FOR THE PERIOD JULY 1, 2007 THROUGH JUNE 30, 2009 OPERATIONAL AUDIT OKLAHOMA OFFICE OF THE ATTORNEY GENERAL Oklahoma State Auditor & Inspector Audit Report of the Oklahoma Office of the Attorney General For the Period July 1, 2007 through June 30, 2009 This publication is printed and issued by the State Auditor and Inspector, as required by 74 O.S. § 212. Pursuant to 74 O.S. § 3105, six copies have been prepared and distributed at a cost of $22.93. Copies have been deposited with the Publications Clearinghouse of the Oklahoma Department of Libraries. April 29, 2010 TO THE ATTORNEY GENERAL This is the audit report of the Oklahoma Office of the Attorney General for the period July 1, 2007 through June 30, 2009. The Office of the State Auditor and Inspector is committed to serving the public interest by providing independent oversight and by issuing reports that serve as a management tool to the State. Our goal is to ensure a government that is accountable to the people of the State of Oklahoma. We wish to take this opportunity to express our appreciation to the agency’s staff for the assistance and cooperation extended to our office during the course of our engagement. Sincerely, STEVE BURRAGE, CPA STATE AUDITOR & INSPECTOR Oklahoma Office of the Attorney General Operational Audit Agency Background The Oklahoma Office of the Attorney General (Agency) provides legal counsel and representation for state agencies and employees as well as represents the interests of Oklahoma consumers, the state's natural resources and Oklahoma crime victims. Table 1 summarizes the Agency’s sources and uses of funds for fiscal years 2008 and 2009 (July 1, 2007 through June 30, 2009). Table 1 - Sources and Uses of Funds for FY 2008 and FY 2009 2008 Sources: State Appropriations Workers Compensation Awards Other Fees Court Filing Fee Other Licenses, Permits, and Fees Reimbursement for Administrative Expense Federal Funds Registration Fees Court Awarded Judgments Other $ $ Uses: Personnel Services Professional Services Travel Miscellaneous Administrative Rent General Operating Office Furniture and Equipment Library Equipment - Resources Refunds, Indemnities, Restitution Payments to Local Government and Non-Profits Other $ $ 2009 13,944,326 610,970 1,358,185 142,537 354,137 2,745,953 3,580,171 117,925 5,176,892 48,062 28,079,158 $ 13,938,699 1,477,697 258,709 351,130 2,189,121 127,762 107,824 243,691 2,109,100 6,770,864 128,978 27,703,575 $ $ $ Source: Oklahoma PeopleSoft accounting system (unaudited, for informational purposes only) 1 14,772,069 664,030 1,244,951 136,647 280,650 2,662,966 3,315,313 161,811 5,383,238 136,164 28,757,839 14,198,660 1,819,890 168,240 244,258 2,183,543 103,638 203,547 222,301 1,651,558 7,163,844 51,478 28,010,957 Oklahoma Office of the Attorney General Operational Audit Purpose, Scope, and Sample Methodology This audit was conducted in response to 74 O.S. § 212, which requires the State Auditor and Inspector’s Office to audit the books and accounts of state officers whose duty it is to collect, disburse or manage funds of the state and 74 O.S. § 19a which requires the State Auditor’s Office to audit the Law Enforcement revolving fund 1. The audit period covered was July 1, 2007 through June 30, 2009. We selected our samples in such a way that whenever possible, the samples are representative of the populations and provide sufficient evidential matter. Sample methodologies can vary and are selected based on the audit objective and whether the total population of data was available. Random sampling is the preferred method; however, we may also use haphazard sampling (a methodology that produces a representative selection for non-statistical sampling), or judgmental selection when data limitation prevents the use of the other two methods. We identified specific attributes for testing each of the samples. When appropriate, we projected our results to that population. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. This report is a public document pursuant to the Oklahoma Open Records Act (51 O.S. § 24A.1 et seq.), and shall be open to any person for inspection and copying. Objective 1 - Determine if the Agency’s internal controls provide reasonable assurance that revenues, expenditures, and inventory were accurately reported in the accounting records. Conclusion Methodology The Agency’s internal controls: • Do not provide reasonable assurance that revenues and inventory were accurately reported in the accounting records; • Generally provide reasonable assurance that miscellaneous and payroll expenditures were accurately reported in the accounting records. However, three issues were noted which should be addressed. To accomplish our objective, we performed the following: • Documented internal controls related to the receipting, expenditure, and inventory processes which included discussions with Agency personnel, observation, and review of documents; • Tested controls which included: o 1 2 Reviewing a random sample of 60 expenditure claims (18 victim services claims 2 totaling $197,304.90, 14 travel claims totaling $6,057.28, and 28 miscellaneous claims totaling $115,145.76) from the audit period to determine if:  The claims were supported;  The invoice and voucher jacket was mathematically accurate; The Law Enforcement revolving fund was inactive during the audit period. Seventeen claims were randomly selected and one was judgmentally selected. 