INTEROFFICE MEMORANDUM TO: Rob Lewis, Executive Director, Planning and Development Services FROM: Mark R. Simmons, Director, Internal Audit DATE: July 7, 2009 SUBJECT: 2009-277 REVIEW, MOBILITY/TRANSIT, SCAT CASH CONTROLS Attached are the results of the special review you requested of cash issues at Sarasota County Area Transit. All of the conditions observed, causes and opportunities for change were discussed with responsible managers. Please let me know if you would like any additional information. cc: Karen E. Rushing, Clerk of the Circuit Court and County Comptroller James Ley, County Administrator David Bullock, Deputy County Administrator Susan Scott, Deputy County Administrator Jeff Seward, Chief Financial Planning Officer Jeanette Phillips, Interim Finance Director, Clerk of the Circuit Court and County Comptroller Anthony Beckford, General Manager, Public Works, Mobility/Transit, SCAT INTEROFFICE MEMORANDUM TO: Mark R. Simmons, Director, Internal Audit FROM: Silas R. Wood, Senior Internal Auditor DATE: June 30, 2009 SUBJECT: 2009-277 REVIEW, MOBILITY/TRANSIT, SCAT CASH CONTROLS Following a conference with Rob Lewis, Executive Director and Anthony Beckford, General Manager to discuss concerns and issues at Public Works, Mobility/Transit, SCAT, Internal Audit agreed to conduct a special review of cash and deposit operating procedures and management controls. The objective of our review was to determine whether the Board of County Commissioners can have reasonable assurance that responsible managers have identified and addressed fraud and loss of cash assets risks and to assess the effectiveness and reliability of efforts to mitigate those risks. Our review indicated that although the responsible managers readily acknowledge the importance of safeguarding and providing accountability of collections and deposits, they have accepted compromised security and controls and a high level of fraud risk because, in their opinion, they are doing all that can be done with current administrative staffing levels to reduce exposures and mitigate the risks. We identified three primary, critical conditions that impact SCAT's ability to effectively mitigate fraud and loss of assets business risks and impede achievement of the department's objectives, in particular, increasing the rate of passenger fare collection; o Vault security, monitoring systems and control activities can not be relied upon to provide adequate and effective safeguards against unauthorized access to farebox or SCAT administration collections, creating significant fraud opportunity. o Existing operating procedures do not provide accountability or reasonable assurance all daily collections are deposited; collections are not counted and agreed to daily receipt records or system control totals. Daily farebox collection control totals are not provided by the GFI Genfare farebox collection system. o Daily collections are not deposited intact or timely, resulting in delays in revenue recognition and significantly increased exposure to fraudulent misappropriation. Up to five day's collections are combined in deposits prepared by the armed courier services provider, resulting in delays up to seven business days between collection and deposit. INTEROFFICE MEMORANDUM Page 2 of 2 To mitigate fraud and loss of asset risks, reduce exposure and enhance security, in compliance with county finance policy and generally recognized good business practice, the responsible manager could: o Provide mandatory joint custody of vault and farebox collections safe access and maintain strict assigned individual responsibility for SCAT administration collections. o Enhance effectiveness and security of access recording and monitoring equipment and ensure the confidentiality, integrity and availability of digital monitoring and access system records and farebox collection system data. o Require the GFI recording system provide daily farebox coin and currency collection control totals and periodically validate the reliability of individual route and system totals. o Reconcile farebox collection deposits to daily GFI system control totals and administration collection deposits to daily receipt and pass inventory issue records. o Maintain daily collections separately and intact and prepare deposits on a timely basis. o Provide clear, written collection and deposit processing procedures and controls, specific for SCAT operations. o Provide fixed collection and deposit processing and reconcilement assignment responsibility and appropriate separation of duties. Responsible management agrees with the opportunities for change and has either taken corrective action or has or is developing action plans to address the issues and conditions observed. Management anticipates the action plan will be accomplished by September 30, 2009 and will provide executive management with regular updates until all issues have been resolved. (Refer to attached Audit Fact Sheets for additional detail) 1 of 3 Project Number: 09-277 Public Works/Mobility Transit/SCAT Cash Controls Safeguarding Collections This fact sheet describes an action, event or outcome that impacts your organization's ability to mitigate important business risks. The issue described