Audit Report

Comptroller of the Treasury General Accounting Division January 1998

This report and any related follow-up correspondence may be requested in alternate formats by contacting the Office of Legislative Audits at (410) 767-1400 (Voice), (410) 333-5210 (Fax), and 1-800-735-2258 (Maryland Relay Service).

January 26, 1998

Senator Ulysses Currie, Chairman, Joint Audit Committee Delegate D. Bruce Poole, Vice Chairman, Joint Audit Committee Members of Joint Audit Committee Annapolis, Maryland Ladies and Gentlemen: We have audited the Comptroller of the Treasury - General Accounting Division for the period beginning February 22, 1994 and ending January 31, 1997. Our audit disclosed that procedures to prevent the payment of invoices when State agencies lacked sufficient budgetary appropriations were not used throughout most of fiscal year 1997. This situation occurred primarily because of programming problems with the State’s new accounting system. In addition, certain revenue and expenditure differences between the State’s old and new accounting systems had not been fully resolved. We also found that proper controls had not been established over certain aspects of the Division’s processing of State vendor payments which increased the risk of unauthorized disbursements. Our audit also disclosed procedural deficiencies with respect to the Division’s processing of its cash receipts and certain disbursement transactions. Respectfully submitted,

Bruce A. Myers, CPA Legislative Auditor

Thomas J. Barnickel III, CPA Audit Manager

(This Page Intentionally Left Blank)

2

Table of Contents Executive Summary

5

Background Information

7

Agency Responsibilities Audit of the State’s General Purpose Financial Statements Current Status of Findings from Preceding Audit Report

Findings and Recommendations

7 7 7 9

Statewide Accounting Control Functions Operation of State’s Accounting System Procedures to Prevent Agency Overspending Were Not Used Throughout Most of Fiscal Year 1997 Accounting Differences Between STARS and R*STARS Have Not Been Fully Resolved Vendor Payment Processing Unauthorized Changes Could Be Made to State Agency Invoices Without Prompt Detection Control Procedures for Individuals Picking Up State Vendor Payment Checks Were Not Sufficient Agency Requests for R*STARS Vendor Data File Changes Were Processed Without Supporting Documentation

9 10

10 11 12

Tax Withholdings from Vendor Payments Withholding Required by IRS Regulations Was Not Initiated

12

Accounting Guidance to State Agencies The Division’s Accounting Procedures Manual Has Not Been Updated

13

3

Internal Fiscal Operations and Controls Cash Receipts Controls to Verify the Proper Disposition of Recorded Collections Were Deficient

14

Audit Services Contract Reports of Audit Hours Rendered Were Not Being Obtained to Ensure Compliance with Contractual Requirements

15

Disbursement Processing Automated Security Features Were Not Fully Used to Help Prevent Unauthorized Disbursements

16

Audit Scope, Objectives and Methodology

17

Agency Response

Appendix

4

Executive Summary Legislative Audit Report on the Comptroller of the Treasury General Accounting Division January 1998

Statewide Accounting Control Functions •

Procedures to prevent agencies from violating the State law on budget overspending were not used throughout most of fiscal year 1997, which resulted in numerous temporary overspending conditions. The Division should ensure that procedures, which have been reinstated for fiscal year 1998, remain in effect to prevent the payment of invoices when agencies lack sufficient appropriations for the expenditures.

•

Accounting record keeping differences that existed when the State converted its accounting system had been reduced but not fully resolved as of September 5, 1997. The Division should continue its efforts to resolve the unidentified revenue and expenditure differences between the former accounting system and the new system of approximately $4,400,000 and $3,000,000, respectively.

•

Proper controls were not established over certain aspects of the State vendor invoice payment procedures. The employee responsible for verifying changes made to State agency automated invoice data should be precluded from making such changes. Furthermore, the Division should ensure that vendor checks held for pick-up are released only to authorized individuals.

•

Although required by IRS regulations, tax withholdings were not initiated for State vendors who failed to provide correct taxpayer information. The Division should develop the necessary automated capability to withhold required amounts from State vendor payments in order to avoid potential liabilities.

