OIG No. 24-01: Follow-Up Review of Selected BDO AuditJoseph M. Centorino, Inspector General
TO:
FROM:
DATE:
PROJECT:
PERIOD:
Honorable Mayor and Members of the City Commission
Joseph Centorino, Inspector General
January 17, 2024
Follow-Up Review of Selected BOO Audit Recommendations
(#s 27, 31, 38, 55, and 56)
OIG No. 24-01
October 1, 2022, to September 30, 2023 (2022/23 Fiscal Year)
Upon discovering a $3.6 million fraud in 2016 involving its Treasury and ACH disbursements, the City
Administration and Finance Department, among other responsive actions, hired the independent firm of
BOO USA, LLP (BOO) to perform an audit. After extensive testing, interviews, and analysis, BOO issued
a report on May 17, 2017, containing 60 findings with recommendations on mitigating the City's risk
exposure on these disbursements, affecting other Finance Department functions, including payroll and
accounts payable. The City Finance and Information Technology Departments worked together to take
corrective action to mitigate the identified risks and attain the desired outcomes.
In response to the BOO audit report, the then-existing Office of Internal Audit was assigned to perform
periodic reviews of selected recommendations to ensure that these outcomes continue to be achieved
by the City. On November 1, 2019, the Office of Internal Audit was subsumed into the Office of the
Inspector General (OIG), which has opted to continue performing these reviews. This follow-up review
focuses on testing City staffs compliance with BOO recommendations numbered 27, 31, 38, 55, and 56.
This report is separated by each sampled BOO recommendation and the City's associated management
response. It also includes OIG staffs current testing results and conclusions.
1. BOO Recommendation #27 - Munis should be modified so as not to allow significant payments to
be issued unless the approvals of at least two different City officers have been documented in the
system. Further, Munis should be modified so as not to allow payments exceeding $1,000,000 to
be issued unless the approval of the City Manager has been documented in the system.
Management Response: The City amended the workflow approval policy to say that the City
Manager approves disbursement over $1 million except for debt service payments (principal,
interest, and fees on bonds, loans and notes). These items are approved by the CFO (Chief
Financial Officer), Deputy Finance Director or Assistant Finance Director. The debt service
workf/ow was revised in April 2017.
Current Testing Results #27 - Since the approval of the Disbursement Workflow Citywide
Procedure (Procedure) on January 22, 2019, and its subsequent update on December 3, 2019,
in which two departmental approvals for "Accounts Payable Invoices" or API transactions over
$100,000 are required, OIG staff has performed periodic testing to (1) determine whether the
Munis system configurations for approving API transactions are correctly aligned with the
Procedure; and (2) whether pertinent transactions are being approved by at least two different
designated supervisors at the departmental level. This testing is repeatedly performed because
deficiencies are routinely identified, and it could facilitate mismanagement and/or result in fraud.
Page 1 of 8
The Munis system is the City enterprise resource planning system.
The first related test results were presented in a report issued by the OIG on October 25, 2019,
for transactions equal to or greater than $100,000 but less than $500,000. All 264 pertinent API
transactions occurring between March 1, 2019, and August 31, 2019, were tested, with the results
summarized in the following table.
Type of Issue Number of Amounts of Invoices and
Instances Overall Total
(1) The Munis system configuration is not aligned with the 1) $332,315.67
2) $ 104,822.90 Procedure, as transactions equal to or over $100,000 are released 3 3) $ 204,000.00 for payment with only one department approval. Total$ 641,138.57
1) $180,238.99
(2) The Munis system is correctly configured to request two 2) $106,137.40
departmental approvals on transactions equal to or over $100,000. 4 3) $ 104,745.78
Still, the same department official made both approvals. 4) $ 201,400.00
Total$ 592,522.17
OIG staff expanded its scope to include all transactions equal to or more than $100,000 to
determine whether similar shortcomings existed in subsequent analyses. For example, all 437
API transactions that satisfied these criteria and occurred between September 1, 2019, and March
31, 2020, were tested. A report issued by the OIG on June 29, 2020, concluded that two different
supervisors at the department level did not approve the following six transactions:
Type of Issue Number of Amounts of Invoices and
Instances Overall Total
(1) The Munis system configuration is not aligned with the 1) $ 204,000.00
Procedure, as transactions equal to or over $100,000 are 2 2) $ 110,000.00
released for payment with only one department approval. Total$ 314,000.00
(2) The Munis system is correctly configured to request two 1) $117,714.65
2) $ 906,887.45 departmental approvals on transactions equal to or over 4 3) $375,117.79 $100,000. Still, the same department official made both 4) $ 125,867.76 approvals. Total $1,525,587.65
The transaction with the highest dollar amount, $906,887.45, was also approved at level 55 (granted to the
Assistant City Managers, Executive Staff, or the City Manager), as required by the Procedure for transactions
between $500,000 but less than $1,000,000; however, it does not satisfy the two required departmental approvals
criterion.