is: CRITICAL: This issue of concern is not present in your system of management control. It has caused, or is likely to cause, errors, omissions, misuse of resources, or other adversities of such magnitude that immediate action by you is required to mitigate the adverse impact. This issue is: Persistent: the same issue has appeared in multiple periods, or has arisen in more than one area of your operations. Pervasive: the effects of the issue imperil directly the stewardship of public resources or the accomplishment of your organization's mission. Business Risk(s) at Issue: Fraud; asset misappropriation, skimming Loss of Assets or Resources Non-Compliance with existing county policies and procedures COSO Criteria: Generally recognized, fundamental components necessary for effective management control include: o Control Environment; the foundation for effective control, sets the tone for the organization and influences control consciousness, addressing integrity, ethical values and the attention and direction given by management. o Risk Assessment; the process of recognizing and prioritizing operational risks and obstacles and involves identification of significant business risks and communication of objectives. o Control Activities; the policies and procedures established to minimize risks and the obstacles to desired outcomes, including safeguarding assets and resources, reconciliations, verifications, approvals and segregation of duties. County Finance Accounting Policy and Procedure, 9.2., "Business Center Receipt, Balance, and Deposit of Cash", (Policy 3) requires that cash and check collections always be stored in a secure location, safe, vault, or locked file cabinet with limited access. Good business practices require cash and check collections and deposits and other assets be safeguarded against unauthorized access o Information and Communications; the knowledge needed to meet responsibilities and make decisions by identifying, capturing and communicating key business information and data from internal and external sources. o Monitoring Activities; assessment of control effectiveness by appropriate people on a timely basis using outcome measurement, review and comparison of expected and actual results and performance. Condition(s) Observed: SCAT and CTC administrative and bus route farebox collections are not adequately safeguarded against unauthorized access. Vault access and monitoring systems can not be relied upon to provide effective and adequate protection against unauthorized access. During the thirteen weeks from January 1 through March 29, 2009, weekly farebox collections averaged over $21,000 and SCAT and CTC operations and administrative collections averaged $4,115 per week. Ten other checks over $5,000, totaling more than $614,000 were receipted and deposited during the same time period. Causes of Observed Condition(s): Control Environment and Risk Assessment: Although responsible managers readily acknowledge the importance of safeguarding collections and deposits, in their opinion, they felt they were doing an adequate job with current administrative staff to reduce exposure and mitigate the risk of fraudulent activity and loss of cash assets. 2 of 3 Project Number: 09-277 Public Works/Mobility Transit/SCAT Cash Controls Safeguarding Collections Control Activities: Bus farebox collections: SCAT relies on systems and control procedures that provide only voluntary joint custody of the vault and a GFI Genfare (GFI) farebox collection system safe to safeguard bus fare collections. Vault access control is provided by a door with a key lock and an identification card/security code keypad (installed in the fall of 2008). o Custody of vault door keys has been assigned to the maintenance manager and a supervisor, the SCAT administration business professional and one administrative specialist. The key assigned to the admin specialist is periodically "borrowed" by two other admin staff personnel for access to the vault. o Identification cards and an individual access security codes have also been assigned to each individual with custody of or with "borrowed" access to a door lock key. o Custody of GFI safe keys has been assigned to the maintenance manager, admin business professional, and the same administrative specialist (keeps the GFI safe key on the same key ring as the frequently "borrowed" vault door key). Interviews suggest security procedures did not require joint custody of the vault and GFI safe prior to January 2009 when a manual signature log was implemented. o Between July or August 2008 and January 2009, one other administrative specialist, with custody (at that time) of a vault door and GFI safe key and an ID entry card and access code, was assigned primary, and usually sole responsibility to prepare bus fare collections for armed courier pick up. SCAT and CTC administrative collections: Daily cash, money order and check collections received by mail are receipted and kept in a locked metal cash box secured inside a locked lateral file drawer in the SCAT reception area until picked up each Monday morning for deposit. o The administrative specialist/cashier with assigned, individual responsibility to receipt and safeguard the