OIG No. 20-10: First Semi-annual Finance Review - Fiscal Year 2019-20
Joseph M. Centorino, Inspector General
June 29, 2020
TO: Honorable Mayor and Members of the City Commission
FROM: Joseph M. Centorino, Inspector General
RE: First Semi-annual Finance Review - Fiscal Year 2019-20
OIG No. 20-10
Executive Summary
Upon the discovery during 2016 of a $3.6 million fraud involving its Treasury and ACH
disbursements, the City Administration and Finance Department hired the independent
firm of BDO USA, LLP (BDO) to perform an audit. BDO issued a report containing 60
findings with recommendations on how to mitigate the City's risk exposure on these
disbursements.
The then-existing Office of Internal Audit was tasked with performing semi-annual reviews
of selected BDO recommendations to ensure that these controls continued to be
implemented. Following the transfer of the Internal Audit to the newly formed Office of
Inspector General (OIG), these reviews have been continued. The focus of this review
was to test City staff's compliance with BDO recommendations numbered 17, 27, and 38.
The review revealed the following issues:
• A lack of segregation of duties was noted in four instances during a review of Account
Payable transactions that occurred between November 1, 2017 and March 31, 2020.
• Six transactions equal to or more than $100,000 were not dually approved.
• The authorization for one of the 12 sampled Role Assignment Changes was not
documented by the Munis System Administrator in charge of performing these
changes in the Munis system.
OFFICE OF THE INSPECTOR GENERAL, City of Miami Beach
1130 Washington Avenue, 6th Floor, Miami Beach, FL 33139
Tel: 305.673.7020 • Fax: 305.587.2401 • Hotline: 786.897.1111
Email: CityofMiamiBeachOIG@miamibeachfl.gov
Website: www.mbinspectorgeneral.com
Joseph M. Centorino, Inspector General
TO: Honorable Mayor and Members of the City Commission
FROM: Joseph Centorino, Inspector General
DATE: June 29, 2020
AUDIT: First Semi-annual Finance Review - Fiscal Year 2019/20
OIG No. 20-10
PERIOD: October 1, 2019 to March 31, 2020
Upon the discovery of a $3.6 million fraud involving its Treasury and ACH disbursements, the City
Administration and Finance Department, among other responsive actions, hired the independent firm of
BDO USA, LLP (BDO) to perform an audit. After extensive testing, interviews and analysis, BDO issued
a report on May 17, 2017 containing 60 findings with recommendations on how to mitigate the City's risk
exposure on these disbursements, which also affected other Finance Department functions, including
payroll and accounts payable. The City's Finance and Information Technology Departments worked
together to take the corrective actions necessary to mitigate the associated risks and to attain the desired
outcomes.
In response to the BDO audit report, the then-existing Office of Internal Audit was tasked with performing
semi-annual reviews of selected recommendations to ensure that these outcomes continue to be
achieved by the City. The Office of the Internal Audit was subsumed into the Office of the Inspector
General (OIG) on November 1, 2019, which has opted to continue performing these semi-annual reviews
for the foreseeable future. The focus of this review is to test City staff's compliance with BDO
recommendations numbered 17, 27, and 38. A reporting of the sampled BDO recommendations, the
results of OIG staff's current testing, and recommendations are separately listed below.
1. BDO Recommendation #17 - Munis should be modified to prevent the same accounts payable
(A/P) employee from entering an invoice and also completed approving it. Alternatively, we
recommend that the A/P employee who posts the batch of final approved invoices print a report
that shows the A/P employee who entered the invoice and the A/P employee who approved the
entry before the batch is posted to insure that the same employee did not enter and approve the
invoice in A/P. In situations where the same A/P employee entered and approved the invoice, the
employee who posts the batch should review the invoice entry before posting the batch.
Current Testing Results #17 - The OIG auditor contacted Finance Department management to
inquire whether they had been performing these recommended tests and maintaining a listing of
any shortcomings detected. Their response focused primarily on the fact that Accounts Payable
staff with access to enter invoices were not in the approval workflow; however, no specific
response was received regarding whether the Finance Department was performing the
recommended tests.
First Semi-annual Finance Review - Fiscal Year 2019/20
June 26, 2020
Consequently, the OIG auditor assumed that these tests may not have been conducted.
Therefore, all 71,587 approved accounts payable transactions that occurred between November
1, 2017 and March 31, 2020 were reviewed to determine the existence of any transactions where
the same Finance Department employee entered and approved an invoice in the Munis system
(the City's enterprise resource planning system). In doing so, a lack of segregation of duties was
noted for the following four transactions totaling $1,036.33:
| Document Number | Entry Clerk (Employee Number) | Entry Date | Approver (Employee Number) | Approval Date | Transaction Amount |
|---|---|---|---|---|---|
| 193398 | 15842 | 8/7/2019 | 15842 | 8/8/2019 | $75.00 |
| 198343 | 15842 | 9/6/2019 | 15842 | 9/6/2019 | $253.33 |
| 198344 | 15842 | 9/6/2019 | 15842 | 9/6/2019 | $354.00 |
| 198345 | 15842 | 9/6/2019 | 15842 | 9/6/2019 | $354.00 |
While document number 193398 was also approved by an Accounting Manager, the presence of
a second approver does not change the fact that Finance Department staff were acting in roles
that should be separated. Meanwhile, the transactions pertaining to document numbers 198343,
198344, and 198345 were approved only by the same Financial Analyst III who had entered the
transaction in the Munis system. Failure to implement an adequate segregation of duties
increases the risk of fraud, as well as the risk that inadvertent mistakes may go undetected.
Finally, the OIG auditor reviewed the supporting documentation for these four transactions, which
did not appear to contain any irregularities.
Recommendations for Current Testing Results: - Since the Munis system does not detect and
preclude an authorized user from performing both the entry and approval of a transaction, it is
recommended that the City's Chief Financial Officer instruct designated staff to review the
approval privileges of all Accounts Payable employees and to perform the monthly tests
recommended by BDO. These completed monthly tests should be sufficiently documented and
maintained so that they can be timely provided to their supervisors or auditors to help substantiate
the analysis performed and the results obtained.
Management Responses (Information Technology Department):
The Information Technology Department (I.T.) complied with BDO recommended #17 back in
2018 by removing Accounts Payable Staff from invoice workflow. I.T. is in the process of building
a report to validate these changes.
Management Responses (Finance Department):
The transactions presented above are a combination of the Accounts Receivable Module (A/R)
and the Accounting Payable Module (A/P) and are showing up this way due to the interfacing of
the two modules when processing refunds to customers. While the Finance and I.T. team has
modified the workflow process that will prevent this from recurring, note that adequate segregation
of duties were in place. The transactions are refunds that originate in the A/R module that must
be approved by either the Assistant Director or Deputy Finance Director. After the refund requests
are approved in the A/R module, the refunds systematically flow to the A/P module where they
follow the A/P workflow approval process, which at the time included employee 15842. The A/P
approval workflow process was modified to exclude employees with access to create A/R refunds
even though the refund requests are approved by the Assistant Director or Deputy Finance
Director.
Finance is actively working with I.T. to create reports that would allow Finance to periodically
review for duplicate approvals in all workflows as well as for individuals who are in the same
workflow more than once. This will allow for review of items from transaction entry to transaction
posting.
The results of this audit had no findings of direct entry and approval by A/P staff. In addition, the
4 transactions above represent 0.0056% of the total approved accounts payable transactions that
occurred between 11/1/2017 and 3/31/2020.
OIG's Opinion on Finance Department's Response:
The stated transaction is a refund for an overpayment received by the City. Although its origin
involves the Account Receivable module, the testing performed and the identified shortcoming
are specifically related only to the Accounts Payable (A/P) module. The A/P Invoice Tracking
Report obtained from the Munis system and included in the working papers for this review,
confirms the deficiency of the segregation of duties, which was the underlying reason for the
identified finding.
2. BDO Recommendation #27 - Munis should be modified so as not to allow significant payments to
be issued unless the approvals of at least two different City officers have been documented in the
system. Further, Munis should be modified so as not to allow payments exceeding $1,000,000
to be issued unless the approval of the City Manager has been documented in the system.
Current Testing Results #27 - Since the approval of the Disbursement Workflow Citywide
Procedure (Procedure) on January 22, 2019, and its subsequent update on December 3, 2019,
in which two departmental approvals for the "Accounts Payable Invoices" or API transactions over
$100,000 are required, OIG staff have performed testing to (1) determine whether the Munis
system configurations for approving API transactions are aligned with the Procedure and correctly
configured; (2) whether transactions are being approved by at least two different designated
supervisors at the departmental level.
Similar testing was performed in the last semi-annual report issued on October 25, 2019 for
transactions in amounts equal to or greater than $100,000 but less than $500,000. All 264
applicable API transactions that occurred between March 1, 2019, and August 31, 2019 were
tested, and their results summarized in the following table.
| Type of Issue | Number of Instances | Amounts of Invoices and Overall Total |
|---|---|---|
| (1) The Munis system configuration is not aligned with the Procedure as transactions equal to or over $100,000 are released for payment with only one department approval. | 3 | 1) $332,315.67; 2) $104,822.90; 3) $204,000.00; Total $641,138.57 |
| (2) The Munis system is correctly configured to request two departmental approvals on transactions equal to or over $100,000, but both approvals were made by the same department official. | 4 | 1) $180,238.99; 2) $106,137.40; 3) $104,745.78; 4) $201,400.00; Total $592,522.17 |
The OIG staff opted to re-perform this test and expand the scope to all transactions that are equal
to or more than $100,000, to determine whether shortcomings continue to exist. As a result, all
437 API transactions that satisfied these criteria and occurred between September 1, 2019 and
March 31, 2020 were tested, in which it was noted that the following six were not approved by
two separate officials:
| Type of Issue | Number of Instances | Amounts of Invoices and Overall Total |
|---|---|---|
| (1) The Munis system configuration is not aligned with the Procedure as transactions equal to or over $100,000 are released for payment with only one department approval. | 2 | 1) $204,000.00; 2) $110,000.00; Total $314,000.00 |
| (2) The Munis system is correctly configured to request two departmental approvals on transactions equal to or over $100,000, but both approvals were made by the same department official. | 4 | 1) $117,714.65; 2) $906,887.45; 3) $375,117.79; 4) $125,867.76; Total $1,525,587.65 |
The transaction with the highest dollar amount ($906,887.45) was also approved at level 55 (Granted to the Assistant
City Managers, Executive Staff or the City Manager), as required by the Procedure for transactions between $500,000
but less than $1,000,000; however, this does not satisfy the two required departmental approvals.
Exhibit A located at the end of this report provides more detail on these six exceptions that
occurred between September 1, 2019 and March 31, 2020.
In sum, the last two semi-annual reviews have identified five transactions, with a combined
amount of almost $1 million that were released for payment with only one departmental approval
due to an incorrect workflow configuration and eight other transactions where the combined
amounts exceeded $2.1 million that were approved by the same department Official. During the
previous semi-annual report, the OIG auditor was informed by the Munis System Administrator
that the Munis system is not equipped to flag transactions over $100,000 that were released with
only one approval, or to detect and preclude a sole authorized user performing both approvals.
The OIG considers this an internal control weakness that may jeopardize the legitimacy of a
transaction, as well as facilitate mismanagement or even fraud, and for this reason requires
prompt corrective action.
Recommendations for Current Testing Results
For all thirteen noted deficient transactions:
a. The Chief Financial Officer should instruct his staff to promptly review their validity and
correctness.
For the two transactions released for payment with only one approval, the City's Chief Information
Officer should instruct the Munis System Administrator to:
b. Amend each of the four departments' configuration as noted in Exhibit A, with the approval
of their Directors, so that the Munis system requires at least two department approvals for
all transactions equal to or more than $100,000.
c. Review all remaining City departments' configuration for approvals and make the
necessary corrections to prevent similar deficiencies from occurring in the future.
For the four transactions where each was twice approved by the same department official:
d. The Chief Financial Officer, together with the Chief Information Officer, should contact
Tyler Technologies (the parent company of the Munis system) to explore the possibility of
incorporating additional internal controls to the disbursement process. These controls
should not be limited to API transactions, but to any approval process in the Munis system.
e. Until this shortcoming can be rectified, the Finance Department should review all
transactions $100,000 or higher to ensure that they include at least two different
authorized departmental approvers before the payment is issued.
f. All department officials with approval privileges should be aware of the Disbursement
Workflow Citywide Procedure and the requirement of two different departmental approvals
on transactions $100,000 or higher and act accordingly.
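The two tests this review describes (the same employee entering and approving an invoice under Recommendation #17, and two different departmental approvers on transactions of $100,000 or more under Recommendation #27) can be run over an approval-history export. The following is an added example, not part of the report or of Munis; the record layout, the document and employee identifiers, and the choice of levels 38, 40 and 50 as the departmental approval steps are assumptions, and the sample rows are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal

# From the report: level 5 is "reviewer" (not an approval authority) and level 55
# is executive approval, which does not satisfy the two departmental approvals.
REVIEW_ONLY_LEVELS = {5}
# Assumption: 38, 40 and 50 are the departmental steps (those listed in Exhibit A).
DEPARTMENT_LEVELS = {38, 40, 50}
DUAL_APPROVAL_THRESHOLD = Decimal("100000.00")

FEWER_THAN_TWO = "fewer than two departmental approval steps"
SAME_OFFICIAL = "all departmental steps approved by the same official"


@dataclass(frozen=True)
class Approval:
    level: int
    employee: str


@dataclass(frozen=True)
class Transaction:
    doc: str
    amount: Decimal
    entered_by: str
    approvals: tuple


def entry_clerk_also_approved(txns):
    """Recommendation #17 test: documents whose entry clerk also approved them."""
    flagged = []
    for t in txns:
        approvers = {a.employee for a in t.approvals
                     if a.level not in REVIEW_ONLY_LEVELS}
        if t.entered_by in approvers:
            flagged.append(t.doc)
    return flagged


def dual_approval_exceptions(txns):
    """Recommendation #27 test: {doc: reason} for payments at or over the threshold."""
    findings = {}
    for t in txns:
        if t.amount < DUAL_APPROVAL_THRESHOLD:
            continue
        dept = [a for a in t.approvals if a.level in DEPARTMENT_LEVELS]
        if len(dept) < 2:
            findings[t.doc] = FEWER_THAN_TWO
        elif len({a.employee for a in dept}) < 2:
            findings[t.doc] = SAME_OFFICIAL
    return findings


# Constructed sample export; identifiers and amounts are illustrative only.
SAMPLE = [
    Transaction("C-1001", Decimal("75.00"), "E100", (Approval(38, "E100"),)),
    Transaction("C-1002", Decimal("204000.00"), "E200", (Approval(38, "E300"),)),
    Transaction("C-1003", Decimal("650000.00"), "E200",
                (Approval(5, "E400"), Approval(38, "E500"),
                 Approval(40, "E500"), Approval(55, "E900"))),
    Transaction("C-1004", Decimal("150000.00"), "E200",
                (Approval(38, "E300"), Approval(40, "E500"))),
    # Exactly at the threshold; the level-5 review does not count as an approval.
    Transaction("C-1005", Decimal("100000.00"), "E200",
                (Approval(5, "E400"), Approval(38, "E300"))),
]

if __name__ == "__main__":
    print("Entry clerk also approved:", entry_clerk_also_approved(SAMPLE))
    for doc, reason in dual_approval_exceptions(SAMPLE).items():
        print(doc, "-", reason)
```

Running the check before payment release rather than after the fact is what recommendation e. asks for while the system itself cannot enforce the rule.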
Management Responses (Information Technology Department):
Deputy Finance Director contacted the Munis System Administrator to discuss the said findings
and developed a plan of action to update the workflow business rules for all cost centers so that
(1) approvers are only assigned to approve at one step in the workflow except for level 5 which is
not an approval authority; and (2) at least 2 department approvers are assigned to approve
transactions $100,000 and above. Task completed in early April. We are currently working on
building a report to validate these changes.
Response for recommendation b. - In place since March 2020
Response for recommendation c. - Completed
Response for recommendation d. - I.T. has been in conversation with Tyler Technologies
regarding the Auditing features which are not available or greyed out. The Munis Administrator
has submitted a ticket and Tyler has acknowledged this. The next step is to schedule down time
to apply a script which will open up the Business Rule Audit feature. At that point, we can assess
the full capabilities.
Response for recommendation e. - Created a report to address the need for verification. Finance
to test.
Management Responses (Human Resources Department):
The Human Resources (HR) Department, in coordination with I.T. and Finance, reviewed all
approvers. We adjusted the HR/Risk approvers and backup approvers so that no person was an
approver on more than one level in Munis. This will ensure that two distinct approvers will review
in the case of a transaction that requires more than one approver. This was reviewed in February
and was completed by March 9, 2020.
Management Responses (Tourism and Culture Department):
The Tourism and Culture Department is aware, confirms and approved the invoices reviewed.
The invoice for $110,000 is the final payment for the City of Miami Beach commissioned work of
art by Joseph Kosuth as part of the Art in Public Places collection for Miami Beach Convention
Center. The Kosuth work was a five (5) year project, approved by the City Commission pursuant
to Resolution 2016-29480. The payments were disbursed via purchase order pursuant to
executed agreement signed by the Mayor. The second invoice for $375,117.79 is a monthly
funding - cash flow payment to Spectra Management pursuant to our Miami Beach Convention
Center management agreement. Tourism and Culture continues to work with the Finance and I.T.
departments to identify and implement effective, efficient and productive workflows consistent
with City internal controls. Unfortunately, as we work to perfect the workflows, a couple of invoices
were approved twice or required a secondary department approval. This is not how the workflow
should operate and occurred inadvertently, without intent or knowledge.
Management Responses (Capital Improvement Projects):
An invoice for the Pride Park Project in the amount of $906,887.45 was processed by the Office
of Capital Improvements and final approval was done on September 12, 2019. Munis is configured
to request two departmental approvals for transactions equal to or over $100,000. The Office of
the Inspector General (OIG) performed a test on Munis approvals and found that the transaction
did not meet the required workflow approval queues. CIP is refuting the finding and providing the
following explanation.
The transaction met the Munis workflow requirement of having two approvals at the department
level. First approval was performed by Aida Rodriguez and the second approval by Maria Cerna.
The Pride Park Project is part of the Convention Center Project and it is being managed by CIP.
The Convention Center Project is managed by Convention Center Staff in the City Manager's
office. The accounts for the Convention Center Project were setup with their budget code 0821.
Munis approvals are separately configured for each budget code, as requested by each separate
department. Some departments may have more than two workflow approvals. For this particular
project, and because the accounts were configured using budget code 0821, each time an invoice
was processed, we had to request Convention Center staff to forward the invoice back to CIP. On
this particular transaction, the invoice was forwarded from Tracy Hejl to Aida Rodriguez (first CIP
approval), the invoice was then forwarded from Thais Vieira to Maria Cerna (second CIP
approval), because the Convention Center approval workflow has a third approval, Maria
Hernandez forwarded the invoice to Maria Cerna again. The approval the second time was not
intentionally performed. On this project, the department is always careful to have that third
approval performed by David Martinez. After the receipt of this finding, the Finance Department
was able to change the budget code to 0820 so that this issue does not happen again.
OIG's Opinion on Capital Improvement Projects Response:
Ms. Rodriguez's action in the approval queue for transaction number 199315 was at level 5 or
"reviewer", which is not an approval authority. Please refer to the Information Technology
Department's management response on finding two in this report for more clarification. The two
approvals in this transaction correspond to the levels 38 and 40, both being performed by Ms.
Cerna, which were the underlying reasons for the identified finding.
3. BDO Recommendation #38 - An employee independent of I.T. and with no rights to request or
make changes to the approval queues (workflow) should be responsible for reviewing an audit
trail with the history of approval queue activity to verify whether changes to the invoice approval
queues are authorized.
Current Testing Results #38 - The OIG auditor requested the authorizations for 12 sampled Role
Assignment Changes performed between January 1, 2019 and December 31, 2019 to determine
whether the Munis System Administrator kept records of changes in roles and permissions made
in the Munis system. OIG staff did not assess the appropriateness of the role/permission change,
but only whether it was authorized, and the supporting documentation maintained.
Copies of 18 different emails were received to support the changes, since the Information
Technology Department regularly handles change approvals on an email-based workflow.
Testing determined that the authorization for one of the 12 Role Assignment Changes was not
documented by the Munis System Administrator in charge of performing these changes in the
Munis system. This document's omission could mean that an unauthorized change went
undetected, which could result in an employee being given an overbroad access level that
compromises the segregation of duties principle.
Recommendations for Current Testing Results
The Chief Information Officer should:
• Instruct the Munis System Administrator to enforce the requirement that changes in the
system roles and permissions should not be performed unless they are properly
authorized, and the supporting documentation maintained.
• The applicable department head and Munis Access Request should promptly vet the one
identified undocumented Role Assignment Change to determine whether it should have
been implemented or needs to be revoked.
• Explore the possibility of replacing the current email-based approval workflow with a ticket-
based system like the existing "MB Assist" to ensure better control and custody of the
authorizations.
Although it was not tested during this analysis, it is important to note that the Munis Access
Request should thoroughly vet the department's request to proactively ensure that it does not
result in an improper segregation of duties.
Management Responses (Information Technology Department):
To our knowledge the emails provided to OIG provided proof of authorization for the role
assignment changes.
Response for recommendation a.- The Munis administrator is aware and is following the
appropriate (Current) process for approvals and auditing.
Response for recommendation b. - Incorporated in our current processes.
Response for recommendation c. - I.T. is currently developing an application (intelligent form
using workflows) for City Wide user access requests and approvals for every software platform
which will be incorporated into the I.T. Service Desk system. Estimated time for delivery is October
2020.
OIG's Opinion on Information Technology Department Response:
None of the emails received from the Information Technology Department included a clear
authorization approving the aforementioned employee's role assignment change.
cc: John Woodruff, Chief Financial Officer
Chris Sarandos, Chief Information Officer
Heather Shaw, Assistant Director - Tourism & Cultural Development Department
Michael Smith, Human Resources Department Director
David Martinez, Capital Improvement Projects Director
Conducted by: Norman Blaiotta, Deputy Chief Auditor
Reviewed by: Mark D. Coolidge, Chief Auditor
Exhibit A
| # | Doc Num | Approval Step | Approver Position | Department | Amount | Date (heading illegible) | Date (heading illegible) | Check/Wire Number |
|---|---|---|---|---|---|---|---|---|
| 1) | 198944 | 38 | HUMAN RESOURCES ASST DIRECTOR | HUMAN RESOURCES | $117,714.65 | 9/6/2019 | 9/11/2019 | 3671 |
| | | 40 | HUMAN RESOURCES ASST DIRECTOR | | | | | |
| 2) | 199315* | 38 | DIVISION DIRECTOR - CIP | CAPITAL IMPROVEMENT PROJECTS | $906,887.45 | 9/12/2019 | 9/13/2019 | 443360 |
| | | 40 | DIVISION DIRECTOR - CIP | | | | | |
| 3) | 201014 | 38 | ADMIN SERVICES MANAGER | TOURISM & CULTURAL DEVELOPMENT | $375,117.79 | 9/25/2019 | 9/27/2019 | 3756 |
| | | 40 | ADMIN SERVICES MANAGER | | | | | |
| 4) | 206177 | 38 | PLAN DEPT DEPUTY DIRECTOR | PLANNING | $204,000.00 | 10/21/2019 | 10/22/2019 | 444785 |
| 5) | 218201 | 38 | HUMAN RESOURCES ASST DIRECTOR | HUMAN RESOURCES | $125,867.76 | 1/3/2020 | 1/8/2020 | 4095 |
| | | 50 | HUMAN RESOURCES ASST DIRECTOR | | | 1/6/2020 | | |
| 6) | 231745 | 38 | ASST DIRECTOR TOURISM & CUL | TOURISM & CULTURAL DEVELOPMENT | $110,000.00 | 3/25/2020 | 3/27/2020 | 4389 |

* This transaction was also approved at level 55 (Granted to the Assistant City Managers, Executive Staff or the City Manager) as required
by the Citywide Disbursement Workflow Procedure.