Audit Report

Department of Human Services
Child Support Administration

May 2019

OFFICE OF LEGISLATIVE AUDITS
DEPARTMENT OF LEGISLATIVE SERVICES
MARYLAND GENERAL ASSEMBLY

For further information concerning this report contact:

Department of Legislative Services
Office of Legislative Audits
301 West Preston Street, Room 1202
Baltimore, Maryland 21201
Phone: 410-946-5900 · 301-970-5900
Toll Free in Maryland: 1-877-486-9964
Maryland Relay: 711
TTY: 410-946-5401 · 301-970-5401
E-mail: OLAWebmaster@ola.state.md.us
Website: www.ola.state.md.us

The Office of Legislative Audits operates a Fraud Hotline to report fraud, waste, or abuse involving State of Maryland government resources. Reports of fraud, waste, or abuse may be communicated anonymously by a toll-free call to 1-877-FRAUD-11, by mail to the Fraud Hotline, c/o Office of Legislative Audits, or through the Office’s website.

The Department of Legislative Services does not discriminate on the basis of age, ancestry, color, creed, marital status, national origin, race, religion, gender, gender identity, sexual orientation, or disability in the admission or access to its programs, services, or activities. The Department’s Information Officer has been designated to coordinate compliance with the nondiscrimination requirements contained in Section 35.107 of the Department of Justice Regulations. Requests for assistance should be directed to the Information Officer at 410-946-5400 or 410-970-5400.

DEPARTMENT OF LEGISLATIVE SERVICES
OFFICE OF LEGISLATIVE AUDITS
MARYLAND GENERAL ASSEMBLY

Gregory A. Hook, CPA, Legislative Auditor
Victoria L. Gruber, Executive Director

May 15, 2019

Senator Craig J. Zucker, Co-Chair, Joint Audit Committee
Delegate Shelly L. Hettleman, Co-Chair, Joint Audit Committee
Members of Joint Audit Committee
Annapolis, Maryland

Ladies and Gentlemen:

We have conducted a fiscal compliance audit of the Department of Human Services (DHS) Child Support Administration (CSA) for the period beginning May 5, 2014 and ending July 17, 2017. CSA is responsible for operating the Statewide child support program, which includes the establishment of paternity and child support orders, and the collection and distribution of child support payments. For the federal fiscal year ended September 30, 2017, child support collections totaled $566 million and unpaid child support due from obligors (non-custodial parents) totaled $1.3 billion at that date.

Our audit disclosed that controls were inadequate to ensure that delinquent obligors’ driver’s licenses were appropriately reinstated by the Motor Vehicle Administration under the driver’s license suspension program after obligors made payments to CSA to remove the delinquency. The audit also disclosed issues with unnecessary CSA employee access to the Child Support Enforcement System and the need to ensure that the vendor maintaining the State’s new hire registry complied with the contract’s system security requirements and appropriately safeguarded personally identifiable information on Maryland workers.

In addition, CSA did not monitor an interagency agreement with a State university to ensure that the university complied with contract terms and provided the required deliverables and services. CSA also did not appropriately oversee the development of an application by the university under this agreement. Total payments from inception through October 3, 2018 were $5.7 million. Furthermore, the audit disclosed inadequate internal controls over child support account adjustments and manual checking account.
Finally, our audit included a review to determine the status of the six findings contained in our preceding audit report. We determined that CSA satisfactorily addressed these findings.

DHS’ response to this audit, on behalf of CSA, is included as an appendix to this report. In accordance with State law, we have reviewed the response and, while CSA agrees with the recommendations in this report, we identified certain instances in which statements in the response conflict with or disagree with the report findings. In each instance, we reviewed and reassessed our audit documentation, and reaffirmed the validity of our finding. In accordance with generally accepted government auditing standards, we have included “auditor comments” within DHS’ response to explain our position. Finally, there are other aspects of DHS’ response which will require further clarification, but we do not anticipate that these will require the Committee’s attention to resolve.

We wish to acknowledge and willingness to address the audit issues and implement appropriate corrective actions.

