TxDOT Internal Audit Accounts Payable Audit Report Objective To determine if the design and operating effectiveness of key controls have been identified and implemented for the Texas Department of Transportation’s (TxDOT) Accounts Payable Process.

Opinion Based on the audit scope areas reviewed, control mechanisms require improvement and only partially address risk factors and exposures considered significant relative to impacting financial reporting reliability, operational execution, and regulatory compliance. TxDOT’s system of internal controls requires improvement in order to provide reasonable assurance that key goals and objectives will be achieved. Improvements are required to minimize existing process variation and control gap corrections that may result in potentially significant negative impacts to the organization including the achievement of the organization's business/control objectives. TxDOT’s adoption of the Spirit of Sarbanes-Oxley in 2009 incorporates management's annual assertion that internal controls over financial reporting are effective (Section 404). A reevaluation of underlying activities designed to support this assertion, specifically the identification of key controls that will prevent or detect material financial misstatement, will need to be performed in order to ensure that resources are deployed in a reasonable manner. Overall Engagement Assessment

Needs Improvement

Findings Title

Control Design

Operating Effectiveness

Rating

Finding 1

Segregation of Duties

X

X

Needs Improvement

Finding 2

Utilization of the Sample Audit key control

X

X

Needs Improvement

Finding 3

Voucher Processor Review of Voucher Deck

X

X

Needs Improvement

Finding 4

Duplicate Payments

X

X

Needs Improvement

Finding 5

Documents are Authorized According to Internal Guidelines

X

X

Needs Improvement

Management concurs with the above findings and has prepared management action plans to address deficiencies. This may include update and revision of current key controls for Accounts Payable.

Internal Environment

Accounts Payable was assessed as low risk and high impact for the agency. The assessment is reflective of the experienced and tenured Finance (FIN) personnel at TxDOT and a strong control environment. Management has reviewed the findings contained in the report and has agreed that additional activities are required to improve the performance under the 2009 Deloitte Key Control Analysis and Matrix.

Accounts Payable Audit

TxDOT Internal Audit – Full Scope

Summary Results Scope Area

Disbursements

Certification/Validation, Voucher Processing, Disbursements

Voucher Processing

Finding

1

2

3

Voucher Processing, Disbursements

4

Certification/Validation

5

Key Evidence It was determined through Audit activities that: ƒ 1 of 4 (25%) employees responsible for releasing vouchers for payment to the Comptroller’s Office had system access rights to create vouchers which conflicts with the stated objective of key control EX19 ƒ 2 of 4 (50%) FIN Support Services Employees who provide the payment voucher files to the Comptroller's Office had access rights to create vouchers in the Financial Information Management System (FIMS) which conflicts with the stated objective of key control EX21 ƒ 2 of 4 (50%) FIN Support Services Employees who distribute warrants (i.e., checks) had access rights to change FIMS voucher payables which conflicts with the stated objective of key control EX22 It was determined through Audit activities that: ƒ Sample Audit activities specified by key control EX14 were suspended on August 31, 2011 It was determined through Audit activities that: ƒ 30 of 95 (32%) voucher deck validations were not documented ƒ 3 of 9 (33%) miscellaneous vehicle maintenance items reviewed did not include documentation of the testing of quantity and unit cost on Purchase Orders (POs) to the invoice and receiving documents ƒ 2 of 2 (100%) bulk fuel purchases reviewed did not include the Oil Price Information Service (OPIS) documentation in the voucher deck to substantiate the testing of the contractual fuel price on the invoice ƒ 16 of 95 (17%) payments reviewed did not include a PO, although the applicable PO was obtained from Automated Purchasing System (APS). For the 16 payments: o 1 of 16 (6%) - price did not match the invoice o 4 of 16 (25%) - quantity on the receiving document did not match the invoice o 2 of 16 (13%) - PO was issued after the invoice was received It was determined through Audit activities that: ƒ 14 of 20 (70%) potential duplicates tested were determined to be duplicate payments ($39K) ƒ 13 of 14 (93%) of the actual duplicate payments bypassed the system control indicating a potential duplicate payment It was determined through Audit activities that: ƒ 8 of 95 (8%) documents reviewed were processed incorrectly per the available delegation of authority documents referenced in key control EX01 and the requirements for authorized approval in key control EX08 and EX18

2 of 22

March 11, 2013

Accounts Payable Audit

TxDOT Internal Audit – Full Scope

Audit Scope The audit covered the activities of the Payments Management group in the Finance Division (FIN) and at the field locations including Validation/Certification, Voucher Processing and Disbursements of Accounts Payable. Audit activities included tests to determine whether the key controls were designed to achieve the control objectives (design effectiveness) including the detection of errors in the Accounts Payable process and tested to determine whether the controls consistently operated as designed (operating effectiveness) including the prevention of errors in the Accounts Payable process. The audit was performed by Omar Elsaad, Vivian Cohn, and Yania Munro. Oversight was provided by Sonya Ayers as Engagement Lead. The audit was conducted during the period from October 11, 2012 to November 30, 2012. A limited amount of additional work was performed in January and February 2013.