Next, a report issued by the OIG on June 29, 2020, contained the following response from the
Information Technology Department: Deputy Finance Director contacted the Munis System
Administrator to discuss the said findings and developed a plan of action to update the workflow
business rules for all cost centers so that (1) approvers are only assigned to approve at one step
in the workflow except for level 5 which is not an approval authority; and (2) at least 2 department
approvers are assigned to approve transactions $100,000 and above. Task completed in early
April. We are currently working on building a report to validate these changes.
Later that same year, in a report issued on October 22, 2020, OIG staff similarly tested all 278
transactions of $100,000 and above, approved between April 1, 2020, and September 30, 2020,
to determine compliance with the stated criteria in the Procedure. No discrepancies were noted,
as the needed internal controls appeared to have been implemented.
Similar testing was then performed in a report issued by the OIG on February 1, 2022, testing all
applicable 542 transactions occurring between October 1, 2020, and September 30, 2021, in
which eight deviations from the stated Procedure were noted, as shown below in the following
table.
Page 2 of 8
Type of Issue Number of Amounts of Invoices and
Instances Overall Total
(1) The Munis system configuration is not aligned with the 1) $118,489.50
Procedure, as transactions equal to or over $100,000 are 2 2) $112,73400
released for payment with only one department's approval. Total$ 231,223.50
1) $127,104.81
2) $129,230.18
(2) The Munis system is correctly configured to request two 3) $123,498.18
departmental approvals on transactions equal to or over 6 4) $123,109.94
$100,000, but the same department official made both approvals. 5) $ 440,680.00
6) $1,500,000.00'
Total $2,443,623.11
Next, OIG staff tested all applicable 623 transactions approved between October 1, 2021, and
September 30, 2022, in which seven deviations from the stated Procedure were noted, as shown
below in the following table. Unlike previous results, all seven deviations were related to Munis
system configurations for approving API transactions not correctly aligned with the Procedure.
Type of Issue Number of Amounts of Invoices and
Instances Overall Total
1) $ 246,521.35
2) $ 980,850.00°
The Munis system configuration is not aligned with the Procedure, 3) $ 500,000.00°
4) $ 981,316.67* as transactions equal to or over $100,000 are released for 7 5) $ 984,450.00* payment with only one department's approval. 6) $ 296,349.57
7) $ 441,484.63
Total $ 4,430,972.22
*These transactions were approved by Executive Staff personnel, as required by the Procedure for transactions equal
to or over $500,000 but below 1 million; however, this does not satisfy the two required departmental approval criteria.
OIG staff performed this test during this review to determine whether deviations still occur.
Consequently, all applicable 645 transactions approved between October 1, 2022, and
September 30, 2023, were tested, and nine (9) deviations from the stated Procedure were noted,
as shown in the table below. Similar to the prior 2021/22 fiscal year review, all nine deviations
were related to Munis system configurations for approving API transactions that were not correctly
aligned with the Procedure. Exhibit A at the end of this report provides more detail on these nine
exceptions.