Respectfully submitted,

Gregory A. Hook, CPA
Legislative Auditor

Table of Contents

Background Information
    Name Change and Agency Responsibilities
    Enforcement Action Overview
    Status of Findings From Preceding Audit Report

Findings and Recommendations
    Driver’s License Suspension Program
        Finding 1 – Controls over driver’s license reinstatements were inadequate to ensure their propriety.
    Child Support Account Adjustments
        Finding 2 – The Child Support Administration (CSA) could not always provide evidence of supervisory reviews of child support account adjustments by independent personnel.
    Child Support Enforcement System (CSES) Access
        Finding 3 – CSA did not ensure that central and local office personnel conducted periodic reviews of employee access to CSES, as required, and we noted that critical access had been unnecessarily granted to certain employees.
    New Hire Registry Contract Security Requirements
        Finding 4 – CSA did not ensure that the vendor responsible for administering the State’s new hire registry complied with the contract’s system security requirements and safeguarded sensitive personally identifiable information on Maryland workers.
    Monitoring of Interagency Agreement
        Finding 5 – CSA did not properly monitor its interagency agreement with a State university for compliance with the agreement terms and did not ensure required services were provided. Payments related to the agreement totaled $5.7 million.
    Bank Accounts
        Finding 6 – Controls were inadequate over CSA’s checking account that was used to process certain refund payments, and outstanding checks were not forwarded to the Comptroller of Maryland as abandoned property when required.

Audit Scope, Objectives, and Methodology

Agency Response (Appendix)

Background Information

Name Change and Agency Responsibilities

Chapter 205, Laws of Maryland 2017, effective July 1, 2017, changed the name of the Department of Human Resources to the Department of Human Services (DHS), and changed the name of the Child Support Enforcement Administration, a unit within DHS, to the Child Support Administration (CSA).

CSA is responsible for operating the Statewide child support program. CSA provides services to both the noncustodial and custodial parents, which include the establishment of paternity and child support orders, the collection of child support payments, and the distribution of such funds. Local child support offices, under CSA’s oversight, and other state and local government agencies (such as State’s Attorneys’ Offices) perform various child support services.
Furthermore, a private vendor, under contract to CSA, provides child support functions in Baltimore City, which handles approximately 27 percent of the State’s child support cases. In addition, CSA uses the services of two additional private vendors—one vendor maintains the new hire registry, which is used to identify noncustodial parent wages on a Statewide basis, and the other vendor centrally receives, processes, and distributes child support payments.

CSA’s Child Support Enforcement System (CSES) is used to record child support case information, including enforcement efforts, and to account for the collection and subsequent distribution of support payments. CSES also provides financial and statistical data for management oversight purposes, and has certain automated enforcement features to aid in the collection function.

According to CSA’s records, during federal fiscal year 2017 (October 1, 2016 through September 30, 2017), Statewide child support collections totaled approximately $566 million, representing an increase of approximately one percent compared to the year-ended September 2014. As of September 2017, the CSA open caseload totaled approximately 196,867, and the Statewide unpaid child support due from obligors totaled approximately $1.3 billion, representing virtually no change from the September 2014 unpaid balance.

According to the State’s records, CSA’s operating expenditures for State fiscal year 2017 totaled approximately $44 million. This excludes local child support office expenditures, which are included in a separate DHS budgetary unit.

Enforcement Action Overview

Child support services are generally performed by local offices throughout the State, including the Baltimore City office where a vendor provides the services, with oversight and administration provided by CSA central office personnel. CSA uses several enforcement tools to pursue court-ordered child support when an obligor does not pay fully or on time.
These tools include withholding wages, intercepting tax refunds, and seizing funds in personal bank accounts. The primary source to facilitate the identification of wages for withholding is the State’s new hire registry which is an automated system for collecting, storing, and extracting employer-reported information on new hires, mandated by federal law. The system is maintained by a vendor under contract to DHS.

Other enforcement tools provided for in State law include driver’s license and occupational license suspensions. For example, State law permits the suspension of driver’s licenses by the Motor Vehicle Administration (MVA) when an obligor is at least 60 days delinquent in child support payments.

Status of Findings From Preceding Audit Report

Our audit included a review to determine the status of the six findings contained in our preceding audit report dated June 26, 2015. We determined that CSA satisfactorily addressed these findings.

Findings and Recommendations

Driver’s License Suspension Program

Finding 1
Controls over driver’s license reinstatements were inadequate to ensure their propriety.

