or ethics violations.
- The City chooses to leverage the FBI corruption hotline instead of an internal ethics hotline because it offers a potential whistleblower greater protection from an independent law enforcement agency. Whistleblowers can use the FBI corruption hotline (754-703-2000, option 4), which is currently advertised on the City's website and Miami Beach Television station (MBTV). The City currently has a police officer assigned to the FBI public corruption investigation task force.
- In addition, the Miami-Dade County Office of the Inspector General has a "Report Fraud" phone number at 305-579-2593.
- Finally, unethical conduct can be reported to the Miami-Dade County Commission on Ethics & Public Trust, which provides assistance in identifying unethical conduct and other forms of public corruption in Miami-Dade County and all 34 municipalities. Employees and citizens can report suspected wrongdoing to the Ethics Commission by contacting the 24-hour hotline at 786-314-9560.

50 Recommendation: The whistleblower program should be available 24 hours a day, 7 days a week, with a toll-free phone number hotline, fax number and a web page that would enable an employee or a third party to anonymously report a complaint or tip about fraud, corruption, waste and/or abuse by the City’s employees and officers. All complaints or tips should be evaluated and investigated promptly, and the result of the investigation should be documented and reported to the City Manager, Mayor and Commission. Documentation should be maintained that clearly indicates the date of the complaint, the whistleblower’s name or whether the person reporting the complaint chose to remain anonymous, the matter of the complaint, the date of resolution of the complaint, how the complaint was resolved, and the date the City Manager, Mayor and Commissioners were informed about the complaint and its resolution.
Management Response: The FBI, the Miami-Dade County Office of the Inspector General, and the Miami-Dade County Commission on Ethics & Public Trust separately evaluate and investigate calls, and maintain their own documentation. Any valid complaints are communicated to the City Manager, Mayor and Commission.

51 Recommendation: The City should consider reviewing and revising, as necessary, its ethics and compliance policies and procedures to make sure employees are aware of the whistleblower hotline and program, and are encouraged to utilize the program to report allegations of wrongdoing.
The City should encourage the use of internal reporting mechanisms, emphasizing the anonymity and confidentiality of those systems to its employees through various communication channels such as organization-wide meetings, training sessions, emails, posters in public areas and/or wallet cards. In addition, the City should ensure that the whistleblower program and related policy are included in the City’s employee handbook.
Management Response: The City’s whistleblower information is advertised to employees and citizens through various media including bi-weekly E-Newsletters, Miami Beach Television, MB the Miami Beach magazine, the Employee Handbook, and the City’s website. The City offers two mandatory employee training classes, on Ethics and on Ethics Regulation, to all employees. The Ethics training class has been available since 2004 and the Ethics Regulation class, developed by the Miami-Dade Commission on Ethics and Public Trust, has been available since 2013. In March 2017, the City received the results from the Miami-Dade Commission on Ethics and Public Trust survey administered to City employees in December 2016 as a follow-up to an ethics training program provided by Ethics Commission staff in 2013. 81 percent of employees felt Miami Beach government was “ethical” in 2016 compared to 65 percent during the 2013 survey, a 25 percent increase over three years. Meanwhile, 77 percent of employees said they felt enough safeguards had been implemented by management to prevent corruption in the workplace, up significantly from 60 percent in 2013. Additionally, 80 percent said it was easier to “blow the whistle” on corrupt activity, compared to 64 percent in 2013. They also felt better about reporting bad behavior: in response to a question about fear of retaliation for whistleblowers in the most recent survey, 67 percent of employees felt adequate protections exist, compared to just 33 percent in 2013.
52 Recommendation: Customer Service should develop and implement a procedure for documenting, filing, and tracking complaints received from customers (e.g., payments of utilities).
Management Response: The City currently has a manual process where complaint calls are forwarded through emails to the appropriate department personnel for a response. In May 2017, an item will be brought to the City Commission for approval of a new automated call distribution (ACD) system. The new ACD system will document, file and track customer complaints while giving the City enhanced reporting capabilities. Enhanced functionality includes:
- Skill-based routing;
- Predictive routing;
- Multi-location and at-home agent capabilities;
- Inbound/Outbound call blending;
- Automatic call back;
- Supervisor Monitor/Coach/Barge;
- Call Recording with limited archiving;
- Email, Chat and Voice interaction capabilities; and
- Audio redaction of credit card information for PCI compliance.
The new ACD system is anticipated to be operational by July 2017. The City also receives complaints through the eGov application, which is a free, simple and real-time platform that connects citizens and businesses directly with the City for submitting requests and complaints. Requests and complaints are independently logged, forwarded to the appropriate department and monitored for follow-up.

53 Recommendation: Customer Service should report statistics to the City Manager about customer complaints, such as the number of customer complaints opened during the quarter, the number of complaints closed during the quarter, the number of complaints outstanding, and the topics of complaints.
Management Response: The new ACD system that will be brought to the City Commission for approval in May 2017 will provide a diverse range of reporting options allowing Management to quickly and easily monitor Call-Center performance, while optimizing services and performance levels.
Reporting capabilities will allow the City to closely track real-time management metrics with customizable dashboards monitoring customer complaint statuses. Enhanced functionality includes:
- View data in charts, graphs or raw data grids;
- Drill down into report data for more detailed analytics;
- Create, save and schedule custom reports;
- Track real-time metrics with dashboards;
- Report on industry-standard metric calculations;
- Export raw Call-Center analytics data for further refinement; and
- Pre-built reports and ad-hoc reports.
The new ACD system is anticipated to be operational by July 2017. The eGov application has detailed reporting capabilities with tools for viewing and reporting requests and complaints using various criteria. Detailed analytics are available in pre-built and ad-hoc reports.

54 Recommendation: The Payroll Processor’s custody of assets (control over cash) rights in SunTrust should be revoked.
Management Response: Rights to custody of assets were revoked in April 2017.

55 Recommendation: The Payroll Processor’s rights to create a new employee or change employee information in Eden should be revoked.
Management Response: The City will be converting to Munis in May 2017. The Payroll Processor’s rights to create a new employee or change employee information in Munis were removed in May 2017.

56 Recommendation: The Payroll Processor should not be permitted to perform the two levels of approval of the payroll process that are required in Eden.
Management Response: The City will be converting to Munis: HR/Payroll in May 2017. With the implementation of Munis, the Payroll Processor will not be able to perform two levels of approval.

57 Recommendation: Checks printed with signatures of the authorized signers should be handled exclusively by the Treasurer for mailing and distribution purposes, assuming s/he has no recordkeeping rights.
Management Response: Beginning in May 2017, checks will be mailed out by the Treasury Manager, Accounts Payable Supervisor, or Accounting Manager. These positions do not have recordkeeping rights.

58 Recommendation: Throughout our fraud risk assessment of the City’s Treasury and ACH disbursements process, BDO identified potential vulnerabilities in other departments and functions of the City. In order for the City to fully understand, identify, assess and evaluate its overall fraud risk, BDO recommends that an overall citywide fraud risk assessment be conducted and that mitigating internal controls, procedures, and policies be documented and implemented.
Management Response: Internal Audit is currently preparing a scope of work in order to solicit proposals by August 2017 for an outside firm to conduct an overall citywide fraud risk assessment. With input from the Audit Committee, Internal Audit’s annual audit plan will be modified to reflect the results of the risk assessment to properly prioritize risk areas.

59 Recommendation: Recommend that a dollar amount limit be set with regard to the Deputy Finance Director’s PIN wire approval and wire initiation limits.
Management Response: The City has set a limit on how much each authorized individual can approve or initiate, including the CFO and Deputy Finance Director. As an additional control, each wire requires dual approval.

60 Recommendation: We recommend that the duplicate user profile be deleted from SunTrust On-line for the Revenue Manager.
Management Response: The duplicate user profile was deleted from SunTrust On-line for the Revenue Manager in April 2017.

I. SCOPE AND METHODOLOGY

The scope of BDO’s work included reviewing bank activity from July 2016 to January 2017, unless otherwise noted. During the course of our review, certain City processes were modified and changed as new procedures and related internal controls were implemented. In these instances, we identified and noted those process changes in our report.
However, if a change was implemented after our fieldwork ended on February 3, 2017, we did not assess whether the modified processes were operating effectively and were sufficient to mitigate the risks identified in this report. This project was carried out in accordance with Statements on Standards for Consulting Services issued by the AICPA Management Consulting Services Executive Committee. BDO’s independent fraud risk assessment of the City’s Treasury and ACH disbursement process was performed using a risk-based approach, beginning with the identification of risks based upon a review of various documents and interviews with key individuals who were in the best position to explain key areas of vulnerability. Note that BDO excluded from the scope of its engagement the Active Card Integration (“ACI”) payment program, which was coordinated with the purchasing cards (“p-cards”).

The Deputy Finance Director provided BDO with a general overview of the fraud and served as BDO’s primary point of contact. Other City employees with varying degrees of knowledge of the fraud provided their insight and understanding of the fraud. The City provided specific information relating to the internal policies, internal controls, procedures, and practices related to the Treasury and ACH disbursements process that was compromised by the fraud. Bank records, supporting documentation, narratives, reports, fraudulent unauthorized ACH debits and other relevant information described in this report were provided to BDO.
In conducting the independent fraud risk assessment of the City’s Treasury and ACH disbursements process, BDO performed the following procedures:
- Reviewed pertinent documents related to the ACH and disbursement process (see Appendix A for a list of documents reviewed as part of the fraud risk assessment process)
- Conducted interviews of relevant City and SunTrust personnel to understand the internal control environment and identify key risk areas
- Examined, assessed and evaluated current access rights of City employees to the City’s Munis Accounting Software and the General SunTrust Depository Account and related zero-balance sub-accounts, including those individuals with authority to grant online access to City personnel for such accounts
- Performed walk-throughs of the relevant areas of the City’s Finance Department involved with establishing ACH debit parameters, setting up vendors, and paying vendors for goods and services through ACH payments and wire transfers, and examined internal control documentation relevant to this process, including identifying the employees responsible for recording such transactions in the City’s books and records, and performed testing on a sample of wire transfers and ACH debit payments to vendors for goods and services through December 2016 (i.e., before suspension of this payment method)
- Examined, assessed and evaluated the new controls that the City implemented to address the risk of fraud regarding the General Depository and zero-balance sub-accounts, including inquiring about the procedures performed by the City to review, research, and confirm the validity of ACH debits, wire transfers, and other debits, observing procedures, and inspecting relevant documents
- Performed testing of the ACH fraud controls on the General Depository Account, including appropriate rejection/approval of vendors, reporting by SunTrust of ACH debits that did not meet ACH parameters for approved vendors, and timeline compliance
for approval/rejections of ACH payments
- Reviewed the bank reconciliation process with regard to the General Depository Bank Account and relevant zero-balance sub-accounts to identify the roles and responsibilities of different employees involved in the bank reconciliation, understand and document the definition of a completed bank reconciliation, identify the ACH unreconciled items in the bank reconciliation and how the City addressed them, and understand the actions taken and the controls documented for addressing bank account reconciling differences
- Reviewed the relevant City insurance policies, including the coverage and deductibles for each policy
- Summarized the key fraud risks identified through the fraud risk assessment, evaluated the relevant internal controls that address these risks, concluded whether there was an internal control deficiency, and provided a recommendation to strengthen the internal control, if needed.

II. LIMITATION ON DOCUMENTATION PROVIDED TO BDO

As a result of the current and ongoing criminal investigation of the $3.6 million fraud, BDO was informed by the City that pursuant to Florida Statute 119.071(2)(c), active criminal investigative information is exempt from the Florida Public Records Law (119.07(1)) and also from s.24(a), Article I of the State Constitution. Furthermore, the City indicated that 119.071(5)(a) of the Florida Statutes makes social security numbers held by an agency confidential and exempt from 119.071(1) and s.24, Article I of the State Constitution. The Deputy Finance Director indicated the City is prohibited from sharing information about the investigation with others. Therefore, the City was unable to provide the following specific documentation and information requested by BDO:
- The City internal investigative reports, memorandums, summaries, audits, and all other relevant investigative documents related to this matter.
- External, third-party, or law enforcement investigative documents, reports, findings, summaries, or memorandums related to this matter.
- The City criminal referral reports or documents sent to local, state, and/or federal law enforcement related to this matter.

III. DETAILED FINDINGS AND RECOMMENDATIONS FOR IMPROVING INTERNAL CONTROLS

In December 2016, after discovering the unauthorized ACH debits, the City took certain actions to address the immediate fraud and related vulnerabilities. BDO tested each of these actions taken by the City.

Fraud Risk Identified: Risk of unauthorized ACH debits and other debits posted to the City’s General Depository Account at SunTrust.
Fraud Risk Assessment: High.

Action Taken by the City - #1: Permanently suspended the use of ACH debits to pay vendors for goods and services through the City’s General Depository Account at SunTrust and ZBA.
Testing: BDO obtained an email sent on December 8, 2016 from the Deputy Finance Director to the former A/P Supervisor, Accounting Manager, and Treasurer, directing them to stop all ACH payments to vendors immediately. BDO confirmed this understanding with the Accounting Manager and the acting A/P Supervisor. Further, BDO inspected the electronic funds transfer (EFT) register for the period 7/1/16 – 12/31/16 that was provided to us and noted no EFTs issued after December 8, 2016 to vendors for goods and services.

Action Taken by the City - #2: Opened a new general depository account at SunTrust with the intention to transition all activity from the existing general depository account used in the fraud to the new account.
Testing: BDO inquired of the Deputy Finance Director and read the Deposit Account Resolution executed on 12/21/2016 covering the newest general depository bank account. BDO further verified that the authorized signers remained the same. The City began using the new general depository bank account on January 30, 2017.
Action Taken by the City - #3: Added ACH fraud controls to both the compromised and new general depository accounts at SunTrust.
As of January 27, 2017, the date of our testing, the Revenue Manager, the Deputy Finance Director, and the Assistant Director were the only employees with rights to approve/reject ACH debits posted to the General Depository Bank Account at SunTrust. BDO observed and confirmed that SunTrust sends an email alert to the Revenue Manager, the Deputy Finance Director, and the Assistant Director notifying them that an ACH debit was initially rejected due to no authorization on file (e.g., the ACH debit is from a vendor who is not on the approved vendor list in SunTrust) and that the City would have until 2 PM of the return date shown to approve the ACH debit. The email alert includes the following information: the individual name and individual ID No. of the person who initiated the ACH debit, the City’s bank transit routing number and bank account number, the dollar amount of the ACH initially rejected, and the originating vendor (company)’s name and company ID number that attempted to get paid via ACH debit. After the Revenue Manager receives the email, if he does not recognize the vendor, the Revenue Manager has the following two options:
1. Refrain from taking any action, which will cause the bank to return the ACH debit to the originating company at 2:00 PM (local time) of the current day or the following day (depending on the time of day the email alert was issued); or
2. Manually reject the ACH debit.[1]

[1] To reject the ACH debit, the Revenue Manager would use his login credentials (ID No. and password) to access https://ach.suntrust.com, select the “ACH Fraud” control, go to the “Accepting Pending Payments” screen, select the ACH transaction in question, and select “refuse”.
In the case that the Revenue Manager is not sure whether the vendor who initiated the ACH debit transaction is legitimate, he would consult with A/P, Payroll, or another relevant area within the Finance Department to verify that the vendor is a legitimate vendor. If, however, the Revenue Manager recognized the vendor as legitimate (or after consultation, he was able to verify that the vendor was legitimate), he would verify that the amount of the ACH debit is correct. Accordingly, the Revenue Manager would communicate with A/P, Payroll, or any other area within the Finance Department that had relevant information about the ACH debit to confirm the amount of the ACH debit. Once the appropriate area within the Finance Department confirms the amount of the ACH debit, the Revenue Manager would go to the “Accept Pending Payments” screen, select the ACH transaction in question, and select “Accept.” After the ACH debit is approved, SunTrust will send an email to the Revenue Manager, the Deputy Finance Director, and the Assistant Director confirming that the ACH payment to the vendor was approved.

Once the Revenue Manager accepts the ACH payment to the vendor, the system will ask him if he wants to add the vendor to the list of authorized vendors. To add the vendor to the list of authorized vendors in SunTrust, the Revenue Manager must do the following:
- In the ACH Fraud control screen, the Revenue Manager would click Authorization Maintenance, click “Add,” and select the respective bank account at SunTrust. The Revenue Manager can add a vendor not only to the General Depository Bank Account, but also to any other SunTrust bank account for which ACH fraud control has been set up.
- Typically, the Revenue Manager would select the General Depository Bank Account to add a vendor, which would bring up a screen where he would enter and save the following information:
  o Begin date
  o Expiration date
  o Authorized payment amount (maximum amount or a specific amount)
  o Company ID number
Once the vendor is added to the list of authorized vendors for the General Depository Bank Account at SunTrust, all ACH debits to the General Depository Bank Account initiated by this vendor (that are within the parameters set) will be automatically approved by SunTrust. However, the Revenue Manager does not need to wait for an email from SunTrust informing him about an initially rejected ACH debit to add a vendor to the list of authorized vendors for the General Depository Bank Account at SunTrust. In this case, the Revenue Manager can add a vendor to the list of authorized vendors at SunTrust by setting up the vendor in the Authorization Maintenance screen and following the process described above.

ACH debit transactions are recorded by the division within the Finance Department to which the transaction pertains. For example, ACH debits pertaining to merchant fees (credit card fees) are recorded by an employee within the Revenue division. The respective journal entry requires two approval levels (10 and 20) before the journal entry can be posted to the general ledger. In this regard, we noted that the Revenue Manager has rights to make journal entries and can approve them with an approval level of 20.

Testing: BDO verified that ACH fraud controls were added to both the compromised and new general depository accounts through visual inspection of the fraud controls listed under the account specifications for each account by SunTrust, through BDO’s meetings and interviews with SunTrust, and through our interviews with key City personnel.
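The authorization parameters described above (account, Company ID, begin and expiration dates, authorized amount as a maximum or a specific amount) decide whether an incoming debit is auto-approved or held for the 2 PM return. The following Python model is an added illustration, not SunTrust's software or the City's procedure; the Company IDs and amounts are constructed, and the rule that an alert issued before 2:00 PM is returned the same day and a later one the next day is an assumption.

```python
"""Model of the ACH fraud-control authorization rules described in the report.
Added illustration only: not the bank's software. A debit is auto-approved only
when an authorization exists for the account and Company ID, the settlement date
is inside the begin/expiration window and the amount is within the authorized
amount; anything else is held and, absent approval, returned at 2:00 PM."""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from decimal import Decimal
from typing import List


@dataclass(frozen=True)
class Authorization:
    account: str        # SunTrust account the entry was added for
    company_id: str     # originating Company ID of the vendor
    begin: date
    expiration: date
    amount: Decimal
    exact: bool         # True: debit must equal `amount`; False: `amount` is a maximum


@dataclass(frozen=True)
class AchDebit:
    account: str
    company_id: str
    company_name: str
    amount: Decimal
    settlement: date


@dataclass(frozen=True)
class Decision:
    auto_approved: bool
    reason: str


def evaluate(debit: AchDebit, auths: List[Authorization]) -> Decision:
    """Return the bank-side decision for one incoming ACH debit."""
    candidates = [a for a in auths
                  if a.account == debit.account and a.company_id == debit.company_id]
    if not candidates:
        # This is the condition that triggers the e-mail alert to the approvers.
        return Decision(False, "no authorization on file")
    for a in candidates:
        if not (a.begin <= debit.settlement <= a.expiration):
            continue                      # outside the begin/expiration window
        if a.exact and debit.amount != a.amount:
            continue                      # specific amount required, mismatch
        if not a.exact and debit.amount > a.amount:
            continue                      # exceeds the maximum amount
        return Decision(True, "within authorization parameters")
    return Decision(False, "outside authorization parameters")


RETURN_CUTOFF = time(14, 0)  # 2:00 PM local, per the report


def return_deadline(alert_at: datetime) -> datetime:
    """Deadline after which an unapproved debit is returned to the originator.
    Assumption (not stated in the report): an alert issued before the cutoff is
    returned the same day, one issued at or after the cutoff the following day."""
    day = alert_at.date()
    if alert_at.time() >= RETURN_CUTOFF:
        day += timedelta(days=1)
    return datetime.combine(day, RETURN_CUTOFF)


def demo() -> dict:
    """Constructed sample: one authorized vendor (maximum amount) and three debits."""
    auths = [Authorization("GDA", "1234567890", date(2017, 1, 1), date(2017, 12, 31),
                           Decimal("5000.00"), exact=False)]
    debits = [
        AchDebit("GDA", "1234567890", "Card Processor (constructed)",
                 Decimal("4120.88"), date(2017, 1, 27)),   # inside parameters
        AchDebit("GDA", "1234567890", "Card Processor (constructed)",
                 Decimal("6000.00"), date(2017, 1, 27)),   # over the maximum
        AchDebit("GDA", "9999999999", "Unknown Co (constructed)",
                 Decimal("250.00"), date(2017, 1, 27)),    # no authorization at all
    ]
    decisions = [evaluate(d, auths) for d in debits]
    return {
        "reasons": [d.reason for d in decisions],
        "auto_approved": [d.auto_approved for d in decisions],
        "deadline_morning": return_deadline(datetime(2017, 1, 27, 9, 30)).isoformat(),
        "deadline_afternoon": return_deadline(datetime(2017, 1, 27, 15, 5)).isoformat(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```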
In addition, BDO performed a walk-through of the ACH fraud controls established over the compromised SunTrust General Depository Bank Account and tested:
1. Documentation evidencing that SunTrust reports daily to the Revenue Manager, Deputy Finance Director, and Assistant Director the ACH debits that were initially rejected because the vendor who initiated the ACH debit was not on the approved list of vendors maintained by the bank.
2. Documentation evidencing that SunTrust reports daily to the Revenue Manager, Deputy Finance Director, and Assistant Director the ACH debits that did not fall within the ACH parameters that were set for the approved vendor.
3. Documentation that evidences that the Finance Department researches the ACH debit that was initially rejected.
4. Documentation that evidences that the Finance Department approved or rejected the ACH debit in question.
5. If the Finance Department approved the ACH debit, we tested documentation from SunTrust confirming that the ACH debit was approved.
6. If the Finance Department failed to approve or reject the item in question, we tested documentation that evidences that the bank rejected the ACH debit in question by 2 PM on the same day or the following day.
As a result of our walk-throughs and testing described above, BDO notes the following deficiencies in internal controls and proposes the following recommendations.

Internal Control Deficiency - Employees who were assigned the task of approving/rejecting the ACH debit occasionally did not document how they verified whether a vendor who initiated the ACH debit was legitimate and/or that the amount of the ACH debit was correct.
Recommendation: BDO recommends that employees in charge of approving/rejecting an ACH debit document the supporting evidence they reviewed and the names of other employees consulted to determine that the vendor who initiated the ACH debit was legitimate and/or that the amount of the ACH debit was correct.
Internal Control Deficiency - The Revenue Manager, as one of the City employees assigned to approve or reject ACH debits, has permission and the ability to add vendors to the list of authorized vendors who can initiate ACH debits to SunTrust accounts, while he also has record-keeping rights (i.e., he can record journal entries) in Munis, the City’s finance and accounting solution software. The Revenue Manager is able to add a vendor to the list of authorized vendors maintained at SunTrust by setting up the vendor in the Authorization Maintenance screen without having to wait for an email from SunTrust informing him, the Deputy Finance Director and the Assistant Director about an initially rejected ACH debit. Once the vendor has been added to the list of authorized vendors at SunTrust, any ACH debits from the same authorized vendor would be automatically approved and no email communication from SunTrust would be made. If the vendor is fictitious, the Revenue Manager has the ability to conceal the ACH payment to the vendor by recording the transaction in a journal entry, having to work through only one hurdle, which is obtaining a workflow approval level 10 to approve his entry. Even though the Department of Finance performs a daily control of debits posted to the SunTrust General Depository bank account and the RDA bank account, the control is limited to identifying whether the ACH debit corresponds to a transaction initiated by the City with a recognized vendor. Accordingly, a debit of this type where the vendor is not recognized by Accounts Payable or Payroll most likely will be given to the Revenue Manager for research to determine the validity of the vendor.
Recommendation: BDO recommends that the City review the segregation of duties concerning the Revenue Manager and consider suspending his record-keeping rights while he is able to add vendors to the list of authorized vendors who can initiate ACH debits to SunTrust accounts.
Alternatively, the City should consider suspending the Revenue Manager’s rights to approve or reject ACH debits and his ability to add vendors to the list of authorized vendors who can initiate ACH debits to SunTrust accounts, and assign these rights to an employee without record-keeping rights.

Action Taken by the City: Established a daily process for determining the validity of debits posted to the SunTrust General Depository Bank Account and the Redevelopment Agency City bank account (“RDA”).
Testing: BDO performed a walk-through of the daily process for determining the validity of debits posted to the compromised SunTrust General Depository Bank Account and the RDA and performed the following testing:
1. Observed the download from SunTrust Online Treasury Manager of debits posted to the General Depository Bank Account and RDA by the employee who prepares or reviews bank reconciliations.
2. Read the email with the report of debits posted to the General Depository Bank Account and RDA that was sent to the Acting Accounts Payable Supervisor requesting that she research all debits posted to these accounts to ensure that they are related to the City’s transactions.
3. Observed the research performed by the Acting Accounts Payable Supervisor and traced various debits to supporting documentation in Accounts Payable. Observed that the Acting Accounts Payable Supervisor indicated on the report of debits posted to the General Depository Bank Account and RDA those debits that were related to A/P.
4. Observed that all ACH debits and wire transfer debits that do not correspond to A/P were communicated to the Payroll Processor. Observed the research performed by the Payroll Processor and the tracing of various debits to supporting documentation in payroll. Observed that the Payroll Processor indicated on the report of debits posted to the General Depository Bank Account and RDA those debits that were related to payroll.
5.
Read the email with explanations for all debits posted to the General Depository Bank Account and RDA that was sent by the Acting Accounts Payable Supervisor to the employee who downloaded the report of debits, with copy to the Deputy Finance Director, Revenue Manager, Assistant Director, Assistant Internal Auditor, Internal Auditor, and an accounts payable analyst.
6. Observed that the Assistant Director reviewed that each employee who participated in the daily process for determining the validity of debits posted to the SunTrust General Depository Bank Account and the RDA had completed his/her assigned duties.
7. Observed that the Assistant Director verified that the email with explanations of all debits posted to the SunTrust General Depository Bank Account and the RDA was sent to the employee who downloaded the report of debits, with copy to the Internal Auditor.
8. Observed that the Assistant Director reviewed the explanations documented in the daily report of debits posted to the SunTrust General Depository Bank Account and the RDA.
9. Observed that the Assistant Director reviewed the daily report of debits for any payees or amounts that looked suspicious and made respective inquiries of the responsible division within the Department of Finance that was originally assigned the responsibility for researching the debit.
10. Observed that after the Assistant Director’s review was completed, he signed off on the copy of the email documenting the explanations for all debits posted to the SunTrust General Depository Bank Account and the RDA and hand-delivered this email to an employee within the general ledger team for filing purposes.
11. Observed that the Assistant Director maintains a folder in the shared drive with all the respective emails in PDF format.
12. Reviewed additional emails from the Acting Accounts Payable Supervisor noting that certain debits required further research.
13.
Reviewed the Excel schedule documenting all debits that required further research, the employee who further researched the debit, the employee who followed up with SunTrust, and the status of the pending research items. 14. Inquired of the Internal Auditor and observed that he receives a daily email notification with an indication that each debit posted to the SunTrust General Depository Bank Account and the RDA corresponded to a transaction originated by the City. Inquired of the Internal Auditor that he verifies that the employee responsible for investigating the validity of the disbursements is taking action. Inquired of the Internal Auditor that he follows-up on all debits that do not have an explanation and that he documents his follow-up. P a g e | 33 15. BDO judgmentally selected a sample of 25 ACH debits and wire transfers from the daily reports of debits posted to the SunTrust General Depository Bank Account and RDA covering the period from January 3, 2017 to January 30, 2017 to determine that the debits corresponded to transactions originated by the City. We inspected supporting documentation, emails from the Acting Accounts Payable Supervisor documenting the explanations for the sample of debits selected, and sign offs by the Assistant Director as evidence of his review. As a result of our walk-through and above described testing, BDO noted the following deficiencies in internal controls and makes the following recommendations: Internal Control Deficiency - On 1/27/17 a debit of $ 4,120.88 was posted to the General Depository Bank Account and the Acting A/P Supervisor matched this debit to a credit in the same amount that was posted to the Zero Balance Account Parking sub-account. However, no further research was performed in regard to the debits posted to the ZBA Parking sub-account that equaled the $4,120.88 credit to determine that all of the debits posted were based on transactions originated by the City. 
Since the ZBA Parking sub-account did not have positive pay, we believe that the Acting A/P Supervisor should have further investigated whether the debits posted to the ZBA Parking sub-account that equaled the respective credit corresponded to transactions originated by the City.

Recommendation: BDO recommends that positive pay be added to all ZBA. Further, we recommend that for all debits posted to the General Depository Bank Account that correspond to credits posted to the respective ZBA, the Acting A/P Supervisor research the respective debits posted to the ZBA that occurred before positive pay was added to the ZBA.

Internal Control Deficiency - BDO noted that the employee from the payroll processing division responsible for verifying that the payroll ACH debits and wires posted to the General Depository Bank Account actually pertained to the City’s payroll was not being copied on the emails sent by the Acting A/P Supervisor documenting that the payroll debits posted corresponded to payroll transactions originated by the City.

Recommendation: BDO recommends that the employee from the payroll processing division be copied on the email sent by the Acting A/P Supervisor that documents the explanations for all debits posted to the General Depository Bank Account.

Internal Control Deficiency - There is no documentation of the Assistant Director’s review of the daily report of debits posted to the General Depository Bank Account and RDA for any payees or amounts that looked suspicious, or of the respective inquiries of the employee who was originally assigned the responsibility for researching the debit in question.

Recommendation: BDO recommends that the Assistant Director document his review of the relevant documentation and the inquiries made that validate any payees or amounts that appeared suspicious.

Internal Control Deficiency - Whenever there is a debit that requires further research, the debit is recorded in a spreadsheet for pending research items. However, the status of pending research items is not emailed to the Internal Audit Department.

Recommendation: BDO recommends that the spreadsheet for pending research items be emailed on a daily basis to the Internal Audit Department.

Internal Control Deficiency - Once the employee who was originally assigned the responsibility for researching the debit has identified the debit as pertaining to a City transaction, there is no second review or approval of the explanation for each debit by the employee’s immediate supervisor. The review performed by the Assistant Director does not extend to verifying the explanation provided for each debit, but only those debits that he considers suspicious. In addition, the Internal Audit Department does not perform a meaningful review of the explanations for each debit posted to the General Depository Bank Account and RDA by tracing the explanations to supporting documentation. The Internal Audit Department simply looks at the daily review of debits to see if there are notes or comments next to each debit item and follows up with the Acting A/P Supervisor on all debit items that do not have an explanation.

Recommendation: BDO recommends that a second review be performed on the explanation for each debit posted to the General Depository Bank Account by the supervisor of the employee who originally provided the explanation.

Internal Control Deficiency - There is no formal written procedure documenting the daily debit review process. Rather, the daily review of debits posted to the General Depository Bank Account and RDA was established via a daily calendar invite and reminder.

Recommendation: BDO recommends that the daily debit review process be formally written and specify the employees who will act as substitutes in the event that the employees responsible for performing the daily review are absent.
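The daily debit review and the ZBA drill-down deficiency described above can be expressed as a small matching routine. The following is an added illustration, not the City's procedure or BDO's work product: every General Depository debit is traced to an A/P voucher or a payroll run originated by the City, and a General account debit that merely offsets a credit to a ZBA sub-account is not accepted as explained; the sub-account's own debits are traced instead. Account names, ledgers, references and amounts are constructed sample data.

```python
"""Daily bank debit validation with ZBA sub-account drill-down (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Debit:
    account: str      # "GENERAL" or a ZBA sub-account name (constructed names)
    ref: str          # bank reference number for the debit
    amount: int       # cents, to avoid floating-point comparison problems
    payee: str


@dataclass
class Explanation:
    debit: Debit
    source: str                    # "AP", "PAYROLL" or "UNEXPLAINED"
    support: Optional[str] = None  # voucher or payroll run id that supports it
    via_zba: Optional[str] = None  # sub-account the debit was traced through


def explain_debit(debit: Debit, ap_ledger: List[dict], payroll_ledger: List[dict]) -> Explanation:
    """Trace one debit to the City's own records by payee and exact amount."""
    for voucher in ap_ledger:
        if voucher["payee"] == debit.payee and voucher["amount"] == debit.amount:
            return Explanation(debit, "AP", voucher["id"])
    for run in payroll_ledger:
        if run["payee"] == debit.payee and run["amount"] == debit.amount:
            return Explanation(debit, "PAYROLL", run["id"])
    return Explanation(debit, "UNEXPLAINED")


def review_daily_debits(debits: List[Debit], zba_credits: Dict[str, str],
                        ap_ledger: List[dict], payroll_ledger: List[dict]) -> List[Explanation]:
    """Explain every General account debit; drill into funded ZBA sub-accounts.

    zba_credits maps a General account debit ref to the ZBA sub-account whose
    credit of the same amount it funds. Matching that credit is NOT an
    explanation: each debit in the sub-account must itself be traced.
    """
    by_account: Dict[str, List[Debit]] = {}
    for d in debits:
        by_account.setdefault(d.account, []).append(d)

    results: List[Explanation] = []
    for d in by_account.get("GENERAL", []):
        zba = zba_credits.get(d.ref)
        if zba is None:
            results.append(explain_debit(d, ap_ledger, payroll_ledger))
            continue
        sub_debits = by_account.get(zba, [])
        if sum(s.amount for s in sub_debits) != d.amount:
            # Sub-account activity does not add up to the funding debit:
            # keep the General debit itself on the research list.
            results.append(Explanation(d, "UNEXPLAINED", via_zba=zba))
            continue
        for s in sub_debits:
            e = explain_debit(s, ap_ledger, payroll_ledger)
            e.via_zba = zba
            results.append(e)
    return results


def pending_research(explanations: List[Explanation]) -> List[Explanation]:
    """Items that belong on the pending-research schedule sent to Internal Audit."""
    return [e for e in explanations if e.source == "UNEXPLAINED"]


def sample_review() -> List[Explanation]:
    """Run the review over constructed sample data for one day."""
    ap_ledger = [
        {"id": "V-1001", "payee": "Acme Meters Inc", "amount": 300_000},
        {"id": "V-1002", "payee": "Office Supply Co", "amount": 75_000},
    ]
    payroll_ledger = [
        {"id": "PR-17-02", "payee": "Payroll Tax Withholding", "amount": 500_000},
    ]
    debits = [
        Debit("GENERAL", "G1", 412_088, "ZBA PARKING TRANSFER"),    # funds the sub-account
        Debit("ZBA-PARKING", "P1", 300_000, "Acme Meters Inc"),
        Debit("ZBA-PARKING", "P2", 112_088, "Unlisted Vendor LLC"),  # no City record
        Debit("GENERAL", "G2", 500_000, "Payroll Tax Withholding"),
        Debit("GENERAL", "G3", 75_000, "Office Supply Co"),
        Debit("GENERAL", "G4", 90_858, "Unrecognized Payee"),        # no City record
    ]
    zba_credits = {"G1": "ZBA-PARKING"}
    return review_daily_debits(debits, zba_credits, ap_ledger, payroll_ledger)


if __name__ == "__main__":
    for e in pending_research(sample_review()):
        print(e.debit.account, e.debit.ref, e.debit.amount, e.debit.payee)
```

In the sample, the $4,120.88-style transfer to the parking sub-account is only accepted to the extent that each sub-account debit traces to a voucher; the unlisted vendor inside the sub-account and the unrecognized General account payee both land on the pending-research list.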
Fraud Risk Identified

Lack of segregation of custody of assets (control over cash) duties from record keeping duties in the Deputy Finance Director position before February 3, 2017, which could have led to misappropriation of cash and concealment through the recording of inappropriate journal entries.

Fraud Risk Assessment

High.

Mitigating Control

The accounting software does not allow the same employee to record and approve his own journal entry.

Internal Control Deficiency and Action Taken by the City

BDO determined that the Deputy Finance Director has signature authority over the relevant general depository and ZBA at SunTrust while also having record keeping rights in the City’s accounting system. On February 3, 2017, the Deputy Finance Director informed BDO that her record keeping rights were canceled in response to a request she made to the City’s IT department. Before February 3, 2017, however, the Deputy Finance Director had rights to record journal entries, which only required one level of approval prior to posting to the general ledger.

Testing:

BDO read SunTrust’s Master Deposit Account Resolution executed March 2, 2016 covering the General Depository Bank Account and ZBA and determined that the Deputy Finance Director was an authorized signer. We inquired of the Deputy Finance Director as to her record keeping rights in Munis and verified that she in fact had record keeping rights. After she requested that IT cancel her record keeping rights, BDO observed the Deputy Finance Director’s access to Munis on her City-assigned computer and verified that she only has view access rights.

Fraud Risk Identified

High pre-approved ACH debit threshold dollar amounts for intergovernmental agency vendors that could allow inappropriate ACH debit amounts to occur.

Fraud Risk Assessment

High.

Mitigating Control

Daily process for determining the validity of debits posted to the SunTrust General Depository Bank Account.

Internal Control Deficiency and Action Taken by the City

During BDO’s examination of the SunTrust list of approved intergovernmental agency vendors for ACH debits, the City agreed that the pre-approved threshold dollar amounts were too high and the Deputy Finance Director made the decision to lower the threshold dollar amounts for ACH payments to approved intergovernmental agency vendors.

Testing:

BDO inquired of the Deputy Finance Director and observed the threshold dollar amounts during the walk-through of the ACH fraud control established for the SunTrust General Depository Bank Account. We obtained a screenshot with the lower threshold dollar amounts.

Fraud Risk Identified

Unusual delays in the preparation of monthly bank reconciliations for the General Depository Bank Account and ZBA at SunTrust that can result in the City not being able to timely detect unauthorized ACH debits or other debits posted to the bank accounts.

Fraud Risk Assessment

High.

Mitigating Controls

ACH fraud control, positive pay, and the daily process for determining the validity of debits posted to the SunTrust General Depository Bank Account.

Updated Action Taken by the City

In a memorandum dated and effective February 21, 2017 to the Finance Department Staff from John Woodruff, Chief Financial Officer, the Finance Department Daily Bank Debits Review Process (Daily Review) is defined, documented and outlined to include the following required steps:

The Treasury Manager or Treasury FA 1 prints a daily debit transaction list from the SunTrust Online Treasury Manager (OTM). The list includes checks, wire transfers, ZBA debits, and ACH transactions, and all of these debit transactions are reviewed following specified and documented protocols.

The memorandum expressly states that ACH payments to vendors for goods and services are not allowed. The memorandum describes the approved ACH payment categories as merchant services, banking fees, intergovernmental transactions and payroll related withholding. Specific reconciliation steps for each approved ACH payment type are described in the memorandum.

The process for conducting the daily bank debits review and the distribution of the daily debits list is described in the memorandum.

Internal Audit conducts a review of the report, tracks pending items, and conducts follow-up on pending items. Internal Audit maintains a log of pending items to ensure that all items are resolved within a 48-hour cycle.

A hard copy of the daily transaction report is sent to the general ledger division for record keeping. Copies are maintained for 1 year.

Actions Taken by the City

The bank reconciliation group was instructed to complete the bank reconciliation of the SunTrust General Depository Bank Account and ZBA within 30 days from the end of the month being reconciled, as opposed to 50 days, which was the period of time in effect before the fraud incident was discovered. In addition, the Deputy Finance Director instructed the various divisions within the Finance Department responsible for researching and correcting the differences identified during the bank reconciliation to clear the differences as soon as possible.

Testing:

BDO performed a walk-through of the bank reconciliation process with the Accounting Manager and inquired about the changes in the bank reconciliation process as a result of the fraud incident. We identified the roles and responsibilities of the different employees involved in the bank reconciliation. We inquired of management about its definition of a completed bank reconciliation. We identified the ACH unreconciled items in the bank reconciliation and how they were addressed.
We also read the email sent by the Deputy Finance Director to the various divisions within the Finance Department responsible for researching and correcting the differences identified during the bank reconciliation, instructing them to clear the differences as soon as possible.

As a result of our walk-through, BDO noted the following internal control deficiencies and makes the following recommendations:

Internal Control Deficiency - As of January 31, 2017, the December 31, 2016 bank reconciliation was being finalized but not yet completed. Upon reviewing the final version of the December 31, 2016 bank reconciliation completed on February 3, 2017, we noted that the difference between the bank balance per the bank statement (as adjusted for certain typical reconciling items) and the bank balance per the general ledger amounted to $33,435,793.23. The transactions that comprise this difference have been identified and assigned to the corresponding divisions within the Finance Department for research and correction.

Recommendation: We recommend that each division within the Finance Department access SunTrust online on a daily basis to review all transactions posted (debits and credits) to their respective bank accounts and record them in the City’s books, if they have not already been recorded, provided that the transactions are valid.

Internal Control Deficiency - Although the various divisions within the Finance Department responsible for researching and correcting the differences identified during the bank reconciliation were instructed on January 3, 2017 to clear the differences as soon as possible, no due dates were imposed on them. Further, there are no escalation procedures for reassigning the research of reconciling differences, after a certain period of time has elapsed, to other employees who are not part of the division that was originally assigned the responsibility for explaining the differences. In this regard, according to SunTrust’s Deposit Agreement and Treasury and Payment Terms and Conditions, the City has 30 days from the bank statement date (or 30 days from the date of an alert notice, if earlier) to notify the bank and dispute a check paid that was not paid by the City using Positive Pay.

Recommendation: BDO recommends that a defined period of time to clear differences be vested with each division within the Finance Department responsible for researching and correcting the differences identified during the bank reconciliation. In no event should the period of time to prepare the bank reconciliation and research and correct the differences exceed 30 days from the bank statement date. We also recommend that after this period of time has elapsed, the City establish escalation procedures for reassigning the research of reconciling differences to other employees who were not involved in the division that was originally assigned the responsibility for explaining the differences.

Internal Control Deficiency - The City’s definition of a completed bank reconciliation is not in accordance with proper balance sheet account reconciliations. City management reports that the bank reconciliation is completed at the time all differences between the bank balance per the bank statement (as adjusted for certain typical reconciling items) and the bank balance per the general ledger have been identified and assigned to the corresponding divisions within the Finance Department for research and correction. In the case of the July 31, 2016 bank reconciliation, management considered that it was completed on October 17, 2016, the date an email was sent by the Accounting Manager to responsible parties within the Finance Department asking them to research and correct the differences identified in this bank reconciliation, the sum of which amounted to $11,820,644.80.
In our view, the July 2016 bank reconciliation, as well as the other monthly bank reconciliations, can only be considered completed once all differences have been researched and explained. Further, unrecorded ACH debits in the amount of $8,416.58 ($908.58 on July 11, 2016 and $7,511 on July 29, 2016, both posted in the July 2016 bank statement), which were later determined to be fraudulent, were included in a subtotal difference of $390,336.06 that was assigned to the former Deputy Finance Director and the former Accounts Payable Supervisor to research. The subtotal difference of $390,336.06 was documented as part of the $11,820,644.80 total difference. Because the $8,416.58 ACH debits difference was not determined to be fraudulent until December 2016, it was carried from the July 2016 bank reconciliation to the subsequent months’ bank reconciliations, as part of the total difference that was assigned each reconciliation period to the former A/P Supervisor to investigate. In addition, the bank reconciliation for July 2016 shows identified differences as old as October 1, 2015 that were not cleared.

Recommendation: BDO recommends that the City change its definition of a completed bank reconciliation so that a bank reconciliation is considered completed when the total amount of the difference between the bank balance per the bank statement (as adjusted for certain typical reconciling items) and the bank balance per the general ledger has been researched and explained. In this way, the City can in fact know whether bank reconciliations have been timely prepared.

Internal Control Deficiency - The various divisions within the Finance Department that were responsible for researching and correcting the identified differences did not communicate with the bank reconciliation group to inform them about the reasons for the differences and the dates they were corrected. Thus, the bank reconciliation group did not have any documentation that would explain the reasons for the various differences noted in the monthly bank reconciliations and the dates they were corrected. In addition, the bank reconciliation group did not follow up with the respective division of the Finance Department on identified differences that were carried to the next month’s bank reconciliation.

Recommendation: We recommend that the various divisions within the Finance Department that are responsible for researching and correcting the identified differences inform the bank reconciliation group about the reasons for the differences and the dates they were corrected. Further, we recommend that the bank reconciliation group document the explanations and dates of corrections in the bank reconciliation and follow up with the responsible division on all unresolved differences.

Internal Control Deficiency - Even when following management’s definition of a completed bank reconciliation, the monthly bank reconciliations from July 2016 to October 2016 exceeded the 50-day maximum term allowed for the preparation of bank reconciliations that was in effect at that time. Among the factors that contributed to this delay were the new accounting software implemented in May 2016 and high personnel turnover within this department.

Fraud Risk Identified

Employees who prepare and review bank reconciliations have record-keeping rights. Accordingly, they can eliminate reconciling differences by making journal entries.

Fraud Risk Assessment

High.

Mitigating Control

The accounting software does not allow the same employee to record and approve his own journal entry.

Internal Control Deficiency - The employee responsible for preparing bank reconciliations also has record-keeping rights. In addition, the Accounting Manager, who prepared the bank reconciliation for November 2016 and usually reviews the bank reconciliations, also has record-keeping rights.
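The two definitions of a completed reconciliation discussed in the preceding deficiencies, the 30-day clearing period, and the need to document an independent reviewer can be checked mechanically. The following is an added illustration, not the City's reconciliation workbook or BDO's code: a reconciliation counts as complete under management's definition once every difference is identified and assigned to a division, and under BDO's definition only once every difference is researched and explained; open items older than the clearing period are flagged for escalation, and a missing or non-independent reviewer is reported. All balances, dates, item ids and names are constructed sample data.

```python
"""Bank reconciliation completion status and aging of open differences (added example)."""
from datetime import date
from typing import List, Optional

CLEARING_DEADLINE_DAYS = 30  # from the bank statement date, per the recommendation above


def reconciliation_status(statement_date: date, adjusted_bank_balance: int,
                          gl_balance: int, items: List[dict], as_of: date,
                          preparer: str, reviewer: Optional[str]) -> dict:
    """Summarise one month's reconciliation. Amounts are in cents.

    Each item: {"id", "amount", "division", "first_seen": date, "explained": bool}
    """
    difference = adjusted_bank_balance - gl_balance
    identified = sum(i["amount"] for i in items) == difference  # every cent carried by an item
    assigned = all(i["division"] for i in items)
    explained = all(i["explained"] for i in items)

    deadline_passed = (as_of - statement_date).days > CLEARING_DEADLINE_DAYS
    escalate = [
        i["id"] for i in items
        if not i["explained"] and (as_of - i["first_seen"]).days > CLEARING_DEADLINE_DAYS
    ]
    findings = []
    if not identified:
        findings.append("UNIDENTIFIED_DIFFERENCE")
    if reviewer is None:
        findings.append("REVIEWER_NOT_DOCUMENTED")
    elif reviewer == preparer:
        findings.append("REVIEWER_IS_PREPARER")
    if deadline_passed and not explained:
        findings.append("PAST_CLEARING_DEADLINE")

    return {
        "difference": difference,
        "complete_per_management": identified and assigned,
        "complete_per_bdo": identified and explained,
        "days_since_statement": (as_of - statement_date).days,
        "escalate": escalate,
        "findings": findings,
    }


def sample_status() -> dict:
    """Constructed July statement reviewed in October, with one very old open item."""
    items = [
        {"id": "D1", "amount": 750_000, "division": "Treasury",
         "first_seen": date(2016, 8, 10), "explained": True},
        {"id": "D2", "amount": 340_000, "division": "Accounts Payable",
         "first_seen": date(2016, 8, 15), "explained": False},
        {"id": "D3", "amount": 90_000, "division": "Revenue",
         "first_seen": date(2015, 10, 1), "explained": False},
    ]
    return reconciliation_status(
        statement_date=date(2016, 7, 31),
        adjusted_bank_balance=500_000_000,
        gl_balance=498_820_000,
        items=items,
        as_of=date(2016, 10, 17),
        preparer="reconciler-1",
        reviewer=None,
    )


if __name__ == "__main__":
    print(sample_status())
```

The sample reproduces the pattern BDO describes: the reconciliation is "complete" under management's definition because each difference has an owner, but not under BDO's, and two items are past the clearing period and due for reassignment.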
Further, there is no documentation of the employee who reviewed the November 2016 bank reconciliation. Although we understand that Munis does not permit an employee who makes a journal entry to also approve it, the risk of fraud increases when bank reconcilers have recordkeeping rights, as they can eliminate reconciling differences by making journal entries.

Recommendation: This is a basic segregation of duties violation. We recommend that employees who prepare bank reconciliations have their recordkeeping rights cancelled, or that a compensating control such as independent management review of the reconciliation be implemented. We also recommend that bank reconciliations document the employee who reviews them.

IV. MUNIS FINANCIAL SOLUTIONS ACCOUNTING SYSTEM – BACKGROUND

In 2014, the City began the process to replace the current enterprise resource planning system (ERP), known as Eden, with Munis. According to the City, the replacement of the system is a key part of the administration’s goal of re-engineering core business processes to maximize efficiencies and service to constituents. Implementation of the project is the responsibility of the Munis Steering Committee, composed of various key staff including an Assistant City Manager, the Chief Financial Officer, the Budget Director, the Procurement Director, and the IT Director.

In a summary statement provided to BDO, the City stated:

“The ERP system includes the Finance, Budget, Procurement, and Human Resources business processes. There are three main phases of the project including: (1) Core Financials (includes Finance/Procurement/Budget); (2) Human Resources/Payroll; and (3) Utility Billing. With the implementation of the Munis software several new processes including ACH payments (debits) were started to ensure vendor payments for goods and services were more timely and efficient. The Go-Live date for the Core Financials phase of the project was May 2, 2016. The implementation structure was that core City staff were trained by the software implementation team on how to set up the new software, validate and test converted data and train end users. The City staff had the task of ensuring completeness and accuracy of all aspects of the implementation, including recording of data to the general ledger. During the planning, conversion, implementation, and training phases of the new software, Finance and IT staff continued to work on everyday tasks to ensure the seamless transition from one software system to another while providing the same level of service to vendors and other internal departments. To accomplish both, all levels of staff worked practically double shifts for many weeks. This significant time commitment and the normal learning curve required with any new software implementation adversely affected staff’s ability to reconcile and correct the resulting high volume of discrepancies in a timely manner.”

The City’s CFO at the time stated that the City “Does not even know we have an exception until it occur and became reconciling items”. She stated that the number of exceptions has been decreasing every month since the implementation of Munis but “a lot” of transactions were not posting in the correct month, resulting in a very large number of items that were required to be reconciled.

During the validation and testing of converted data stages, there was significant changeover in leadership, transfers, promotions and terminations, which resulted in several vacancies in the Finance Department. This further compounded the volume of work for the remaining staff.

BDO Finding

Prior to the implementation, a fraud risk assessment was not completed by the City regarding the exposure of implementing a new financial software system. A risk assessment could have taken into account the high probability of inaccurate, untimely or convoluted data being posted to the general ledger from disbursement and receipting transactions and the effects it would have on financial reconciliations. If a fraud risk assessment had been conducted by the City prior to the implementation of Munis, the City could have developed and implemented mitigating internal controls and procedures to more closely review and analyze transactions, including ACH disbursements, and to more timely reconcile items that were not cleared in the bank reconciliation process.

According to the Deputy Finance Director and the Accounting Manager, the implementation of Munis impacted the Finance Department’s ability to timely reconcile open and unverified payments through the City’s accounts payable process due to the volume of open debits resulting from staff not fully understanding the Munis system, the use of ACH debits to pay vendors for goods and services under the Munis system for accounts payable, and a lack of adequate staff to verify and close open debits. The Deputy Finance Director stated that with the implementation of Munis, the number of “exceptions” listed every month was extremely high. She stated that the City “Doesn’t even know we have an exception until we are told.” The Deputy Finance Director also stated that the number of exceptions has been decreasing every month since the implementation of Munis but “a lot” of transactions were not posting in the correct month, resulting in a very large number of items that require reconciliation.

V. ACCOUNTS PAYABLE, ACH DISBURSEMENTS AND WIRE TRANSFERS

Munis Financial Solutions incorporates built-in approval streams for transactions relating to Treasury and ACH disbursements that consider separation of duties and checks and balances to mitigate fraud.
BDO conducted a walk-through of the ACH disbursements and wire transfers process and observed the following processes:

- entering of invoices in Accounts Payable to be paid via ACH and wire transfer;
- approvals, including approval levels, required in Munis for the invoice to be considered completely approved;
- posting of the batch of approved invoices (selection of approved invoices to be paid);
- issuance of ACH payments and wire transfers;
- uploading of the ACH disbursement file in SunTrust’s online file transfer webpage;
- review of any exceptions reported by SunTrust to the ACH disbursement file;
- entering and approving wire transfers in SunTrust’s Online Treasury Manager webpage.

Our observation of the ACH payment process relates to an invoice that was paid via ACH before ACH payments to vendors for goods and services were suspended on December 8, 2016. As a result of our walk-through, we identified the following fraud risks and internal control deficiencies and make the following recommendations:

Fraud Risk Identified

Munis permits the accounts payable employee who entered the invoice to approve his own entry, increasing the risk of collusion with the business unit employee who approved the invoice in situations where only one level of approval outside of accounts payable is required to pay the invoice, and facilitating in this way the issuance of fraudulent payments to companies or persons.

Fraud Risk Assessment

High.

Mitigating Controls

Except for certain situations described below, before payments can be made, invoices require the approval of at least one employee outside of accounts payable. In addition, Munis does not permit the same employee to enter an invoice and post the corresponding batch in Accounts Payable. Posting a batch of invoices means in this particular case selecting a group of invoices shown as approved in Munis so that payment can be issued.

Internal Control Deficiency

A best practice in fraud mitigation controls is to implement procedures and controls that require that invoices entered by an Accounts Payable (“A/P”) employee be approved by a different A/P employee. A/P department procedures should not permit an A/P employee to make an invoice entry and also approve the same entry. However, BDO observed that the A/P module of Munis does not prevent an employee from entering an invoice and also approving it. Munis does not issue a specific alert if this happens and there is no procedure in place to detect this. Munis has controls in place that prohibit an employee from entering an invoice and posting it. However, the A/P employee who posts the invoice or batch of invoices does not review the invoice entry, who made the invoice entry, or who approved it in A/P.

Recommendation: BDO recommends that Munis be modified to prevent the same A/P employee from entering an invoice and also approving it. Alternatively, we recommend that the A/P employee who posts the batch of final approved invoices print a report that shows the A/P employee who entered the invoice and the A/P employee who approved the entry before the batch is posted, to ensure that the same employee did not enter and approve the invoice in A/P. In situations where the same A/P employee entered and approved the invoice, the employee who posts the batch should review the invoice entry before posting the batch.

Fraud Risk Identified

Risk of payments to companies which are not authorized vendors due to A/P employees’ rights to change the vendor master file.

Fraud Risk Assessment

High.

Mitigating Control

Changes to the vendor master file must be approved by procurement before they become effective.

Internal Control Deficiency

Any A/P employee can enter a new vendor or change vendor information. Even though the new vendor or change in vendor information would still need to go through an approval workflow in the procurement department before it becomes effective, the risk of fraud increases when employees who process invoices are allowed to enter new vendors or change vendor information in the vendor master file.

Recommendation: BDO recommends that employees who process invoices in Munis be prevented from entering new vendors or changing existing vendor information in the vendor master file.

Fraud Risk Identified

Risk of fraudulent payments to vendors due to the fact that approval of invoices by employees outside of accounts payable is not required in certain situations.

Fraud Risk Assessment

High.

Internal Control Deficiency

In situations where an invoice entry in A/P corresponds to a vendor with an associated general ledger account with cost center “0000,” it is possible to issue an EFT (or check) with the entry having only workflow approval level 3, which is the level assigned to any employee in Accounts Payable. Munis does not require an approval outside of the A/P department for an EFT payment (or check) to be issued in this case. For example, for invoice number 17012000224, dated 1/13/2017, for $21,165, Munis shows that there is only one level of workflow approval, which corresponds to level 3, and this level of approval is assigned to all employees within the A/P department. This means that any employee in the A/P department could have approved the invoice and, once approved, the entry’s status would have changed from pending approval to “approved”. The change in status to “approved” would have allowed an A/P employee to post the invoice and begin the process of issuing a check or EFT to the vendor. In this particular case, the above entry was voluntarily forwarded by an employee in Accounts Payable to the Revenue Manager for approval.
The Acting Accounts Payable Supervisor from A/P informed us that the situation described above occurs between 5% and 10% of the entries made in Accounts Payable. Recommendation: BDO recommends that management research all vendors with an associated general ledger account with cost center “0000” and that changes be made to the general ledger account so that it includes the correct cost center. Further, we recommend that the CFO print a report of general ledger accounts with cost center “0000” and determine whether all payments posted to the accounts since Munis was implemented were approved by employees outside the A/P department in accordance with the Workflow Business Rules maintained by IT. Fraud Risk Identified Risk of payments to companies which are not authorized vendors due to the fact that vendor information can be modified in the ACH disbursement and check register files uploaded to SunTrust. Fraud Risk Assessment High. P a g e | 52 Mitigating Controls ACH payments to vendors for goods and services has been suspended since December 8, 2016. Differences between amounts posted in the bank statements and amounts posted in the general ledger will be identified in the monthly bank reconciliations. Internal Control Deficiency The Acting A/P Supervisor who was responsible for uploading the ACH disbursement text file to SunTrust (Onlinefiletransfer.suntrust.com) before December 8, 2016, was able to make changes to the file before it was sent to SunTrust. In fact, the Acting A/P Supervisor eliminated a space that would otherwise have caused an error. In this regard, we were also able to note that changes could be made to the dollar amount of the ACH, name of the vendor, vendor’s bank account number and routing number, and total amount of the ACHs paid in the ACH disbursement file. 
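The pre-posting report BDO recommends for the invoice approval deficiencies above can be produced from the workflow records. The following is an added illustration, not Munis functionality and not the City's code: for each invoice in a batch it flags the entering A/P employee appearing among the approvers, the absence of any approval by someone outside the A/P department, and a general ledger account carrying cost center "0000", the configuration under which only the A/P-wide level 3 approval applied. The staff list, user names and invoice records are constructed sample data; the specific invoice cited in the report is not reused.

```python
"""Pre-posting segregation-of-duties report for an A/P invoice batch (added example)."""
from typing import Dict, List, Set


def check_invoice(inv: dict, ap_staff: Set[str]) -> List[str]:
    """Return finding codes for one invoice record (an empty list means clean).

    inv: {"invoice", "cost_center", "entered_by", "approvals": [{"user", "level"}]}
    ap_staff: user ids of everyone in the Accounts Payable department.
    """
    findings = []
    approvers = [a["user"] for a in inv["approvals"]]
    if inv["entered_by"] in approvers:
        # Munis allows this; the report is the detective control for it.
        findings.append("ENTERED_AND_APPROVED_BY_SAME_EMPLOYEE")
    if not any(a["user"] not in ap_staff for a in inv["approvals"]):
        # Every approval came from inside A/P: no business-unit sign-off.
        findings.append("NO_APPROVAL_OUTSIDE_AP")
    if inv["cost_center"] == "0000":
        # GL account still carries the placeholder cost center that
        # routes the workflow to the A/P-only approval level.
        findings.append("COST_CENTER_0000")
    return findings


def pre_post_report(batch: List[dict], ap_staff: Set[str]) -> Dict[str, List[str]]:
    """Findings per invoice, for the batch poster to review before posting."""
    return {inv["invoice"]: check_invoice(inv, ap_staff) for inv in batch}


def invoices_needing_review(report: Dict[str, List[str]]) -> List[str]:
    """Invoices the poster must examine before the batch may be posted."""
    return [inv for inv, findings in report.items() if findings]


def sample_report() -> Dict[str, List[str]]:
    """Constructed batch: one clean invoice, one self-approved, one A/P-only."""
    ap_staff = {"ap-clerk-1", "ap-clerk-2", "ap-supervisor"}
    batch = [
        {"invoice": "INV-0001", "cost_center": "1234", "entered_by": "ap-clerk-1",
         "approvals": [{"user": "ap-clerk-2", "level": 3},
                       {"user": "pw-manager", "level": 5}]},
        {"invoice": "INV-0002", "cost_center": "1234", "entered_by": "ap-clerk-1",
         "approvals": [{"user": "ap-clerk-1", "level": 3},
                       {"user": "pw-manager", "level": 5}]},
        {"invoice": "INV-0003", "cost_center": "0000", "entered_by": "ap-clerk-2",
         "approvals": [{"user": "ap-supervisor", "level": 3}]},
    ]
    return pre_post_report(batch, ap_staff)


if __name__ == "__main__":
    report = sample_report()
    for invoice in invoices_needing_review(report):
        print(invoice, report[invoice])
```

Run against the full list of invoices posted since the Munis go-live, the same check answers the CFO's question in the recommendation above: which payments on cost-center-"0000" accounts were ever approved outside A/P.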
In addition, BDO observed that changes could be made to the dollar amount, name of the vendor, check number, and total amount of checks paid in the check register text file that is also uploaded to SunTrust for the purpose of positive pay.

Recommendation: BDO recommends that the City transmit or upload the ACH disbursement file (if and when ACH payments to vendors for goods and services are resumed) and the check register file from Munis to SunTrust without the files being subject to the possibility of manipulation. BDO further recommends that an employee independent of accounts payable processing and with no recordkeeping rights be in charge of uploading or transmitting the ACH disbursement and check register files to SunTrust, while the Acting A/P Supervisor as well as other employees in A/P should have their rights to upload the files to SunTrust revoked.

Internal Control Deficiency
The Acting A/P Supervisor, who was responsible for uploading the ACH disbursement file to SunTrust before December 8, 2016, was able to access Onlinefiletransfer.suntrust.com with a password that did not require a combination of special characters, numbers, upper case letters and lower case letters and that did not need to be changed periodically. In addition, the Acting A/P Supervisor informed BDO that she has had the same password for the past eight months.

Recommendation: BDO recommends that passwords require a combination of special characters, numbers, upper case letters and lower case letters and be changed periodically (at least every three months).

Internal Control Deficiency
The same A/P employee who uploaded the ACH disbursement file to Onlinefiletransfer.suntrust.com was responsible for calling a 1-800 telephone number to communicate the total amount of the ACH disbursement file.
In situations where the ACH disbursement file can be modified, the risk of fraud increases when the same employee makes a separate phone call to the bank to report the total of the ACH disbursement file. Further, the A/P employee who processed the ACHs and checks in Accounts Payable and uploaded the ACH disbursement and check register files also accessed SunTrust (Onlinefiletransfer.suntrust.com) the next morning and reviewed any exceptions that were communicated by SunTrust. For example, an exception could be a check presented for payment that was not in the check register file uploaded. In this context, the risk of fraud is greater when the same A/P employee who processes payments in A/P also uploads the ACH and check register files to SunTrust and reviews the exceptions, which require a pay or return decision.

Recommendation: BDO recommends that an employee independent of Accounts Payable processing and with no recordkeeping rights be in charge of downloading the original ACH disbursement and check register files from Munis and uploading or transmitting these files to SunTrust without being able to modify them. Once these files have been uploaded, the A/P employee who issued the ACHs and checks should independently call the 1-800 telephone number to communicate the total amount of the ACH disbursement and check register files. Under these circumstances, the employee independent of Accounts Payable processing who uploaded the ACH disbursement and check register files to SunTrust should access SunTrust (Onlinefiletransfer.suntrust.com) the next morning and review any exceptions to ACH disbursements and checks that were communicated by SunTrust.
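The two deficiencies above (an editable disbursement file, and the same person uploading it and phoning in its total) can be closed technically as well as organizationally. The following is an added example written for this review; it is not code from the BDO report, from Munis or from SunTrust. It assumes the export uses the NACHA fixed-width layout that bank ACH portals accept, that the role exporting from the ERP holds an HMAC key the uploading role does not have, and it uses constructed sample payments rather than City data. The uploader recomputes the control totals from the entry records and checks the export's tag before transmitting; the callback total is read from the file control record rather than from whoever prepared the file.

```python
"""Tamper-evident hand-off of an ACH disbursement file (added example).

Assumptions: NACHA fixed-width layout; the exporting role holds an HMAC key the
uploading role does not; PAYMENTS and KEY below are constructed, not City data.
"""
import hashlib
import hmac

RECORD_LEN = 94
DEBIT_CODES = {"27", "28", "29", "37", "38", "39"}   # NACHA tx codes that debit the receiver

# Constructed sample payments: (receiving DFI routing number, account, cents, payee).
PAYMENTS = [
    ("123456780", "123456789", 2_116_500, "SAMPLE VENDOR A"),
    ("987654320", "987654321", 4_500_000, "SAMPLE VENDOR B"),
]
KEY = b"demo-key-held-by-the-exporting-role-only"   # assumption: provisioned out of band


def _entry(rdfi, account, cents, payee, trace):
    """One '6' entry detail record: PPD credit (tx code 22), 94 columns."""
    return ("6" + "22" + rdfi[:8] + rdfi[8] + account.ljust(17)[:17]
            + f"{cents:010d}" + " " * 15 + payee.ljust(22)[:22] + "  " + "0" + trace)


def build_file(payments, odfi="07100001", company_id="1234567890"):
    """Assemble a one-batch NACHA file; header fields irrelevant to the check are left blank."""
    lines = ["101".ljust(RECORD_LEN), "5220".ljust(RECORD_LEN)]
    lines += [_entry(r, a, c, p, f"{odfi}{i:07d}") for i, (r, a, c, p) in enumerate(payments, 1)]
    entry_hash = sum(int(r[:8]) for r, _, _, _ in payments) % 10**10
    credit = sum(c for _, _, c, _ in payments)
    lines.append("8220" + f"{len(payments):06d}" + f"{entry_hash:010d}" + f"{0:012d}"
                 + f"{credit:012d}" + company_id + " " * 25 + odfi + f"{1:07d}")
    blocks = -(-(len(lines) + 1) // 10)             # 10 records per block, file control included
    lines.append("9" + f"{1:06d}" + f"{blocks:06d}" + f"{len(payments):08d}" + f"{entry_hash:010d}"
                 + f"{0:012d}" + f"{credit:012d}" + " " * 39)
    lines += ["9" * RECORD_LEN] * (blocks * 10 - len(lines))   # block padding
    return "\n".join(lines) + "\n"


def _records(text):
    return [l for l in text.splitlines() if l and l != "9" * RECORD_LEN]


def control_discrepancies(text):
    """Recompute count, entry hash and totals from the '6' records; compare with '8' and '9'."""
    details = [l for l in _records(text) if l[0] == "6"]
    have = (len(details),
            sum(int(l[3:11]) for l in details) % 10**10,
            sum(int(l[29:39]) for l in details if l[1:3] in DEBIT_CODES),
            sum(int(l[29:39]) for l in details if l[1:3] not in DEBIT_CODES))
    problems = []
    for l in _records(text):
        if l[0] == "8":       # batch control: count 5-10, hash 11-20, debit 21-32, credit 33-44
            declared = (int(l[4:10]), int(l[10:20]), int(l[20:32]), int(l[32:44]))
        elif l[0] == "9":     # file control: count 14-21, hash 22-31, debit 32-43, credit 44-55
            declared = (int(l[13:21]), int(l[21:31]), int(l[31:43]), int(l[43:55]))
        else:
            continue
        names = ("entry count", "entry hash", "total debit", "total credit")
        for name, want, got in zip(names, have, declared):
            if want != got:
                problems.append(f"record {l[0]}: {name} declared {got}, recomputed {want}")
    return problems


def seal(text, key):
    """Tag the exporting role computes at export time and hands to the uploader separately."""
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()


def verify_for_upload(text, key, tag):
    """What the independent uploader runs before transmitting; an empty list means 'send it'."""
    problems = []
    if not hmac.compare_digest(seal(text, key), tag):
        problems.append("HMAC mismatch: file is not the one exported from the ERP")
    return problems + control_discrepancies(text)


def callback_total(text):
    """Dollar total from the '9' record: the figure the separate caller reads to the bank."""
    for l in _records(text):
        if l[0] == "9":
            return int(l[43:55]) / 100
    raise ValueError("no file control record")


if __name__ == "__main__":
    export = build_file(PAYMENTS)
    tag = seal(export, KEY)
    print("clean export:", verify_for_upload(export, KEY, tag), callback_total(export))
    # Editing one amount in place breaks the totals and the tag.
    print("edited:", verify_for_upload(export.replace("0002116500", "0009116500"), KEY, tag))
    # Rebuilding with a changed amount keeps the totals consistent; only the tag catches it.
    rebuilt = build_file([("123456780", "123456789", 9_116_500, "SAMPLE VENDOR A")] + PAYMENTS[1:])
    print("rebuilt:", verify_for_upload(rebuilt, KEY, tag))
```

The total check alone catches the crude edit (one amount changed, control records left alone); a rebuilt file with consistent totals is only caught by the HMAC, which is why the key must stay with the exporting role and the uploader must not be able to regenerate the file.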
Testing of internal controls
BDO tested ACH disbursements to vendors for goods and services and wire transfers that were made during the period from July 1, 2016 to December 31, 2016 to determine if the expenditures were properly approved, supporting documentation existed, and the payments and payees per the disbursement register matched the payments and payees per the bank statement. We randomly selected a sample of 25 ACH debits and wire transfers from the disbursement register covering the period indicated above. We identified the following fraud risks and deficiencies in internal controls and offer the following recommendations:

Fraud Risk Identified
Risk of fraudulent payments to vendors because Munis allows the same City officer to fulfill the different levels of invoice approval and permits invoices exceeding $1,000,000 to be approved by City officers other than the City Manager.

Fraud Risk Assessment
High.

Mitigating Controls
Budgetary constraints may set a limit on the amount to be spent on a particular project. Wire transfers in SunTrust require that the employee who initiates the transfer be different from the employee who approves the transfer.

Internal Control Deficiency
The invoice entry for EFT No. 406106, dated 9/30/16, for $15,985,119.21, paid to a City vendor, was approved in Munis only by the Chief of Staff, with approval levels of 20, 40, and 60. In addition, the invoice entry for wire No. 36456600, dated 5/15/16, for $14,835,994.46, paid to an approved construction vendor, was approved by a City employee with an approval level of 20 and the Chief of Staff with an approval level of 40, without the City Manager's approval. The draft memo regarding Accounts Payable invoice and purchasing workflow approvals provided by the Deputy Finance Director documents that the City Manager (approval level 60) is required to approve all expenditures above $1,000,000.
The workflow business rules document obtained from IT also indicates that the City Manager has an approval level of 60 for expenditures exceeding $1,000,000.

Recommendation: BDO recommends that the City Manager review all payments exceeding $1,000,000 made since Munis' implementation and verify that he approved the expenditure. BDO further recommends that the City verify that these same payments exceeding $1 million were properly approved at the other required approval levels. BDO recommends that Munis be modified so as not to allow significant payments to be issued unless the approvals of at least two different City officers have been documented in the system (see the invoice entry for EFT No. 406106). Further, Munis should be modified so as not to allow payments exceeding $1,000,000 to be issued unless the approval of the City Manager has been documented in the system.

Internal Control Deficiency
Typically in Munis, invoices entered in the Accounts Payable module by an A/P employee require another A/P employee to approve the entry. This second A/P employee approval was not documented in Munis for wire numbers 36800728, 36806161, and 36806176, dated 8/31/16, for $8,547,250, $4,153,975, and $4,550,634, respectively, paid to US Bank, NA. In addition, Munis shows that the invoice entries for these three wires, which correspond to debt service payments, were approved only by the former Treasurer. Similarly, the invoice entry for wire No. 177, dated 11/30/16, for $4,280,351.36, paid to US Bank, NA for debt service, had the approval of only the former Treasurer and an employee from the budget office with an approval level of 30. Even though this might not have been a violation of the workflow business rules document provided by IT, the City Manager's approval should have been documented in Munis because of the magnitude of the amounts paid.
Recommendation: BDO recommends that Munis be modified so as not to allow payments to be issued unless the A/P employee who approved the entry is documented in the system. We further recommend that Munis be modified so as not to permit payments exceeding $1,000,000 to be issued unless the approval of the City Manager has been documented in the system.

Internal Control Deficiency
The invoice entry for wire No. 82, dated 10/12/16, for $532,784.80, paid to a City vendor, was approved only by the City Manager (approval level 60). The draft memo regarding Accounts Payable invoice and purchasing workflow approvals provided by the Deputy Finance Director indicates that another approval at a level between 40 and 55 would have been necessary to approve this expenditure.

Recommendation: BDO recommends that the CFO review all payments exceeding $500,000 made since Munis' implementation and verify that at least one other employee's approval between levels 40 and 55 has been documented in the system in addition to the City Manager's approval. Further, Munis should be modified so as not to allow payments exceeding $500,000 to be issued without the invoice entry approval of at least two employees with approval levels between 40 and 55 documented in the system.

Internal Control Deficiency
With regard to the invoice entry for wire No. 167, dated 11/16/16, for $410,744.83, paid to Miami Beach FOP Health Tr, the Risk Manager was not identified in the Munis workflow as the reviewer and approver of the entry despite the fact that she was the relevant approver. For this reason, the A/P employee who made the entry forwarded the respective invoice entry to the Risk Manager to obtain her approval. Similarly, in the case of the invoice entry for wire No. 177, dated 11/30/16, for $4,280,351.36, paid to US Bank, NA, the former Treasurer did not automatically show in the Munis workflow for review and approval of the entry despite the fact that he was the relevant approver.
For this reason, the A/P employee who made the entry forwarded the respective invoice entry to the former Treasurer to obtain his approval.

Recommendation: BDO recommends that management review, since the implementation of Munis, all significant payments issued for which the Risk Manager's approval or the former Treasurer's approval would have been required and verify that the corresponding approvals were documented in the system. We further recommend that Munis be modified so as not to allow payments to be issued when the approval of the Risk Manager or Treasurer is deemed necessary but not received.

VI. ACCESS CONTROLS, RIGHTS, AND PERMISSIONS

BDO reviewed the following documents:
- The SunTrust CB User Setup Report, run date January 20, 2017, to determine the current online access rights of City employees to the SunTrust General Depository Bank Account and ZBA and the employees with authority to grant online access;
- The current ancillary implementation agreement with SunTrust regarding fund transfer services, to determine the employees who have PINs and are therefore authorized to approve wire transfers on the SunTrust General Depository Bank Account and ZBA;
- The Master Deposit Account Resolution executed March 2, 2016 covering the compromised SunTrust General Depository Bank Account and ZBA, and the Deposit Account Resolution executed December 21, 2016 covering the newest SunTrust General Depository Bank Account, to determine the City officers who are authorized signers;
- The City – Munis ERP System, Roles and Members, to determine the recordkeeping rights of City employees; and
- Workflow Business Rules.

BDO inquired of relevant employees about their online access rights to the SunTrust General Depository Bank Account and ZBA as well as their access rights in Munis. We also inquired of the Director of IT and the Deputy Finance Director about the process for changing the invoice approval queues.
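The workflow findings in the preceding section (EFT No. 406106, wires 36456600, 36800728, 82 and 167) are all instances of rules that can be checked mechanically over the approval records Munis already stores, both as a pre-payment gate and for the look-back reviews recommended above. The following is an added example written for this review, not code from the BDO report or from Munis. It encodes the rules as the report describes them (level 3 = A/P entry approval, levels 40 to 55 = director band, level 60 = City Manager); the $500,000 line used for "significant" payments, the treatment of levels 20 and above as officer approvals, and the sample entries' approver labels are assumptions.

```python
"""Workflow approval checks for invoice entries (added example).

Assumptions: level 3 = A/P entry approval, 40-55 = director band, 60 = City
Manager; levels >= 20 are officer approvals; $500,000 is the "significant"
line. SAMPLE is constructed from the findings; approver labels are placeholders.
"""
from dataclasses import dataclass

AP_LEVEL = 3
DIRECTOR_BAND = range(40, 56)
CITY_MANAGER = 60
OFFICER_MIN = 20
SIGNIFICANT_CENTS = 500_000_00
CITY_MANAGER_CENTS = 1_000_000_00


@dataclass
class Entry:
    ref: str
    amount_cents: int
    entered_by: str
    approvals: list                # (level, approver) as recorded in the workflow
    required_named: tuple = ()     # approvers the workflow must route to (e.g. Risk Manager)


def violations(e):
    """Rule breaches for one entry; an empty list means the entry may be paid."""
    out = []
    by_level = {}
    for level, who in e.approvals:
        by_level.setdefault(level, set()).add(who)
    approvers = {who for _, who in e.approvals}

    ap = by_level.get(AP_LEVEL, set())
    if not ap:
        out.append("no level 3 A/P entry approval documented")
    elif ap == {e.entered_by}:
        out.append("level 3 approval given by the employee who entered the invoice")

    # One officer filling several levels counts as one approval, not several.
    levels_per_officer = {}
    for level, who in e.approvals:
        if level >= OFFICER_MIN:
            levels_per_officer.setdefault(who, []).append(level)
    for who, levels in levels_per_officer.items():
        if len(levels) > 1:
            out.append(f"{who} approved at levels {sorted(levels)}; one officer filled several levels")

    if e.amount_cents > SIGNIFICANT_CENTS:
        if not any(level in DIRECTOR_BAND for level in by_level):
            out.append("amount above $500,000 without a level 40-55 approval")
        if len(levels_per_officer) < 2:
            out.append("significant amount approved by fewer than two distinct officers")
    if e.amount_cents > CITY_MANAGER_CENTS and CITY_MANAGER not in by_level:
        out.append("amount above $1,000,000 without City Manager (level 60) approval")
    for who in e.required_named:
        if who not in approvers:
            out.append(f"required approver {who} not documented")
    return out


def review(entries):
    """The look-back review: every entry with at least one breach, keyed by reference."""
    report = {}
    for e in entries:
        problems = violations(e)
        if problems:
            report[e.ref] = problems
    return report


# Constructed entries modelled on the findings; approver labels are placeholders.
SAMPLE = [
    Entry("EFT 406106", 15_985_119_21, "ap_clerk_1",
          [(3, "ap_clerk_2"), (20, "chief_of_staff"), (40, "chief_of_staff"), (60, "chief_of_staff")]),
    Entry("wire 36456600", 14_835_994_46, "ap_clerk_1",
          [(3, "ap_clerk_2"), (20, "city_employee"), (40, "chief_of_staff")]),
    Entry("wire 36800728", 8_547_250_00, "ap_clerk_1", [(40, "former_treasurer")]),
    Entry("wire 82", 532_784_80, "ap_clerk_1", [(3, "ap_clerk_2"), (60, "city_manager")]),
    Entry("wire 167", 410_744_83, "ap_clerk_1",
          [(3, "ap_clerk_2"), (50, "dept_director")], required_named=("risk_manager",)),
    Entry("invoice ok", 250_000_00, "ap_clerk_1", [(3, "ap_clerk_2"), (50, "dept_director")]),
]

if __name__ == "__main__":
    for ref, problems in review(SAMPLE).items():
        print(ref)
        for p in problems:
            print("  -", p)
```

Run against a Munis approval-history extract, the same function produces the list of payments the City Manager and CFO are asked above to review by hand; as a gate in the workflow it refuses to release a payment until the list is empty.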
Based on the testing performed, BDO identified the following fraud risks and deficiencies in internal controls, and offers the following recommendations:

Fraud Risk Identified
Lack of segregation of custody of assets (control over cash) duties from recordkeeping duties in the Deputy Finance Director and other positions, which could lead to misappropriation of cash and concealment through the recording of inappropriate journal entries.

Fraud Risk Assessment
High.

Mitigating Control
The accounting software does not allow the same employee to record and approve his own journal entry. Wire transfers in SunTrust require that the employee who initiates the transfer be different from the employee who approves the transfer.

Internal Control Deficiency
The Deputy Finance Director's custody of assets rights (control over cash), derived from being an authorized signer on the SunTrust accounts and having the ability to make or approve wire transfers, were incompatible with her recordkeeping rights in Munis. As a result, during our field work BDO recommended that the Deputy Finance Director request that her recordkeeping rights in Munis be cancelled. Following our recommendation, the Deputy Finance Director stated to us that she no longer has recordkeeping rights in Munis, which we were able to verify. However, we are unaware of a mechanism that would prevent the Deputy Finance Director from reacquiring recordkeeping rights from IT.

Recommendation: We recommend that the new CFO contact IT and clarify that only he can authorize IT to grant recordkeeping rights back to the Deputy Finance Director.

Internal Control Deficiency
The Assistant Director in the Finance Department has custody of assets rights (control over cash), derived from being an authorized signer on the SunTrust accounts, that are incompatible with his recordkeeping rights in Munis.

Recommendation: BDO recommends that the Assistant Director's recordkeeping rights be revoked.
Internal Control Deficiency
The Accounting Manager has custody of assets rights (control over cash), derived from having the ability to initiate or approve wire transfers and having rights to upload disbursement files to SunTrust and make pay/return decisions on positive pay exceptions, that are incompatible with her recordkeeping rights in Munis.

Recommendation: BDO recommends that the Accounting Manager's custody of assets rights be revoked.

Internal Control Deficiency
The Revenue Manager has custody of assets rights (control over cash), derived from having the ability to initiate wire transfers, being the system administrator, and having rights to make pay/return decisions on positive pay exceptions, that are incompatible with his recordkeeping rights in Munis.

Recommendation: BDO recommends that the Revenue Manager's recordkeeping rights be suspended in Munis, leaving him only with view access rights, as long as he continues to have custody of assets rights.

Internal Control Deficiency
A specific Financial Analyst III has custody of assets rights (control over cash), derived from having the ability to initiate wire transfers and having rights to make pay/return decisions on positive pay exceptions, that are incompatible with her recordkeeping rights in Munis.

Recommendation: BDO recommends that the specific financial analyst's custody of assets rights be revoked.

Internal Control Deficiency
The Payroll Processor has custody of assets rights (control over cash), derived from having the ability to upload ACH disbursement files to SunTrust and entering (funding) payroll manual checks in SunTrust, that are incompatible with his recordkeeping rights in Munis.

Recommendation: BDO recommends that the Payroll Processor's custody of assets rights be revoked.
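Every deficiency in this list is the same pattern: one person holds a custody right in SunTrust and a recordkeeping right in Munis. That pattern, and the related one of one person holding several bank user IDs so that the bank's initiate/approve separation no longer binds, can be detected from the user setup report and the Munis roles extract rather than by reading them side by side. The following is an added example written for this review; it is not code from the BDO report, from SunTrust or from Munis. The right names, their classification into custody, recordkeeping and administrative classes, and the person-to-account mapping are assumptions modelled on the findings, and the account list is constructed rather than the City's data.

```python
"""Incompatible-rights audit over a combined bank/ERP entitlement extract (added example).

Assumptions: right names and their classes below are illustrative; ACCOUNTS is a
constructed extract whose roles follow the report but whose rights are not City data.
"""
from collections import defaultdict

CUSTODY, RECORDKEEPING, ADMIN = "custody", "recordkeeping", "admin"

RIGHT_CLASS = {
    "suntrust_authorized_signer": CUSTODY,
    "suntrust_wire_initiate": CUSTODY,
    "suntrust_wire_approve": CUSTODY,
    "suntrust_file_upload": CUSTODY,
    "suntrust_positive_pay_decision": CUSTODY,
    "printed_check_custody": CUSTODY,
    "munis_journal_entry": RECORDKEEPING,
    "munis_vendor_invoice": RECORDKEEPING,
    "munis_vendor_master": RECORDKEEPING,
    "munis_view_only": None,            # compatible with everything
    "suntrust_otm_admin": ADMIN,        # can create OTM users, so must not also move cash
}
INCOMPATIBLE = [(CUSTODY, RECORDKEEPING), (ADMIN, CUSTODY)]


def audit(accounts):
    """accounts: iterable of (person, system, user_id, rights).
    Rights are unioned per person across all accounts, so a second user ID cannot hide a conflict.
    Returns {person: [finding, ...]} for persons with at least one finding."""
    per_person = defaultdict(list)
    for person, system, user_id, rights in accounts:
        per_person[person].append((system, user_id, set(rights)))

    report = {}
    for person, accts in per_person.items():
        findings = []
        ids_by_system = defaultdict(list)
        for system, user_id, _ in accts:
            ids_by_system[system].append(user_id)
        for system, ids in sorted(ids_by_system.items()):
            if len(ids) > 1:
                findings.append(f"{len(ids)} user IDs in {system}: {', '.join(sorted(ids))}")

        held = set().union(*(rights for _, _, rights in accts))
        by_class = defaultdict(set)
        for right in held:
            cls = RIGHT_CLASS[right]    # KeyError here means the extract has a right nobody classified
            if cls:
                by_class[cls].add(right)
        for a, b in INCOMPATIBLE:
            if a in by_class and b in by_class:
                findings.append(f"{a} {sorted(by_class[a])} incompatible with {b} {sorted(by_class[b])}")

        # OTM stops one user ID from initiating and approving the same wire; two IDs defeat that.
        otm_ids = ids_by_system.get("suntrust_otm", [])
        if {"suntrust_wire_initiate", "suntrust_wire_approve"} <= held and len(otm_ids) > 1:
            findings.append("can initiate a wire under one OTM user ID and approve it under another")
        if findings:
            report[person] = findings
    return report


# Constructed extract: roles follow the report, rights are illustrative, not the City's actual data.
ACCOUNTS = [
    ("deputy_finance_director", "suntrust_otm", "dfd01",
     {"suntrust_authorized_signer", "suntrust_wire_approve", "suntrust_otm_admin"}),
    ("deputy_finance_director", "munis", "dfd", {"munis_journal_entry"}),
    ("revenue_manager", "suntrust_otm", "rm01",
     {"suntrust_wire_initiate", "suntrust_otm_admin", "suntrust_positive_pay_decision"}),
    ("revenue_manager", "suntrust_otm", "rm02", {"suntrust_wire_approve"}),
    ("revenue_manager", "munis", "rm", {"munis_journal_entry"}),
    ("payroll_processor", "suntrust_otm", "pp01", {"suntrust_file_upload"}),
    ("payroll_processor", "munis", "pp", {"munis_journal_entry"}),
    ("treasurer", "suntrust_otm", "tr01", {"suntrust_wire_approve"}),
    ("treasurer", "munis", "tr", {"munis_view_only"}),
]

if __name__ == "__main__":
    for person, findings in audit(ACCOUNTS).items():
        print(person)
        for f in findings:
            print("  -", f)
```

The treasurer profile in the sample (one bank right, view-only in Munis) comes out clean, which is the shape the report later proposes for the person who reviews wires daily. Re-running the audit on each new user setup report is the mechanism the report says it could not find for detecting a right quietly granted back by IT.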
Internal Control Deficiency
The Acting A/P Supervisor has custody of assets rights (control over cash), derived from having the ability to initiate wire transfers, having rights to upload disbursement files to SunTrust and make pay/return decisions on positive pay exceptions, and having custody of printed checks, that are incompatible with her recordkeeping rights (i.e., the ability to make journal entries as well as record vendor invoices) in Munis.

Recommendation: BDO recommends that the Acting A/P Supervisor's custody of assets rights be revoked.

Internal Control Deficiency
A specific A/P financial analyst has custody of assets rights (control over cash), derived from having rights to upload disbursement files to SunTrust and make pay/return decisions on positive pay exceptions, that are incompatible with his recordkeeping rights (i.e., the ability to make journal entries as well as record vendor invoices) in Munis.

Recommendation: BDO recommends that the specific financial analyst's custody of assets rights be revoked.

Fraud Risks Identified
There is a risk that wire transfers could be made to companies or persons for no business purpose, because authorized signers can request from SunTrust PINs for wire transfer approval for persons who are not employees of the City. Similarly, system administrators can request from SunTrust User ID numbers for persons who are not employees of the City and grant them rights to initiate wire transfers, or can request an additional User ID for themselves. Further, phone-in wires are not always selected for verification by SunTrust. Additionally, the Deputy Finance Director's PIN wire approval and wire initiation limits are set as unlimited.

Fraud Risk Assessment
High.

Mitigating Control
Differences between amounts posted in the bank statements and amounts posted in the general ledger will be identified in the monthly bank reconciliations.
Internal Control Deficiency
Only officers who are authorized signers on the General Depository Bank Account can request that SunTrust provide a PIN to a person designated by them. The PIN is used for approving wires (and entering payroll wire transfers) in SunTrust Online Treasury Manager ("OTM"). OTM does not allow the same person to enter and approve a wire transfer. Based on the documentation provided by SunTrust, the bank relies on the authorized signer's request when assigning a PIN to the person indicated in the Ancillary Implementation Agreement, without independently verifying that this person is an employee of the City. Therefore, any of the authorized signers could assign a PIN to a person who is not an employee of the City, such as a friend or a family member, in which case a wire transfer could be entered in OTM by the friend or family member while the authorized signer approves it, if s/he also has a PIN.

Recommendation: BDO recommends that the City negotiate with SunTrust a requirement that at least two authorized signers sign the Ancillary Implementation Agreement in order to request a PIN for a designated person. We also recommend that the Treasurer, assuming that s/he is not included as an authorized signer and does not have recordkeeping rights, review all wire transfers on a daily basis.

Internal Control Deficiencies
The Deputy Finance Director, as the SunTrust Online Treasury Manager system administrator, can request from SunTrust a User ID number for a person who is not an employee of the City and grant him rights to initiate wire transfers from the General Depository Bank Account. Accordingly, a friend or family member could initiate a wire transfer and the Deputy Finance Director would be able to approve it using her PIN. Similarly, the Deputy Finance Director as the system administrator can request an additional User ID for herself.
If this happened, the Deputy Finance Director would be able to access SunTrust Online Treasury Manager and initiate a wire transfer using one of the User IDs, while later approving the wire transfer using the other User ID, the one associated with her PIN.

Recommendation: We recommend that the City establish a dual administration setup that requires two system administrators to create and remove users in SunTrust Online Treasury Manager.

Internal Control Deficiency
The Revenue Manager has two User IDs for logging into SunTrust Online Treasury Manager.

Recommendation: We recommend that the duplicate user profile be deleted from SunTrust Online Treasury Manager.

Internal Control Deficiency
Phone-in wires are not always selected for verification by SunTrust, in which case a wire transfer can go out with only the authorization of the PIN holder who initially called in the wire.

Recommendation: We recommend that the City complete SunTrust Wire Transfer – Schedule G – Amendment to Callback Security Procedures, which will require SunTrust to call back for verification on all phone-in wires.

Internal Control Deficiency
Currently, the Deputy Finance Director's PIN wire approval and wire initiation limits are set as unlimited.

Recommendation: We recommend that a dollar amount limit be set for the Deputy Finance Director's PIN wire approval and wire initiation limits.

Fraud Risk Identified
Lack of segregation of invoice processing duties from recordkeeping journal entry rights in Accounts Payable employee positions, which could lead to misappropriation of cash and concealment through the recording of inappropriate journal entries.

Fraud Risk Assessment
High.

Mitigating Control
The accounting software does not allow the same employee to record and approve his own journal entry. Two levels of approval are required for non-revenue type journal entries, while one level of approval is required for revenue type journal entries.
Internal Control Deficiency
Employees in the Accounts Payable division have rights to record journal entries and post them to the general ledger once the journal entries have been approved by another employee. The risk of fraud increases when individuals responsible for invoice processing and for recording disbursements in the cash disbursement records can also make journal entries, which can be used to record unauthorized payments that would otherwise not have been allowed and issued in the Accounts Payable module of Munis. Additionally, journal entries can be used to reclassify unauthorized disbursements originally posted to a general ledger account in the Accounts Payable/Cash Disbursement module of Munis to another general ledger account in order to conceal the payments.

Recommendation: BDO recommends that employees in the Accounts Payable division have their rights to record journal entries in Munis revoked.

Fraud Risk Identified
The Acting Accounts Payable Supervisor and other Accounts Payable employees can process invoices for payment and approve the invoices at the Department Director level (approval level 50) when the associated cost center falls within the range 9000-9999. This lack of segregation of duties could result in inappropriate payments being issued.

Fraud Risk Assessment
High.

Internal Control Deficiency
The Workflow Business Rules document that BDO obtained from IT shows that the Acting Accounts Payable Supervisor and other Accounts Payable employees have an approval level of 50 (Department Director) associated with any cost center in the range 9000-9999. Management explained to us that this cost center range was more "city-wide" and, therefore, Finance was going to review at that level. The risk of fraud increases when invoices can be approved for payment by the same employees who processed them.
Recommendation: We recommend that Accounts Payable employees have their invoice approval rights removed, except for approval level 3, which is only a cursory review of the invoice entry. Further, we recommend that management research and review all significant payments made since Munis' implementation where an approval at level 50 was made by an A/P employee but the nature of the invoice paid would have required that the level 50 approval be made by an employee outside of the A/P division.

Fraud Risk Identified
Lack of an independent review of changes made by IT employees to the invoice approval queues, which may result in unauthorized changes not being detected in a timely manner.

Fraud Risk Assessment
High.

Internal Control Deficiency
Only certain IT employees have administrative rights that allow modifications to the invoice approval queues. Requests to make changes to the approval queues are sent to the Munis Workflow email box with the approval of the department head or designee. However, no employee independent of IT and not part of the approval queue is responsible for reviewing an audit trail of approval queue activity to verify whether changes to the approval queues are authorized.

Recommendation: BDO recommends that an employee independent of IT and with no rights to request or make changes to the approval queues be responsible for reviewing an audit trail of approval queue activity to verify whether changes to the invoice approval queues are authorized.

Conclusion
While BDO understands that there are mitigating controls in place, such as Munis not allowing the same employee to approve his own journal entry or SunTrust Online Treasury Manager not allowing the same employee to approve a transfer he initiated, the risk of fraud nonetheless increases when employees who have recordkeeping duties also have custody of assets rights (control over cash).
The fewer the obstacles that must be overcome to defeat a control, and the fewer the persons who need to collude, the greater the risk of fraud.

VII. OTHER RISK MANAGEMENT CONSIDERATIONS

In conducting our fraud risk assessment, BDO identified certain other risk management related considerations for the City, as detailed below.

A. Permanent Staffing

BDO obtained the Finance Department Organizational Chart FY 2016/17 and conducted an analysis of staffing related issues that are noteworthy from a fraud risk standpoint. As part of the assessment, BDO noted the following, based on the interviews conducted with City personnel and the review of documents provided by the City:
- The following Finance Department personnel resigned from leadership positions of significant responsibility in Fiscal Years 2015, 2016 and 2017:
  - Patricia Walker, CFO, resigned/retired in September 2015.
  - Georgina Echert, Assistant Finance Director, resigned in September 2015.
  - John Woodruff, Interim CFO, September 2015 through January 2016, resigned in February 2016. (Note: Mr. Woodruff was rehired as the City's CFO in February 2017.)
  - John Schumaker, Deputy Finance Director, resigned in September 2016.
  - Juan Rodriquez, Treasury Manager, resigned in December 2016.
  - Ramon Suarez, former Finance Manager in Accounts Payable, was transferred from Accounts Payable to Budget in January 2016 and is currently an employee in HR.

BDO compared the current finance staff at the City to the Finance Department Organizational Chart (not including the customer service center) for FY 2016-2017, and the following positions are open:[2]
- Financial Analyst III (3 vacant of 9 total positions on the org chart)
- Financial Analyst II (2 of 12 vacant)
- Financial Analyst I (3 of 7 vacant)
- Temps (one filled, one vacant)

Recommendations: BDO recommends that the City develop a documented plan of action to address staffing losses and staffing deficiencies in the Finance Department.
The plan of action should include an assessment of staffing losses in critical leadership positions as well as losses in key staffing positions where there is a direct impact on meeting the timeline and execution requirements of internal controls, policies and procedures established to mitigate fraud. The City should determine the minimum staffing model required in the Finance Department to meet the risk appetite of the City.

[2] The Chief Accountant (1 position, which was renamed "Accounting Manager") and Treasury Manager were filled shortly before the finalization of this report.

BDO recommends that the City develop a procedural requirement that staffing in the Finance Department be examined and evaluated by internal audit or through an external independent examination periodically and at least annually. BDO also recommends that background checks be periodically performed on all current employees within the Finance Department.

B. Temporary Staffing

The City utilizes a pool of temporary agencies vetted and approved by the City to provide staffing to fill open positions on a temporary basis. To temporarily fill a position in the Finance Department, a request is made by the Finance Department to Human Resources (HR) describing the duties and responsibilities required of the temporary position. HR identifies approximately three qualified candidates from the approved temporary staffing providers, the Finance Department interviews the candidates, and a final selection is made by the HR Department based on the recommendations made by the Finance Department. BDO determined that two temporary employees hired through the process described above were assigned to sensitive positions in the Finance Department. Both temporary employees were terminated by the City after they applied for permanent positions with the City and the City's own background investigation revealed previous criminal convictions or allegations of embezzlement.
The details are described below.

The first temporary employee was hired as a temporary employee in the Finance Department and served in Accounts Payable from June 2016 to December 2016. This employee applied for a permanent position in Accounts Payable in November 2016, and during the City's background investigation pursuant to her application, a former employer informed the City that the employee had been involved in a theft or embezzlement as the bookkeeper of the business. As a result of the City learning this information, the employee was not selected for the permanent position and her temporary position at the City was terminated.

The second temporary employee was terminated by the City after being vetted by the City for a permanent position in Accounts Payable. This employee was hired as a temporary employee in Accounts Payable through the same process described above in the second quarter of FY 2016. According to the City, the employee was performing well in his temporary position, applied for a permanent position as a Financial Analyst I, and was offered a permanent job; the offer was rescinded after HR learned, while conducting a background investigation related to his application for a permanent position with the City, that he had been convicted of insurance fraud.

Recommendations: BDO recommends that the City re-evaluate the requirements for temporary staffing companies relating to the background investigations that the temporary agency conducts on its employees, to ensure that City approved temporary staffing companies conduct background investigations on their employees that at a minimum identify criminal arrests and convictions and include completed reference checks.

C. Internal Audit

BDO interviewed the Internal Auditor and obtained his internal audit report dated January 27, 2011 covering City payment processing during the period from October 1, 2007 to July 31, 2009.
In 2015, Internal Audit attempted another audit of the City payment process, but it was not completed because the auditor responsible was assigned to another department. The 2015 draft report was never released.

Based on our discussion with the Internal Auditor, the Internal Audit Department has assessed the inherent risk of City payment processing as high, but it has not established a formal process for the assessment of control risk and residual risk. In spite of having assessed inherent risk as high and having scheduled an audit every five years, the Internal Audit Department has not conducted an audit of City payment processing with a report released to the City Manager for over seven years.

Recommendations: BDO recommends that the Internal Audit Department adopt a continuous auditing approach to City payment processing. This continuous auditing approach consists of continuous data assurance (CDA), continuous controls monitoring (CCM) and continuous risk monitoring and assessment (CRMA). CDA ensures the integrity of data flowing through the accounting system; it uses software to extract data from the accounting system for analysis of transactions in order to identify deviations from predetermined benchmarks. CCM also uses software, which monitors access controls, authorizations and system configurations of the accounting system. CRMA is a real-time integrated risk approach that measures risk factors on a continuing basis, integrates various risk scenarios into quantitative models, and provides inputs for audit planning. Alternatively, if a continuous auditing approach is not adopted, BDO recommends that the City hire an independent external auditor to conduct an audit of City payment processing at least every year and formally establish a process for the assessment of control risk and residual risk.

D. Insurance

On December 4, 2016, the City expanded its crime policy with Travelers Casualty and Surety Co. of America.
The previous policy was in effect for many years and covered only dishonest acts by Finance employees. Effective December 4, 2016, the policy was expanded to include $1,000,000 coverage for dishonest acts of any City employee, forgery and alteration, on premises, in transit, money orders and counterfeit paper currency, funds transfer fraud, claim expense, and social engineering.

The City purchased a new Cyber Policy from Illinois National Insurance Company with an effective date of December 21, 2016. The $1,000,000 policy covers network interruption, cyber extortion, security and privacy liability, media, and event management. Both policies described above were expanded or added after a property program expired in June 2016 and a discussion addressed areas where added coverage was needed.

BDO obtained the Arthur J. Gallagher Risk Management Services, Inc. Insurance Summary, prepared for the City on January 6, 2017. The policy information described above was confirmed, as follows:

Coverage: Crime
Effective Date: December 4, 2017
Insurance Carrier: Travelers Casualty and Surety Co. of America
Policy #: 106639672
Premium: $7,909.00

Description of Property and Coverage:
  Employee Dishonesty                         $1,000,000
  Forgery or Alteration                       $1,000,000
  On Premises                                 $1,000,000
  In Transit                                  $1,000,000
  Money Order & Counterfeit Paper Currency    $1,000,000
  Computer Fraud                              $1,000,000
  Funds Transfer Fraud                        $1,000,000
  Claim Expense                               $25,000
  Social Engineering                          $500,000

Deductibles:
  Forgery or Alteration                       $50,000
  On Premises                                 $50,000
  In Transit                                  $50,000
  Money Orders and Counterfeit Money          $50,000
  Computer Fraud                              $50,000
  Funds Transfer Fraud                        $50,000

Coverage: Cyber Liability
Effective Date: December 21, 2016
Insurance Carrier: Illinois National Insurance Company
Policy #: 007509216
Premium: $5,643.00

Description of Limits, Coverages, and Deductibles:
Sub-limits:
  Media Content                               $1,000,000
  Security and Privacy Liability              $1,000,000
  Network Interruption                        $1,000,000
  Event Management                            $1,000,000
  Cyber Extortion                             $1,000,000

Deductibles [3]: $25,000 each and every loss but increased to $25,000 each and every loss in respect to windstorm except as follows:
- $100,000 per occurrence Fire, Theft, Windstorm and Vandalism in respect of the “Holocaust” sculpture
- $25,000 per occurrence in respect of Flood losses in respect of the “Mermaid” sculpture
- $200,000 per occurrence Flood losses respects to property at Bass Museum, 2100 Collins Avenue, Miami Beach, FL.
- $15,000 per occurrence in respect of malicious damage and/or vandalism in respect of other losses policy deductibles to apply in respect of the Sculpture by Dan Graham situated at 1100 Lincoln Road, South Beach, Miami.
- $100,000 per occurrence in respects of Legal Liability.

[3] BDO reviewed the description of deductibles for the Cyber Liability coverage prepared by Arthur J. Gallagher Risk Management Services, Inc.

BDO contacted the City on February 7, 2016 and informed them of the potential error in the deductible description for Cyber Liability. On February 7, 2017, the City’s Risk Manager informed BDO that corrections were being made to the summary document and provided the following deductible information for Cyber Liability via email:

  Coverage                          Policy Limit    Deductible
  Media Content                     $1,000,000      $25,000
  Security and Privacy Liability    $1,000,000      $25,000
  Network Interruption              $1,000,000      $25,000
  Event Management                  $1,000,000      $25,000
  Cyber Extortion                   $1,000,000      $25,000
  Reputation Guard                  $50,000         -0-

According to the Risk Department, the City’s policy may cover the $3.6 million fraud and the City may be able to recover part of the loss from the fraud. The Risk Manager learned of the $3.6 million fraud on December 22, 2016 from the HR Director. The Risk Manager informed the City Manager and subsequently filed a claim with Travelers Insurance to recover the $3.6 million. The claim is pending as the City and SunTrust continue to take action to recover funds related to the fraud.

E. Whistleblower Program and Complaint Monitoring

Both the Internal Auditor and the Director of HR stated to BDO that they are not aware of the existence of a City whistleblower program, where allegations of fraud, corruption, waste and/or abuse by City employees and officers can be anonymously reported.

Recommendations: BDO recommends that the City implement a whistleblower program, managed by an independent office or officer, or alternatively by a special commission consisting of the Internal Auditor, the Director of HR and the City Attorney. The whistleblower program should be available 24 hours a day, 7 days a week, with a toll-free phone hotline, fax number and a web page that would enable an employee or a third party to anonymously report a complaint or tip about fraud, corruption, waste and/or abuse by City employees and officers. All complaints or tips should be evaluated and investigated promptly, and the result of the investigation should be documented and reported to the City Manager, Mayor and Commission.
Documentation should be maintained that clearly indicates the date of the complaint, the whistleblower’s name or whether the person reporting the complaint chose to remain anonymous, the matter of the complaint, the date of resolution of the complaint, how the complaint was resolved, and the date the City Manager, Mayor and Commissioners were informed about the complaint and its resolution. The City should also consider reviewing and revising, as necessary, its ethics and compliance policies and procedures to make sure employees are aware of the whistleblower hotline and program, and are encouraged to utilize the program to report allegations of wrongdoing. The City should encourage the use of internal reporting mechanisms, emphasizing the anonymity and confidentiality of those systems to its employees through various communication channels such as organization-wide meetings, training sessions, emails, posters in public areas and/or wallet cards. In addition, the City should ensure that the whistleblower program and related policy are included in the City’s employee handbook.

Additionally, BDO noted that Customer Service does not have a procedure in place for documenting, filing, and tracking complaints received from customers (e.g., regarding payments of utilities).

Recommendation: BDO recommends that customer complaints be documented indicating at the very least the following:
- Name of customer
- Date of complaint
- Matter of complaint
- Name of employee who addressed the customer’s complaint
- How the complaint was resolved
- Date of resolution of complaint
- Name of manager approving resolution of complaint

BDO recommends that Customer Service report statistics to the City Manager about customer complaints, such as the number of customer complaints opened during the quarter, the number of complaints closed during the quarter, the number of complaints outstanding, and the topics of complaints.

The City’s Response to BDO’s Recommendation

Whistleblowers can use the FBI corruption hotline (754-703-2000, option 4), which is currently advertised on the City's website and the Miami Beach Television station (MBTV). The City chooses to leverage the FBI corruption hotline instead of an internal ethics hotline because it offers a potential whistleblower greater protection from an independent law enforcement agency. The City currently has a police officer assigned to the FBI public corruption investigation task force.

In addition, the Miami-Dade County Office of the Inspector General has a “Report Fraud” phone number at 305-579-2593. Unethical conduct can be reported to the Miami-Dade County Commission on Ethics and Public Trust, which provides assistance in identifying unethical conduct and other forms of public corruption in Miami-Dade County and all 34 municipalities. The Ethics Commission is dedicated to bolstering public trust in the administration of government by informing the public and private sectors about the laws and seeking strict compliance with them. It is empowered to subpoena, audit, and investigate all facts and persons materially related to a complaint at issue. Citizens can report suspected wrongdoing to the Ethics Commission by contacting the 24-hour hotline at 786-314-9560.

The City offers two mandatory training classes, on Ethics and on Ethics Regulation, to all employees. The Ethics training class has been available since 2004 and the Ethics Regulation class has been available since 2013.

F. Payroll

While BDO was inquiring of the Payroll Processor about his disbursement responsibilities, we learned that the payroll process requires two levels of approval in Eden, the City’s financial software used for processing payroll; however, the Payroll Processor can approve the payroll twice. After the second approval is made, a payroll check or ACH is ready to be issued and the payroll journal entry is automatically posted in Eden. The Payroll Processor then uploads a text file with the journal entry to Munis. The Payroll Processor also has the ability to create a new employee or change employee information in Eden and has the right to upload the ACH disbursement and check register files to SunTrust. The Payroll Processor’s payroll processing rights in Eden, recordkeeping rights in Munis, and access rights to the SunTrust General Depository Bank Account and ZBA, as described, increase the risk of fraud.

Recommendation: BDO recommends that the Payroll Processor’s custody-of-assets (control over cash) rights in SunTrust be revoked. Further, the Payroll Processor’s rights to create a new employee or change employee information in Eden should also be revoked. In addition, the Payroll Processor should not be permitted to perform both of the two levels of approval of the payroll process that are required in Eden.

G. Check Printing

Incidental to BDO’s walkthrough of the ACH disbursement and wire transfer process, we observed that the Acting Accounts Payable Supervisor printed the checks corresponding to the SunTrust Zero Balance Account for Accounts Payable. The checks automatically printed with the signatures of the authorized signers. We noticed that a specific accounts payable analyst has the right to print checks as well. The risk of fraud increases when employees responsible for processing accounts payable also have custody of printed checks bearing the signatures of the authorized signers.

Recommendation: BDO recommends that checks printed with the signatures of the authorized signers be handled exclusively by the Treasurer for mailing and distribution purposes, assuming s/he has no recordkeeping rights.

H. The City – Overall Fraud Risk Assessment

Throughout our fraud risk assessment of the City’s Treasury and ACH disbursements process, BDO identified potential vulnerabilities in other departments and functions of the City.
In order for the City to fully understand, identify, assess and evaluate its overall fraud risk, BDO recommends that an overall City-wide fraud risk assessment be conducted and that mitigating internal controls, procedures, and policies be documented and implemented.

APPENDIX A – LIST OF DOCUMENTS REVIEWED

SunTrust Documents
- SunTrust Bank “Ancillary implementation agreement for ACH payment initiation and fund transfer services”, which includes a listing of all of the City’s employees that had wire transfer personal identification number (“PIN”) approval authority, executed on April 4, 2016, September 15, 2016, October 12, 2016 and December 22, 2016
- SunTrust CB User report as of January 20, 2017 showing the current online access rights of City employees to the SunTrust General Depository Bank Account and ZBA
- The Master Deposit Account Resolution executed March 2, 2016 for Accounts covering the SunTrust General Depository Bank Account and Zero-Balance sub-accounts
- Deposit Account Resolution executed December 21, 2016 covering the new General Depository Bank Account
- Daily debit activity reports for the SunTrust General Depository Bank Account and the Redevelopment Agency City Bank Account for January 2017

City Documents
- Schedule of debits posted to the SunTrust General Depository Bank Account and the Redevelopment Agency City Bank Account for January 2017 that require further research
- Electronic Funds Transfer (“EFT”) and wire transfer registers for the period from July 1, 2016 to December 31, 2016
- Monthly bank reconciliations of the SunTrust General Depository and ZBA for the monthly periods July 2016 to December 2016
- Bank reconciliation policy and procedures
- Invoices and other documentation in support of a sample of ACH and wire transfers made during the period from July 1, 2016 to December 31, 2016
- Email correspondence among various City Department personnel
- The Workflow Business Rules as of February 3, 2017, which document the invoice approval levels granted to City employees
- Draft document describing the accounts payable invoicing and purchasing workflow approvals
- The Munis ERP System, Roles and Members, as of February 3, 2017, which is a report that describes City employees’ access rights to the Munis Accounting Software
- Finance Department organizational chart for Fiscal Year 2016/2017
- Staffing document of the City
- Specific temporary employee’s termination document
- City job descriptions
- Internal audit report on City payment processing dated January 27, 2011
- Draft internal audit report dated December 12, 2015
- Travelers Casualty and Surety Co. of America insurance policy effective December 4, 2016
- Illinois National Insurance Company Cyber Insurance policy effective December 21, 2016
- Arthur J. Gallagher Risk Management Services, Inc. Schedule of Insurance Summary prepared for the City on January 6, 2017

APPENDIX B – LIST OF INTERVIEWS CONDUCTED

No.  Employee Name        Title                                       Interview Date(s)
1    Allison Williams     Deputy Finance Director                     January 17, 2017; January 23, 2017; January 25, 2017; January 27, 2017; February 3, 2017
2    Jim Sutter           Internal Auditor                            January 18, 2017
3    Sara Patino          Accounting Manager                          January 17, 2017; January 25, 2017; January 27, 2017; January 30, 2017; February 3, 2017
4    Manny Marquez        Assistant Director                          January 17, 2017; January 20, 2017; January 30, 2017
5    Sonia Bridges        Risk Manager                                January 17, 2017; January 24, 2017
6    Sasha Gonzalez       Customer Service Supervisor                 January 17, 2017
7    Ariel Sosa           Information Technology (“IT”) Director      January 18, 2017
8    Bob Biles            Application Division Director               January 18, 2017
9    Frank Quintana       IT Support Director                         January 18, 2017
10   Michael Smith        Human Resources Director                    January 19, 2017
11   Ramon Suarez         Human Resources Administrator               January 18, 2017
12   Benjamin Nussbaum    Revenue Manager                             January 19, 2017; January 26, 2017; January 27, 2017
13   Diana Castellanos    Acting Accounts Payable Supervisor          January 20, 2017; January 25, 2017; January 26, 2017; January 30, 2017
14   Fernando Pestana     Payroll Processor                           February 1, 2017
15   Steve Leth et al.    SunTrust Relationship Manager (and team)    January 18, 2017
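As an added example, not part of the BDO report and not the City's Munis, Eden or SunTrust tooling, the following Python script illustrates the continuous data assurance (CDA) and continuous controls monitoring (CCM) checks recommended in section C and the two-level approval and access-rights weaknesses described in section F. The register layout, originator codes, benchmark amounts, user identifiers, rights labels and the conflicting-rights pairs are all constructed assumptions for the illustration.

```python
"""Continuous-monitoring checks over a constructed disbursement register.

Added example: the data layout, originator codes, benchmark amounts, user
identifiers and rights labels below are constructed assumptions, not the
formats used by Munis, Eden or SunTrust.
"""

# Pre-approved ACH originators with the predetermined benchmark amount per
# debit (constructed values).
PREAPPROVED_BENCHMARKS = {
    "MERCHANT-SVC-01": 12_400.00,   # merchant services fees
    "BANK-FEES": 3_150.00,          # monthly analysis fees
    "PAYROLL-TAX": 845_000.00,      # payroll tax withholdings
}
TOLERANCE = 0.10  # a deviation above 10% of the benchmark is flagged for review

# Constructed debit register: one row per debit posted to the general
# depository account, with the user ids that approved it (in order).
DEBITS = [
    {"id": "D1", "originator": "MERCHANT-SVC-01", "amount": 12_380.00, "approvers": []},
    {"id": "D2", "originator": "BANK-FEES", "amount": 4_900.00, "approvers": []},
    {"id": "D3", "originator": "NEWVENDOR-LLC", "amount": 150_000.00, "approvers": ["tmgr"]},
    {"id": "D4", "originator": "NEWVENDOR-LLC", "amount": 98_000.00, "approvers": ["tmgr", "dfd"]},
    {"id": "D5", "originator": "PAYROLL-TAX", "amount": 846_200.00, "approvers": ["pay1", "pay1"]},
]

# Constructed access-rights matrix (user -> set of rights across systems).
RIGHTS = {
    "pay1": {"eden:approve_payroll", "eden:maintain_employee",
             "munis:post_journal", "suntrust:upload_ach"},
    "tmgr": {"suntrust:approve_ach"},
    "dfd": {"suntrust:approve_ach"},
    "ap01": {"munis:enter_invoice", "print_signed_checks"},
}

# Right combinations that one person should not hold (segregation of duties).
TOXIC_PAIRS = [
    ("eden:approve_payroll", "suntrust:upload_ach"),     # approve pay and move the cash
    ("eden:maintain_employee", "eden:approve_payroll"),  # create a payee and approve pay
    ("munis:enter_invoice", "print_signed_checks"),      # record a payable and hold the check
]


def benchmark_deviations(debits, benchmarks=PREAPPROVED_BENCHMARKS, tol=TOLERANCE):
    """CDA check: pre-approved debits whose amount deviates from the benchmark."""
    flagged = []
    for d in debits:
        expected = benchmarks.get(d["originator"])
        if expected is not None and abs(d["amount"] - expected) > tol * expected:
            flagged.append(d["id"])
    return flagged


def unlisted_without_dual_approval(debits, benchmarks=PREAPPROVED_BENCHMARKS):
    """Debits from originators not on the pre-approved list need two distinct approvers."""
    return [d["id"] for d in debits
            if d["originator"] not in benchmarks and len(set(d["approvers"])) < 2]


def self_approved_twice(debits):
    """Two-level approval satisfied by one user approving twice (the Eden weakness)."""
    return [d["id"] for d in debits
            if len(d["approvers"]) >= 2 and len(set(d["approvers"])) == 1]


def sod_conflicts(rights=RIGHTS, toxic=TOXIC_PAIRS):
    """CCM check: users holding both rights of any toxic pair."""
    conflicts = {}
    for user, held in rights.items():
        hits = [pair for pair in toxic if pair[0] in held and pair[1] in held]
        if hits:
            conflicts[user] = hits
    return conflicts


def run_all(debits=DEBITS, rights=RIGHTS):
    """Collect every finding into one report dict."""
    return {
        "benchmark_deviations": benchmark_deviations(debits),
        "unlisted_without_dual_approval": unlisted_without_dual_approval(debits),
        "self_approved_twice": self_approved_twice(debits),
        "sod_conflicts": sod_conflicts(rights),
    }


if __name__ == "__main__":
    for check, findings in run_all().items():
        print(f"{check}: {findings}")
```

Run stand-alone, the script flags the bank-fee debit that exceeds its benchmark, the unlisted vendor debit carrying a single approval, the payroll debit approved twice by the same user, and the two users whose combined rights conflict. In practice the register rows would be extracted from the accounting system and the daily bank activity reports listed in Appendix A, and the checks would run on every posting cycle rather than once every several years.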