5

•

The Division’s Accounting Procedures Manual has not been updated. The Accounting Procedures Manual should be promptly revised to provide guidance to State agencies on current accounting processes and proper internal controls.

Internal Fiscal Operations and Controls •

Adequate controls were not established over the Division’s cash receipts and disbursements. The Division should ensure that employees independent of the cash receipts functions verify the proper disposition of recorded collections. In addition, the available automated security features should be fully used to help prevent unauthorized disbursements.

•

Reports of audit hours rendered by the State’s independent auditor were not being obtained. The actual hours were determined to be less than that required by the contracts. Since the audit firm disputes the need to reimburse the State for the hours that were not provided, the Division should resolve this issue in a manner that serves the best interests of the State.

6

Background Information Agency Responsibilities The General Accounting Division, which is a unit of the Comptroller of the Treasury, is primarily responsible for maintaining the State’s accounting records, centrally processing vendor invoice payments, and distributing checks prepared by the State Treasurer’s Office. The Division is also responsible for annually preparing the State’s general purpose financial statements. The Division has joint responsibility with the Department of Budget and Management and the Comptroller of the Treasury’s Annapolis Data Center for maintaining the Relational Standard Accounting and Reporting System (R*STARS), the accounting component of the Financial Management and Information System (FMIS) which succeeded STARS as the State’s official accounting records on May 5, 1997.

Audit of the State’s General Purpose Financial Statements An independent accounting firm was engaged by the Comptroller of the Treasury for the purpose of expressing an opinion on the general purpose financial statements of the State of Maryland for each of the fiscal years ended from June 30, 1994 to June 30, 1997. In the related audit reports, the firm stated that the general purpose financial statements presented fairly the financial position of the State and the results of its operations for the years then ended in conformity with generally accepted accounting principles.

Current Status of Findings from Preceding Audit Report Our audit included a review to determine the current status of the two fiscal/compliance items and one prior performance audit item contained in our preceding audit report dated July 25, 1994. We determined that the Division satisfactorily resolved these items.

7

(This Page Intentionally Left Blank)

8

Findings and Recommendations Statewide Accounting Control Functions Operation of State’s Accounting System Background To verify the proper operation of R*STARS before discontinuing STARS, the two systems were run in parallel from July 1, 1996 until May 5, 1997. During that period, accounting transactions (e.g., revenues and expenditures) were initially processed by agencies on R*STARS and subsequently recorded by the Division on STARS. The Division was responsible for ensuring the integrity of the accounting data recorded on both systems. Finding #1 Procedures to prevent agencies from violating State law on budget overspending were not used throughout most of fiscal year 1997. Analysis During fiscal year 1997, the Division did not fully utilize the edit capabilities of the State’s accounting systems nor establish other mechanisms to prevent the payment of an invoice when an agency lacked sufficient appropriation for the expenditure. State Financial Procurement Article, Section 7-205 of the Annotated Code of Maryland states that money may be disbursed from the State Treasury only in accordance with the current appropriations for State programs. Our tests disclosed numerous instances in which the Division allowed invoices to be paid during fiscal year 1997 even though the applicable State agency programs did not have an available appropriation at the time of payment. Although sufficient appropriations were subsequently obtained for all payments charged to that year’s budget, procedures to help prevent overspending conditions were not in operation. The Division advised that the necessary budgetary control mechanisms have been in effect for fiscal year 1998. When both systems were being run in parallel, the edit function in STARS was functioning properly but because of certain programming problems, the R*STARS edit function was deactivated. As a result, overspending conditions identified by STARS were ignored because the transactions were previously accepted for payment by R*STARS. The Division advised that rejecting transactions for payment at that point would have further complicated State agency efforts to minimize accounting differences between the two systems.