collections has custody of the keys. Security of the collections is compromised by the maintenance manager and one other admin specialist having custody of spare keys to the lateral file. Monitoring Activities: The electronic vault security system automatically records the identity of only the person who uses the identification card/security code keypad to enter the vault. The identity of the person using the door lock key is not captured in the record. Both personnel entering the vault are required, by security procedures, to (voluntarily) sign the manual log. The data recording and storage equipment for GFI farebox collections, vault access and security camera systems are all housed inside the vault, exposed to anonymous equipment sabotage or data disruption, deletion or corruption. Digital security cameras inside and outside the vault are used to provide about 30 days of temporary visual record of persons entering the vault. o One camera records the room housing the GFI safe but is positioned to record only a back view of the person accessing the currency compartment, not what they are doing. The security camera monitor is also located inside the vault, negating the camera monitoring system's psychological deterrent value (not knowing when someone is watching). Opportunity for Change (What could be done): To mitigate the risk of fraudulent misappropriation and to ensure security procedures adequately safeguard collections, deposits and other assets against unlimited or unauthorized access, in accordance with generally recognized good business practice and in compliance with county finance policy, the responsible manager could: o Provide mandatory joint custody of vault and farebox collections safe access and maintain strict assigned individual responsibility for SCAT and CTC collections. 3 of 3 Project Number: 09-277 Public Works/Mobility Transit/SCAT Cash Controls Safeguarding Collections o Enhance the effectiveness and security of access recording and monitoring equipment. o Ensure confidentiality, integrity and availability of digital monitoring and access system records and farebox collection system data. Responsible Manager's Action Planned or Taken to Address This Issue: Provide mandatory joint custody of the vault and farebox collections safe by September 30, 2009. A solution to prevent the vault door from being opened until two personnel have activated the lock(s), with both automatically recorded in the access system record, is being investigated. This cannot be accomplished with the current locking devices. A separate secure locking mechanism has been ordered for the SCAT and CTC collections lateral file at the cashier's desk, providing strict individual responsibility with the cashier, only having custody of the key. Additional security cameras have been installed in the vault area, providing complete visibility of the vault and the GFI farebox collections safe room. Additional cameras have also been installed at the Downtown Transfer Facility to monitor the office, safe, and change machine. Estimates have been received to move the Farebox PC and related items, as well as the security monitoring DVR, from inside the vault to the SCAT administration building. Although a definite timetable has not yet been established, the relocation will be accomplished before September 30, 2009. Actual or Expected Date of Implementation: September 30, 2009 Signature of Responsible Manager Acknowledging Concurrence with Fact Sheet Contents Date Signature of Responsible Manager Acknowledging Concurrence with Fact Sheet Contents Date 1 of 3 Project Number: 09-277 Public Works/Mobility Transit/SCAT Cash Controls Collection and Deposit Accountability This fact sheet describes an action, event or outcome that impacts your organization's ability to mitigate important business risks. The issue described is: CRITICAL: This issue of concern is not present in your system of management control. It has caused, or is likely to cause, errors, omissions, misuse of resources, or other adversities of such magnitude that immediate action by you is required to mitigate the adverse impact. This issue is: Persistent: the same issue has appeared in multiple periods, or has arisen in more than one area of your operations. Pervasive: the effects of the issue imperil directly the stewardship of public resources or the accomplishment of your organization's mission. Business Risk(s) at Issue: Fraud; asset misappropriation, skimming Loss of Assets or Resources Non-Compliance with existing county policies and procedures COSO Criteria: Generally recognized, fundamental components necessary for effective management control include: o Control Environment; the foundation for effective control, sets the tone for the organization and influences control consciousness, addressing integrity, ethical values and the attention and direction given by management. o Risk Assessment; the process of recognizing and prioritizing operational risks and obstacles and involves identification of significant business risks and communication of objectives. o Control Activities; the policies and procedures established to minimize risks and the obstacles to desired outcomes, including safeguarding assets and resources, reconciliations, verifications, approvals and segregation of duties. County Finance Accounting Policy and Procedure, 9.2., "Business Center Receipt, Balance, and Deposit of Cash", requires that cash, check and other remittance collections be counted and compared to daily cash receipt or collection system summary totals (Procedures 5. 