2 Oklahoma Office of the Attorney General Operational Audit Observation  The invoice was initialed by the program manger or the assistant attorney general (victim services unit claims only);  The correct fund and account code was used;  The voucher jacket was signed by the first assistant attorney general (travel only);  The voucher jacket was signed by the Agency finance manager (miscellaneous only); and  The expenditure appeared reasonable given the Agency’s mission; o Determining if the person receiving the warrants was independent of the posting and approval process; o Reviewing nine randomly selected months’ Peoplesoft “six-digit expenditure reports" for vendor names which appeared unusual 3; o Reviewing a random sample of 12 months’ payroll claims. From these months, we randomly selected three employees and haphazardly selected four additional employees (40 employees selected in total) and reviewed the employees’ timesheets to ensure they were signed by them and their supervisors, ensured the hours worked on the timesheets agreed to the hours worked on the payroll claims, and the payroll claims were signed by the Agency’s finance manager; o Reviewing a random sample of two employees whose salary was reduced and 40 employees whose salary was increased to ensure a payroll transaction form or a combined payroll transaction spreadsheet was approved by the first assistant attorney general; o Reviewing a random sample of 40 employees who separated from the Agency to ensure an approved “off-cycle” payroll claim included their name, the date of the claim was no later than the month following their official termination date and the claim was approved by the Agency’s finance manager; and o Reviewing a random sample of three months’ payroll analysis spreadsheets and payroll claims to ensure the 14 employees separated in the month prior to the selected months were not included. Receipting Functions Should be Centralized The Agency receives various types of receipts from restitution payments to telemarketing registration fees. From discussions held with personnel in the finance department, the consumer protection department, and the Medicaid fraud department, the latter two are receipting funds prior to delivering them to the finance department for deposit. Staffs in these two divisions believe it is important for them to have this responsibility to ensure timely processing of pertinent data as well as having the ability to accurately report on funds collected. However, an effective internal control system provides for a centralized receipting system reducing the risk of theft or misappropriation of assets. Management was unaware of the risks created by not ensuring this type of process was in place. Recommendation We understand the certain department personnel need the information included with the payment to perform their jobs. However, they do not appear to need access to the funds 3 Unusual was defined as a vendor name that was unfamiliar to the auditor or not reasonable given the mission of the Agency. 3 Oklahoma Office of the Attorney General Operational Audit associated with that information, only evidence the funds were receipted and deposited by the applicable personnel in the finance department. We recommend management develop policy and procedure requiring all funds to be initially received through the finance department. Any relevant data provided with the funds should then be provided to the appropriate department. Views of Responsible Officials The Office of the Attorney General will consider revising policy to centralize all deposits with the finance department. It is possible a compromise can be worked out with the chiefs of the sections which are voicing opposition to this policy. These deposits are related to the sections’ restitution payments, which each section claims responsibility for tracking. Observation Lack of Segregation of Duties Related to the Receipting Process Daily Deposits Not Occurring The United States Government Accountability Office’s (GAO) Standards for Internal Control in the Federal Government 4 states in part, “Key duties and responsibilities need to be…segregated among different people to reduce the risk of error or fraud….No one individual should control all key aspects of a transaction…”. 