Methodology The work performed consisted of: • review of the 2009 Deloitte Key Control Analysis and Matrix for Voucher Processing and the most current results of TxDOT’s updates (Appendix – Table 1) • research, analysis and review of laws and regulation • inquiry and interview of key personnel • review of internal documents including current procedures, guidelines, organization charts, and delegation of authority matrix • review of prior audit findings including reports from the State Auditor’s Office (SAO) and the Comptroller’s (CPA) post payment audit report • evaluation of control design and operating effectiveness for Accounts Payable processing Evaluation of control design effectiveness focuses on determining whether the key controls are designed and documented to achieve the intended control objective. Evaluation of operating effectiveness focuses on determining whether key controls consistently operate as designed.

Background This report was prepared for the Transportation Commission, TxDOT Administration and Management. The report presents the results of the Accounts Payable Audit which was conducted as part of the Fiscal Year 2013 Audit Plan. The identification of key controls by organizations is performed to focus on controls that will prevent or detect material financial misstatement and relates directly to management’s certification as part of a Sarbanes-Oxley compliance program. Key controls related to the accounts payable process were identified in the 2009 Deloitte Key Control Analysis and Matrix. The identification of key controls was a project approved and accepted by TxDOT as part of the adoption of the Spirit of SOX in response to the federal Sarbanes-Oxley Act of 2002. Effective September 1, 2012, the Finance Division is responsible for payment of all department obligations to contractors, vendors, and employees. Prior to that date, the voucher processors outside of Austin reported to the Regions. All invoices are batched into vouchers in TxDOT’s Financial Information Management System (FIMS) which is used to record obligations and payments to individuals or entities. Final disbursements are made by the Comptroller of Public Accounts through the Uniform Statewide Accounting System (USAS). The department

3 of 22

March 11, 2013

Accounts Payable Audit

TxDOT Internal Audit – Full Scope

processes approximately $32 million per day on average, which represents roughly 2,700 vouchers per month processed. We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards and in conformance with the International Standards for the Professional Practice of Internal Auditing. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. A defined set of control objectives was utilized to focus on financial, operational, and regulatory goals for the identified scope areas. Our audit opinion is an assessment of the health of the overall control environment based on (1) the effectiveness of enterprise risk management activities throughout the audit period, and (2) the degree to which the defined control objectives were being met. Our audit opinion is not a guarantee against financial misstatement, operational sub-optimization, or regulatory non-compliance, particularly in areas not included in the scope of this audit.

4 of 22

March 11, 2013

Accounts Payable Audit

TxDOT Internal Audit – Full Scope

Detailed Findings and Management Action Plans (MAP) Finding No. 1: Segregation of Duties There are TxDOT Finance (FIN) Division employees with key responsibilities in the Accounts Payable process described by key controls EX19, EX21 and EX22 who have conflicting duties. We evaluated system access rights where employees with key roles and responsibilities outlined in the key controls were assigned conflicting duties including: •

1 of 4 (25%) employees responsible for releasing vouchers for payment to the Comptroller’s Office had system access rights to create vouchers which conflicts with the stated objective of key control EX19. Although, the employee was not primarily responsible for processing vouchers, the key control states the persons responsible for releasing the vouchers to the Comptroller should be independent (free from direct responsibility and influence) of the voucher processors responsible for creating payments. Testing to determine whether voucher creators also released payments did not result in additional exceptions.

•

2 of 4 (50%) FIN Support Services Employees who provide the payment voucher files to the Comptroller's Office had access rights to create vouchers in the Financial Information Management System (FIMS) which conflicts with the stated objective of key control EX21. The key control EX21 states that Support Services personnel responsible for sending payment voucher files to the Comptroller should be independent (free from direct responsibility and influence) from the voucher processors creating the vouchers.

•

2 of 4 (50%) FIN Support Services Employees who distribute warrants (i.e., checks) had access rights to change FIMS voucher payables which conflicts with the stated objective of key control EX22. The key control EX22 states that Support Services Unit responsible for distributing warrants and reconciling the Vendor Payment System (VPS) against FIMS Cash Distribution should not have access to change FIMS vouchers payable. To avoid further conflict, employees that distribute warrants as primary or in a back-up capacity should not have access to change FIMS vouchers payable.

