MIAMI BEACH INTERNAL AUDIT REPORT
City of Miami Beach, 1700 Convention Center Drive, Miami Beach, FL 33139, www.miamibeachfl.gov
Office of Internal Audit, Tel: 305-673-7020

TO: Jimmy L. Morales, City Manager
VIA: Mark D. Coolidge, Assistant Internal Auditor
FROM: Norman D. Blaiotta, Senior Auditor
DATE: October 30, 2017
SUBJECT: Follow-up Review of BDO USA, LLP Audit Report Findings

Upon the discovery of a $3.6 million fraud involving its Treasury and ACH disbursements, the City Administration and Finance Department, among other implemented changes, hired the independent firm of BDO USA, LLP (BDO) to perform an audit. After extensive testing, interviews and analysis, BDO issued a report on May 17, 2017 containing sixty (60) findings with recommendations on how to mitigate the City's risk exposure on these disbursements, which also affected other Finance Department functions including payroll and accounts payable.

The City's Finance Department took a proactive approach and had already begun making needed changes prior to the issuance of BDO's report, but the report identified additional measures. In addition, the Information Technology Department began reviewing the Munis system's internal controls (permissions, user roles and workflows). Binders were subsequently prepared by the Finance Department containing the supporting documentation maintained for each of the recommendations and the corresponding work performed to mitigate the associated risks. Based on our review of this documentation and additional testing performed on the Munis system, Internal Audit verified whether the corrective actions taken were sufficient to attain the desired outcomes.

Exhibit A, located at the end of this memo, provides a synopsis of BDO's sixty (60) recommendations and the City's corresponding management responses in the column entitled "Recommendations / Management Responses". This column also includes any Internal Audit observations, which are presented to provide additional clarification. Furthermore, each recommendation's current status based on Internal Audit's testing is provided in the last column, labeled "Status". In summary, Internal Audit was able to validate that all BDO recommendations were either completed (59) or substantially completed (1) as of October 30, 2017, as shown in the following table:

Status                              Status Definition                                                        Number
Completed                           Fully implemented recommendation                                         50
Compensating Controls Established   Alternative control(s) identified and implemented to achieve the         9
                                    desired outcome
Substantially Completed             Minimal pending items outstanding                                        1
Not Implemented                     Recommendation not addressed                                             0

The one recommendation that was considered substantially completed (#2 in Exhibit A) should be promptly addressed by the Finance Department. Once resolved, Internal Audit should be notified so that the necessary testing can be performed to help ensure that it is completed. Although the corrective actions initiated by the Finance Department for the remaining 59 recommendations achieved the desired tested outcomes, one must remember that this is a dynamic process which must be updated as employees' positions and/or duties change. Lastly, Internal Audit would like to thank the Finance and Information Technology Departments for their assistance and cooperation throughout this review.

cc: John Woodruff, Chief Financial Officer
    Allison R. Williams, Deputy Finance Director
    Ariel Sosa, Director, Information Technology Department
    Michael Smith, Director, Human Resources

INTERNAL AUDIT MEMORANDUM
Follow-up Review of BDO USA, LLP Audit Report Findings
October 30, 2017

EXHIBIT A

Columns: # | Recommendations / Management Responses | Status

1. Recommendation: Employees in charge of approving or rejecting an ACH debit should document the supporting evidence they relied on to determine that the vendor who initiated the ACH debit was legitimate and/or the amount of the ACH debit was correct.
   Management Response: The City no longer makes ACH payments to vendors for goods and services as of December 2016. ACH payments are only approved for merchant services, banking fees, intergovernmental transactions and payroll-related withholdings. Several of the foregoing are on a pre-approved list with the bank and do not require approval. Valid ACH debits that are not on the pre-approved list now require dual approval by the City. The City placed dual approval on ACH debits effective March 2017. Any payments are first approved by the Treasury Manager and then by the Deputy Finance Director. Approvals for merchant services fees are made after they are checked against an approved merchant list maintained by the Treasury Manager. Approvals for banking fees are made after a comparison to the analysis statement provided by the bank.
   Status: Completed

2. Recommendation: The City should review the Munis rights, permissions, and authority of all Finance Department personnel to ensure that record-keeping, approval or rejection, adding and removing approved vendors, and other rights, permissions, and authority are appropriate for their respective roles and represent appropriate separation of duties.
   Management Response: Finance and IT reviewed the access rights in Munis for Finance staff and made the proper changes to reflect the appropriate segregation of duties. The Finance and IT team have set up weekly meetings to continuously examine user rights and roles within the system. In the coming month, the team will review in detail the list noted below in the Internal Audit response and make any additional changes in Munis.
   Internal Audit: Upon request, the IT Department provided an updated report (1,579 pages, 66 employees in total) of the rights granted to Finance Department staff. Internal Audit reviewed and summarized the high-risk rights (access to social security numbers, super user roles, etc.) along with the names of the Finance personnel to whom the rights were granted. A listing summarizing the permissions granted to staff was presented to Finance Department management for review. They are in the process of assessing these granted rights and are making any needed changes.
   Status: Substantially Completed

3. Recommendation: Positive Pay should be added to all Zero-Balance sub-accounts (ZBA) at SunTrust.
   Management Response: The City added Check Block to all non-checking ZBA accounts in April 2017, which is a stronger control than Positive Pay. Check Block is a security service for non-checking accounts. The bank will not process any checks with this service without prior authorization from the City. Positive Pay already exists on all checking ZBA accounts. The monthly bank reconciliation, which covers the review of all debits and credits, was completed through March 2017.
   Internal Audit: The following accounts are with SunTrust but are not managed by the City: general pension accounts, the fire and police pension, and One Miami Beach Inc. In addition, four Police Department accounts are on the City's books but are managed solely by that department. None of the above accounts have Positive Pay or Check Block controls. Although these accounts are not under the control of the Finance Department, Finance has requested that the account owners either apply these security controls or remove these accounts from the City's books.
   Status: Completed

4. Recommendation: Employees from the payroll processing division should be copied on emails sent by the accounts payable supervisor that document the explanations for all debits posted to the General Depository Bank Account, to verify that the payroll ACH debits and wires posted to the General Depository Bank Account actually pertain to the City's payroll.
   Management Response: Beginning in January 2017, the payroll processing division is copied on all such emails.
   Status: Completed

5. Recommendation: Finance Department personnel should document the steps taken in reviewing suspicious items identified in the daily report of debits posted to the General Depository Account and RDA for payees and/or amounts. In addition, items that are validated and cleared should be supported with documentation of the steps taken.
   Management Response: The Finance Department Daily Bank Debits Review Process (Daily Review) procedure was implemented in February 2017. The procedure documents that the Treasury Manager will document any review or inquiries made for payees or amounts that appear suspicious. The procedure also references how items that are validated and cleared should be supported with documentation.
   Status: Completed

6. Recommendation: The spreadsheet for pending research items from the daily report of debits should be forwarded to the Internal Audit Department every day.
   Management Response: The City has restructured the daily review process and a spreadsheet of pending research items from the daily report of debits is no longer necessary. The spreadsheet was part of the temporary action taken by the City to mitigate further losses. In the aftermath of the fraudulent activities and the resignation of the Treasury Manager, the City pulled together available staff from several areas in the Finance Department to put as much oversight as possible on the ACH, banking and disbursement processes. Beginning in February 2017, the City started using a daily debit transaction list which includes all debit transactions, including all checks, wire transfers, ZBA debits, and ACH transactions. All debits are checked and validated in conformance with the procedure and the Treasury Manager sends a copy of the reviewed list to several staff members, including Internal Audit staff. Internal Audit reviews the list, tracks items that are pending further investigation and conducts follow-up of those pending items. Internal Audit keeps a log of items pending follow-up to ensure that all items are resolved within 48 hours.
   Status: Completed: Compensating Controls Established

7. Recommendation: A second review should be performed on the explanation for each debit posted to the General Depository Bank Account by the supervisor of the employee who originally provided the explanation.
   Management Response: All debits are reviewed and approved by City management through the workflow approvals process before they are recorded on the City's books. This is considered the first review. A second review is completed in the Daily Bank Debits Review Process (Daily Review), which was implemented in February 2017. In addition, improved segregation of duties and the timely completion of the bank reconciliation are compensating controls to this review.
   Status: Completed: Compensating Controls Established

8. Recommendation: The daily debit review process should be formally documented and written into a standard operating procedure, and the procedure should specify the employees who will become substitutes in the event that the employees responsible for performing the daily review are absent.
   Management Response: The Finance Department's Daily Bank Debits Review Process (Daily Review) procedure was implemented in February 2017. A Financial Analyst II position is the substitute in the event that the employees responsible for performing the daily review are absent. This new position was added mid-year to facilitate the daily review process and provide for stronger segregation of duties.
   Status: Completed

9. Recommendation: A designated employee from the payroll processing division should be copied on all communications sent by the payroll department that document the explanations for all debits posted to the General Depository Bank Account.
   Management Response: The Payroll Processing Division is now copied on the emails, effective February 2017.
   Status: Completed

10. Recommendation: Each division within the Finance Department should access SunTrust online on a daily basis to review all transactions posted (debits and credits) to their respective bank accounts and record them in the City's books, if they have not already been recorded, provided that the transactions are valid.
    Management Response: Accessing SunTrust online on a daily basis to review all transactions posted is not practical. One of the compensating controls is the Daily Bank Debits Review Process (Daily Review) implemented in February 2017. This process reviews all debits on a daily basis. Cash and checks are reviewed daily and all other credits are checked through the monthly Bank Reconciliation procedure updated in April 2017.
    Status: Completed: Compensating Controls Established

11. Recommendation: The City should establish documented standard operating procedures for the monthly bank reconciliation process. Each step in the monthly bank reconciliation process should be clearly described. A defined period of time should be established, documented, and included in the procedures for completing each phase of the monthly bank reconciliation. Specific timelines for completion should be established for each division within the Finance Department responsible for researching and correcting differences identified during the bank reconciliation process. The bank reconciliation must be completed no later than 30 days from the bank statement date.
    Management Response: The existing bank reconciliation procedure was updated in April 2017. To address timelines for completion, at the beginning of each fiscal year a monthly closing memorandum is prepared by the Finance Department and distributed to all Finance staff. The memorandum includes the dates for recording all transactions into the City Financial System. Adherence to the closing dates on the memorandum will meet this recommendation. The CFO has re-distributed the closing memo to staff to reiterate the importance of correcting differences by the closing dates. In addition, the Deputy Finance Director (DFD) holds monthly meetings to ensure that the underlying issues causing reconciling items are addressed. The DFD will follow up on items not clearing in a timely manner. The procedure states that bank reconciliations shall be completed within 30 days from the close of the books for the month, which is typically 10 to 15 days after the bank statement date.
    Status: Completed: Compensating Controls Established

12. Recommendation: Escalation procedures should be incorporated into the bank reconciliation process, and researching and reconciling differences should be assigned to employees who were not involved in the division that was originally assigned the responsibility for explaining the differences.
    Management Response: To facilitate timely follow-up, beginning in February 2017 the Deputy Finance Director (DFD) holds monthly meetings to ensure that uncleared items and the underlying issues causing reconciling items are addressed. Items are escalated to the DFD and CFO.
    Status: Completed

13. Recommendation: The City should re-define and document what constitutes a completed bank reconciliation. A bank reconciliation is complete when the total amount of the difference between the bank balance per the bank statement (as adjusted for certain typical reconciling items) and the bank balance per the general ledger has been researched and explained.
    Management Response: The City has re-defined what constitutes a completed bank reconciliation. Effective with the February 2017 bank reconciliation, the City revised the process to include distribution of a preliminary reconciliation to staff to show uncleared items. The correspondence includes the date and fiscal period in which the items must be cleared. A final reconciliation with the items cleared, or showing a valid explanation of why an item remains uncleared, is completed and considered the completed bank reconciliation. In addition, monthly meetings have been implemented to ensure that the underlying issues causing reconciling items are addressed.
    Status: Completed
14. Recommendation: Each division within the Finance Department responsible for researching and correcting items identified in the bank reconciliation process should inform the bank reconciliation group in a documented fashion. The bank reconciliation group should, in turn, document the explanations and dates of corrections in the bank reconciliation and follow up with the responsible division on all unresolved differences.
    Management Response: Since February 2017, the documentation of bank reconciliation items has improved markedly due to the addition of key positions that were previously vacant, such as the Treasury Manager (1). A new Financial Analyst I position in the bank reconciliation group was added in March 2017 that facilitates timely research and communication throughout the department. In addition, the Deputy Finance Director has started monthly meetings that facilitate communication across divisions to ensure that issues causing reconciling items are addressed. Since these changes were made, there have been substantially fewer bank reconciliation items.
    Status: Completed

15. Recommendation: Employees who prepare bank reconciliations should have their recordkeeping rights cancelled, or a compensating control, such as independent management review of the reconciliation, should be implemented.
    Management Response: Recordkeeping rights for the employee preparing the general depository pooled cash bank reconciliation have been removed. Employees preparing other bank reconciliations still have recordkeeping and posting rights that are needed to perform additional roles. As a compensating control, a workflow is in place that requires two additional approvals when a journal entry is recorded and/or modified in Munis. In addition, Internal Audit independently reviews all bank reconciliations on a monthly basis for timely completion.
    Status: Completed: Compensating Controls Established

16. Recommendation: Bank reconciliations should identify and document the employee(s) who review(s) them.
    Management Response: The Bank Reconciliation procedure updated in April 2017 states that bank reconciliations are signed by the preparer and reviewed, signed and dated by a supervisor, manager, or Deputy Director. The reconciliation is maintained on file for subsequent reviews and audits.
    Status: Completed

    (1) The prior Treasury Manager was terminated from employment shortly after the discovery of the fraudulent theft.

17. Recommendation: Munis should be modified to prevent the same accounts payable (A/P) employee from entering an invoice and also approving it. Alternatively, we recommend that the A/P employee who posts the batch of final approved invoices print a report that shows the A/P employee who entered the invoice and the A/P employee who approved the entry before the batch is posted, to ensure that the same employee did not enter and approve the invoice in A/P. In situations where the same A/P employee entered and approved the invoice, the employee who posts the batch should review the invoice entry before posting the batch.
    Management Response: The accounts payable workflow process was modified in April 2017 to remove all accounts payable staff from the approval process. Accounts payable staff enter invoices into the workflow process and release them for approval by managers across City departments. The City will continuously review the workflow process to ensure proper segregation of duties and controls.
    Status: Completed

18. Recommendation: Employees who process invoices in Munis should be prevented from entering new vendors or changing existing vendor information in the vendor master file.
    Management Response: Effective April 2017, the creation of new vendors and the modification of existing vendors for goods and services will be handled by the Procurement Department.
    Status: Completed

19. Recommendation: City management should research all vendors with an associated general ledger account with cost center "0000", and changes should be made to the general ledger account so that it includes the correct cost center.
    Management Response: The City updated all general ledger accounts to include applicable cost centers, which are the driving factors behind workflow approvals. In addition, the City has created a systematic catch-all workflow level of approval to capture any systematic errors of missing workflow approvals.
    Status: Completed

20. Recommendation: The CFO should print a report of general ledger accounts with cost center "0000" and determine whether all payments posted to the accounts since Munis was implemented were approved by employees outside the A/P department in accordance with the Workflow Business Rules maintained by IT.
    Management Response: The CFO has completed the process of reviewing and recoding general ledger accounts with cost center "0000" to reflect the proper workflows.
    Status: Completed

21. Recommendation: The City should transmit or upload the ACH disbursement file (if and when the ACH payments to vendors for goods and services are resumed) and check register file from Munis to SunTrust without the files being subject to the possibility of manipulation.
    Management Response: The City successfully worked with Munis to resolve the manual space editing of the original ACH disbursement and positive pay file that is transmitted to the bank. When a check run is processed in Munis, it generates the .txt file, which is ready for transmission without editing. However, due to Munis limitations and bank specifications, only an editable .txt file can be generated from Munis and transmitted to the bank. The City has taken additional steps to detect changes to the .txt file by segregating the duties of employees having the ability to upload the file to the bank and Munis recording rights.
    Internal Audit: The child support .txt file currently contains fourteen transactions. Previously, Finance Department staff would confirm that the employees' names plus the individual and overall total amounts were correct but did not verify that the listed bank accounts were accurate, although if a bank account were changed by a Finance Department employee, it would be detected when the intended recipient did not receive the monies. Finance Department staff has agreed to mitigate this risk going forward by verifying that the bank accounts agree to those on file before uploading the data.
    Status: Completed: Compensating Controls Established

22. Recommendation: An employee independent of accounts payable processing and with no recordkeeping rights should be in charge of uploading or transmitting the ACH disbursement and check register files to SunTrust, while the Acting A/P Supervisor as well as other employees in A/P should have their rights to upload the files to SunTrust revoked.
    Management Response: Effective April 2017, employees independent of accounts payable processing and with no recordkeeping rights are tasked with uploading the ACH and check positive pay files to SunTrust Bank. The SunTrust rights of staff processing accounts payable were also removed in May 2017.
    Status: Completed

23. Recommendation: All passwords should require a combination of special characters, numbers, upper case letters and lower case letters and be changed periodically (at least every three months).
    Management Response: The City went live with Managed File Transfer (MFT) in March 2017. The MFT is an internet-based service that provides us the ability to transmit or receive data files to/from SunTrust Bank using a Web browser. It mitigates fraud and risk exposure while improving efficiency. SunTrust assigns mailboxes in the Managed File Transfer Portal. The mailbox is the collection point for all files to and from SunTrust. Each employee has a unique mailbox and password. Original passwords are created by SunTrust and each employee subsequently changed their password. Passwords are twelve characters long and are alphanumeric.
    Status: Completed

24. Recommendation: Employees independent of Accounts Payable processing and with no recordkeeping rights should be charged with downloading the original ACH disbursement and check register files from Munis and uploading or transmitting these files to SunTrust without being able to modify them. Once these files have been uploaded, the A/P employee who issued the ACHs and checks should independently call the 1-800 telephone number to communicate the total amount of the ACH disbursement and check register files.
    Management Response: Please refer to the City's response on Recommendation #21. In addition, due to a process change, the City no longer uses the 1-800 number.
    Status: Completed

25. Recommendation: Under these circumstances, the employee independent of Accounts Payable processing who uploaded the ACH disbursement and check register files in SunTrust should access SunTrust (Onlinefiletransfer.suntrust.com) the next morning and review any exceptions to ACH disbursements and checks that were communicated by SunTrust.
    Management Response: The City of Miami Beach went live with Managed File Transfer (MFT) in March 2017. The morning after the ACH disbursement and check register files are uploaded, the transaction is reviewed for any exceptions using the SunTrust Bank online system by the Accounts Payable Supervisor, who has no recordkeeping rights.
    Status: Completed

26. Recommendation: The City Manager should review all payments exceeding $1,000,000 made since Munis' implementation and verify that he approved the expenditure in addition to any other required approval levels.
    Management Response: All payments exceeding $1 million since the implementation of Munis have been reviewed and verified by the City Manager after Internal Audit's review.
    Internal Audit: Two of the twenty-two tested transactions prior to 04/01/17 were missing the appropriate approvals, which were promptly corrected by the Finance Department. Furthermore, all twelve sampled transactions occurring after 04/01/17 were properly approved on the system.
    Status: Completed

27. Recommendation: Munis should be modified so as not to allow significant payments to be issued unless the approvals of at least two different City officers have been documented in the system (see invoice entry for EFT No. 406106). Further, Munis should be modified so as not to allow payments exceeding $1,000,000 to be issued unless the approval of the City Manager has been documented in the system.
    Management Response: The City amended the workflow approval policy to say that the City Manager approves disbursements over $1 million except for debt service payments (principal, interest, and fees on bonds, loans and notes). These items are approved by the CFO, Deputy Finance Director or Assistant Finance Director. The debt service workflow was revised in April 2017.
    Internal Audit: The workflow approvals policy is in draft form and is expected to be approved during the 2017/18 fiscal year.
    Status: Completed
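Recommendations 21, 22 and 24 above concern the editable .txt disbursement file, and the Internal Audit note under #21 describes the pre-upload check: payee names, individual and overall total amounts, and bank accounts compared to those on file. The Python below is an added example, not the City's or Munis' code; it performs that check on a constructed pipe-delimited file whose layout, payees, routing and account numbers are assumptions and not the Munis or bank format.

```python
"""Pre-upload verification of a disbursement .txt file against records on file.

Added example; not the City's or Munis' code. The file layout (one pipe-
delimited detail line per transaction plus a TOTAL trailer) and all payee data
are constructed for illustration.
"""
from decimal import Decimal
from typing import Dict, List, NamedTuple, Tuple


class OnFile(NamedTuple):
    routing: str
    account: str
    amount: Decimal   # amount approved in the accounting system


# Constructed "records on file": what the system of record approved, by payee.
RECORDS_ON_FILE: Dict[str, OnFile] = {
    "PAYEE A": OnFile("061000104", "0001112223", Decimal("412.50")),
    "PAYEE B": OnFile("061000104", "0004445556", Decimal("275.00")),
    "PAYEE C": OnFile("063102152", "0007778889", Decimal("150.25")),
}

# Constructed file as generated: name|routing|account|amount, then TOTAL|count|sum.
CLEAN_FILE = """PAYEE A|061000104|0001112223|412.50
PAYEE B|061000104|0004445556|275.00
PAYEE C|063102152|0007778889|150.25
TOTAL|3|837.75
"""

# Same file with one account number edited. Names, amounts and the trailer are
# untouched, so a review limited to those (the earlier practice) would pass it.
TAMPERED_FILE = CLEAN_FILE.replace("0004445556", "0009990001")


def parse_file(text: str) -> Tuple[List[Tuple[str, str, str, Decimal]], int, Decimal]:
    """Split the file into detail rows plus the trailer's declared count and total."""
    rows = []
    declared_count, declared_total = None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split("|")
        if fields[0] == "TOTAL":
            declared_count, declared_total = int(fields[1]), Decimal(fields[2])
        else:
            name, routing, account, amount = fields
            rows.append((name, routing, account, Decimal(amount)))
    if declared_count is None:
        raise ValueError("file has no TOTAL trailer line")
    return rows, declared_count, declared_total


def verify_file(text: str, on_file: Dict[str, OnFile]) -> List[str]:
    """Return findings; an empty list means every check passed and the file may be uploaded.

    Each detail row is checked against the record on file (payee known, routing
    and account unchanged, amount as approved); approved payments missing from
    the file are reported; the trailer count and total are recomputed from the rows.
    """
    rows, declared_count, declared_total = parse_file(text)
    findings: List[str] = []
    seen = set()
    for name, routing, account, amount in rows:
        rec = on_file.get(name)
        if rec is None:
            findings.append(f"{name}: payee not on file")
            continue
        if name in seen:
            findings.append(f"{name}: duplicate transaction")
        seen.add(name)
        if (routing, account) != (rec.routing, rec.account):
            findings.append(f"{name}: bank account differs from record on file")
        if amount != rec.amount:
            findings.append(f"{name}: amount {amount} differs from approved {rec.amount}")
    for name in sorted(on_file.keys() - seen):
        findings.append(f"{name}: approved payment missing from file")
    if declared_count != len(rows):
        findings.append(f"trailer count {declared_count} != {len(rows)} detail rows")
    actual_total = sum((r[3] for r in rows), Decimal("0"))
    if declared_total != actual_total:
        findings.append(f"trailer total {declared_total} != {actual_total}")
    return findings


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_FILE), ("tampered", TAMPERED_FILE)):
        result = verify_file(text, RECORDS_ON_FILE)
        print(label, "OK" if not result else result)
```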
28. Recommendation: Munis should be modified so as to not allow payments to be issued unless the A/P employee who approved the entry is documented in the system.
    Management Response: Effective April 2017, all accounts payable employee approvals have been removed in the system. The workflow for payments has been streamlined to only require approval by departments.
    Status: Completed

29. Recommendation: Munis should be modified so as not to permit payments exceeding $1,000,000 to be issued unless the approval of the City Manager has been documented in the system.
    Management Response: Effective May 2017, all payments exceeding $1 million must be approved by the City Manager or his designee, except for debt service payments, which are approved by the CFO or Deputy Finance Director.
    Status: Completed

30. Recommendation: The CFO should review all payments exceeding $500,000 made since Munis' implementation and verify that at least one other employee's approval between levels 40 and 55 has been documented in the system in addition to the City Manager's approval.
    Management Response: All payments exceeding $500,000 made since Munis implementation have been reviewed by the CFO to verify that at least one other employee's approval has been documented in the system.
    Status: Completed

31. Recommendation: Munis should be modified so as not to allow payments exceeding $500,000 to be issued without having the invoice entry approval of at least two employees with approval levels between 40 and 55 documented in the system.
    Management Response: The necessary workflow analysis and modification in Munis has been completed.
    Internal Audit: The workflow approvals policy is in draft form and is expected to be approved during the 2017/18 fiscal year.
    Status: Completed
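Recommendations 26 through 31 above set out the approval rules Internal Audit tested on sampled payments: two different approvers for significant payments (#27), City Manager or designee approval over $1,000,000 unless the payment is debt service, which the CFO, Deputy or Assistant Finance Director approves (#27, #29), and two approvers with levels 40 to 55 over $500,000 (#31). The Python below is an added example, not the City's or Munis' code; it runs that test over constructed invoice approval records, and the approver names, levels and role labels are assumptions.

```python
"""Audit test of documented approvals against the workflow rules in
Recommendations 27, 29 and 31. Added example; not the City's or Munis' code.
All invoice records, approver identities and levels are constructed."""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List


@dataclass
class Approval:
    approver: str   # user id of the person who approved in the system
    role: str       # role label, e.g. "City Manager", "CFO", "Department Director"
    level: int      # approval level of the approver


@dataclass
class Invoice:
    number: str
    amount: Decimal
    debt_service: bool = False          # principal, interest and fees on debt
    approvals: List[Approval] = field(default_factory=list)


# Role labels are assumptions; the policy text names the positions, not codes.
CITY_MANAGER_ROLES = {"City Manager", "City Manager Designee"}
DEBT_SERVICE_ROLES = {"CFO", "Deputy Finance Director", "Assistant Finance Director"}
ONE_MILLION = Decimal("1000000")
HALF_MILLION = Decimal("500000")


def exceptions_for(inv: Invoice) -> List[str]:
    """Return the rules this invoice's documented approvals fail (empty list = passes)."""
    problems: List[str] = []
    # #27: at least two different officers, counted by person, not by entry
    if len({a.approver for a in inv.approvals}) < 2:
        problems.append("fewer than two different approvers documented")
    # #27/#29: City Manager over $1M, except debt service goes to CFO/DFD/AFD
    if inv.amount > ONE_MILLION:
        roles = {a.role for a in inv.approvals}
        if inv.debt_service:
            if not roles & DEBT_SERVICE_ROLES:
                problems.append("debt service over $1M without CFO/DFD/AFD approval")
        elif not roles & CITY_MANAGER_ROLES:
            problems.append("over $1M without City Manager approval")
    # #31: two distinct approvers whose level is between 40 and 55 over $500K
    if inv.amount > HALF_MILLION:
        mid = {a.approver for a in inv.approvals if 40 <= a.level <= 55}
        if len(mid) < 2:
            problems.append("over $500K without two approvers at levels 40-55")
    return problems


def audit(invoices: List[Invoice]) -> Dict[str, List[str]]:
    """Map invoice number -> exceptions, listing only invoices that fail a rule."""
    return {inv.number: p for inv in invoices if (p := exceptions_for(inv))}


# Constructed sample covering each outcome the rules distinguish.
SAMPLE = [
    Invoice("INV-1", Decimal("1250000"), approvals=[
        Approval("dir.a", "Department Director", 50),
        Approval("cfo", "CFO", 55),
        Approval("cm", "City Manager", 60)]),
    Invoice("INV-2", Decimal("1250000"), approvals=[        # no City Manager
        Approval("dir.a", "Department Director", 50),
        Approval("cfo", "CFO", 55)]),
    Invoice("INV-3", Decimal("2000000"), debt_service=True, approvals=[
        Approval("dfd", "Deputy Finance Director", 50),
        Approval("cfo", "CFO", 55)]),
    Invoice("INV-4", Decimal("600000"), approvals=[         # one level-40-55 approver
        Approval("dir.b", "Department Director", 45),
        Approval("cm", "City Manager", 60)]),
    Invoice("INV-5", Decimal("600000"), approvals=[         # same person twice
        Approval("dir.b", "Department Director", 45),
        Approval("dir.b", "Department Director", 45)]),
]

if __name__ == "__main__":
    for number, problems in audit(SAMPLE).items():
        print(number, "->", "; ".join(problems))
```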
#32 (Completed)
Recommendation: Management should review, since the implementation of Munis, all significant payments issued for which the Risk Manager's approval or the former Treasurer's approval would have been required, and verify that the corresponding approvals were documented in the system.
Management Response: The City does not have a policy which states that certain disbursements must be approved by the Risk Manager or the Treasury Manager. Management reviewed all payments from implementation to date in Munis that should have been approved by: (1) the Human Resources Department leadership, which includes the Risk Manager position; and (2) Finance Department leadership, which includes the Treasury Manager position. Invoices that were not properly approved in Munis were printed, manually signed by the appropriate leadership, scanned, and attached to the invoice record in Munis.

#33 (Completed)
Recommendation: Munis should be modified so as not to allow payments to be issued when the approval of the Risk Manager or Treasurer is deemed necessary but not received.
Management Response: The City does not have a policy which states that certain disbursements must be approved by the Risk Manager or the Treasury Manager. As discussed in Recommendation #19, cost center numbers, which are the driving factor behind workflow approvals, were created for all applicable general ledger accounts. As such, invoices, including those for risk and treasury, are routed to the appropriate departments for proper approval.

#34 (Completed)
Recommendation: The new CFO should contact IT and clarify that only he can authorize IT to grant recordkeeping rights back to the Deputy Finance Director.
Management Response: In March 2017 the IT Department was informed that only the CFO can authorize IT to grant recordkeeping rights back to the Deputy Finance Director.

#35 (Completed)
Recommendation: The Treasurer, assuming that s/he is not included as an authorized signer and does not have recordkeeping rights, should review all wire transfers on a daily basis.
Management Response: The Daily Bank Debits Review Process implemented in February 2017 requires the daily review of debits by the Treasury Manager. The Treasury Manager is not an authorized signer and does not have recordkeeping rights.

#36 (Completed)
Recommendation: The City should negotiate with SunTrust a requirement to have at least two authorized signers sign the Ancillary Implementation Agreement in order to request a PIN for a determined person.
Management Response: In May 2017 the City put in place a requirement to have at least two authorized signers to request a PIN for a determined person.

#37 (Completed)
Recommendation: The City should establish a dual administration setup that would require two system administrators to create and remove users in SunTrust Online Treasury Manager.
Management Response: Dual administration setup was established in May 2017 to require two system administrators to create and remove users in SunTrust Online Treasury Manager.

#38 (Completed)
Recommendation: An employee independent of IT and with no rights to request or make changes to the approval queues (workflow) should be responsible for reviewing an audit trail with the history of approval queue activity to verify whether changes to the invoice approval queues are authorized.
Management Response: In order to establish department-level workflow approvals in Munis, the department Director or Assistant Director submits to IT a written request to set up or modify their department workflow.
Internal Audit: Semi-annual testing will be performed by Internal Audit to help ensure that changes made were approved.

#39 (Completed)
Recommendation: The City should complete SunTrust Wire Transfer Schedule G, Amendment to Callback Security Procedures, which will require SunTrust to call back for verification on all phone-in wires.
Management Response: The City worked with SunTrust Bank to implement Schedule G callback security procedures. This change was completed in 2017.

#40 (Completed)
Recommendation: Accounts Payable employees should have their invoice approval rights removed, except for approval level 3, which is on[ly] a cu[rsory] review of the invoice entry.
Management Response: Effective April 2017, all accounts payable employee approvals, including level 3, have been removed in the system.

#41 (Completed)
Recommendation: Management should research and review all significant payments made since Munis' implementation that show a level 50 approval made by an A/P employee, but where the nature of the invoice paid would have required that the level 50 approval be made by an employee outside of the A/P division.
Management Response: All significant payments since Munis implementation have been researched and reviewed by the CFO to verify that approval has been documented in the system.

#42 (Completed)
Recommendation: The Internal Audit Department should adopt a continuous auditing approach to the City's payment processing. This continuous auditing approach should consist of continuous data assurance (CDA), continuous controls monitoring (CCM) and continuous risk monitoring and assessment (CRMA). CDA ensures the integrity of data flowing through the accounting system. CDA uses software to extract data from the accounting system for data analysis of transactions in order to identify deviations from predetermined benchmarks. CCM also uses software, which monitors access control and authorizations and system configurations of the accounting system. CRMA is a real-time integrated risk approach that measures risk factors on a continuing basis, integrates various risk scenarios into quantitative models, and provides inputs for audit planning.
Management Response: The City recognizes the benefits of a continuous audit approach to the City's payment process. Internal Audit currently has an RFQ opening 11/03/17 to hire an external company to perform a citywide risk assessment during the 2017/18 fiscal year. Consideration will be given to the capability of applying a continuous audit approach to include continuous data assurance (CDA), continuous control monitoring (CCM) and continuous risk monitoring and assessment (CRMA). In the interim, Internal Audit has been reviewing the Finance Department's daily analysis of the general depository account to help ensure that all items represent approved transactions since December 2016. Any items designated as in need of additional research by Finance staff are followed up on to verify that they are sufficiently and timely resolved. Internal Audit is also confirming that Finance Department staff is timely reconciling the bank accounts each month. Results are submitted to Finance Department management for follow-up.

#43 (Completed)
Recommendation: Alternatively, if a continuous auditing approach is not adopted, the City should hire an independent external auditor to conduct an audit of the City's payment processing at least every year and formally establish a process for the assessment of control risk and residual risk.
Management Response: Internal Audit currently has an RFQ which opens 11/03/17 to hire an external company to perform a citywide risk assessment during the 2017/18 fiscal year. In addition, Internal Audit has been continuously reviewing the Finance Department's daily analysis of the general depository account to help ensure that all items represent approved transactions since December 2016. Any items designated as in need of additional research initially by Finance staff are followed up on to verify that they are sufficiently and timely resolved. Internal Audit is also confirming that Finance Department staff is timely reconciling the bank accounts each month. Results are submitted to Finance Department management for follow-up.

#44 (Completed)
Recommendation: The City should re-evaluate the requirements for temporary staffing companies relating to the background investigations that the temporary agency conducts on its employees, to ensure that City-approved temporary staffing companies conduct background investigations on their employees that at a minimum identify criminal arrests and convictions and include completed reference checks.
Management Response: The City's Human Resources Department conducts its own criminal background checks on all temporary employees, including those obtained through third-party employment agencies.

#45 (Completed)
Recommendation: The City should develop a documented plan of action to address staffing losses and staffing deficiencies in the Finance Department. The plan of action should include an assessment of staffing losses in critical leadership positions as well as losses in key staffing positions where there is a direct impact on meeting the timeline and execution requirements of internal controls, policies and procedures established to mitigate fraud.
Management Response: Key positions such as the CFO and Treasury Manager were filled in February 2017. Two new positions to address bank reconciliations and treasury operations were filled in March 2017.
Five Financial Analyst III (supervisor) positions have also been filled. A plan of action to assess staffing losses in critical leadership positions will be incorporated into the minimum staffing model in the following response.
Internal Audit: Despite the Finance Department's awareness of the actions to be taken during staff losses in critical leadership positions and in key staffing positions, as detailed in Management Response #46, it is recommended that the Finance Department document these and any other plans of action and incorporate them into its Standard Operating Procedures.

#46 (Completed)
Recommendation: The City should determine a minimum staffing model that is required in the Finance Department to meet the risk appetite of the City.
Management Response: A minimum staffing model has been developed based on key performance indicators (KPIs) that help mitigate banking fraud. The three KPIs consist of the following:
(1) Completion of the Daily Bank Debits Review Process (Daily Review), which documents any review or inquiries made for payees that appear suspicious, in one day or less. Current performance is one day.
(2) The average number of days to close the month and record all revenues, expenditures, and journal entries in 15 days or less. Performance for the period of March through August 2017 was 10 days.
(3) Average days to complete monthly bank reconciliations for all transactions in the financial system in 30 days or less. Performance over March through August 2017 was 18 days.
These three KPIs are continually monitored and minimum staffing is tied to meeting, and preferably exceeding, the goals. From a staffing perspective, meeting these goals is tied to effectively filling vacancies or taking necessary disciplinary action in a timely manner. For example, the Daily Review requires input from 11 positions and the Bank Reconciliation process at least 8 positions. Several positions considerably influence the performance of these KPIs, such as the Deputy Finance Director, the Treasury Manager, the Financial Analyst II facilitating the daily review process, and the Financial Analyst I facilitating the bank reconciliation process. However, a combination of vacancies, such as two of the four Manager positions being vacant at the same time, can have a greater impact on performance. In order to help mitigate this risk, the department has implemented a three-deep approach that strives to build internal capacity by cross-training employees to have job knowledge across three different functional areas. In addition, a list is now maintained of ex-Finance employees in other departments who could be accessed to help temporarily fill gaps as needed.
In addition to the KPIs, another staffing consideration is the proper maintenance of segregation of duties in the department. With the implementation of stronger internal controls per the BDO Report recommendations, maintaining an appropriate level of segregation of duties is more difficult when positions are vacant for any considerable length of time. An example is the dual approval necessary to process online electronic disbursement transactions. In the event of a vacancy in key position(s), the Finance Department will evaluate temporarily re-assigning roles and approvals within the existing staff to properly maintain internal controls. The proposed reassignment of roles and approvals will be subject to review and approval by Internal Audit. If the proposed reassignment is not deemed sufficient, the next steps would be followed to maintain the proper level of internal controls:
(1) Temporarily re-assign ex-Finance employees currently working in other departments back to Finance
(2) Temporarily re-assign senior staff in other departments
(3) Use a temporary services contract to fill position(s)
In addition to the minimum staffing model, the Deputy Finance Director conducts monthly meetings with the Finance team to assess that there is sufficient staff depth to address vacancies, vacations, sick leave, and other impacts to minimum staffing.

#47 (Completed)
Recommendation: The City should develop a procedural requirement that staffing in the Finance Department be examined and evaluated by Internal Audit or through an external independent examination periodically and at least annually.
Management Response: Internal Audit has reviewed and validated the performance to date of the KPIs in the minimum staffing model. In addition, the Finance Department will continue to monitor positions' duties to help ensure that they do not conflict. As part of Internal Audit's future semi-annual accounts payable reviews, we will review Finance's staffing levels to help ensure that open positions are filled timely.

#48 (Completed)
Recommendation: Background checks should be periodically performed on all current employees within the Finance Department.
Management Response: Per Citywide Policy HR.18.01, "Due to the sensitive nature of the work in the Finance Department, background checks will be conducted for employees every two years based on hire date. Employees with an odd-numbered hire date will have background checks conducted in odd-numbered years and vice versa in even-numbered years." To date, background checks have been performed on the Finance Department's employees with odd-numbered hire dates.
#49 (Completed: Compensating Controls Established)
Recommendation: The City should implement a whistleblower program, managed by an independent office or officer, or alternatively by a special commission consisting of the Internal Auditor, the Director of HR and the City Attorney.
Management Response: The City has three different ways for employees or citizens to report fraud or ethics violations.
• The City chooses to leverage the FBI corruption hotline instead of an internal ethics hotline because it offers a potential whistleblower greater protection from an independent law enforcement agency. Whistleblowers can use the FBI corruption hotline (754-703-2000, option 4), which is currently advertised on the City's website and Miami Beach Television station (MBTV). The City currently has a police officer assigned to the FBI public corruption investigation task force.
• In addition, the Miami-Dade County Office of the Inspector General has a "Report Fraud" phone number at 305-579-2593.
• Finally, unethical conduct can be reported to the Miami-Dade County Commission on Ethics & Public Trust, which provides assistance in identifying unethical conduct and other forms of public corruption in Miami-Dade County and all 34 municipalities. Employees and citizens can report suspected wrongdoing to the Ethics Commission by contacting the 24-hour hotline at 786-314-9560.

#50 (Completed: Compensating Controls Established)
Recommendation: The whistleblower program should be available 24 hours a day, 7 days a week, with a toll-free phone number hotline, fax number and a web page that would enable an employee or a third party to anonymously report a complaint or tip about fraud, corruption, waste and/or abuse by the City's employees and officers. All complaints or tips should be evaluated and investigated promptly, and the result of the investigation should be documented and reported to the City Manager, Mayor and Commission. Documentation should be maintained that clearly indicates the date of the complaint, the whistleblower's name or whether the person reporting the complaint chose to remain anonymous, the matter of the complaint, the date of resolution of the complaint, how the complaint was resolved, and the date the City Manager, Mayor and Commissioners were informed about the complaint and its resolution.
Management Response: The FBI, the Miami-Dade County Office of the Inspector General, and the Miami-Dade County Commission on Ethics & Public Trust separately evaluate and investigate calls, and maintain their own documentation. Any valid complaints are communicated to the City Manager, Mayor and Commission.

#51 (Completed: Compensating Controls Established)
Recommendation: The City should consider reviewing and revising, as necessary, its ethics and compliance policies and procedures to make sure employees are aware of the whistleblower hotline and program, and are encouraged to utilize the program to report allegations of wrongdoing. The City should encourage the use of internal reporting mechanisms, emphasizing the anonymity and confidentiality of those systems to its employees through various communication channels such as organization-wide meetings, training sessions, emails, posters in public areas and/or wallet cards. In addition, the City should ensure that the whistleblower program and related policy are included in the City's employee handbook.
Management Response: The City's whistleblower information is advertised to employees and citizens through various media including bi-weekly E-News letters, Miami Beach Television, MB the Miami Beach magazine, the Employee Handbook, and the City's website. The City offers two mandatory employee training classes, on Ethics and Ethics Regulatory, to all employees. The Ethics training class has been available since 2004, and the Ethics Regulation class, developed by the Miami-Dade Commission on Ethics and Public Trust, has been available since 2013. In March 2017, the City received the results from the Miami-Dade Commission on Ethics and Public Trust survey administered to City employees in December 2016 as a follow-up to an ethics training program provided by Ethics Commission staff in 2013. 81 percent of employees felt Miami Beach government was "ethical" in 2016 compared to 65 percent during the 2013 survey, a 25 percent increase over three years. Meanwhile, 77 percent of employees said they felt enough safeguards had been implemented by management to prevent corruption in the workplace, up significantly from 60 percent in 2013. Additionally, 80 percent said it was easier to "blow the whistle" on corrupt activity, compared to 64 percent in 2013. They also felt better about reporting bad behavior, according to the responses to a question about fear of retaliation for whistleblowers: in the most recent survey, 67 percent of employees felt adequate protections exist, compared to just 33 percent in 2013.

#52 (Completed)
Recommendation: Customer Service should develop and implement a procedure for documenting, filing, and tracking complaints received from customers (e.g., payments of utilities).
Management Response: The City currently has a manual process where complaint calls are logged in a spreadsheet and forwarded through emails to the appropriate department personnel for a response. A new automated call distribution (ACD) system has been acquired and is anticipated to be operational by January 2018. The new ACD system will document, file and track customer complaints while giving the City enhanced reporting capabilities. Enhanced functionality includes: skill-based routing; predictive routing; multi-location and at-home agent capabilities; inbound/outbound call blending; automatic call back; supervisor monitor/coach/barge; call recording with limited archiving; email, chat and voice interaction capabilities; and audio redaction of credit card information for PCI compliance. The City also receives complaints through the eGov application, which is a free, simple and real-time platform that connects citizens and businesses directly with the City for submitting requests and complaints. Requests and complaints are independently logged, forwarded to the department and monitored for follow-up.

#53 (Completed)
Recommendation: Customer Service should report statistics to the City Manager about customer complaints, such as the number of customer complaints opened during the quarter, number of complaints closed during the quarter, number of complaints outstanding, and topics of complaints.
Management Response: A quarterly complaint report has been developed by Customer Service that summarizes complaints by topic and month. The report provides statistics such as the number of customer complaints, number of complaints opened and closed during the quarter, number of complaints outstanding, and topics of complaints. The report is provided to the City Manager on a quarterly basis. Development of the report is currently a manual process, and it is anticipated that the new automated call distribution (ACD) system will provide a diverse range of reporting options allowing Management to quickly and easily monitor Call Center performance while optimizing services and performance levels. Reporting capabilities will allow the City to closely track real-time management metrics with customizable dashboards monitoring customer complaint statuses. Enhanced functionality includes: view data in charts, graphs or raw data grids; drill down into report data for more detailed analytics; create, save and schedule custom reports; track real-time metrics with dashboards; report on industry-standard metric calculations; export raw Call Center analytics data for further refinement; and pre-built and ad-hoc reports.

#54 (Completed)
Recommendation: The Payroll Processor's custody of assets (control over cash) rights in SunTrust should be revoked.
Management Response: Rights to custody of assets were revoked in April 2017.

#55 (Completed)
Recommendation: The Payroll Processor's rights to create a new employee or change employee information in Eden should be revoked.
Management Response: The Payroll Processor's rights to create a new employee or change employee information in Munis were removed in 2017.

#56 (Completed)
Recommendation: The Payroll Processor should not be permitted to perform the two levels of approval of the payroll process that are required in Eden.
Management Response: The City converted to Munis HR/Payroll in May 2017 and no longer uses the Eden system. Following the implementation of Munis, the Payroll Processor is not able to perform two levels of approval.

#57 (Completed)
Recommendation: Checks printed with signatures of the authorized signers should be handled exclusively by the Treasurer for mailing and distribution purposes, assuming s/he has no recordkeeping rights.
Management Response: As of May 2017, checks are mailed out by the Treasury Manager, Accounts Payable Supervisor, or Accounting Manager. These positions do not have recordkeeping rights.

#58 (Completed)
Recommendation: Throughout our fraud risk assessment of the City's Treasury and ACH disbursements process, BDO identified potential vulnerabilities in other departments and functions of the City. In order for the City to fully understand, identify, assess and evaluate its overall fraud risk, BDO recommends that an overall City-wide fraud risk assessment be conducted and that mitigating internal controls, procedures, and policies be documented and implemented.
Management Response: The Office of Internal Audit currently has an RFQ which closes 11/03/17 to hire an external company to perform a citywide risk assessment during the 2017/18 fiscal year. With input from the Audit Committee, Internal Audit's annual audit plan will be modified to reflect the results of the risk assessment to properly prioritize risk areas.

#59 (Completed)
Recommendation: A dollar amount limit should be set with regard to the Deputy Finance Director's PIN wire approval and wire initiation limits.
Management Response: The City has set a limit on how much each authorized individual can approve or initiate, including the CFO and Deputy Finance Director. As an additional control, each wire requires dual approval.

#60 (Completed)
Recommendation: The duplicate user profile for the Revenue Manager should be deleted from SunTrust Online.
Management Response: The duplicate user profile for the Revenue Manager was deleted from SunTrust Online in April 2017.
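The continuous data assurance check described under Recommendation #42 (software that pulls transactions out of the accounting system and flags deviations from predetermined benchmarks) can be illustrated with the approval thresholds the report itself states. The following Python script is an added example, not code from the BDO report, the City, Internal Audit's own testing, or the Munis product: it encodes the $1,000,000 City Manager rule from #29 (with the debt-service exception from its management response), the two-approver rule for payments over $500,000 from #31, the dual-approval requirement for wires from #59, and the removal of A/P approval rights from #28 and #40, then runs them over a constructed payment export. The record layout, field names, role codes, the sample data and the treatment of levels 40 and 55 as inclusive are assumptions made for the example.

```python
"""Continuous data assurance (CDA) check over an accounts-payable export.

Added example for Recommendation #42; it is NOT code from the BDO report, the
City's Munis workflow, or Internal Audit.  It encodes approval rules stated in
the report and flags payment records that violate them:
  - #29: payments over $1,000,000 need City Manager (or designee) approval,
         except debt service, which the CFO or Deputy Finance Director approves;
  - #31: payments over $500,000 need invoice-entry approval from at least two
         different employees with approval levels between 40 and 55
         (treated as inclusive here; that is an assumption);
  - #59: every wire requires dual approval;
  - #28/#40: A/P employees no longer hold approval rights at all.
Record layout, role codes and the sample data are assumptions for the
example; a real Munis export would need a mapping step into this shape.
"""
from __future__ import annotations

from dataclasses import dataclass, field

CITY_MANAGER_THRESHOLD = 1_000_000   # Recommendation #29
DUAL_LEVEL_THRESHOLD = 500_000       # Recommendation #31
QUALIFIED_LEVELS = range(40, 56)     # approval levels 40..55 inclusive (assumption)


@dataclass(frozen=True)
class Approval:
    user: str    # login of the approver (assumed field name)
    role: str    # assumed codes: CITY_MANAGER, CFO, DEPUTY_FINANCE_DIRECTOR, DEPT, TREASURY, AP
    level: int   # approval level recorded with the approval


@dataclass
class Payment:
    payment_id: str
    amount: float
    method: str                 # assumed codes: CHECK, ACH, WIRE
    debt_service: bool
    approvals: list[Approval] = field(default_factory=list)


def check_payment(p: Payment) -> list[str]:
    """Return one finding per rule the payment violates; an empty list means clean."""
    findings: list[str] = []
    roles = {a.role for a in p.approvals}
    users = {a.user for a in p.approvals}

    # #29: over $1M needs the City Manager; debt service may instead carry CFO / Deputy approval.
    if p.amount > CITY_MANAGER_THRESHOLD:
        if p.debt_service:
            if not roles & {"CFO", "DEPUTY_FINANCE_DIRECTOR"}:
                findings.append(f"R29: debt service ${p.amount:,.2f} lacks CFO or Deputy Finance Director approval")
        elif "CITY_MANAGER" not in roles:
            findings.append(f"R29: ${p.amount:,.2f} exceeds $1M without City Manager approval")

    # #31: over $500K needs two DISTINCT approvers at level 40..55; the same user twice does not count.
    if p.amount > DUAL_LEVEL_THRESHOLD:
        qualified = {a.user for a in p.approvals if a.level in QUALIFIED_LEVELS}
        if len(qualified) < 2:
            findings.append(f"R31: ${p.amount:,.2f} exceeds $500K with {len(qualified)} level-40..55 approver(s)")

    # #59: every wire needs dual approval regardless of amount.
    if p.method == "WIRE" and len(users) < 2:
        findings.append("R59: wire approved by fewer than two distinct users")

    # #28/#40: A/P staff hold no approval rights, so any A/P approval means the workflow changed.
    if "AP" in roles:
        findings.append("R28: approval recorded by an A/P employee")

    return findings


def run_cda(payments: list[Payment]) -> dict[str, list[str]]:
    """Map payment_id -> findings for every payment that deviates from the benchmarks."""
    return {p.payment_id: f for p in payments if (f := check_payment(p))}


# Constructed sample export; none of these are real City transactions.
SAMPLE_PAYMENTS = [
    Payment("P-1001", 250_000.00, "CHECK", False, [Approval("dept.director", "DEPT", 50)]),
    Payment("P-1002", 750_000.00, "ACH", False, [Approval("dept.director", "DEPT", 50)]),
    Payment("P-1003", 1_200_000.00, "ACH", False,
            [Approval("dept.director", "DEPT", 50), Approval("asst.director", "DEPT", 45)]),
    Payment("P-1004", 1_500_000.00, "WIRE", True,
            [Approval("cfo", "CFO", 55), Approval("deputy.fin.dir", "DEPUTY_FINANCE_DIRECTOR", 50)]),
    Payment("P-1005", 90_000.00, "WIRE", False, [Approval("treasury.mgr", "TREASURY", 45)]),
    Payment("P-1006", 600_000.00, "CHECK", False,
            [Approval("dept.director", "DEPT", 50), Approval("dept.director", "DEPT", 50)]),
    Payment("P-1007", 40_000.00, "CHECK", False, [Approval("ap.clerk", "AP", 3)]),
]

if __name__ == "__main__":
    for pid, pid_findings in run_cda(SAMPLE_PAYMENTS).items():
        print(pid)
        for line in pid_findings:
            print("   ", line)
```

Run as a scheduled job against each day's export, anything the script returns is a transaction that left the system without the documented approvals, which is the population Recommendations #30 and #41 had the CFO reconstruct by hand. The same-user-twice case (P-1006) is the one a naive count of approval rows misses, and it is the case that matters most when a single person holds more than one role during a vacancy (Recommendation #46).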