Analysis
Child Support Administration’s (CSA) controls over driver’s license reinstatements processed under CSA’s driver’s license suspension program were inadequate. State law provides that CSA may refer a delinquent obligor to the Motor Vehicle Administration (MVA) requesting suspension of his or her driver’s license when the obligor is at least 60 days out of compliance with the most recent child support court order. Once the obligor is back in compliance, local office caseworkers notify MVA via a faxed letter to reinstate the driver’s license. Our audit disclosed that these reinstatements were often not subject to documented CSA supervisory review and approval. According to CSA records, 3,476 driver’s license reinstatements were performed in the month of December 2017.
CSA policy requires supervisory review and approval of driver’s license reinstatements processed by local office caseworkers; however, an automated monthly report of driver’s license reinstatements processed in the Child Support Enforcement System (CSES) was not generated by local offices to facilitate this supervisory review process. Without such a source document of all recorded reinstatements, it would not be possible to ensure that all driver’s license reinstatements were subject to the required supervisory review. In this regard, we noted that 774 CSES users statewide (caseworkers and supervisors) had access to record a reinstatement in CSES, which will result in a reinstatement notification to be sent to MVA.

Our test of 15 reinstated driver’s licenses from 10 local offices (selected from CSES) disclosed that, in 9 instances, there was no documented supervisory review and approval of the reinstatement. In addition, we reviewed the 15 cases to determine if there was sufficient documentation to justify the driver’s license reinstatement. We noted that one reinstatement that had been subject to supervisory review and approval lacked adequate documentation to justify the reinstatement.

Recommendation 1
We recommend that CSA ensure that local offices take appropriate action, such as by requiring the use of the monthly reinstatement report, to ensure, at least on a test basis, that driver’s license reinstatements are proper and have been subject to supervisory review and approval as required.

Child Support Account Adjustments

Finding 2
CSA could not always provide evidence of supervisory reviews of child support account adjustments by independent personnel.

Analysis
CSA could not provide documentation that required monthly independent supervisory reviews of child support account adjustments (such as, adjustments to the balance of child support owed) were performed at each local office.
In addition, when documentation was available of supervisory reviews at a local office, we noted that the reviews were not always performed by an independent employee. According to CSA policy, a supervisor at each local child support office must use monthly adjustment reports from CSES to perform a documented, test basis review of account adjustments processed during the month.

We requested documentation in December 2017 of the supervisory reviews of account adjustments for all 24 local child support offices for the month of June 2017. CSA advised us that all local offices had performed these reviews; however, CSA could not provide adequate documentation of a review of account adjustments for 7 local offices, including the 3 largest local offices. According to CSA records, during June 2017, approximately $15 million in account adjustments were processed, of which $7.4 million in adjustments were processed at the aforementioned 7 offices where there was no adequate documentation of account adjustment reviews.

Furthermore, at 4 of the 17 offices where supervisory reviews were documented, we found that the employees who performed the supervisory reviews also had the ability to process adjustments, and consequently would not be independent. We then performed a test at these 4 offices during June 2017 and found that supervisory employees initially processed 19 account adjustments totaling $8,000. As a result, erroneous or fraudulent transactions could be processed without detection.

Recommendation 2
We recommend that CSA ensure that account adjustments are subject to a documented monthly review by an independent supervisor on a test basis, as required.

Child Support Enforcement System Access

Finding 3
CSA did not ensure that central and local office personnel conducted periodic reviews of employee access to CSES, as required, and we noted that critical access had been unnecessarily granted to certain employees.
Analysis
CSA did not ensure that employee access to CSES was subject to a periodic review for propriety as required, and we noted a number of employees with critical system access that was not required for their job duties. CSES is used to record child support case information, including enforcement efforts, and to account for the collection and subsequent distribution of support payments.

CSA could not document that required periodic access reviews had been performed for central office personnel and for personnel at all 24 local offices during the audit period. In addition, during our audit, we identified 15 CSA employees with critical system access as of May 10, 2017, which was unnecessary for their job duties. Specifically, 4 employees at 3 local offices had user access which allowed them to enter or edit customer direct deposit information in CSES, and 12 employees at 11 local offices (including one employee in the 4 noted above) had user access to process manual distributions in CSES, which allowed these employees to manually record payments to a customer account. These employees did not need such access since these functions were the responsibility of CSA’s State Disbursement Unit vendor, which centrally receives and processes child support payments. As of May 2017, there were 980 CSA employees with various CSES edit accesses.

According to the DHS Information Systems Security Handbook, at least annually, DHS supervisors should review their employees’ current job duties and compare them to the employees’ current security access level to determine if any modifications are needed. According to CSA records, during federal fiscal year 2017 (October 1, 2016 through September 30, 2017), Statewide child support collections totaling approximately $566 million were recorded in CSES.