Effect/Potential Impact: There is an increased potential for undetected errors and missed opportunity to prevent errors which could result in unintended/unauthorized payments and/or financial misstatement. Management Action Plan (MAP): MAP Owner: Lanny Wadle - Deputy Director, Finance Division (FIN), Paul Campbell - Section Director, Payments Management (FIN) MAP 1.1 - We will ensure that all FIN employees responsible for releasing vouchers in Uniform Statewide Accounting System (USAS) to the Comptroller will have read only access to the applicable areas of FIMS, thereby eliminating their capability to create vouchers. A request to deactivate these capabilities for employees will be submitted immediately to prevent further conflict of applicable key controls. We will ensure that the FIN employees who are responsible for physical warrant distribution do not have access to change vouchers payable. Immediate transfer of tasks within the support service unit will be conducted to prevent further conflict of applicable key controls. We will implement quarterly reviews by Support Services, under the review of the Section Director, for all Accounts Payable personnel to determine that employees with key roles and

5 of 22

March 11, 2013

Accounts Payable Audit

TxDOT Internal Audit – Full Scope

responsibilities are not assigned conflicting duties. Results of the review will be reported to the Deputy Director of Finance and the Director of Finance. We will re-evaluate key controls in this area to reflect best practices as considered appropriate by management within its tolerable level of risk and adjust documentation and processes accordingly. Completion Date: March 15, 2013

6 of 22

March 11, 2013

Accounts Payable Audit

TxDOT Internal Audit – Full Scope

Finding No. 2:

Utilization of the Sample Audit key control Sample Audit activities as outlined in key control EX14 were suspended on August 31, 2011. The key control EX14 outlines a process whereby the “Finance Audit Section, on a sample basis, tests payment voucher transactions before payment vouchers are released to the Comptroller for payment. The test includes checking for proper coding, justification, fiscal year and proof of payment for reimbursements”. Prior to 8-31-11: We observed evidence of a review by dedicated personnel prior to August 31, 2011. However, we did not observe retained documentation in Finance (FIN) related to the actual specific reviews performed. FIN indicated that there are no details of frequency of reviews, results of testing or reporting of results. We concluded that the activities performed prior to August 31, 2011 did not conform to the stated intent of the key control. Post 8-31-11: We confirmed that there is no evidence of the sample audit activity described by key control EX14 since August 31, 2011. FIN concurred that this was the period that the audit activity was suspended. Current Activities: In January 2013, we observed that limited activities have resumed by one full-time staff member. The activities are limited to specific voucher types and include capture of information related to exceptions noted and communication to resolve exceptions. Retention of documentation, results and reporting of testing related to the all reviews performed are not addressed in the current activities. We have concluded that the activities do not conform to the stated intent of the key control.

Effect/Potential Impact: There is an increased potential for undetected errors and missed opportunity to prevent errors which could result in unintended/unauthorized payments and/or financial misstatement. Management Action Plan (MAP): MAP Owners: Lanny Wadle - Deputy Director, Finance Division (FIN), Paul Campbell - Section Director, Payments Management (FIN) MAP 2.1 - The control activity was suspended during a period of employee turnover due to retirement and constrained resources, approximately August 31, 2011. A new employee was hired in October 2012 and is assigned the primary task of performing a Quality Control review of randomly selected vouchers submitted for payment. The employee will retain the list of vouchers that are randomly selected for review and incorporate the information into a spreadsheet. This employee will contact the applicable voucher processors with questions, suggestions, or for any other purpose arising from their review. Documentation of notable findings or necessary changes are recorded on an excel spreadsheet and saved on the network drive with password protection. Management will review quarterly for performance management, training and improvement purposes. Future staffing plans include hiring a second employee to this renamed Quality Control unit to increase the value of our review effort even further. We will also re-evaluate key controls in this area to reflect best practices as considered appropriate by management within its tolerable level of risk. Completion Date: April 15, 2013 7 of 22

March 11, 2013

Accounts Payable Audit

TxDOT Internal Audit – Full Scope

Finding No. 3: Voucher Processor Review of Voucher Deck Validation procedures as specified in key control EX06 and EX09 and as outlined in the voucher manual used in Accounts Payable were not documented including: • • •

•

30 of 95 (32%) voucher deck scans supporting payments 3 of 9 (33%) miscellaneous vehicle maintenance items testing of quantity and unit cost on Purchase Orders (POs) to the invoice and receiving documents 2 of 2 (100%) fuel bulk purchases did not include Oil Price Information Service (OPIS) documentation in the voucher deck or an alternative worksheet to substantiate the testing of the contractual fuel price on the invoice (price on date of delivery as stated on the OPIS) and the Materials & Supply Management Systems (MSMS) receiving documents 16 of 95 (17%) payments did not include POs, as outlined in the FIN voucher manual o Through additional audit activity, we obtained the applicable PO from Automated Purchasing System (APS) for the 16 payments and the following was noted: • 1 of 16 (6%) - price did not match the invoice • 4 of 16 (25%) - quantity on the receiving document did not match the invoice • 2 of 16 (13%) - PO was issued after the invoice was received

While there is no specific statement in the voucher manual making the PO a required document in the voucher deck, the manual does state the processor should include in the voucher deck all documents that support a payment. The voucher manual also states that the quantity and unit cost totals should always match.

