OIG No. 22-26: Follow-Up Review of Selected BDO Audit Recommendations

Joseph M. Centorino, Inspector General

TO: Honorable Mayor and Members of the City Commission
FROM: Joseph Centorino, Inspector General
DATE: February 3, 2023
PROJECT: Follow-Up Review of Selected BDO Audit Recommendations (#s 11, 12, 13, 14, 15, 16, 17, 27, and 40), OIG No. 22-26
PERIOD: October 1, 2021 to September 30, 2022 (2021/22 Fiscal Year)

Upon discovering a $3.6 million fraud in 2016 involving its Treasury and ACH disbursements, the City Administration and Finance Department, among other responsive actions, hired the independent firm of BDO USA, LLP (BDO) to perform an audit. After extensive testing, interviews, and analysis, BDO issued a report on May 17, 2017, containing 60 findings with recommendations on mitigating the City's risk exposure on these disbursements, affecting other Finance Department functions, including payroll and accounts payable. The City's Finance and Information Technology Departments worked together to take corrective actions to mitigate the risks and attain the desired outcomes.

In response to the BDO audit report, the then-existing Office of Internal Audit was assigned to perform periodic reviews of selected recommendations to ensure that these outcomes continue to be achieved by the City. On November 1, 2019, the Office of Internal Audit was subsumed into the Office of the Inspector General (OIG), which has opted to continue performing these annual reviews for the foreseeable future.

The focus of this annual review is to test City staff's compliance with BDO recommendations numbered 11, 12, 13, 14, 15, 16, 17, 27, and 40. This report is separated by each sampled BDO recommendation and the City's associated management response, and includes OIG staff's current testing results and conclusions.

1. BDO Recommendation #11 - The City should establish documented standard operating procedures for the monthly bank reconciliation process.
Each step in the monthly bank reconciliation process should be clearly described. A defined period of time should be established, documented, and included in the procedures for completing each phase of the monthly bank reconciliation. Specific timelines for completion should be established for each division within the Finance Department responsible for researching and correcting differences identified during the bank reconciliation process. 30 days to complete entire process recommended.

City Response to BDO Recommendation #11 - The existing bank reconciliation procedure was updated in April 2017. To address timelines for completion, at the beginning of each fiscal year, a monthly closing memorandum is prepared by the Finance Department and distributed to all Finance staff. The memorandum includes the dates for recording all transactions into the City financial system. Adherence to the closing dates on the memorandum will meet this recommendation. The CFO has re-distributed the closing memo to staff to reiterate the importance of correcting differences by the closing dates. In addition, the Deputy Finance Director (DFD) has started monthly meetings to ensure that the underlying issues causing reconciling items are addressed. The DFD will follow up on time items not clearing in a timely manner. The procedure states that bank reconciliations shall be completed within 30 days from the close of the books for the month, which is typically 10 to 15 days after the bank statement date.

Current OIG Testing Results - Upon request, the Finance Department Internal Procedure for Bank Reconciliations, updated on October 16, 2019, was provided to the OIG Auditor. This formally approved document serves as its Standard Operating Procedure (SOP) related to bank reconciliations. The OIG Auditor performed an evaluation of the SOP to verify that it complied with BDO Recommendation #11.
It was found to sufficiently describe the steps in the bank reconciliation process, including the deadline to complete reconciliations, staff responsibilities, corrective actions, documentation, review, and approval. For example, all bank reconciliations (excluding the 45 days allotted for the Pooled General Depository, 5th & Alton Garage, Miami Beach Golf Course, and Normandy Shores Golf Course bank reconciliations) are to be completed within thirty (30) days following the end of the month being reconciled.

OIG Conclusion - No exceptions were noted as the Finance Department continues to comply with BDO Recommendation #11.

2. BDO Recommendation #12 - Escalation procedures should be incorporated into the bank reconciliation process and researching, and reconciling differences should be assigned to employees who were not involved in the division that was originally assigned the responsibility for explaining the differences.

City Response to BDO Recommendation #12 - To facilitate timely follow-up, beginning in February 2017, the Deputy Finance Director (DFD) started monthly meetings to ensure that un-cleared items and the underlying issues causing reconciling items are addressed. Items are escalated to the DFD and CFO (Chief Financial Officer).

Current OIG Testing Results - The OIG Auditor requested and received a copy of the monthly October 2021 through July 2022 bank reconciliation meetings and maintained supporting documentation from the Finance Department Assistant Director in an August 4, 2022 email. The examined documentation included attendance logs of the 19 participating Finance Department employees, detailed meeting notes, Tie-In of Bank Reconciliation to General Ledger analyses, bank reconciliation reports, and other correspondence. Any identified reconciling differences were then assigned to designated Finance Department staff.

OIG Conclusion - The Finance Department continues to comply with BDO Recommendation #12; however, the OIG recommends adding the monthly bank reconciliation meetings and related process to the approved SOP.

Finance Department Response: While monthly meetings are an internal review procedure involving a number of Finance personnel within the department, its primary function serves to improve communication within the department and its various functions - not necessarily an escalation procedure as required by the BDO finding. However, prior to each monthly meeting, emailed communication is sent to the Assistant Director and CFO, informing Management of possible findings that may require some attention and/or discussion. Finance is of the opinion that the emailed communication to the Assistant Director and CFO should be considered an escalation procedure and more readily meets the requirements of the BDO recommendation.

3. BDO Recommendation #13 - The City should re-define and document what constitutes a completed bank reconciliation. A bank reconciliation is complete when the total amount of the difference between the bank balance per the bank statement (as adjusted for certain typical reconciling items) and the bank balance per the general ledger has been researched and explained.

City Response to BDO Recommendation #13 - The City has re-defined what constitutes a completed bank reconciliation. Effective with the February 2017 bank reconciliation, the City revised the process to include distribution of a preliminary reconciliation to staff to show unclear items. The correspondence includes the date and fiscal period in which the item must be cleared. A final reconciliation with the items clear or showing a valid explanation of why it remains unclear is completed and considered the completed bank reconciliation. In addition, monthly meetings have been implemented to ensure that the underlying issues causing reconciling items are addressed.

Current OIG Testing Results - The OIG Auditor examined the Finance Department Internal Procedure for Bank Reconciliations for compliance with BDO Recommendation #13 and reviewed the Finance Department's completed monthly bank reconciliation analyses and related correspondence. The approved SOP describes what constitutes a completed bank reconciliation and provides the necessary steps for reconciling the monthly bank statements to the applicable general ledger accounts. In addition, the monthly bank reconciliation meetings, bank reconciliation analysis spreadsheets, tie-in of Bank Reconciliation to General Ledger reports, and emails used to distribute preliminary reconciliation, research, and follow-up on uncleared items detail provide sufficient supporting documentation for the completed bank reconciliation.

OIG Conclusion - The OIG Auditor did not identify any exceptions as the Finance Department continues to comply with BDO Recommendation #13.

4. BDO Recommendation #14 - Each division within the Finance Department responsible for researching and correcting items identified in the bank reconciliation process should inform the bank reconciliation group in a documented fashion. The bank reconciliation group should, in turn, document the explanations and dates of corrections in the bank reconciliation and follow up with the responsible division on all unresolved differences.

Management Response - Since February 2017, the documentation of bank reconciliation items improved markedly due to the addition of key positions that were previously vacant such as the Treasury Manager. A new Financial Analyst I position in the bank reconciliation group was added in March 2017 that facilitates timely research and communication throughout the department. In addition, the Deputy Finance Director has started monthly meetings that facilitate communication across divisions to ensure that issues causing reconciling items are addressed.
Since these changes were made, there have been substantially fewer bank reconciliation items.

Current OIG Testing Results - The Finance Department provided its bank reconciliation notes and supporting documentation for its October 2021 through July 2022 monthly meetings and the bank reconciliation group's correspondence for review. The provided evidence includes designated procedures to follow up on unclear items and related resolutions. The OIG Auditor determined that all tested transactions needing additional research and follow-up were timely cleared.

OIG Conclusion - No exceptions were noted as the Finance Department continues to comply with BDO Recommendation #14.

5. BDO Recommendation #15 - Employees who prepare bank reconciliations should have their recordkeeping rights cancelled, or a compensating control, such as independent management review of the reconciliation should be implemented.

Management Response: Record keeping rights for several bank reconciliation employees were removed in April 2017. As a compensating control, the City's Internal Audit independently reviews all bank reconciliations monthly for timely completion.

Current OIG Testing Results - The OIG Auditor requested a listing of Finance Department employees involved in preparing bank reconciliations and the corresponding reviewers. In addition, the Finance Department staff's compliance with related provisions in the Citywide Procedure entitled "Munis, Eden, and Energov Systems User Access Review and Granting/Revoking Access" issued in September 2019 (sequence number IT.13.01) was evaluated. Six Finance Department staff were assigned to the bank reconciliation process, consisting of three preparers and three reviewers/approvers. The OIG Auditor designed a test in the Munis system, the City enterprise resource planning system, to verify User Attributes related to these six Finance Department employees.
In addition, a Role Assignment Changes report was obtained from the SQL Server Reporting Services (SSRS) website for any permission changes granted from October 1, 2018 through September 30, 2022. Testing determined that effective permission allowing recordkeeping rights and Information Technology (I.T.) Department role F_GL_POST regarding Financial Management - General Ledger such as "Create Journal Entries" and "Delete Journal Entries" were granted to one employee responsible for bank reconciliations. The OIG verified that this individual is assigned as a bank reconciliation preparer, and the reviewers/approvers adequately review the bank reconciliations. As a compensating control, the OIG performed unannounced periodic examinations of the bank reconciliations completed monthly by designated Finance Department staff, approximately 50 per month, to verify that each was timely prepared and reviewed/approved. The OIG randomly reviewed four months of bank reconciliations completed during the 2021/22 fiscal year (September 2021, December 2021, March 2022, and May 2022), whereby no exceptions were noted.

OIG Conclusion - The OIG Auditor concluded that the Finance Department continues to comply with BDO Recommendation #15.

6. BDO Recommendation #16 - Bank reconciliations should identify and document the employee(s) who review(s) them.

Management Response: The Bank Reconciliation procedure updated in April 2017 states that bank reconciliations are signed by the preparer and reviewed/signed and dated by a supervisor, manager, or Deputy Director. The reconciliation is maintained on file for subsequent reviews and audits.

Current Testing Results #16 - For this test, the OIG Auditor examined the Internal Procedure for Bank Reconciliations, the bank reconciliation monthly meetings, and bank reconciliation analysis spreadsheets.
The name and initials of the Finance Department staff responsible for preparing and reviewing each sampled bank reconciliation and the corresponding dates each completed the task were consistently recorded.

OIG Conclusion - No exceptions were noted as the Finance Department continues to comply with BDO Recommendation #16.

7. BDO Recommendation #17 - Munis should be modified to prevent the same accounts payable (A/P) employee from entering an invoice and also approving it. Alternatively, we recommend that the A/P employee who posts the batch of final approved invoices print a report that shows the A/P employee who entered the invoice and the A/P employee who approved the entry before the batch is posted to ensure that the same employee did not enter and approve the invoice in A/P. In situations where the same A/P employee entered and approved the invoice, the employee who posts the batch should review the invoice entry before posting the batch.

Management Response: The accounts payable workflow process was modified in April 2017 to remove all accounts payable staff from the approval process. Accounts payable staff enters invoices into the workflow process and releases them for approval by managers across City departments. The City will continuously review the workflow process to ensure proper segregation of duties and controls.

Current Testing Results #17 - The OIG Auditor re-performed the test in the First Semi-Annual Finance Review - Fiscal Year 2019/20, issued on June 29, 2020. All 71,278 approvals in 60,349 account payable transactions between April 1, 2020 and March 31, 2022 were reviewed to determine whether the Finance Department employee(s) entered and approved the same invoice in the Munis system (the City's enterprise resource planning system).

OIG Conclusion - No segregation of duties deficiencies were noted as the Finance Department continues to comply with BDO Recommendation #17.

8. BDO Recommendation #27 - Munis should be modified so as not to allow significant payments to be issued unless the approvals of at least two different City officers have been documented in the system. Further, Munis should be modified so as not to allow payments exceeding $1,000,000 to be issued unless the approval of the City Manager has been documented in the system.

Management Response: The City amended the workflow approval policy to say that the City Manager approves disbursement over $1 million except for debt service payments (principal, interest, and fees on bonds, loans and notes). These items are approved by the CFO (Chief Financial Officer), Deputy Finance Director or Assistant Finance Director. The debt service workflow was revised in April 2017.

Current Testing Results #27 - Since the approval of the Disbursement Workflow Citywide Procedure (Procedure) on January 22, 2019, and its subsequent update on December 3, 2019, in which two departmental approvals for "Accounts Payable Invoices" or API transactions over $100,000 are required, OIG staff performed testing to (1) determine whether the Munis system configurations for approving API transactions are correctly aligned with the Procedure; and (2) whether pertinent transactions are being approved by at least two different designated supervisors at the departmental level.

The first related test results were presented in the OIG report issued on October 25, 2019, for transactions equal to or greater than $100,000 but less than $500,000. All 264 pertinent API transactions occurring between March 1, 2019 and August 31, 2019 were tested, with the results summarized in the following table.

| Type of Issue | Number of Instances | Amounts of Invoices and Overall Total |
|---|---|---|
| (1) The Munis system configuration is not aligned with the Procedure, as transactions equal to or over $100,000 are released for payment with only one department approval. | 3 | 1) $332,315.67; 2) $104,822.90; 3) $204,000.00; Total $641,138.57 |
| (2) The Munis system is correctly configured to request two departmental approvals on transactions equal to or over $100,000, but the same department official made both approvals. | 4 | 1) $180,238.99; 2) $106,137.40; 3) $104,745.78; 4) $201,400.00; Total $592,522.17 |

OIG staff expanded the scope to include all transactions equal to or more than $100,000 to determine whether similar shortcomings existed in subsequent analyses. For example, all 437 API transactions that satisfied these criteria and occurred between September 1, 2019 and March 31, 2020, were tested. The OIG report issued on June 29, 2020 concluded that two different supervisors at the department level did not approve the following six transactions:

| Type of Issue | Number of Instances | Amounts of Invoices and Overall Total |
|---|---|---|
| (1) The Munis system configuration is not aligned with the Procedure, as transactions equal to or over $100,000 are released for payment with only one department approval. | 2 | 1) $204,000.00; 2) $110,000.00; Total $314,000.00 |
| (2) The Munis system is correctly configured to request two departmental approvals on transactions equal to or over $100,000, but the same department official made both approvals. | 4 | 1) $117,714.65; 2) $906,887.45*; 3) $375,117.79; 4) $125,867.76; Total $1,525,587.65 |

The transaction with the highest dollar amount, $906,887.45, was also approved at level 55 (granted to the Assistant City Managers, Executive Staff, or the City Manager), as required by the Procedure for transactions between $500,000 but less than $1,000,000; however, it does not satisfy the two required departmental approvals criterion.

Next, the OIG report issued on June 29, 2020, contained the following response from the Information Technology Department: Deputy Finance Director contacted the Munis System Administrator to discuss the said findings and developed a plan of action to update the workflow business rules for all cost centers so that (1) approvers are only assigned to approve at one step in the workflow except for level 5 which is not an approval authority; and (2) at least 2 department approvers are assigned to approve transactions $100,000 and above. Task completed in early April. We are currently working on building a report to validate these changes.

Later that same year, in the report issued on October 22, 2020, OIG staff similarly tested all 278 transactions of $100,000 and above, which were approved between April 1, 2020 and September 30, 2020, to determine compliance with the stated criteria in the Procedure. No discrepancies were noted, as the needed internal controls appeared to have been implemented.

More recently, in the report issued on February 1, 2022, all applicable 542 transactions occurring between October 1, 2020, and September 30, 2021, were tested, in which eight deviations from the stated Procedure were noted, as shown below in the following table.

| Type of Issue | Number of Instances | Amounts of Invoices and Overall Total |
|---|---|---|
| (1) The Munis system configuration is not aligned with the Procedure, as transactions equal to or over $100,000 are released for payment with only one department's approval. | 2 | 1) $118,489.50; 2) $112,734.00; Total $231,223.50 |
| (2) The Munis system is correctly configured to request two departmental approvals on transactions equal to or over $100,000, but the same department official made both approvals. | 6 | 1) $127,104.81; 2) $129,230.18; 3) $123,498.18; 4) $123,109.94; 5) $440,680.00; 6) $1,500,000.00*; Total $2,443,623.11 |

OIG staff reperformed the test during this annual review to determine whether deviations still occur.
Consequently, all applicable 623 transactions approved between October 1, 2021, and September 30, 2022, were tested in which seven deviations from the stated Procedure were noted, as shown below in the following table. Exhibit A at the end of this report provides more detail on these eight exceptions. Unlike previous results, all seven deviations were related to Munis system configurations for approving API transactions not correctly aligned with the Procedure.

| Type of Issue | Number of Instances | Amounts of Invoices and Overall Total |
|---|---|---|
| The Munis system configuration is not aligned with the Procedure, as transactions equal to or over $100,000 are released for payment with only one department's approval. | 7 | 1) $246,521.35; 2) $980,850.00*; 3) $500,000.00*; 4) $981,316.67*; 5) $984,450.00*; 6) $296,349.57; 7) $441,484.63; Total $4,430,972.22 |

* These transactions were approved by Executive Staff personnel, as required by the Procedure for transactions equal to or over $500,000 but below 1 million; however, this does not satisfy the two required departmental approvals criterion.

In sum, four of the last five reviews performed by OIG staff have identified 14 transactions, with a cumulative amount of almost $5.5 million, that were released for payment with only one departmental approval due to an incorrect workflow configuration. Also, 14 transactions with a cumulative amount exceeding $4.5 million were approved twice by the same department official. The Munis System Administrator previously informed the OIG Auditor that the Munis system is not equipped to flag transactions over $100,000 released with only one approval or to detect and preclude a sole authorized user from performing both approvals. The OIG considers this an internal control weakness that may jeopardize the legitimacy of a transaction and could facilitate mismanagement or even fraud, requiring prompt corrective action.

OIG Recommendation: For all noted deficient transactions:

a. The CFO should instruct his staff to timely review their validity and correctness.

Finance Department Response: On a quarterly basis, the Finance Department now obtains a Validate Workflow History Report. The Report is reviewed by the AP supervisor to ascertain that appropriate levels of approvals were obtained. In the event of an exception - a manual approval for the transactions is obtained from each department and uploaded to MUNIS records as evidence of appropriate departmental approvals. Finance obtained manual approval for all transactions noted in Exhibit A.

OIG Recommendation: For the transactions released for payment with only one approval, the City's Chief Information Officer should instruct the Munis System Administrator to:

b. Amend the departments' configuration as noted in Exhibit A, with the directors' approval, so the Munis system requires at least two department approvals for all transactions equal to or more than $100,000.

Information Technology Department Response: As part of the existing role-based access yearly review process, IT will provide a detailed listing of departmental personnel and their respective approval levels. Departments will be responsible for evaluating role-based access as well as disbursement approval levels. Modifications will be submitted to I.T. Changes submitted to I.T. will be configured as needed for compliance.

OIG Recommendation:

c. Review all remaining City departments' configurations for approvals and make the necessary corrections to prevent similar deficiencies from occurring in the future.

Information Technology Department Response: The Information Technology Department reviewed all remaining City department configurations for approvals and ensured workflows do not have similar deficiencies.

OIG Recommendation: For the transactions approved twice by the same department official:

d. The Chief Information Officer and/or the Chief Financial Officer should contact Tyler Technologies Inc. (the parent company of the Munis system) to explore the possibility of incorporating additional internal controls into the disbursement process. These controls should not be limited to API transactions but to any approval process in the Munis system.

Information Technology Department Response: The Information Technology department will continue to explore the possibility of incorporating additional internal controls into the disbursement process. Custom functionality is considered by Tyler and added based on needs from all customers. Individual requests are generally not considered and accepted.

OIG Recommendation:

e. Until this shortcoming can be rectified, the Finance Department should review all transactions $100,000 or higher to ensure that they include at least two different authorized departmental approvers before the payment is issued.

Finance Department Response: The MUNIS disbursement system is fully automated and will prepare disbursements for distribution upon full approval based on associated workflow. The Finance Department is working with the I.T. department to determine if an exception report can be generated for disbursements in excess of $100,000 that do not have appropriate approvers. Finance will review this report on a weekly basis prior to disbursements to identify any payments that do not have appropriate authorized departmental approvers levels, i.e. do not have two different departmental approvers. Departments will then be required to modify approvals prior to disbursing funds. Implementation: Pending based on availability of report.

OIG Recommendation:

f. All department officials with approval privileges should be aware of the Disbursement Workflow Citywide Procedure and follow the requirement of two different departmental approvals on transactions of $100,000 or higher.

Finance Department Response: The Finance Department in conjunction with the I.T., Budget and Procurement Departments updated the City's Administrative Order on the Workflow Disbursement Policy in December 2022, which has been distributed to all Department Directors and Executive Management. Going forward, the Finance Department will work with I.T., EPI and Procurement to develop a more formal process to educate and inform City employees on Workflow Approvals within the respective departments.

9. BDO Recommendation #40 - Accounts Payable employees should have their invoice approval rights removed, except for approval level 3, which is only a cursory review of the invoice entry.

Management Response: Effective April 2017, all accounts payable employee approvals, including level 3, have been removed in the system.

Current Testing Results #40 - OIG Auditor requested the Finance Department provide a list of the employees assigned to Accounts Payable. In addition, the I.T. Citywide Procedure regarding Munis, Eden, and Energov Systems User Access Review and Granting/Revoking Access, dated September 2019, was reviewed. Four Finance Department employees were assigned to the Accounts Payable function during the reviewed period. A test was conducted in the Munis system to verify User Attributes for the employees assigned to accounts payable. No role corresponding to the description of AP Invoice Approval was found in Munis Role Assignments for these employees. However, according to Effective Permissions under User Attributes, three of the four Finance employees responsible for Account Payable were granted permissions related to authorizing payment of invoice with no purchase order, authorizing payment of a direct pay invoice without commodity code, and authorizing payment of invoice to expired Purchase Order.
It was determined that these permissions are granted under role assignment F_AP-ANALYST_II for the employees to be able to conduct their accounts payable functions. In addition, it was verified that the Finance Department personnel with AP Invoice Approval roles are not granted permissions related to authorizing payment of invoices.

OIG Conclusion - A proper segregation of duties was observed, and no exceptions were noted, as the City is currently compliant with BDO Recommendation #40.

Marlge, Chief Auditor
Norman Blaiotta, Deputy Chief Auditor

cc: Kathy Brooks, Acting Chief Financial Officer
Frank Quintana, Chief Information Officer

OFFICE OF THE INSPECTOR GENERAL, City of Miami Beach
1130 Washington Avenue, 6th Floor, Miami Beach, FL 33139
Tel: 305.673.7020 • Fax: 305.206.5509 • Hotline: 786.897.1111
Email: CityofMiamiBeachOIG@miamibeachfl.gov
Website: www.mbinspectorgeneral.com

Exhibit A

| # | Doc Num | Approval Step | Approver Position | Department | Approval Date | Amount | Check Date | Check/Wire Number |
|---|---|---|---|---|---|---|---|---|
| 1 | 347481 | 38 | ADMIN SERVICES MANAGER | ECONOMIC DEVELOPMENT | 2/4/2022 | $246,521.35 | 2/9/2022 | 7978 |
| 2 | 347676* | 38 | ADMIN SERVICES MANAGER | ECONOMIC DEVELOPMENT | 2/8/2022 | $980,850.00 | 2/22/2022 | 7985 |
|   |         | 55 | CHIEF OF LEGISLATIVE & EXT AFF | CITY MANAGER | 2/18/2022 | | | |
| 3 | 353027* | 38 | ADMIN SERVICES MANAGER | ECONOMIC DEVELOPMENT | 3/16/2022 | $500,000.00 | 3/17/2021 | 8104 |
|   |         | 40 | CHIEF OF LEGISLATIVE & EXT AFF | CITY MANAGER | 3/16/2022 | | | |
| 4 | 361527* | 38 | ADMIN SERVICES MANAGER | ECONOMIC DEVELOPMENT | 5/18/2022 | $981,316.67 | 5/25/2022 | 8277 |
|   |         | 55 | CHIEF OF LEGISLATIVE & EXT AFF | CITY MANAGER | 5/23/2022 | | | |
| 5 | 376702* | 38 | ADMIN SERVICES MANAGER | ECONOMIC DEVELOPMENT | 8/4/2022 | $984,450.00 | 8/12/2022 | 8546 |
|   |         | 55 | CHIEF OF LEGISLATIVE & EXT AFF | CITY MANAGER | 8/5/2022 | | | |
| 6 | 378615 | 38 | ADMIN SERVICES MANAGER | ECONOMIC DEVELOPMENT | 8/23/2022 | $296,349.57 | 8/24/2022 | 8621 |
| 7 | 381650 | 38 | ADMIN SERVICES MANAGER | ECONOMIC DEVELOPMENT | 9/12/2022 | $441,484.63 | 9/14/2022 | 8670 |

* These transactions were approved by Executive Staff personnel, as required by the Procedure for transactions equal to or over $500,000 but below 1 million; however, this does not satisfy the two required departmental approvals criterion.
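
The exception check discussed under BDO Recommendation #27 (two different departmental approvers on transactions of $100,000 or higher), as an added example that is not part of the OIG report and is not Munis code. The record layout, field names, approver IDs and the rule that an approval counts as departmental only when the approver's department matches the invoice's department are assumptions; the first two documents reuse Exhibit A values, the SAMPLE rows are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

THRESHOLD = Decimal("100000.00")  # dollar threshold stated in the Procedure
REQUIRED_APPROVERS = 2            # two different departmental approvers


@dataclass(frozen=True)
class Approval:
    """One workflow approval row (hypothetical export layout)."""
    doc_num: str
    invoice_dept: str
    amount: Decimal
    step: int
    approver_id: str    # hypothetical user ID; Exhibit A lists positions only
    approver_dept: str


def _norm(value: str) -> str:
    # Compare IDs and departments case-insensitively so "JDOE " and "jdoe"
    # are not mistaken for two different people.
    return value.strip().casefold()


def exception_report(approvals):
    """Return {doc_num: finding} for documents at or above the threshold that
    lack two different departmental approvers.

    SINGLE_DEPT_APPROVAL: fewer than two departmental approvals were recorded
    (approvals from another department, such as an executive step, do not count).
    SAME_APPROVER_TWICE: two or more departmental approvals were recorded, but
    they trace back to fewer than two distinct people.
    """
    by_doc = defaultdict(list)
    for row in approvals:
        by_doc[row.doc_num].append(row)

    findings = {}
    for doc_num, rows in by_doc.items():
        if rows[0].amount < THRESHOLD:
            continue
        dept_rows = [r for r in rows
                     if _norm(r.approver_dept) == _norm(r.invoice_dept)]
        distinct = {_norm(r.approver_id) for r in dept_rows}
        if len(distinct) >= REQUIRED_APPROVERS:
            continue
        if len(dept_rows) >= REQUIRED_APPROVERS:
            findings[doc_num] = "SAME_APPROVER_TWICE"
        else:
            findings[doc_num] = "SINGLE_DEPT_APPROVAL"
    return findings


ECON, CMO, PW = "ECONOMIC DEVELOPMENT", "CITY MANAGER", "PUBLIC WORKS"

# Doc numbers, amounts, steps and departments of the first three rows come
# from Exhibit A; approver IDs are hypothetical. SAMPLE-* rows are constructed.
SAMPLE_APPROVALS = [
    Approval("347481", ECON, Decimal("246521.35"), 38, "econ.mgr", ECON),
    Approval("347676", ECON, Decimal("980850.00"), 38, "econ.mgr", ECON),
    Approval("347676", ECON, Decimal("980850.00"), 55, "cmo.chief", CMO),
    # Same official approving at two steps, IDs differing only in case/spacing.
    Approval("SAMPLE-A", PW, Decimal("150000.00"), 38, "jdoe", PW),
    Approval("SAMPLE-A", PW, Decimal("150000.00"), 40, "JDOE ", PW),
    # Compliant: two different departmental approvers.
    Approval("SAMPLE-B", PW, Decimal("120000.00"), 38, "asmith", PW),
    Approval("SAMPLE-B", PW, Decimal("120000.00"), 40, "bjones", PW),
    # Below the threshold: one approval is acceptable.
    Approval("SAMPLE-C", PW, Decimal("99999.99"), 38, "asmith", PW),
]

if __name__ == "__main__":
    for doc, finding in sorted(exception_report(SAMPLE_APPROVALS).items()):
        print(doc, finding)
```

Run before payments are released, a report of this shape covers both deficiency types the OIG tables distinguish, including the case where an executive-level approval is present but the second departmental approval is missing.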