Recommendation 3
We recommend that CSA
a. comply with the aforementioned DHS Handbook and ensure that each employee’s access to CSES is reviewed annually and that the reviews are documented; and
b. remove any unnecessary CSES access, including those noted above.

New Hire Registry Contract Security Requirements

Finding 4
CSA did not ensure that the vendor responsible for administering the State’s new hire registry complied with the contract’s system security requirements and safeguarded sensitive personally identifiable information on Maryland workers.

Analysis
CSA did not ensure that the vendor that operates and maintains the State’s new hire registry complied with the contract’s system security requirements and that sensitive personally identifiable (PII) information on Maryland workers was appropriately safeguarded. The registry is an automated system for collecting, storing, and extracting employer-reported information on new employee hires as mandated by federal law, with the primary goal of increasing child support collections by identifying wages of noncustodial parents who may be eligible for wage withholding. The vendor processes all new hire reports for Maryland employers and transmits the information to CSA to be uploaded to CSES. The original contract term was for a three-year period beginning November 2013 and contained two one-year renewal options. As of December 2016, the estimated total contract value was approximately $1.2 million.

The registry includes sensitive PII for employees such as name, address, date of birth, and social security number. The contract required the vendor to ensure proper security for the registry, including the implementation of firewalls, the use of encryption, and the logging of changes to network devices, as well as to maintain the confidentiality of information, to implement authorization controls, and to develop a disaster recovery plan. However, there was no requirement in the contract for these security measures to be independently verified or assessed.
After our inquiry, CSA provided us with certain vendor-provided assertions regarding the security measures it had taken in the form of two one-page letters (one of which was undated); however, the information provided by the vendor was general in nature and CSA had taken no documented action to verify the vendor’s assertions and to ensure the security measures in place were sufficient. While the number of employee records processed was not readily available, for the five months of invoices which we reviewed (dating between June 2016 and March 2017), the vendor was paid approximately $141,000 for processing 546,000 records.

PII is commonly associated with identity theft. Accordingly, appropriate information system security controls need to exist to ensure that PII is safeguarded and not improperly disclosed. The State of Maryland Information Security Policy requires that agencies protect confidential data using encryption technologies and/or other substantial mitigating controls and the vendor is required to adhere to the Policy.

One option to obtain comprehensive and independent assurance of the safeguarding of data by service organizations is a System and Organization Controls (SOC) report issued by an independent auditor, which is the subject of guidance from the American Institute of Certified Public Accountants. One type of report, referred to as a SOC 2 Type 2 report, includes the results of the auditor’s review of controls placed in operation and tests of operating effectiveness for the period under review and could include an evaluation of system security, availability, processing integrity, confidentiality, and/or privacy. In addition, subsequent to the awarding of the original contract, the Department of Budget and Management has advocated for a SOC review for certain contracts and now requires, through the use of a standard Request for Proposals template, certain contracts to include a clause requiring a SOC review (SOC 2 Type 2).
Recommendation 4
We recommend that
a. CSA ensure that the vendor is properly complying with the contract’s system security requirements and, specifically, that all PII maintained on the vendor registry is adequately protected; and
b. future contracts for the new hire registry include, as appropriate, a requirement for the vendor to obtain periodic SOC 2 Type 2 reviews, and that CSA obtain and review the resulting reports to ensure that sensitive worker data maintained by the vendor is properly safeguarded.

Monitoring of Interagency Agreement

Finding 5
CSA did not properly monitor its interagency agreement with a State university for compliance with the agreement terms and did not ensure required services were provided. Payments related to the agreement totaled $5.7 million.

Analysis
CSA did not properly monitor its interagency agreement with a State university, including the development of an application by the university, and did not ensure that the university complied with the agreement terms and provided the required deliverables and services. CSA entered into an agreement with a university for local area network (LAN) services, which included LAN management, application development and maintenance, onsite training, reporting, and periodic meetings. The agreement included specific monthly deliverables and details of the key personnel to be provided by the university. The agreement was for a five-year term from July 1, 2013 through June 30, 2018 for approximately $5.6 million and, as of June 2018, the agreement was valued at $6.1 million, including two change orders. From inception through October 3, 2018, total payments were $5.7 million.