6. and 9.). Good business practices require daily cash and check collections be counted and agreed or reconciled to daily receipt system control totals. o Information and Communications; the knowledge needed to meet responsibilities and make decisions by identifying, capturing and communicating key business information and data from internal and external sources. o Monitoring Activities; assessment of control effectiveness by appropriate people on a timely basis using outcome measurement, review and comparison of expected and actual results and performance. Condition(s) Observed: Current operating procedures and controls do not provide accountability for cash and check collections. Collections and deposits are not counted and agreed to daily receipt records or system control totals. During the thirteen weeks ending March 29, 2009... o Weekly farebox coin collections averaged $10,807 and currency averaged $10,404. o Ten deposited SCAT and CTC collection checks over $5,000 averaged $9,449 a week and ranged from $5,444 to $264,417. o SCAT and CTC Admin cash, money order and other check (under $5,000) collections averaged $4,115 per week. 2 of 3 Project Number: 09-277 Public Works/Mobility Transit/SCAT Cash Controls Collection and Deposit Accountability Causes of Observed Condition(s): Control Environment and Risk Assessment: Although responsible managers readily acknowledge the importance of providing accountability for cash and check collections and deposits, in their opinion, considering current administrative personnel staffing levels, all that is possible is being done to mitigate the risk of fraud and loss of cash assets. Information and Communication: Comprehensive, written cash handling, collection and deposit processing procedures and controls, specific to SCAT operations have not been provided for reference and training. Daily GFI Genfare (GFI) farebox collection data for each route is downloaded and currency and coin fares collected are released directly into the GFI safe every evening. The GFI system reports rider data and the of bills collected number (without denominations) but does not provide daily collection control totals, either by route or in total. Control Activities: Bus farebox collection: Farebox coins are dumped, uncounted and currency is "stuffed", unsorted and uncounted twice weekly from the GFI safe into sealed, clear plastic bags for scheduled pick-up by armed courier service (Brinks). Brinks counts the collections, prepares deposit documents, delivers the deposits to the bank and reports the totals to SCAT. o Neither the collections nor the reported deposit totals are agreed to any collection control totals. SCAT and CTC Administrative Collections: A record of mail received and delivered to the administrative specialist/cashier for processing is not maintained. The cashier opens the mail and issues a manual, pre-numbered county "Official Receipt" for each cash, money order or check transaction received, retaining the pink copy in the receipt book. The remittance is attached to yellow receipt copies and in most cases, kept in a locked cash box, in a locked lateral file until picked up once a week, on Monday by another admin specialist. The collections are counted, agreed to and separated from the attached yellow receipt copies and placed into a sealed plastic bag, with Transfer Station collections, by the admin specialist. The bag is kept in a file drawer until picked up by Brinks later the same day to be counted and a deposit prepared and delivered to the bank. The admin specialist agrees the deposit confirmation amount to the original receipt total then prepares and sends a "Receipt For Deposit of County Funds", with the yellow receipt copies, to Clerk Finance for recording. o Collections picked up weekly by the admin specialist are not reconciled to the cashier's receipt records to provide assurance all receipted collections are processed for deposit and account for the numeric sequence of issued receipts. 1) One day's collections, receipted on 2/10/09 ($288.60, 28 receipts) by a substitute cashier, were "overlooked" in the wrong file drawer and not discovered and deposited until 4/20/09 o Mitigating controls are in place to provide assurance all payments received by mail have been properly receipted by the cashier except to purchase bus passes and tickets, issued and mailed to patrons by the cashier. Collections submitted for deposit and the receipt record are not agreed to bus pass and ticket inventory/issue control records maintained by the cashier. o Deposits totals are not reconciled to receipt records by someone other than the person responsible for preparing collections for deposit. o Grant checks and other large, miscellaneous receipted payments are delivered upon receipt to the admin specialist for recording and processing. For all other payments, the white receipt, mail envelope, enclosed papers and, if needed, a copy of the check are provided to others for processing and recording, with the original payment retained in the custody of the cashier. 