Effect/Potential Impact: There is an increased potential for undetected errors and missed opportunity to prevent errors which could result in unintended/unauthorized payments and/or financial misstatement. Management Action Plan (MAP): MAP Owner: Lanny Wadle - Deputy Director, Finance Division (FIN), Paul Campbell - Section Director, Payments Management (FIN) MAP 3.1 - We will ensure performance of processes and documented guidance are in alignment with the purpose of a 3-way match and best practices. This will include a consideration that notations are made in a consistent manner that the voucher processor performed the required steps. The required steps that the voucher processor will perform and document includes: • • • •

Verification of approvals Verification of pre-determined specifications, such as including the OPIS documents to substantiate price for bulk fuel purchases and other documents as determined appropriate to support the payment Three way match (matching receiving documents, purchase order/contract, invoice) Demonstration of compliance with rules, regulations and policies and procedures.

These steps will be part of the review process conducted by the Quality Control unit. We will re-evaluate key controls in this area to reflect best practices as considered appropriate within its tolerable level of risk and adjust documentation/processes accordingly. Completion Date: April 15, 2013

8 of 22

March 11, 2013

Accounts Payable Audit

TxDOT Internal Audit – Full Scope

Finding No. 4: Duplicate Payments

Potential duplicate items in 14 of 20 (70%) tested from the Finance (FIN) ad hoc Duplicate Payment Report were confirmed to be duplicate payments totaling over $39K, as follows: • 3 of 20 (15%) payments were duplicated totaling $1,465 where system warning was ignored • 1 of 20 (5%) payments for $5,975 was duplicated as a voucher processor error • 10 of 20 (50%) payments totaling $31,823 were duplicated for utility service periods submitted incorrectly by a service provider that processes TxDOT utility invoices In 13 of 14 (93%) duplicate payments reviewed, the system warning was bypassed. We did not observe any documentation supporting the decision to bypass the control included on the invoice or in the voucher deck. The system generates a possible duplicate invoice message to warn the voucher processors of a potential duplicate payment. A record of the warning is generated on the FIM.VPP.0304 report (a summary of the contents of the voucher) that is included in every voucher deck. The voucher processor who submits the voucher for processing is responsible for investigating the reason for the warning before processing is continued. The approver of the voucher batch cover has an opportunity to question the processor by a review of the documents in the voucher deck whenever the system warning is observed on the FIM.VPP.0304 report. As outlined in key control EX15, Support Services in Accounts Payable has an opportunity to resolve discrepancies from the FIM.VPP.0304 report as well. We did not observe any review or inquiries as to why the systems warnings were bypassed. We also observed that a reporting process for identifying potential duplicate payments is in place that isolates “potential” duplicate payments in a report. The report is generated from time to time, and is reviewed for duplicate occurrences. Items are researched to determine whether the potential item is an actual duplicate payment. The research includes the review of the voucher deck to determine if the system control warning for the actual duplicate is present. Entries are made to record corrections; however, root cause analysis of the actual duplicate payment is not performed and the results of the review for duplicate payments are not communicated in a routine and consistent fashion to FIN management. Further, information is not retained by FIN for any of the reviews regarding research and collection efforts made to recover amounts determined as actual duplicates in the process. However, through additional testing in February 2013, we were able to determine that 14 of 14 (100%) duplicates were applied as credit balances for TxDOT’s benefit or funds were returned to TxDOT based upon a request for repayment. We have concluded that controls, including system controls, were not utilized fully to alleviate the occurrence of duplicate payments. Further, we observed that when warrants (i.e. checks) are cancelled and reissued or when electronic payments are returned and reprocessed, the payment is reported as a potential duplicate payment on the report for potential duplicate payments. Out of the remaining 6 items that were part of the review and not duplicates, 4 items were determined to be resubmittals. TxDOT policies and procedures for resubmittal of the voucher are outlined by the Voucher Manual. For the 4 items reviewed as resubmittals, we concluded that the prescribed and documented resubmittal procedures are not consistently followed. It was observed that • 2 of 4 (50%) items for resubmittal were warrants (checks) o For $200 and $683 • 2 of 4 (50%) items for resubmittal were electronic payments returned o For $15,582 and $164,742