Our review found that required deliverables were not always provided, and payments were made on a cost reimbursable basis as reflected on monthly invoices, which did not provide any details on the actual services provided during the month.
For example, rather than obtaining the required monthly progress reports to provide overviews of the activities of all related personnel and deliverables, CSA advised us that it relied on periodic verbal communication with the university staff to obtain information on the services performed and its progress on application development and other tasks. Some limited progress reports were provided during the audit period, but these reports were general in nature and sporadic. For example, the only status report available for the application development services covered the period from April 2014 through June 2014. Furthermore, there was no documentation to support that formal monthly monitoring meetings between the university and CSA staff were conducted, as required by the agreement.

In addition, CSA was not able to document that onsite training from the university had occurred. The agreement funded a trainer to administer training programs to CSA personnel and to expand its current training program to include an online training portfolio, and to provide regional face-to-face training throughout the year.

We also found that the university developed a new “dashboard” application to assist CSA staff in monitoring child support activity by interacting with CSES, and prompts employees to take required actions on cases. However, it was developed without establishing project specifications or related deliverables and consequently, there was a lack of formal CSA monitoring during the development of the dashboard. Although according to CSA, the “dashboard” appeared to be successfully developed, we were advised that it was developed based on a methodology that relied on verbal agreements and discussions between the various parties. In our opinion, key decisions and events in the process should be documented for the record, to prevent misunderstandings and to fix responsibility.
In addition to the lack of documentation of formal CSA monitoring of the project’s development, there was also no documentation of how the university ensured that the application included adequate measures for system security, business continuity, and disaster recovery in accordance with the State of Maryland Information Security Policy, which governs such applications.

Finally, the agreement was silent with respect to the ownership of the “dashboard” application, which was a point of dispute between CSA and the university during our audit period. While CSA entered into a new agreement with the university for a continuation of the same services, effective July 1, 2018, the ownership of the application was not resolved.

Interagency agreements are used by State agencies to obtain services from State institutions of higher education (State universities). Interagency agreements are exempt from State procurement laws, including the requirements for competitive procurement, publication of solicitations and awards, and Board of Public Works’ approval. After our fieldwork, in accordance with State law, the Department of Budget and Management began a review of this agreement to determine whether the arrangement was appropriate and whether it would be in the best interest of the State to attempt to competitively procure these services going forward.

Recommendation 5
We recommend that CSA
a. ensure that all required contract deliverables are provided before approval of payments;
b. adequately document receipt of all requirements and deliverables under the aforementioned agreement, including those for the application development function;
c. ensure that, as applicable, information technology work performed under interagency agreements complies with the State Information Security Policy; and
d. in consultation with legal counsel, resolve the dispute over ownership of the “dashboard” application.
Bank Accounts

Finding 6
Controls were inadequate over CSA’s checking account that was used to process certain refund payments, and outstanding checks were not forwarded to the Comptroller of Maryland as abandoned property when required.

Analysis
Sufficient controls were not established over disbursements from CSA’s checking account as one employee was given incompatible capabilities. The account was generally used to process refund payments to individuals or entities which did not have an account in CSES, such as to employers for misdirected wage withholdings. According to its records, CSA processed disbursements from this checking account totaling approximately $219,000 during the six-month period ending April 2017.

Specifically, one CSA employee maintained control over the blank check stock, had administrative rights over the automated system used to process the disbursements, was one of two authorized check signers (dual signatures required on checks), and was responsible for approving the monthly bank reconciliation of the account. With administrative rights, this employee could print checks and record or delete transactions. In addition, this employee was one of the two authorized signers for wire transfers from the main child support disbursement account to all of the other CSA bank accounts, including this checking account.

We also noted that 625 outstanding checks totaling $170,000 that were issued during the years between 2003 and 2014 remained uncashed for more than three years as of March 2018, but had not been voided and forwarded to the Comptroller of Maryland as abandoned property, as required by State regulations.

Recommendation 6
We recommend that CSA ensure that
a. authorized check signers do not have access to check stock or the ability to process checks on the automated system;
b. administrative rights are assigned to an employee who has no checking account responsibilities; and
c. checks that remain outstanding for longer than three years are voided and the associated funds are forwarded to the Comptroller of Maryland as abandoned property, as required.

We advised CSA on accomplishing the necessary separation of duties using existing personnel.

Audit Scope, Objectives, and Methodology

We have conducted a fiscal compliance audit of the Department of Human Services (DHS) – Child Support Administration (CSA) for the period beginning May 5, 2014 and ending July 17, 2017. The audit was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

As prescribed by the State Government Article, Section 2-1221 of the Annotated Code of Maryland, the objectives of this audit were to examine CSA’s financial transactions, records, and internal control, and to evaluate its compliance with applicable State laws, rules, and regulations.