1) A check for over $35,000 from Manatee County BOCC, receipted on 12/22/08, was reportedly "misplaced" and not deposited until 1/12/09. 3 of 3 Project Number: 09-277 Public Works/Mobility Transit/SCAT Cash Controls Collection and Deposit Accountability Opportunity for Change (What could be done): To facilitate accountability, provide assurance all collections are properly receipted and deposited, and to mitigate risk of loss or fraudulent misappropriation, in accordance with generally recognized good business practice and compliance with county finance policy, the responsible manager could: o Require the GFI collection system provide daily farebox coin and currency collection control totals, by individual route and in total. o Ensure farebox collections are reconciled to daily GFI control totals, adopt procedures to agree administration collections to receipt issue and inventory sales records and account for the numeric sequence of pre-numbered receipts and items sold. o Periodically validate the reliability of GFI collection system control totals and, on a test basis, verify individual route collection totals. o Provide clear, written collection and deposit processing procedures and controls, specific for SCAT operations. o Ensure collection receiving, recording, deposit preparation and reconcilement procedures and assignments provide fixed responsibility. Responsible Manager's Action Planned or Taken to Address This Issue: The availability of daily GFI farebox collection control totals, by individual bus and in total, for comparison to Brinks reported deposit totals has been identified. Report formats and uses are being developed. Written deposit, collection funds handling and rider pass issue procedures are being developed and duty assignments reviewed to define roles and responsibilities. Although specific action plans are still being developed, responsible management agrees with and accepts the importance of addressing collection and deposit accountability and reconciliation issues and conditions. o A determination of how best to reconcile and account for daily collections from all sources is in process. Actual or Expected Date of Implementation: September 30, 2009 Signature of Responsible Manager Acknowledging Concurrence with Fact Sheet Contents Date Signature of Responsible Manager Acknowledging Concurrence with Fact Sheet Contents Date 1 of 3 Project Number: 09-277 Public Works/Mobility Transit/SCAT Cash Controls Timely Collection Deposits This fact sheet describes an action, event or outcome that impacts your organization's ability to mitigate important business risks. The issue described is: CRITICAL: This issue of concern is not present in your system of management control. It has caused, or is likely to cause, errors, omissions, misuse of resources, or other adversities of such magnitude that immediate action by you is required to mitigate the adverse impact. This issue is: Persistent: the same issue has appeared in multiple periods, or has arisen in more than one area of your operations. Pervasive: the effects of the issue imperil directly the stewardship of public resources or the accomplishment of your organization's mission. Business Risk(s) at Issue: Loss of Assets or Resources Fraud; asset misappropriation, skimming Non-Compliance with existing county policies and procedures COSO Criteria: Generally recognized, fundamental components necessary for effective management control include: o Control Environment; the foundation for effective control, sets the tone for the organization and influences control consciousness, addressing integrity, ethical values and the attention and direction given by management. o Risk Assessment; the process of recognizing and prioritizing operational risks and obstacles and involves identification of significant business risks and communication of objectives. o Control Activities; the policies and procedures established to minimize risks and the obstacles to desired outcomes, including safeguarding assets and resources, reconciliations, verifications, approvals and segregation of duties. County Finance Accounting Policy and Procedure, 9.2, "Business Center Receipt, Balance, and Deposit of Cash", requires that cash and check collections be deposited within one business day. (Policy 4, Procedures 8 and 9). Good business practices require that collections be deposited intact and on a timely basis. o Information and Communications; the knowledge needed to meet responsibilities and make decisions by identifying, capturing and communicating key business information and data from internal and external sources. o Monitoring Activities; assessment of control effectiveness by appropriate people on a timely basis using outcome measurement, review and comparison of expected and actual results and performance. Condition(s) Observed: Daily collections are not deposited on a timely basis and up to five day's collections are combined in deposits prepared by the armed courier services provider. Procedural delays in depositing daily collections create significant, preventable exposure of SCAT assets to fraudulent misappropriation. Causes of Observed Condition(s): Control Environment and Risk Assessment: Although responsible managers readily acknowledge the importance of making timely and intact daily deposits in efforts to limit risk and exposure to fraudulent activity and loss of cash assets, in their opinion, existing collection processing and deposit procedures are the best that can be provided with current staffing levels. Information and Communication: Comprehensive, written cash handling, collection and deposit processing procedures and controls, specific to SCAT operations have not been provided for reference and training. 