Maricopa County, Arizona
Do the Right Things Right!
Internal Audit Performance Report
Fiscal Year 2010

From the County Auditor’s Desk—Fiscal Year 2010

To: Don Stapley, Chairman, Board of Supervisors
Fulton Brock, Supervisor, District I
Andrew Kunasek, Supervisor, District III
Max W. Wilson, Supervisor, District IV
Mary Rose Wilcox, Supervisor, District V
From: Ross L. Tate, County Auditor
Date: October 28, 2010

Fiscal Year (FY) 2010 was a period of high productivity, major achievement, and significant challenge for Internal Audit. We appreciate the Board of Supervisors, the Citizen’s Audit Advisory Committee, and County administration for their strong continued support of the County’s audit function.

Significant Work in Fiscal Year 2010

In FY10, we published 24 audit reports including 221 recommendations. The following reports represent a significant part of our FY10 efforts. For a complete summary of our work, see Project Summaries (Appendix C, page 28) and Other Projects (Appendix D, page 36).

- Vehicle Usage—Controls over County Vehicles and Related Areas
- County Assessor’s Office—Controls for Capturing and Valuing Properties
- Network Security—IT Wireless Network Controls
- County Attorney’s Office—Controls over Payroll Time and Attendance
- County Financial System—Controls over Security, Accuracy, and Reliability

Internal Audit is a Good Investment

Internal Audit provides assistance by identifying weak controls, cost savings, and hard dollar recoveries, while reducing various types of risks. For example, in November 2009, Maricopa County received a check in the amount of $190,581 from Cox Communications for unpaid franchise fees. The payment was made after we determined that Cox underreported gross revenues by an estimated $3.8 million during calendar years 2005 - 2008.

FY10 audit work would have cost the County more than twice as much if external auditors had been used instead of Internal Audit staff.
The average hourly rate for an external auditor was $157 versus $71 for Internal Audit. See page 13 for details.

Ten Year Perspective (FY01—FY10)

$23 Million in Savings
Over the past 10 years, we have reported $23 million in actual recoveries and identified savings. Our costs during this period totaled $16 million, for a net savings of $7 million. An additional $50 million in potential savings was identified, as shown in the graph. See page 13.

3,361 Recommendations
We issued 3,361 recommendations over the past 10 years and County management concurred with 98%. Management implemented 2,389 of these recommendations. See page 14.

Internal Audit Won 26 Awards
From 2001 to 2010, we received 26 awards from 7 professional organizations. See page 5.

Internal Audit (IA) Satisfaction Hits New High 3 Years Straight
We provide outstanding services and foster an atmosphere of excellence for our staff.
- IA received the highest employee satisfaction scores of the 50 County departments surveyed by the Office of Research and Reporting in FY08, FY09, and FY10
- IA consistently received high satisfaction survey ratings from the Board of Supervisors, Citizen’s Audit Advisory Committee, and County management
- IA consistently received high satisfaction ratings from County leadership on surveys administered by the Office of Research and Reporting

Internal Audit Passes Last Four External Reviews
We passed the last four independent peer reviews with no exceptions (2000, 2003, 2006, 2009).

Internal Audit Staff Assume Leadership Roles
Staff members actively participate in a variety of professional and service organizations and hold 13 leadership positions. See Professional Development (Appendix B, page 27).
Internal Audit’s Mission
To provide objective information on the County’s system of internal controls to the Board of Supervisors so they can make informed decisions and protect the interests of County citizens

Internal Audit’s Vision
To promote the effective, efficient, economical, and ethical use of public resources

To learn more about Internal Audit, see the Internal Audit Charter (Appendix H, page 41) and the Internal Audit Profile (Appendix I, page 43)

Table of Contents

Contents | Page
Independence | 1
Audit Committee | 2
Awards | 5
Published Articles | 8
Performance Results | 9
  Recoveries, Savings, & Cost Avoidance | 11
  Internal Audit—A Good Investment | 13
  Audit Recommendations | 14
  Customer Feedback | 15
  Budget & Benchmarks | 16
IT Audit Services | 17
Countywide Audits | 17
Internal Control Videos | 18
Speaking Engagements | 19
Appendices:
  A. Organizational Chart & Staff Biographies | 21
  B. Professional Development | 26
  C. Project Summaries | 28
  D. Other Projects | 36
  E. Audit Impact | 37
  F. Audit Committee Biographies | 38
  G. Audit Committee Charter | 39
  H. Internal Audit Charter | 41
  I. Internal Audit Profile | 43

Independence

The Maricopa County Internal Audit Department is effectively organized, reporting directly to the Board of Supervisors, with an advisory reporting relationship to a Citizen’s Audit Advisory Committee.

Board of Supervisors
- Fulton Brock, District I
- Don Stapley, District II (Chairman)
- Andrew Kunasek, District III
- Max W. Wilson, District IV
- Mary Rose Wilcox, District V

Citizen’s Audit Advisory Committee

County Management: David Smith, County Manager
Internal Audit: Ross Tate, County Auditor

The Citizen’s Audit Advisory Committee’s primary function is to assist the Board of Supervisors in fulfilling its oversight responsibilities. The Committee accomplishes this function by reviewing the County’s financial information, the established systems of internal controls, and the audit process. See Audit Committee Biographies (Appendix F, page 38) and Audit Committee Charter (Appendix G, page 39).
Citizen’s Audit Advisory Committee
- Ralph Lamoreaux, District I
- Shelby Scharbach, Maricopa County Chief Financial Officer
- Janet Secor, District II (Chairperson)
- Matthew Breecher, District III
- David Benton, Maricopa County General Litigation
- Ryan Brownsberger, District IV
- Ross Tate, Maricopa County Auditor
- Richard Lozar, District V
- Jay Zsorey, Office of the Auditor General

Longest Serving Member
After a long illness, Richard Lozar passed away on November 20, 2009. He was on the committee for 12.5 years, which makes him the longest serving audit committee member. In 2008, Board of Supervisors member Mary Rose Wilcox presented Mr. Lozar an appreciation plaque for his many years of service to Maricopa County.