In planning and conducting our audit, we focused on the major financial-related areas of operations based on assessments of significance and risk. The areas addressed by the audit included enforcement procedures (for example, occupational and driver’s license suspensions and wage withholding), access and controls over CSA’s Child Support Enforcement System (CSES), monitoring of local child support offices, and contracts. We also determined the status of the findings contained in our preceding audit report.

Our audit did not include various support services provided to CSA by DHS.
These support services (such as payroll, purchasing, maintenance of accounting records, and related fiscal functions) are included within the scope of our audit of DHS’ Office of the Secretary and Related Units. Our audit also did not include an evaluation of internal controls over compliance with federal laws and regulations for federal financial assistance programs and an assessment of CSA’s compliance with those laws and regulations because the State of Maryland engages an independent accounting firm to annually audit such programs administered by State agencies, including CSA.

To accomplish our audit objectives, our audit procedures included inquiries of appropriate personnel, inspections of documents and records, observations of CSA’s operations, and tests of transactions. Generally, transactions were selected for testing based on auditor judgment, which primarily considers risk. Unless otherwise specifically indicated, neither statistical nor non-statistical audit sampling was used to select the transactions tested. Therefore, the results of the tests cannot be used to project those results to the entire population from which the test items were selected.

We also performed various data extracts of pertinent information from the State’s Financial Management Information System (such as expenditure data). The extracts are performed as part of ongoing internal processes established by the Office of Legislative Audits and were subject to various tests to determine data reliability. We determined that the data extracted from this source were sufficiently reliable for the purposes the data were used during the audit. We also extracted data from CSES for the purpose of testing various enforcement efforts. We performed various tests of the relevant data and determined that the data were sufficiently reliable for the purposes the data were used during the audit.
Finally, we performed other auditing procedures that we considered necessary to achieve our audit objectives. The reliability of data used in this report for background or informational purposes was not assessed.

CSA’s management is responsible for establishing and maintaining effective internal control. Internal control is a process designed to provide reasonable assurance that objectives pertaining to the reliability of financial records; effectiveness and efficiency of operations, including safeguarding of assets; and compliance with applicable laws, rules, and regulations are achieved. Because of inherent limitations in internal control, errors or fraud may nevertheless occur and not be detected. Also, projections of any evaluation of internal control to future periods are subject to the risk that conditions may change or compliance with policies and procedures may deteriorate.

Our reports are designed to assist the Maryland General Assembly in exercising its legislative oversight function and to provide constructive recommendations for improving State operations. As a result, our reports generally do not address activities we reviewed that are functioning properly.

This report includes findings relating to conditions that we consider to be significant deficiencies in the design or operation of internal control that could adversely affect CSA’s ability to maintain reliable financial records, operate effectively and efficiently, and/or comply with applicable laws, rules, and regulations. Our report also includes findings regarding significant instances of noncompliance with applicable laws, rules, or regulations. Other less significant findings were communicated to CSA that did not warrant inclusion in this report.

The response from DHS, on behalf of CSA, to our findings and recommendations is included as an appendix to this report.
As prescribed in the State Government Article, Section 2-1224 of the Annotated Code of Maryland, we will advise DHS regarding the results of our review of its response.

APPENDIX

MARYLAND DEPARTMENT OF HUMAN SERVICES
Larry Hogan, Governor | Boyd K. Rutherford, Lt. Governor | Lourdes R. Padilla, Secretary

April 26, 2019

Mr. Gregory A. Hook
Legislative Auditor
Office of Legislative Audits
301 West Preston Street, Room 1202
Baltimore, Maryland 21201

Mr. Hook,

Please find enclosed the Department of Human Services’ (DHS) response to the draft Legislative Audit Report of the Department of Human Services Child Support Administration for the period beginning May 5, 2014 and ending July 17, 2017.

If you have any questions regarding the responses, please contact Inspector General Kevin Carson at 443-378-4060 or at kevin.carson@maryland.gov.