9 of 22

March 11, 2013

Accounts Payable Audit

TxDOT Internal Audit – Full Scope

Effect/Potential Impact: There is an increased potential for undetected errors and missed opportunity to prevent errors which could result in unintended/unauthorized payments and/or financial misstatement. Management Action Plan (MAP): MAP Owner: Lanny Wadle - Deputy Director, Finance Division (FIN), Paul Campbell-Section Director, Payments Management (FIN) MAP 4.1 - We will train voucher processors on documenting steps to follow when a system warning is observed and on resubmittal process and practices. We will coordinate with General Services Division (GSD) for effective communication to 3rd parties and management of 3rd party performance under agreements, particularly, when duplicate payments are routine and display a consistent pattern of occurrence. We will develop procedures to document in the voucher deck anytime systems controls are disregarded including the reason the system warning is disregarded and the supervisor’s approval of the adequate explanation provided by the voucher processor for the decision to disregard. We will develop written procedures to document the review process of the report for “potential duplicate payments” including definition of the process, procedures to research and document final disposition for items on report. Further, we will establish accountability for reporting and collections, to include TxDOT’s debt collection procedures and timing as necessary, if items are determined to be a duplicate. We will establish a process to perform root cause analysis for items that are determined to be a duplicate payment. We will re-evaluate key controls in this area to reflect best practices as considered appropriate by management within its tolerable level of risk and adjust documentation and processes accordingly. Completion Date: April 15, 2013

10 of 22

March 11, 2013

Accounts Payable Audit

TxDOT Internal Audit – Full Scope

Finding No. 5: Documents are Authorized According to Internal Guidelines Items were processed incorrectly for 8 of 95 (8%) payments per the available Delegation of Authority (DOA) documents referenced in key control EX01 and the requirements for authorized approval in key control EX08 and EX18. The exceptions included: • 1 of 95 (1%) where the newly formed IT Operations Division did not have a DOA on file delegating authority for the signer of a $375 invoice (EX01) • 3 of 95 (3%) in various Districts/Divisions/Office/Regions (DDOR) where there was no signer on the invoice with the proper authority in the DOA documents for that DDOR as follows (EX08): o Payment for $24 in the Lubbock District (LBB) o Payment for $114 in the Occupational Safety Division (OCC) o Payment for $3,344 in the Maintenance Division (MNT) • 4 of 95 (4%) where the approver of a voucher batch cover did not possess the delegated authority to approve the batch cover as follows (EX18): o 3 voucher decks for $325, $11,325 and $1,296 in the East Regional Service Center o 1 voucher deck for $165 in the Finance (FIN) Division Based on fieldwork performed, DOA documents provided by District/Division/Office/Region (DDOR) directors and district engineers do not reflect the most current information related to organizational shifts and changes in TxDOT’s structure. It was also unclear as to the frequency of updates in order to keep DOA documents current. Chapter 3 of TxDOT’s Legal Manual assigns updating responsibility for the DOA documents to the Contract Services Office, not FIN. Included in this report is an observation related to DOA updates.

Effect/Potential Impact: There is an increased potential for undetected errors and missed opportunity to prevent errors which could result in unintended/unauthorized payments and non-compliance with policies and regulations.

Management Action Plan (MAP): MAP Owner: Lanny Wadle - Deputy Director, Finance Division (FIN), Paul Campbell-Section Director, Payments Management (FIN) MAP 5.1 - We will re-emphasize, through training, to all payment processors about the importance of checking the DOAs to ensure an approver’s authority or if they do not recognize the approver’s name and/or title on the document. We will also add the authorized voucher approvers to FIN’s DOA. FIN will work with the Contract Services Office (CSO) to communicate and educate the DDORs on the requirement to have a current DOA form on file with both FIN and CSO. We believe the forms will remain more timely and effective if authorities are delegated by job title only instead of specific names. This method alleviates a required update every time there is a personnel change. We will establish a SharePoint site or similar resource where DOAs can be easily accessed and utilized. FIN cannot know when an update needs to be made by a DDOR. Our indirect power to ensure compliance is to return invoices if proper signature is not obtained.

11 of 22

March 11, 2013

Accounts Payable Audit

TxDOT Internal Audit – Full Scope

We will re-evaluate key controls in this area to reflect best practices as considered appropriate by management within its tolerable level of risk and adjust documentation and processes accordingly. Completion Date: July 15, 2013