2 of 3 Project Number: 09-277 Public Works/Mobility Transit/SCAT Cash Controls Timely Collection Deposits Control Activities: Bus farebox collection: GFI Genfare (GFI) system fareboxes are removed from each bus nightly and the route collections released directly into the GFI safe, automatically sorting coin to one safe compartment, currency in another and combining the fares collected on all routes for three or four days. Twice weekly, unsorted and uncounted currency and bulk, uncounted coin is sealed in clear plastic bags by SCAT personnel to be picked up by the armed courier service (Brinks). The collections are counted by Brinks at it's facilities and deposited, with resulting delays up to 7 days between collection and deposit: Farebox Bagged & Deposited Days To Collection Days In Safe Picked-Up Collections By Brinks Deposit Monday - Wednesday Thursday Coin Friday 2 to 4 days Currency Monday 5 to 7 days Thursday - Sunday Monday Coin Tuesday 2 to 5 days Currency Wednesday 3 to 6 days SCAT and CTC collections: Cash, money order and check payments received by mail Monday through Friday at SCAT Administration are receipted and kept together in a locked lateral file until picked-up by an admin specialist the following Monday morning and prepared for Brinks pick up. Payments received by the downtown transfer station operator are receipted, counted and sealed in plastic bank bags daily, with attached receipt copies, and kept in a safe until taken to the SCAT administration building once a week on Friday. The collections are removed from the sealed bank bags and combined with SCAT admin collections on Monday. All of the week's admin and transfer station collections are counted, agreed to attached receipt copies and put in one sealed, plastic bag. The collections are picked up the same day by Brinks, counted, deposit documents prepared and delivered to the bank on Wednesday, 5 to 9 day after receipt. Calculations and evaluation of collections deposited during the thirteen weeks ending March 29, 2009 revealed that: o weekly farebox coin collections averaged $10,807 and currency averaged $10,404. o SCAT and CTC administration cash, money order and check (under $5,000) collections averaged $4,115 per week. o ten deposited checks over $5,000, ranging from $5,444 to $264,417, averaged $9,450 a week, o based on average daily collections, making deposits the next or earliest business day following receipt could result in an increase of as much as $17 million in annual cumulative deposited revenue value and a reduction of cumulative fraud loss exposure (daily collections held at SCAT offices) by over $10 million annually. The current annual Brinks purchase order provides for twice weekly scheduled pick-up ($50/wk) at the SCAT admin building and the following additional deposit services; o bulk coin counting and deposit ($3.50/bag, up to 94 - 95 bags/wk), o currency, check and money order counting and deposit preparation ($35/hr, up to 4 hrs/wk) o currency and check deposit processing liability ($2,700) Increasing courier pick-up service to daily, Monday - Friday, and having SCAT personnel count and prepare daily currency, check and money order deposits could reduce annual Brinks cost by $6,000 or more. Opportunity for Change (What could be done): To reduce exposure and mitigate risk of loss or fraudulent misappropriation of collections and to comply with county finance policy and generally recognized good business practice, the responsible manager could ensure daily collections are maintained and deposited separately and intact and deposited on a timely basis. 3 of 3 Project Number: 09-277 Public Works/Mobility Transit/SCAT Cash Controls Timely Collection Deposits Responsible Manager's Action Planned or Taken to Address This Issue: Although specific action plans are still being developed, responsible management generally agrees with timely collection deposit issues and will address the opportunities for change and resolve the conditions observed by assessing how best to: o keep separate and increase farebox, SCAT, CTC administration and other collection deposit frequency, limiting impact on existing staff, and o comply with the county's daily collections policy. Meet with Brinks armored services to determine the impact of increasing service to daily pickup. Actual or Expected Date of Implementation: September 30, 2009 Signature of Responsible Manager Acknowledging Concurrence with Fact Sheet Contents Date Signature of Responsible Manager Acknowledging Concurrence with Fact Sheet Contents Date