9

When the conversion to R*STARS was completed on May 5, 1997, the Division activated the R*STARS edit function for some agencies, but it remained inactive for a number of agencies because some related problems still had not been resolved. Recommendation #1 We recommend that the Division ensure that mechanisms remain in effect to prevent the payment of invoices when agencies lack sufficient appropriations for the expenditures.

Finding #2 Accounting differences between STARS and R*STARS that existed at conversion have been significantly reduced but not fully resolved. Analysis Differences in the revenue and expenditure amounts recorded in STARS and R*STARS when system conversion was completed on May 5, 1997 had not been fully resolved as of September 5, 1997. Although the differences were significantly reduced during the four-month period, revenue and expenditures recorded on both systems still differed by approximately $4,400,000 and $3,000,000, respectively. Recommendation #2 To ensure the accuracy of the State’s accounting records, we recommend that the Division, in conjunction with the applicable agencies, continue its efforts to properly resolve the remaining differences.

Vendor Payment Processing Finding #3 Unauthorized changes could be made to State agency invoices during the Division’s invoice audit process without prompt detection. Analysis An adequate level of internal control was not established over changes that could be made by the Division to automated invoice data submitted by State agencies for payment processing. One employee in the Division’s invoice audit section,

10

who was responsible for verifying any on-line changes to invoice amounts, vendor names and addresses made by other section personnel, was also capable of making the same changes. Consequently, this individual could misdirect and/or alter State vendor payments processed by the Division. Such payments totaled in excess of $11.5 billion during fiscal year 1997. Recommendation #3 We recommend that the employee responsible for verifying changes made to automated invoice data being processed by the Division be precluded from making such changes.

Finding #4 Control procedures for individuals picking up State vendor payment checks were not sufficient. Analysis The Division did not always ensure that State vendor payment checks, which were held for pick-up at the request of State agencies, were released to properly authorized State agency personnel or to employees/designees of the payee vendors. Our tests of the approximately 1,000 checks held for pick-up during December 1996 disclosed that for 148 checks valued in excess of $6,100,000, the Division’s check pick-up log did not contain evidence (i.e., initials of the check issuer) that the identity of each individual who picked up the checks had been verified. In addition, 20 of these checks totaling $3,307,000 were released to State agency personnel who had not been previously authorized by the Division to receive checks. The lack of an adequate verification process could result in checks being improperly released. Recommendation #4 We recommend that the Division ensure that checks are released only after verifying the identities of individuals picking up checks and ensuring that such individuals have been properly authorized to receive the checks. We also recommend that the Division employee(s) who issues the checks initial the check pick-up log to evidence that the verification procedure was performed for each check issued.

11

Finding #5 Agency requests for R*STARS vendor data file changes were processed without supporting documentation. Analysis The Division processed changes to vendor information on the State’s R*STARS vendor data file based on written requests from agencies without obtaining supporting documentation (e.g., copy of vendor invoice to support address change) to determine the necessity and propriety of those requests. Since the data file information is used during the processing of State agency invoices to assign payee names and addresses to vendor payments, the failure to verify change requests could result in misdirected payments. Recommendation #5 We recommend that the Division require appropriate supporting documentation accompany requests for R*STARS vendor data file changes. We also recommend that the Division review the documentation for propriety prior to processing the requests.

Tax Withholdings from Vendor Payments Finding #6 The Division did not withhold taxes from payments made to certain State vendors as required by IRS regulations. Analysis Back-up tax withholdings were not initiated for certain vendors paid by the State when required by Internal Revenue Service (IRS) regulations because, according to the Division, the related automated capability did not exist. Nevertheless, IRS regulations require the State to withhold amounts from vendors who have not provided the State with correct taxpayer information (e.g., taxpayer identification number) for preparation of IRS Forms 1099. The failure to initiate the withholding procedure, which helps ensure that payees’ report the payments on their tax returns, could result in the State being liable for Federal penalties of $50 for each applicable vendor as well as any unpaid taxes from these vendors. There were 367 vendors who failed to respond to the Division’s request to provide correct taxpayer information to the State. An IRS review of the calendar year 1995 Forms 1099 issued by the Division had previously identified inconsistencies

12

between the State reported vendor information and Federal taxpayer records for these vendors. Our tests of 61 of these vendors disclosed that 10 vendors received calendar year 1996 payments from the State totaling $377,000. The Division did not withhold 31 percent of these payments for remittance to the IRS as required. Recommendation #6 We recommend that the Division develop the necessary automated capability to withhold amounts from State vendor payments when required by IRS regulations.