12 of 22

March 11, 2013

Accounts Payable Audit

TxDOT Internal Audit – Full Scope

Detailed Observation and Audit Recommendation Audit Observation No. 1: Delegation of Authority (DOA) Documents are not up-to-date DOA documents in 22 of 63 (35%) provided by District/Division/Office/Region (DDOR) directors and district engineers do not reflect the most current information related to organizational shifts and changes in TxDOT’s structure. It is also unclear as to the frequency of updates in order to keep DOA documents current. DOA documents available at the Finance Division (FIN), Contract Services Office website and on the DDOR individual website for the Fiscal Year 2012 (FY12) were included in the review. The DOA’s provided by the DDORs, document the delegated authority by title/position to: • Execute various agreements and documents on behalf of TxDOT • Approve an invoice for processing in Accounts Payable • Sign a voucher batch cover indicating approval and certification of the information • Complete other stated duties and responsibilities In addition, authorized personnel are referenced inconsistently in DOA documentation. The most recent DOA documents list authorized personnel by title/position, while the older documents list specific names for their delegation. Chapter 3 of TxDOT’s Legal Manual assigns updating responsibility for the DOA documents to the Contract Services Office. While the requirements in the Legal Manual do not reference a periodic review of the DOA documents by Contract Services or by FIN, without a requirement for a periodic review and update of information, delegation of authority may be misinterpreted and misapplied. At the close of our audit work, we identified exceptions specific to DOA documentation as follows: Delegation of Authority Documents Out of 63 DOA Documents From FIN, Contract Services Office Website and/or the individual DDOR 25 Districts/ Website 4 Regions 25 Divisions Documents that did not meet criteria - missing or dated 12 or more months ago

9 of 29 or 31%

10 of 25 or 40%

9 Offices 3 of 9 or 33%

From 22 documents that did not meet criteria above

Out of 22 DOA Documents

Existing Units without DOA's

-

1 of 10 or 10%

3 of 9 or 33%

Observed DOA referencing titles that do not exist at TxDOT any longer

5 of 9 or 56%

3 of 10 or 30%

-

Observed DOA documents referencing names of individuals that are no longer employed with the unit or are retired from TxDOT

3 of 9 or 33%

4 of 10 or 40%

-

Observed DOA documents that include variance in language or other differences when compared to the language in the most recent Administration DOA (October 18, 2012, subsequent update December 13, 2012)

1 of 9 or 11%

2 of 10 or 20%

-

13 of 22

March 11, 2013

Accounts Payable Audit

TxDOT Internal Audit – Full Scope

Effect/Potential Impact: There is an increased potential for undetected errors and missed opportunity to prevent errors which could result in unintended/unauthorized payments and non-compliance with policies and regulations.

Recommendation: We recommend that: 1. Contract Services analyze TxDOT’s procedures for authorizing the review, signature, and retention of delegated authority documents and make recommendations for simplification and rationalization of the process. 2. The process include a periodic update by Contract Service and the DDOR 3. As a key user of the information, Contract Services include the Finance organization in the analysis and the deliverable design 4. Contract Services identify other groups of key users to include in the analysis 5. Final proposals/recommendations should be sent to Administration for further consideration and action An audit observation does not require further response by management in the form of a management action plan.

14 of 22

March 11, 2013

Accounts Payable Audit

TxDOT Internal Audit – Full Scope

Summary Results Based on Enterprise Risk Management Framework Audit Results Dashboard FS1301 Accounts Payable Audit Scope Areas Evaluated

ERM Component

Control Activities

F, O, R

F, O, R

F, O, R

Certification/Validation

Voucher Processing

Disbursements

3

4

Organizational Tone

Internal Environment

Ethical Culture & Attitude Planning

Objective Setting

Forecasting Goal-Setting Cost-Benefit Analysis

Event Business Continuity Identification Evaluations/Analysis Risk Assessment Risk Response Management Action Plans Policies/Procedure Development & Maintenance Control Activities

5

Approvals/Authorizations

3 3

5

3, 4

4 1 1, 4

2

3 3 3 2

4 4 4 2

Supporting Evidence/Records Availability Segregation of Duties Safeguarding Assets Information Classification

Information & Information Input Communication Information Processing Output/Reporting and Messaging Exception Reporting Review Monitoring

Reconciliations Peer Reviews Management Representations

Scope Area Assessment

Rating Assessment Grid:

Exemplary

Satisfactory

Needs Improvement

Unsatisfactory

Closing Comments The results of this audit were discussed with the Director of Finance and the Section Director for Payments Management in a meeting on January 10, 2013. We thank the employees of the Finance Division contacted during this audit for their assistance and cooperation.

15 of 22

March 11, 2013

Accounts Payable Audit

TxDOT Internal Audit – Full Scope

Appendix – Table 1 Key controls & Evidence Summary Results by Control Activity Control Activity ID EX01

Financial Control Objective (CO) 1) Amounts posted to Accounts Payable represent goods received

EX02

1) Amounts posted to Accounts Payable represent goods received

EX03

1) Amounts posted to Accounts Payable represent goods received

EX04

1) Amounts posted to Accounts Payable represent goods received 2) Accounts Payable amounts are accurately calculated and recorded

Control Activity Description District /Division/Office directors and district engineers provide in writing to the General Services Division the list of delegated individuals with purchasing authority and approval routes required. District/Division/Office Receiver verifies that goods received meet the specifications of the purchase order/contract before completing an Automated Receiving Report (ARRS) in APS. District/Division/Office Receiver completes Automated Receiving Report (ARRS) only for complete receipts that meet specifications of contract/purchase order. Incomplete deliveries or deliveries not meeting specifications are rejected. An Accounts Payable transaction is created only when goods are received and the receipt transaction, the Automated Receiving Report (ARRS) is successfully processed in FIMS. The ARRS is electronically interfaced from APS to FIMS.