62 O. S. § 7.1 C. 1. requires receipts of $100 or more to be deposited daily. The following was noted: • The assistant finance manager “A” and the finance manager (victim services unit) are both responsible for: o Receipting funds; o Preparing the deposit; and o Posting the deposit into the PeopleSoft accounting system. Additionally, the assistant finance manager “A” was responsible for performing the clearing account reconciliation (July 2007 through December 2008) as well as informally reconciling the Agency’s records to PeopleSoft accounting records (entire audit period); • Daily deposits were not occurring for funds receipted of $100 or more. Management was unaware of the risks created by not ensuring there was adequate segregation of duties or by not making daily deposits. Deficiencies such as these increase the risk that misappropriations of assets may occur. It should be noted management had taken steps to address a portion of the issues discussed prior to the start of the audit. During the audit period, assistant finance manager “B” was the first person to receive the funds in the finance department. She then passed the funds to assistant finance manager “A” and the finance manager (victim services unit) for receipting. However, in August 2009, the assistant finance manger “B” began entering the funds received into an excel spreadsheet prior to delivering the funds to the applicable personnel. Additionally, in January 2009, the Agency finance manager 4 Even though this publication addressed controls in the federal government, this criterion can be treated as best practices. The theory of controls applies uniformly to federal or state government. 4 Oklahoma Office of the Attorney General Operational Audit began performing the clearing account reconciliation rather than the assistant finance manager “A”. Recommendation Views of Responsible Officials We recommend the following: • Funds received of $100 or more should be deposited daily; • The assistant finance manager “B” should continue entering all funds received by her into the excel spreadsheet log. Processed deposit slips should be mailed directly to the Agency finance manager from the State Treasurer’s Office (OST) where he should agree the date and amounts to the excel spreadsheet log prepared by the assistant finance manager “B”; and • The Agency’s reconciliation to PeopleSoft accounting records should be formalized, performed by an employee independent of the receipting process, and reviewed by the Agency’s finance officer. Changes to the Office of Attorney General (OAG) finance procedures early in 2009 have accommodated some of the recommendations. The current policy will be amended to include daily deposits and formalizing the PeopleSoft reconciliation process. Observation Funds 700 and 705 Are Not Adequately Secured Inadequate Segregation of Duties An effective internal control system provides adequate security for unissued vouchers. The United States Government Accountability Office’s (GAO) Standards for Internal Control in the Federal Government 5 states in part, “Key duties and responsibilities need to be…segregated among different people to reduce the risk of error or fraud….No one individual should control all key aspects of a transaction…”. The following was noted: • Fund 700 6 and 705 vouchers are not adequately secured; • The Agency finance manager has the ability to print fund 700 and 705 vouchers, is responsible for reconciling both funds as well as preparing all financial information presented to executive management related to the funds. Management was unaware of the risks associated with not ensuring there was adequate segregation of duties or by not adequately securing unissued vouchers. Deficiencies such as these increase the risk that misappropriations of assets may occur. Recommendation We recommend: • Vouchers from fund 700 and 705 should be adequately secured and accessible to authorized personnel only; 5 Even though this publication addressed controls in the federal government, this criterion can be treated as best practices. The theory of controls applies uniformly to federal or state government. 6 Fund 700 is used to pay for any court cost associated with the Agency, the state of Oklahoma (including legal expenses for other state agencies), or any other matter within the official responsibility of the Agency. Fund 705 accepts settlements in consumer protection matters, pays out restitution to victims, as well as other matters within the official responsibility of the Agency. 5 Oklahoma Office of the Attorney General Operational Audit • The duties performed by the Agency finance manager be segregated to ensure the employee posting the payments into the Agency’s internal accounting software 7 is independent of the approval process; and • The employee reconciling the fund is independent of the receipting and expenditure approval and posting process. Although not an ideal process, the Agency should be commended for performing this reconciliation as it is not required by the Office of State Finance. Views of Responsible Officials Generally, vouchers/checks for the 700 and 705 are secured. More diligence will be made to insure the safety of blank checks, current policy requires them to be locked in the Finance Officer’s office or secured in a locked closet with the personnel files at all times. We will segregate the reconciling function to an employee that is separate from the writing and posting process. We understand the need to separate the duties, however, segregation of the employee posting the payments and the person writing the payments will be difficult as there are only three finance staff. The approval process for checks written from the 700 and 705 requires two people separate from the process to review and sign each check. If the