Follow-up Review of BDO USA, LLP Audit Report's Recommendation Number 2 2-27-18
MIAMI BEACH INTERNAL AUDIT REPORT
City of Miami Beach, 1700 Convention Center Drive, Miami Beach, Florida 33139, www.miamibeachfl.gov
Office of Internal Audit
Tel: 305-673-7020
TO: Jimmy L. Morales, City Manager
VIA: Mark D. Coolidge, Interim Internal
FROM: Norman Blaiotta, Senior Auditor
DATE: February 27, 2018
SUBJECT: Follow-up Review of BDO USA, LLP Audit Report's Recommendation Number 2

The Office of Internal Audit (Internal Audit) issued its Follow-up Review of BDO USA, LLP Audit
Report Findings on October 30, 2017 which evaluated the corrective actions implemented to
date by the Finance and/or Information Technology Departments for the sixty (60) listed findings
and recommendations. The initial BDO USA, LLP (BDO) audit report dated May 17, 2017
focused on how the City should mitigate its risk exposure on Treasury and ACH disbursements,
which also affected other Finance Department functions such as payroll and accounts payable.

In summary, Internal Audit's October 30, 2017 report concluded that 59 of BDO's
recommendations were completed by either fully implementing the stated recommendation (50)
or alternative control(s) were identified and implemented that helped achieve the desired
outcome (9). The one (1) remaining recommendation (number 2 in the BDO report) was
considered as substantially completed which meant that minimal pending items continued to be
outstanding.

BDO's recommendation number 2 can be found in Exhibit A located on page 2 of this report.

Since the October 30, 2017 issuance of Internal Audit's report, Finance Department
management has continued to analyze and revise its staff's assigned Munis System rights and
permissions to help ensure that they were appropriate for their respective role and represent an
appropriate segregation of duties. The Munis System is the City's enterprise resource planning
system that was purchased from Tyler Technologies, Inc. whose Financial Reporting module
went live on May 2, 2016.

Exhibit A also provides a more detailed listing of the corrective actions taken in the section
entitled "Internal Audit's Testing Procedures/Results". Upon verification that the Information
Technology Department has made all of the Finance Department management's desired
revisions, Internal Audit concludes that BDO recommendation number 2's status can now be
changed from substantially completed to completed. Although it has been confirmed that the
corrective actions initiated by the Finance and/or Information Technology Departments for all
sixty (60) BDO recommendations have achieved the desired tested outcomes as of each
report's measurement dates, one must remember that this is a dynamic process which must be
continually updated as employees' positions and/or duties change.

cc: John Woodruff, Chief Financial Officer
Allison R. Williams, Deputy Finance Director
Ariel Sosa, Director-Information Technology Department
EXHIBIT A
#: 2
Status: Completed

Recommendation: The City should review the Munis rights,
permissions, and authority of all Finance Department personnel to
ensure that record-keeping, approval or rejection, adding and
removing approved vendors, and other rights, permissions, and
authority are appropriate for their respective roles and represent
appropriate separation of duties.

Internal Audit's Testing Procedures/Results: Information Technology
Department staff initially generated a 1,579 page report detailing the
rights and permissions assigned to each Finance Department
employee in the Munis System. After reviewing this report, Internal
Audit helped identify the roles and permissions that represented the
highest risks which allow users the ability to delete, modify and/or
override information as well as the ability to view confidential data
(e.g. social security numbers). Furthermore, the assignment of
workflow, payroll and fixed asset super user permissions were
analyzed to help ensure that an appropriate separation of duties
existed. From this analysis, a more condensed report was created
containing 189 assigned rights and permissions which was more
closely examined by Finance Department management.

Upon completion of their review, Information Technology Department
personnel were instructed to make 152 changes (80.4%) to these 189
assigned rights and permissions during January 2018. After receiving
notification that each of these changes was implemented, Internal
Audit began its analysis. Our objective was not to make an
appropriateness assessment of the 189 assigned rights and
permissions, but to independently confirm that the Information
Technology Department had made all the changes requested by the
Finance Department.

Testing found that three (3) of the requested changes had not been
made by the Information Technology Department as of February 5,
2018. In addition, it was noted that a Financial Analyst III was also
given the payroll super user permissions to perform certain
transactions by January 31st that had similarly not yet been revoked.
Although the payroll super user permission does not by itself
allow one to run the payroll, the combination of this permission with
others already granted may result in a segregation of duties'
deficiency. The Information Technology Department was notified and
made these corrections on February 14, 2018 which was promptly
verified by Internal Audit.