16 of 22

Finding

5

Evidence It was determined through Audit activities that: ƒ 8 of 95 (8%) documents reviewed were processed incorrectly per the available delegation of authority documents referenced in key control EX01 and the requirements for authorized approval in key control EX08 and EX18 No exceptions noted.

No exceptions noted.

No exceptions noted.

March 11, 2013

Accounts Payable Audit EX05

1) Amounts posted to Accounts Payable represent goods received

EX06

1) Accounts Payable amounts are accurately calculated and recorded 2) All amounts for goods received are input and processed to Accounts Payable 3) Disbursements are only made for goods and services received

TxDOT Internal Audit – Full Scope All Purchase Orders (PO) must be approved by an individual with Purchase Authority before orders can be placed. The individual with Purchase Authority is responsible for providing all required supporting documentation to process the order. A transaction is posted in FIMS ledgers, only if it passes FIMS Master Data Comptroller (MDC) validation procedures. Validation procedures include front end validations such as verifying for required approvals, matching receipts to purchase orders, verifying specifications against predetermined specifications, validating vendor identification numbers with pre-established vendor information, etc. Back end validations include balancing of transactions among segments and against other subsystems (MES, EOS, MSMS, Site Manager, and CMCS).

17 of 22

No exceptions noted.

3, 4

It was determined through Audit activities that: ƒ 30 of 95 (32%) voucher deck validations were not documented ƒ 3 of 9 (33%) miscellaneous vehicle maintenance items reviewed did not include documentation of the testing of quantity and unit cost on Purchase Orders (POs) to the invoice and receiving documents ƒ 2 of 2 (100%) bulk fuel purchases reviewed did not include the Oil Price Information Service (OPIS) documentation in the voucher deck to substantiate the testing of the contractual fuel price on the invoice ƒ 16 of 95 (17%) payments reviewed did not include a PO, although the applicable PO was obtained from Automated Purchasing System (APS). For the 16 payments: o 1 of 16 (6%) - price did not match the invoice o 4 of 16 (25%) - quantity on the receiving document did not match the invoice o 2 of 16 (13%) - PO was issued after the invoice was received It was determined through Audit activities that: ƒ 14 of 20 (70%) potential duplicates tested were determined to be duplicate payments ($39K) ƒ 13 of 14 (93%) of the actual duplicate payments bypassed the system control indicating a potential duplicate payment

March 11, 2013

Accounts Payable Audit EX07

1) Amounts posted to Accounts Payable represent services received

EX08

1) Amounts posted to Accounts Payable represent services received

EX09

EX10

TxDOT Internal Audit – Full Scope All contracts must be approved by an authorized District/Division/Office individual. All contracts must be fully executed before contractors begin to render services. All invoices for goods and services must be approved by the District/Division/Office authorized individual. The individual approving contract invoices is responsible for providing all required supporting documentation to justify payment and demonstrate compliance with rules, regulations, and policies and procedures.

1) Accounts Payable amounts are accurately calculated and recorded 2) All amounts for services received are input and processed to Accounts Payable 3) Disbursements are only made for goods and services received

Before batching invoices to process the payments, the voucher processors perform a three way match (receiving documents, purchase order/contract, invoice), verify for all required approvals, compliance with laws, regulations, policies, validate object code on APS receipt against Code Chart 10, and check for proper Fiscal Year coding.

1) Accounts Payable amounts are accurately calculated and recorded

Voucher processors responsible for creating the vouchers payables in FIMS, are independent of the receivers accepting receipts, and independent of District/Divisions/Offices individuals approving purchase orders/invoices. 18 of 22

No exceptions noted.

See evidence in EX01.

5

See evidence in EX06.

3, 4

No exceptions noted.

March 11, 2013

Accounts Payable Audit

TxDOT Internal Audit – Full Scope

EX11

1) Amounts for goods or services received are recorded in the appropriate period

FIMS only allows posting goods and services to the period in which the goods were received/services were rendered.

No exceptions noted.

EX12

1) Accounts Payable amounts are accurately calculated and recorded 2) Disbursements are only made for goods and services received 3) All disbursements are recorded

Before releasing the scanned vouchers payables files to Support Services to process the payments, the voucher processors match the vouchers payables transactions that posted in FIMS against the scanned file of vouchers payable to ensure all transactions in payment vouchers posted to FIMS, posted to the correct vendor number, and posted to the correct fiscal year.

No exceptions noted.