Sincerely,
Lourdes R. Padilla
Secretary

Enclosures:

cc: Gregory James, Deputy Secretary, Operations
Randi Walters, Deputy Secretary, Programs
David Lee, Assistant Deputy Secretary, Programs
Craig Eichler, Chief of Staff
Kevin J. Carson, Inspector General, OIG
Kevin P. Guistwite, Executive Director, CSA
Samantha Blizzard, Special Assistant, Office of the Secretary

311 W. Saratoga Street, Baltimore, MD 21201-3500 | Tel: 1-800-332-6347 | TTY: 1-800-735-2258

Driver’s License Suspension Program

Finding 1
Controls over driver’s license reinstatements were inadequate to ensure their propriety.

Recommendation 1
We recommend that CSA ensure that local offices take appropriate action, such as by requiring the use of the monthly reinstatement report, to ensure, at least on a test basis, that driver’s license reinstatements are proper and have been subject to supervisory review and approval as required.

The Department’s Response:
The Child Support Administration agrees with the finding. The Child Support Administration (CSA) agrees with the recommendation.
The CSA will schedule training beginning June 2019 for all CSA workers and supervisors to ensure adherence to the policy requiring supervisory approval prior to reinstatement of a suspended driver’s license, and documentation of this action in the Case Action Log (CAL) within the Child Support Enforcement System (CSES) or subsequent system as currently being designed by the Maryland Total Human-Services Integrated Network (MD THINK) Project.

There is no existing monthly reinstatement report, contrary to what is stated in the analysis and recommendation. The report of driver’s license reinstatements provided during the audit is not a standard monthly report and would be prohibitively expensive to produce on a monthly basis. The report provided to the auditors was a one-time, ad-hoc report developed at their request to assist in the audit.

Auditor’s Comment: CSA’s response indicates that the report of driver’s license reinstatements would be too expensive to regularly produce. However, as noted in the finding, without an automated report of all recorded reinstatements in CSES, it would not be possible to ensure that all driver’s license reinstatements were subject to the required supervisory review.

Nevertheless, the CSA Office of Internal Audit and Quality Assurance will periodically, on a test basis, monitor local office adherence to the aforementioned process and request corrective actions for non-compliance, when required. CSA will also explore the possibility of producing a reinstatement report in the future as MD THINK is developed and implemented.

Child Support Account Adjustments

Finding 2
CSA could not always provide evidence of supervisory reviews of child support account adjustments by independent personnel.

Recommendation 2
We recommend that CSA ensure that account adjustments are subject to a documented monthly review by an independent supervisor on a test basis, as required.
The Department’s Response:
The Child Support Administration agrees with the finding. The Child Support Administration (CSA) agrees with the recommendation. CSA and local office management collaborated in the development and implementation of a standard process for child support account adjustments and supervisory review at the local office level. In addition, CSA’s Office of Internal Audit and Quality Assurance will periodically, on a test basis, monitor local office adherence to the aforementioned process and request corrective actions for non-compliance, when required.

Of the $15 million in child support account adjustments processed, there were no instances of erroneous, fraudulent, or inappropriate transactions detected during the audit.

Auditor’s Comment: CSA’s response indicates that there were no instances of erroneous, fraudulent, or inappropriate transactions detected during the audit with respect to the $15 million in child support account adjustments. It is important to clarify that the propriety of all $15 million in adjustments is actually unknown, as the audit was not intended to nor did it include a review of the entire population of these adjustments. Our recommendation, if implemented, will provide necessary safeguards over the processing of adjustments to help ensure their propriety.

Child Support Enforcement System Access

Finding 3
CSA did not ensure that central and local office personnel conducted periodic reviews of employee access to CSES, as required and we noted that critical access had been unnecessarily granted to certain employees.

Recommendation 3
We recommend that CSA
a. comply with the aforementioned DHS Handbook and ensure that each employee’s access to CSES is reviewed annually and that the reviews are documented; and
b. remove any unnecessary CSES access, including those noted above.

The Department’s Response:
The Child Support Administration agrees with the finding.
a. The Child Support Administration (CSA) agrees with Recommendation A. A periodic review of access levels will be conducted and documented during annual employee performance reviews (June and December) beginning June 2019.
b. CSA agrees with Recommendation B. CSA has already adjusted access to reflect current job functions for the fifteen (15) individuals identified during the audit who had unwarranted access to specific attributes of the Child Support Enforcement System (CSES). In addition, CSA will remove any unnecessary CSES access discovered as a result of the periodic reviews.

New Hire Registry Contract Security Requirements

Finding 4
CSA did not ensure that the vendor responsible for administering the State’s new hire registry complied with the contract’s system security requirements and safeguarded sensitive personally identifiable information on Maryland workers.