Accounting Guidance to State Agencies Finding #7 The Division’s Accounting Procedures Manual has not been updated. Analysis The Division’s Accounting Procedures Manual, which was issued to provide guidance to State agencies in their day-to-day accounting processes, has not been revised to reflect the FMIS accounting related environment, nor does it provide comprehensive internal control guidance. Although interim accounting instructions have been issued, no comprehensive revision to the Manual has been undertaken. This could impair the effectiveness and efficiency of State agency accounting operations and, in our opinion, has contributed to internal control deficiencies at many State agencies. For example, our audits typically find that FMIS security features have not been properly used to restrict the invoice processing capabilities of individuals. Definitive FMIS security guidance with respect to payment processing could lead to improved controls and ultimately reduce the likelihood of improper disbursements. Recommendation #7 We recommend that the Division promptly revise the Accounting Procedures Manual to reflect Statewide accounting policies and procedures under FMIS. We also recommend that the Division include comprehensive internal control guidance, particularly with regard to automated transaction processing, to help agencies safeguard assets and ensure the reliability of accounting data.

13

Internal Fiscal Operations and Controls Cash Receipts Finding #8 Controls to verify the proper disposition of recorded collections were deficient. Analysis Adequate control had not been established over the Division’s cash receipts, which totaled approximately $53,000,000 during fiscal year 1997 and included misdirected checks (i.e., checks intended for other agencies) totaling approximately $2,500,000. Specifically, one of the two employees responsible for verifying the disposition of collections recorded in the mail log also had access to the cash receipts. Consequently, this individual was in a position to misappropriate collections without being detected. Furthermore, the proper disposition of misdirected checks frequently was not verified because written receipts from the receiving agencies were not routinely forwarded to the individual responsible for the verification. To further minimize risk, we believe that the Division should consider changing its current cash receipt processing practices. Since most of the Division’s collections come from State agencies (e.g., return of working fund advances) or represent recurring transactions from certain entities affiliated with the State (i.e., biweekly payroll cost reimbursements), the Division could request these entities to use electronic funds transfers, rather than checks, to remit funds to the Division. Furthermore, instead of forwarding misdirected checks to State agencies, which is inherently risky, the Division could deposit the funds to the credit of the applicable agencies. Recommendation #8 We recommend that the employees responsible for verifying the proper disposition of all recorded collections not have access to cash receipts. We also recommend that written receipts obtained from State agencies for misdirected checks be sent directly to the employee responsible for the related verification procedure. In addition, we recommend that the verifications performed be documented. Finally, we recommend that the Division investigate the feasibility of having entities remit the funds due to the Division via electronic transfer procedures, as well as having its personnel deposit misdirected checks.

14

Audit Services Contract Finding #9 Reports of audit hours rendered by the State’s independent auditor were not being obtained to ensure compliance with contractual requirements. All required hours were not provided. Analysis The Division did not ensure that the accounting firm that audited the State’s general purpose financial statements had provided the audit hours specified in the related contracts. Specifically, reports of the actual number of audit hours used annually by the firm were not being obtained, as permitted under the terms of the applicable contracts, to ensure that the required hours for the agreed upon annual fee had been provided. After we discussed this matter with the Division, it obtained the information from the firm and determined that required hours valued at approximately $120,000 were not rendered during the audits of fiscal years 1994 through 1996. For those years, the firm submitted monthly billings totaling $1,237,820 which were based on predefined payment schedules included in the contracts. The Division was advised by its legal counsel that the audit contracts covering the three fiscal years permit the State to recover funds when actual audit hours used are less than the hours stipulated in the contracts. However, the firm disputes the need to reimburse the State because it disagrees with legal counsel’s interpretation of the related contractual provisions. Since the current contract has a four-year term extending through fiscal year 1999, this issue needs to be resolved so that future services are not adversely impacted. Recommendation #9 We recommend that the Division resolve this issue in a manner that serves the best interests of the State (e.g., recover funds). We also recommend that the Division pursue any necessary clarifications to the contract provisions involving the audit hours and resulting fee adjustments. Finally, we recommend that, in the future, the Division obtain reports of actual audit hours and ensure that the related contract requirement was met.