EX13

1) Disbursements are distributed to the appropriate suppliers

FIMS matches the Vendor Identification Number (VIN) input on the transaction with a Master Vendor Identification File. If a match is not found, a warning message, “VID NUMBER IN ERROR OR NOT ON VENDOR FILE (UVD),” is received. Correct input is required or the transaction is rejected.

No exceptions noted.

EX14

1) Disbursements are distributed to the appropriate suppliers

Finance Audit Section on a sample basis test payment voucher transactions before payment vouchers are released in USAS for payment. Test includes checking for proper coding, justification, fiscal year, and proof of payment for reimbursements.

19 of 22

It was determined through Audit activities that: ƒ Sample Audit activities specified by key control EX14 were suspended on August 31, 2011 2

March 11, 2013

Accounts Payable Audit

TxDOT Internal Audit – Full Scope It was determined through Audit activities that: ƒ 14 of 20 (70%) potential duplicates tested were determined to be duplicate payments ($39K) ƒ 13 of 14 (93%) of the actual duplicate payments bypassed the system control indicating a potential duplicate payment and were included on FIMS.VPP.304 Voucher Summary Report

1) Disbursements are distributed to the appropriate suppliers 2) Disbursements are accurately calculated and recorded

Support Services match USAS "Disbursement" file to FIMS VPP.0304 Cash Distribution report. Forwards reconciling items to voucher processors to resolve discrepancies.

EX16

1) Amounts posted to Accounts Payable represent services received

CMCS and Site Manager/CIS require five level approvals to complete monthly progress estimates for construction contracts.

No exceptions noted.

EX17

1) Disbursements are recorded in the period in which they are issued

All voucher numbers are accounted for. Finance Payment Manager reconciles USAS disbursements to Vendor Payment System and investigates discrepancies.

No exceptions noted.

EX18

1) Amounts for goods or services received are recorded in the appropriate period

Chief Accountants have delegated authority to certify the vouchers for their unit. The Comptroller will reject vouchers that have not been certified. By certifying the vouchers the individual represents that all goods or services received correspond in every particular with the contract under which they were purchased; and the invoice for the goods or services is true, correct, and unpaid.

See evidence in EX01.

EX15

20 of 22

4

5

March 11, 2013

Accounts Payable Audit EX19

1) Disbursements are accurately calculated and recorded

TxDOT Internal Audit – Full Scope Finance Audit Section manager responsible for releasing the vouchers to the comptroller, is independent of the voucher processors responsible for creating the vouchers for payment.

EX20

1) Assets and liabilities reflect the existing business circumstances and economic conditions in accordance with the accounting policies being used

A chain of certifications which begins with the time sheet, receiving report, or other source documents, and ends with the signature of the Executive Director or the officer designated is maintained. All persons who sign any document are responsible for ensuring that it is accurate and complete and in compliance with TxDOT policies rules and regulations.

EX21

1) Disbursements are distributed to the appropriate suppliers

Support Services responsible for sending payment voucher files to the Comptroller is independent from the voucher processors creating the vouchers.

EX22

1) Disbursements are recorded in the period in which they are issued

Support Services Unit responsible for distributing warrants and reconciling the Vendor Payment System (VPS) against FIMS Cash Distribution has not access to change FIMS vouchers payables.

21 of 22

1

It was determined through Audit activities that: ƒ 1 of 4 (25%) employees responsible for releasing vouchers for payment to the Comptroller’s Office had system access rights to create vouchers which conflicts with the stated objective of key control EX19 No exceptions noted.

1

1

It was determined through Audit activities that: ƒ 2 of 4 (50%) FIN Support Services Employees who provide the payment voucher files to the Comptroller's Office had access rights to create vouchers in the Financial Information Management System (FIMS) which conflicts with the stated objective of key control EX21 It was determined through Audit activities that: ƒ 2 of 4 (50%) FIN Support Services Employees, who distribute warrants (i.e., checks) had access rights to change FIMS voucher payables which conflicts with the stated objective of key control EX22

March 11, 2013

Accounts Payable Audit

TxDOT Internal Audit – Full Scope

EX23

1) Accounts Payable are only adjusted for valid reasons

District's or division chief accountant or assistant are responsible for authorizing Form 1526Adjustment/Refund before form is submitted to Financial Reports Manager for processing. Districts or division chief accountant or assistant approving the form is responsible for providing all supporting documents to Financial Reports Manager.

Scoped out of Audit, determined in risk assessment.

EX24

1) Credit notes and other adjustments are accurately calculated and recorded 2) All valid credit notes and other adjustments related to Accounts Payable are input and processed 3) Credit notes and other adjustments are recorded in the appropriate period

Financial Reports Management Accountant verifies posted adjusting entries for the period against original supporting documentation.

Scoped out of Audit, determined in risk assessment.

22 of 22

March 11, 2013