Type of Issue Number of Amounts of Invoices and
Instances Overall Total
1) $ 298,663.48
2) $ 339,042.41
3) $ 222,148.95
The Munis system configuration is not aligned with the Procedure, 4) $ 101,922.56
5) $ 147,603.96 as transactions equal to or over $100,000 are released for 9 6) $ 350,520.00 payment with only one department's approval. 7) $ 373,212.00
8) $ 112,584.44
9) $ 300,000.00
Total$ 2,245,697.80
In sum, five of the last six reviews performed by OIG staff have identified a total of 23 transactions,
with a cumulative value of $7,863,032.09, that were released for payment with only one
departmental approval due to an incorrect workflow configuration. In addition, 14 transactions with
a cumulative value of $4,561,732.93 were approved twice by the same department official.
Page 3 of 8
The Munis System Administrator previously informed the OIG Auditor that the Munis system is
not equipped to flag transactions over $100,000 released with only one approval or to detect and
preclude a sole authorized user from performing both approvals. The OIG considers this an
internal control weakness that may jeopardize the legitimacy of a transaction and could facilitate
mismanagement or possibly fraud, if not sufficiently and promptly resolved.
OIG Recommendation:
For the transactions released for payment with only one approval as noted in Exhibit A, the
corresponding City's departments (Tourism & Cultural Development, Economic Development,
Public Works, Facilities and Fleet Management) should review department personnel approval
levels to ensure at least two department disbursement approval levels for all transactions equal
to or more than $100,000.00. Modifications should be promptly submitted to the Information
Technology Department to be configured as needed for compliance.
Information Technology Department Response:
Modifications should be promptly submitted to the Information Technology Department to be
configured as needed for compliance.
Finance Department Response:
The Finance Department has segregated the findings into 2 categories. ltems 1-3 will be referred
to as category A issues and items 4-9 will be referred to as category B issues.
Category A issues occurred during a transitionary period as responsibilities for Cost Center 7010
were transferred between Tourism and Culture and the Economic Development Departments.
Subsequently, the workflow was corrected to include additional approval levels appropriate to the
dollar values of these items. Finance has also obtained additional manual approvals for these
transactions.
Category B issues are attributed to another transitionary period in the Fleet and Facilities
Department. Based on data and research completed by Finance and information received from
the City's Information Technology Department, Finance has determined that this error was
attributed to the resignation of the Department's Director without an immediate replacement of
another employee into the role at level 40. Once the Director was terminated in the Munis system,
the role of Level 40 ceased to function. This action resulted in a "gap" in the workflow, resulting
in these items to be identified as fully approved at level 38 in error.
To function correctly, the Munis system requires immediate placement of another approver,
segregated from the lower level to properly approve these disbursements. This "gap' was
subsequently corrected with the full implementation of the Interim Director at level 40 and the
addition of separate employees at level 38. Finance has also confirmed that appropriate
employees have been assigned at levels 55 and 60. Manual dual departmental approvals have
been received to be consistent with City policy.
To facilitate in minimizing these types of issues - the Finance team has modified its process to
review all disbursements over $100,000 to ensure that all the API levels 40, 55 and 60 are
appropriately received as required per policy. Items requiring correction/modification will have the
option of obtaining manual approval or resubmitting for "rerouting" to appropriate approvals. To
further minimize these issues in the future, the City will modify/create an interdepartmental
process to include specific steps to ensure proper replacements are identified and established for
all Munis system workflow levels once an approver has terminated employment with the City.
OIG Response:
The OIG appreciates the detailed response received and the efforts in categorizing and
addressing the identified deficiencies. Although the current deficiencies may only pertain to the
Page 4 of 8
Tourism and Culture, Economic Development, and Information Technology Departments,
previous findings involved various other City departments like CIP, Human Resources, and
Planning and occurred, at a minimum, during the last several years in which related testing was
conducted. Consequently, the OIG has concluded that the identified deficiency is a long-standing,
reoccurring systemic issue that needs to be promptly corrected.
The Disbursement Workflow Citywide procedure states, "It is the responsibility of the
Departments/Divisions designee to ensure that the approvals are properly reviewed and approved
in Munis..." Also, the BOO audit consistently referred to transaction approvals as "documented in
the system," which further emphasizes the necessity of using the Munis system for all approval
processes. The OIG agrees that the optimal and most effective procedure to prevent this
deficiency from reoccurring is to require City departments to immediately notify the Information
Technology Department upon reassigning or terminating pertinent departmental approvers so
that it can promptly restructure the associated approval queue in the Munis system. Unfortunately,
it is difficult to immediately update the Munis system approval queue before reviewing and
processing any payments due to various constraints {the need for relevant staff to perform other
duties, or they are out of the office, etc.).