Recommendation 4
We recommend that
a. CSA ensure that the vendor is properly complying with the contract’s system security requirements and, specifically, that all PII maintained on the vendor registry is adequately protected; and
b. future contracts for the new hire registry include, as appropriate, a requirement for the vendor to obtain periodic SOC 2 Type 2 reviews, and that CSA obtain and review the resulting reports to ensure that sensitive worker data maintained by the vendor is properly safeguarded.

The Department’s Response:
The Child Support Administration agrees with the finding.
a. The Child Support Administration (CSA) agrees with Recommendation A. The contract with the current new hire registry vendor will expire in September 2019, and CSA is preparing a new request for proposal (RFP) for this service. Specific measures will be implemented to protect sensitive personally identifiable information (PII) of Maryland employees.
b. CSA agrees with Recommendation B.
The new RFP will require periodic SOC 2 Type 2 reviews, and CSA will obtain and review reports to ensure that any sensitive PII maintained by the vendor is properly safeguarded.

Monitoring of Interagency Agreement

Finding 5
CSA did not properly monitor its interagency agreement with a State university for compliance with the agreement terms and did not ensure required services were provided. Payments related to the agreement totaled $5.7 million.

Recommendation 5
We recommend that CSA
a. ensure that all required contract deliverables are provided before approval of payments;
b. adequately document receipt of all requirements and deliverables under the aforementioned agreement, including those for the application development function;
c. ensure that, as applicable, information technology work performed under interagency agreements complies with the State Information Security Policy; and
d. in consultation with legal counsel, resolve the dispute over ownership of the “dashboard” application.

The Department’s Response:
The Child Support Administration agrees with the finding. It should be noted that, while monitoring and documentation of receipt of deliverables will be improved, the required services pursuant to this interagency agreement were in fact provided.
a. The Child Support Administration (CSA) agrees with Recommendation A. CSA will ensure on a monthly basis that a report on LAN activities is received prior to payment of invoices. Additionally, all periodic meetings with the State University will be documented.
b. CSA agrees with Recommendation B. CSA will continue to use an agile methodology. CSA will, however, immediately improve the documenting and monitoring of application development to ensure that requirements and deliverables are documented on a monthly basis.
c. CSA agrees with Recommendation C.
The portion of the contract involving information technology (IT) work will be integrated into the new child support system currently being developed by MD THINK, thereby ensuring the IT work is developed in compliance with State’s Information Security Policy.
d. CSA agrees with Recommendation D. The agreement between CSA and the university which covers the “dashboard” is silent with regards to ownership. CSA will continue to work with the Office of the Attorney General (OAG) and the university attorneys to resolve the dispute over ownership.

Bank Accounts

Finding 6
Controls were inadequate over CSA’s checking account that was used to process certain refund payments, and outstanding checks were not forwarded to the Comptroller of Maryland as abandoned property when required.

Recommendation 6
We recommend that CSA ensure that
a. authorized check signers do not have access to check stock or the ability to process checks on the automated system;
b. administrative rights are assigned to an employee who has no checking account responsibilities; and
c. checks that remain outstanding for longer than three years are voided and the associated funds are forwarded to the Comptroller of Maryland as abandoned property, as required.

We advised CSA on accomplishing the necessary separation of duties using existing personnel.

The Department’s Response:
The Child Support Administration agrees with the finding.
a. The Child Support Administration (CSA) agrees with Recommendation A. CSA ensured that adequate separation of duties was completed during the beginning of the audit in Fall 2017 to mitigate the risk of fraud or misappropriation of assets. Additionally, dual signatures are required for all disbursements and all source documentation is reviewed and approved by CSA’s senior management.
b. CSA agrees with Recommendation B.
To strengthen the controls and further mitigate the risk of fraud or misappropriation of assets, the individual with administrative privileges is not a signatory relative to the bank account.
c. CSA agrees with Recommendation C. Regarding the outstanding checks, since the aforementioned checks are outside of the annual automated abandoned property process, CSA is in the process of the development and implementation of a manual process to be completed by or before October 2019. This process will ensure outstanding checks are forwarded to the Comptroller of Maryland as abandoned property when required.

AUDIT TEAM

Bekana Edossa, CPA, CFE
Audit Manager

Menachem Katz, CPA
Senior Auditor

Dianne P. Ramirez
Gary B. Staples
Staff Auditors