reconciling employee is separate from this function also, it should help in reducing the risk for a misuse of funds. Observation Expenditures Not Approved An effective internal control system provides an appropriate level of review of expenditures. From reviewing 60 expenditure claims, three victim services unit invoices ($38,181.22) and one miscellaneous expenditure voucher jacket ($631.25) were not approved prior to payment. The approving officials believe the lack of approval was an oversight on their part. Expenditure amounts may be inaccurate. Recommendation Views of Responsible Officials Observation We recommend the approving officials exercise diligence when reviewing invoices/voucher jackets and ensure their approving signatures are added to the applicable documents as evidence that a review has been performed. We agree more diligence by approving officials is needed and will be stressed in a revision to the current accounting procedures. Employee Separations An effective internal control system provides assurance separated employees are removed from payroll records in a timely manner. During the period July 2007 through December 2008, a control was not in place to provide management assurance that employees which separate from the Agency are removed from payroll records in a timely manner. In January 2009, the office 7 This internal accounting software is QuickBooks and is used by the Agency finance manger in producing the fund 700 and 705 vouchers as well as in the reconciliation of these funds. 6 Oklahoma Office of the Attorney General Operational Audit administrator began comparing the payroll claims to a payroll analysis spreadsheet 8 (spreadsheet) created by the finance officer. The spreadsheet was not completed for June 2009; however, the employees were not included in the June 2009 payroll claims. Recommendation Views of Responsible Officials We recommend the office administrator continue performing the comparison of the spreadsheet to the payroll claims and ensure the spreadsheet is completed for each month for all payroll types. The office administrator will continue performing the comparison of the spreadsheet to the payroll claims and ensure the spreadsheet is completed for each month for all payroll types. Observation Inventory Policy and Procedures Inconsistent with Oklahoma Administrative Code Oklahoma Administrative Code (OAC) 580:70-1-3(A) establishes the general threshold for tangible asset inventory reports at $500. OAC 580:70-5-1(a) requires an agency to affix a unique identifier as an inventory tag to all tangible assets. Agency policy requires inventory records be maintained in the format requested by the Department of Central Services (DCS) while OAC 580:70-3-1 (c) outlines the information required to be included in the inventory report. After reviewing the Agency’s policy and procedures, the following was noted: • The reporting threshold established for furniture/equipment is $100. Although this amount is less than the $500 established in the OAC, Agency personnel indicate they only include assets valued at $500 or more on the inventory records; • Policy only requires computer/software inventory items be affixed with an inventory tag. Although the risk associated with Agency furniture is less than computer/software items, this policy does not correspond with OAC requirements. Agency personnel confirmed furniture items were not tagged; and • The furniture/equipment inventory listing does not appear to contain all the information required by OAC 580:70-3-1(c). Items noted as being omitted were: o Asset tag number, model and serial number, if applicable, and acquisition date and cost. The Agency’s policies and procedures do not appear to be consistent with the OAC addressing threshold levels, tagging tangible assets or completeness of inventory records. Management was unaware of these inconsistencies. Recommendation We recommend the agency revise their policies and procedures to be consistent with OAC 580:70-1-3(A) (asset threshold), 580:70-5-1(a) (tagging tangible assets) and 580:70-3-1 (c) (required fields of the inventory report). 8 The spreadsheet was created for the main payroll only during the audit period and includes but is not limited to the employees’ names, their funding source, and their salary. 7 Oklahoma Office of the Attorney General Operational Audit Views of Responsible Officials The OAG concurs and will revise the agency policies and procedures to adopt the audit’s recommendations and adhere to Oklahoma Administrative Code. A change of the reporting threshold will be changed from $100 to $500. Observation Lack of Segregation of Duties Related to Inventory Process The United States Government Accountability Office’s (GAO) Standards for Internal Control in the Federal Government 9 states in part, “Key duties and responsibilities need to be…segregated among different people to reduce the risk of error or fraud….No one individual should control all key aspects of a transaction…”. An effective internal control system provides for a periodic physical inventory count. The following was noted: • • For computer/software equipment, the information technology administrator