In addition, the Finance Department's response also addresses resubmitting transactions for
"rerouting" to correct any incomplete approvals or using manual approvals. The OIG opposes
using manual approvals and endorses the practice of resubmitting transactions through the Munis
system in those instances when the departmental approval queue has been affected. Approving
payments within a system, as opposed to manual approvals, enhances transparency and
provides a clear audit trail, ensures consistent application of policies, minimizes human errors,
speeds up the approval process, prevents fraud through built-in controls, and reduces the risk of
tampering or data loss, making it a more effective and secure approach overall.
2. BOO Recommendation #31 - Munis should be modified so as not to allow payments exceeding
$500,000 to be issued without having the invoice entry approval of at least two employees with
approval levels between 40 and 55 documented in the system.
City Response to BOO Recommendation #31- The necessary workflow analysis and
modification in Munis is anticipated to be completed by June 2017. The IT resources required to
implement this recommendation are currently supporting the Munis: HR/Payroll project
implementation which is scheduled to go-live in May 2017.
Current OIG Testing Results - The OIG Auditor tested all 176 related API transactions exceeding
$500,000 occurring between October 1, 2022, and September 30, 2023. It was observed that the
transactions that were categorized as "Direct Pay (DP) for Debt Services and Payroll Related
Items" were all approved by the Finance Department's Treasury Manager, Assistance Director
Finance and/or Chief Financial Officer. The transactions that were considered not to be under the
"Direct Pay (DP)" category, that either equaled or exceeded $1 million were found to be approved
by the City Manager. Lastly, the transactions under $1 million were approved by at least two
Department Management employees and/or an Assistant City Manager, as the Disbursement
Workflow Policy requires. As a result, it was determined that the selected transactions were
approved per the Disbursement Workflow Policy and were properly aligned with the Munis
approval configuration.
OIG Conclusion - No exceptions were noted as the City was found to be compliant with BOO
Recommendation #31 for the examined period.
3. BOO Recommendation #38 - An employee independent of IT and with no rights to request or
make changes to the approval queues should be responsible for reviewing an audit trail with the
history of approval queue activity to verify whether changes to the invoice approval queues are
authorized.
Page 5 of 8
City Response to BOO Recommendation #38 - IT has generated a report for Internal Audit to
review the audit trail with the history of approval queue activity to verify whether changes to the
invoice approval queues are authorized. Internal Audit will create a process to review the audit
trails on a semi-annual basis by August 2017.
Current OIG Testing Results - The OIG Auditor requested access to the Role Assignment
Changes report from the Information Technology Department to obtain the history of approval
activity performed between October 1, 2022, and September 30, 2023, to verify whether the role
assignment changes were authorized. Additional information such as role/permission description,
employee name, department was added to the report for a better selection criterion. Fifteen Munis
users with role assignment changes were then selected from the population for further analysis.
This judgmental sample was based on such risk factors as permissions granted that allow
employees to add, edit, override, modify, approve, process, or delete transactions.
The OIG Auditor requested the authorizations for the fifteen sampled Role Assignment Changes
to determine whether the Munis System Administrator kept records of changes in roles and
permissions made in the Munis system. OIG staff did not assess the appropriateness of the
role/permission change, but only whether it was authorized, and the supporting documentation
maintained.
Copies of the authorization emails were received to support the changes since the Information
Technology Department regularly handles change approvals on an email-based workflow.
Testing determined that the Munis System Administrator documented the authorization for the
fifteen Role Assignment Changes in charge of performing these changes in the Munis system.
OIG Conclusion - No exceptions were noted as the Information Technology Department was
compliant with BOO Recommendation #38 for the examined Role Assignment Changes.
4. BOO Recommendation #55 - The Payroll Processor's rights to create a new employee or change
employee information in Eden should be revoked.