15

Disbursement Processing Finding #10 Automated security features were not fully utilized to help prevent unauthorized disbursements of the Division. Analysis The Division was not utilizing the available FMIS security features to achieve a proper separation of duties over certain disbursements it processed (e.g., working fund advances to State agencies). Such disbursements totaled approximately $5,400,000 during the period of July 1, 1996 through January 31, 1997. We noted that six employees were assigned incompatible on-line processing capabilities that allowed them to both initiate and approve these disbursements, as well as release the approved transactions for payment. Although the Division relied on certain manual controls to detect any improper payments, in our opinion, these controls did not provide the same degree of control as the automated FMIS security features. Such features are designed to prevent the occurrence of unauthorized disbursements. Recommendation #10 We recommend that the Division fully utilize the available FMIS security features to provide adequate control over the processing of transactions. Specifically, we recommend that the individuals responsible for approving disbursement transactions be denied the capability to initiate those transactions. We advised the Division how to achieve the needed separation of duties utilizing existing personnel.

16

Audit Scope, Objectives and Methodology We audited the Comptroller of the Treasury - General Accounting Division for the period beginning February 22, 1994 and ending January 31, 1997. The audit was conducted in accordance with generally accepted government auditing standards. As prescribed by the State Government Article, Section 2-1221 of the Annotated Code of Maryland, the objectives of this audit were to examine the Division’s financial transactions, records and internal controls, and to evaluate its compliance with applicable State laws, rules and regulations. We also determined the current status of the findings included in our preceding audit report. In planning and conducting our audit, we focused on the major financial related areas of operations based on assessments of materiality and risk. Our audit procedures included inquiries of appropriate personnel, inspection of documents and records, and observation of the Division’s operations. We also tested transactions and performed other auditing procedures that we considered necessary to achieve our objectives. Our audit did not include certain support services provided to the Division by the Comptroller of the Treasury - Office of the Comptroller. These support services (e.g., processing of disbursements for operating expenses, maintenance of accounting records and related fiscal functions) are included within the scope of our audits of the Office of the Comptroller. The Division’s management is responsible for establishing and maintaining an internal control structure. The objectives of an internal control structure are to provide management with reasonable, but not absolute, assurance that assets are safeguarded and that transactions are processed and properly recorded in accordance with management’s authorization. Because of inherent limitations in any internal control structure, errors or irregularities may nevertheless occur and not be detected. The Division’s management is also responsible for compliance with applicable laws, rules and regulations. Our reports are designed to assist the Maryland General Assembly in exercising its legislative oversight function and to provide constructive recommendations for improving State operations. As a result, our reports generally do not address activities we reviewed that are functioning properly.

17

This report includes findings relating to conditions that we consider to be significant deficiencies in the design or operation of the internal control structure that could adversely affect the Division’s ability to safeguard its assets or properly record authorized transactions. Our report also includes findings regarding significant instances of noncompliance with applicable laws, rules or regulations. The Office of the Comptroller’s response to our findings and recommendations, on behalf of the Division, is included as an appendix to this report. As prescribed in the State Government Article, Section 2-1224 of the Annotated Code of Maryland, we will advise the Office of the adequacy of its response. Our audit reports and any related follow-up correspondence are available to the public and may be obtained by contacting the Office of Legislative Audits or the Department of Legislative Services - Office of the Executive Director, 90 State Circle, Annapolis, Maryland.

18