is responsible for: o Purchasing items; o Updating the inventory records which includes adding, deleting, and surplusing items; and o Conducting the physical inventory count. However, a count has not occurred since 2006. The office administrator maintains the inventory records for furniture and is responsible for conducting the inventory count. However, evidence of the most recent furniture inventory count (January 2009) was not retained. Management was unaware of the risks associated with not ensuring there was adequate segregation of duties or by not conducting a periodic physical inventory count of the Agency’s assets. Deficiencies such as these increase the risk that misappropriations of assets may occur. Recommendation We recommend: • An employee without purchasing ability should be responsible for maintaining the Agency’s inventory records; • An employee without the ability to update inventory records should be responsible for completing the DCS Form 001 surplus inventory form; and • A physical inventory count of the computer/software equipment should be conducted as soon as possible. The physical inventory count (both computer/software equipment and furniture) should be conducted by an employee not responsible for purchasing/surplusing goods or maintaining the inventory records. If discrepancies are noted, the office administrator or designee, other than the personnel involved in the physical count, should investigate and resolve. The Agency should also retain documentation to support who performed the count, when the count was performed, and any discrepancies noted during the count. 9 Even though this publication addressed controls in the federal government, this criterion can be treated as best practices. The theory of controls applies uniformly to federal or state government. 8 Oklahoma Office of the Attorney General Operational Audit Views of Responsible Officials The OAG agrees that physical inventory counts should occur, at a minimum, annually. The finance procedure will be revised to include these counts. We also agree that a separate individual should perform the physical inventory count and use that information to complete the DCS Form 001. However, we do believe that enough purchase controls are in place with the agency approval process and P-Card process that the employee purchasing may also update the inventory record. Documentation of inventory counts will be maintained. Additional Procedures Performed Methodology As a result of the control deficiencies identified under objective 1 of this report, the following procedures were performed: • Reviewed the fund 700 and 705 warrant registers from the Agency’s internal accounting system for payments to the Agency finance manager or vendor names that would appear unusual 10. Thirty-one claims ($2,958,728.24) were reviewed and no exceptions were noted. Objective 2 - Determine whether the Agency complied with 15 O.S. § 775B.7, 74 O.S. § 19.2, 74 O.S. § 19.3, and 74 O.S. § 250.4 3. Conclusion With respect to the claims tested, financial operations complied with the following statues: • 15 O.S. § 775B.7 – funds may be used for the purpose of implementing, administering, or enforcing the provisions of the Telemarketer Restriction Act; • 74 O.S. § 19.2 – funds may be used the purposes of investigation, civil action, criminal action or referral to the district attorney in cases involving suspected workers' compensation fraud; and • 74 O.S. § 19.3 – funds may be used for the purposes of investigation, civil action, criminal action, or referral to the district attorney in cases involving suspected insurance fraud. The Attorney General’s salary complied 11 with the provisions of 74 O.S. § 250.4 3 12 – salary limitation on the position of Attorney General. 10 Unusual was defined as a vendor name that was unfamiliar to the auditor or not reasonable given the mission of the funds. 11 It should be noted the annual salary exceeded the maximum amount by $25. 12 74 O.S. § 250.4 3. states the Attorney General’s salary is equal to the presiding judge of the court of civil appeals. 20 O.S. § 30.2A 1. sets the presiding judge’s salary of the court of civil appeals and 20 O.S. § 3.4 authorizes the Board on Judicial Compensation to set judicial salaries. Two reports issued by the Board on Judicial compensation were in effect during the audit period. The two salary limitations were: 1. 2. $126,500 - effective July 1, 2006 $132,825 - effective July 1, 2008 9 Oklahoma Office of the Attorney General Operational Audit Methodology To accomplish our objective, we performed the following: • Randomly selected 40 expenditures claims (37 from fund 205 totaling $29,249.11, two from fund 220 totaling $51.59, and one claim from fund 225 totaling $22.80) and tested them to ensure compliance with 15 O.S. § 775B.7 (fund 205), 74 O.S. § 19.2 (fund 220), and 74 O.S. § 19.3 (fund 225); • Reviewed the “HR Actions Report” from the PeopleSoft accounting system for the audit period to ensure the Attorney General’s salary did not exceed the limit set by law. 10 OFFICE OF THE STATE AUDITOR AND INSPECTOR 2300 N. LINCOLN BOULEVARD, ROOM 100 OKLAHOMA CITY, OK 73105-4896 WWW.SAI.OK.GOV