City Response to BOO Recommendation #55- The City will be converting to Munis in May 2017.
The Payroll Processor's rights to create a new employee or change employee information in
Munis were removed in May 2017.
Current OIG Testing Results - The OIG Auditor requested a list of Finance Department employees
involved in payroll processing and was informed that three Finance Department staff were
assigned as payroll processors. The OIG Auditor designed a test in the Munis system, the City
enterprise resource planning system, to validate this information and to verify User Attributes
related to creating a new employee or changing employee information for these three Finance
Department employees.
Testing verified that only these three Finance Department's employees were assigned active roles
as Payroll Processors corresponding to role key: F _PR_PAYROLL_PROC. In addition, it was
determined that effective permission to create a new employee or change employee information
was not granted to any of these Finance Department staff assigned as payroll processors.
OIG Conclusion - No exceptions were noted as the Finance Department is currently compliant
with BOO Recommendation #55.
5. BOO Recommendation #56 - The Payroll Processor should not be permitted to perform the two
levels of approval of the payroll process that is required in Eden.
Page 6 of 8
City Response to BOO Recommendation #56 - The City will be converting to Munis in May 2017:
HR/Payroll in May 2017. With the implementation of Munis, the Payroll Processor will not be able
to perform two levels of approval.
Current OIG Testing Results - The OIG Auditor requested the Finance Department provide a list
of all employees assigned as Payroll Processors for the examined period. In response, he was
informed that three Finance Department employees were assigned to the Payroll Processors
function. A test was then conducted in the Munis system to verify User Attributes for the
employees assigned to processing payroll. No role corresponding to the description of Payroll
Approval was found in Munis Role Assignments for these employees. In addition, it was verified
that the Finance Department personnel with Payroll Approval roles are not granted permissions
related to processing payroll.
OIG Conclusion - A proper segregation of duties was observed, and no exceptions were noted
as the Finance Department complied with BOO Recommendation #56.
cc: Jason Greene, Chief Financial Officer
Frank Quintana, Chief Information Officer
Page 7 of 8
Exhibit A
Doc Approval Approval Check/Wire Check/Wire # Num Step Position Department Date Amount Date Number Number
1 386812 38 ADMIN SERVICES MANAGER TOURISM & CULTURAL DEVELOPMENT 10/12/2022 $ 298,663.48 10/21/2022 8764
2 396499 38 ADMIN SERVICES MANAGER TOURISM & CULTURAL DEVELOPMENT 12/5/2022 $ 339,042.41 12/7/2022 8944
3 401609 38 ADMIN SERVICES MANAGER ECONOMIC DEVELOPMENT 1/26/2023 $ 222,148.95 1/30/2023 9156
4 426552 38 ASSISTANT DIRECTOR PROPERTY PUBLIC WORKS PROPERTY MGMT 7/3/2023 $ 101,922.56 7/11/2023 490814
5 430708 38 ASSISTANT DIRECTOR PROPERTY PUBLIC WORKS PROPERTY MGMT 7/24/2023 $ 147,603.96 7/25/2023 491543
6 435996 38 ASSISTANT DIRECTOR PROPERTY PUBLIC WORKS PROPERTY MGMT 8/9/2023 $ 350,520.00 8/10/2023 492393
7 436473 38 ASSISTANT DIRECTOR PROPERTY PUBLIC WORKS PROPERTY MGMT 8/17/2023 $ 373,212.00 8/22/2023 492879
8 436696 38 ASSISTANT DIRECTOR PROPERTY PUBLIC WORKS PROPERTY MGMT 8/15/2023 $ 112,584.44 8/17/2023 492710
9 436906 38 ASSISTANT DIRECTOR PROPERTY PUBLIC WORKS PROPERTY MGMT 8/15/2023 $ 300,000.00 8/17/2023 492714
OFFICE OF THE INSPECTOR GENERAL, City of Miami Beach
1130 Washington Avenue, 6" Floor, Miami Beach, FL 33139
Tel: 305.673.7020 • Hotline: 786.897.1111
Email: CityofMiamiBeachOIG@miamibeachfl.gov
Website: www.mbinspectorgeneral.com
Page 8 of 8