Awards

GFOA Award for Outstanding Achievement in Popular Annual Financial Reporting

The Government Finance Officers Association (GFOA) presented Internal Audit with the Award for Outstanding Achievement in Popular Annual Financial Reporting. This is a prestigious national award recognizing conformance with the highest standards for the preparation of state and local government popular reports.

In order to receive this award, a government unit must publish a Popular Annual Financial Report. The report must conform to program standards of creativity, presentation, understandability, and reader appeal. Internal Audit received the award for its Citizens’ Financial Condition Report for FY09.

GFOA is a professional association of state/provincial and local finance officers in the United States and Canada, and has served the public finance profession since 1906. We have produced the Citizens’ Financial Condition Report annually since FY98.
The audit team: Kimmie Wong, Eve Murillo, Ross Tate, Stella Fusaro, Scott Jarrett

Chairman Don Stapley, Maricopa County Board of Supervisors, joins Internal Audit to celebrate the GFOA Award for Outstanding Achievement In Popular Annual Financial Reporting

2010 NACo Achievement Award
Tech Tips Training Program

Internal Audit received the 2010 Achievement Award from the National Association of Counties (NACo) for our Tech Tips Training Program. We developed this technology training program to improve the transfer of knowledge internally and externally, and to provide a low cost alternative for limited training budgets. The Tech Tips program attracted 18 to 26 attendees per session, including Internal Audit staff and employees from other County agencies and local audit shops. A variety of topics were covered:

October 2009
- Image Editing
- Excel Pivot Table Basics
- ACL Benford’s Analysis

December 2009
- Custom Google Maps
- Excel VLOOKUP Function
- Archiving and Retrieving Web Pages
- Secure Teleworking

January 2010
- Excel: Converting Text to Columns, Merging Data, and Converting Time to a Number
- Web Conferencing with DimDim
- Excel: If, Then Statements & Formula Auditing

April 2010
- Intro to ACL: Creating a Project and Basic Uses
- Basic Data Imports from Excel, Access, ODBC, and Other Sources
- Advanced Data Imports from PDF and Other Sources
- Linking Data Sets, Built In Functions, Export Data

Nic Harrison and Scott Jarrett lead a Tech Tips training class

Chairman Don Stapley, Maricopa County Board of Supervisors, joins Internal Audit to celebrate the NACo Award

Awards

National Association of Counties Association of Local Government Auditors 2010 Achievement Award Tech Tips Training Program 2008 Best Audit Report Knighton Bronze Award Air Quality Audit 2009 Best of Category Award 2009 Achievement Award Internal Controls Video Program 2008 Website Gold Award Internal Audit Website 2006 Achievement Award Internet Usage Risk Management 2005 Achievement Award Jurors Helping Jurors The
Juror Improvement Fund 2007 Best Audit Report Knighton Gold Award Environmental Services Audit 2004 Achievement Award Performance Reporting for Citizens 2003 Honorable Mention Knighton Award Countywide Fixed Assets 2004 Achievement Award Continuous Monitoring 2002 Achievement Award Performance Measure Certification 2002 Special Project Award Performance Measure Certification 2001 Achievement Award Financial Condition Report 2001 Special Project Award Financial Condition Report 2001 Achievement Award “Got Controls” Management Bulletin 2000 Special Project Award Cash Handling Workshop 2000 Achievement Award Cash Handling Workshop The Institute of Internal Auditors 2006 Recognition of Commitment Professional Excellence, Professional Quality, Professional Outreach 2002 Commitment to Quality Improvement Award Professional Excellence, Quality of Service, Professional Outreach Association of Government Accountants Government Finance Officers Association 2006 Certificate of Excellence Service Efforts and Accomplishments 2010 Award for Outstanding Achievement in Popular Annual Financial Reporting Citizens’ Financial Condition Report 2004 Certificate of Recognition Service Efforts & Accomplishments Program Charter Participant 2002 Award of Excellence Performance Measure Certification 2003 Distinguished Local Government Leadership Award Ross Tate, County Auditor Awards for Publication Excellence National Center for Civic Innovation 2007 Award of Excellence Annual Performance Report 2007 Trailblazer Award Government Performance Reporting Demonstration Grant Program Service Efforts & Accomplishments 2004 Award of Excellence Financial Condition Report

Articles Featured in National Publications
- Local Government Auditing Quarterly (Spring 2010): Monitoring Internet Usage by Ross Tate & Lisa Scott
- Local Government Auditing Quarterly (Summer 2009): Public Safety Snapshots by Ross Tate & Derek Barber
- Local Government Auditing Quarterly (Summer 2008): Promoting Audit Shop Creativity by Ross Tate
- Government West (Nov/Dec 2003): Ensuring the Accuracy of Performance Measures by Ross Tate
- Government Finance Review (Published by GFOA, Feb 2003): Performance Measure Certification in Maricopa County by Ross Tate

Don Stapley, 2010 Chairman, joins Internal Audit to celebrate the NACo Award and GFOA Award
Max Wilson, 2009 Chairman, joins Internal Audit to celebrate the NACo Awards and the ALGA Knighton Bronze Award
Andrew Kunasek, 2008 Chairman, joins Internal Audit to celebrate the ALGA Knighton Gold Award and the ALGA Website Award
Fulton Brock, 2007 Chairman, joins Internal Audit to celebrate the NCIC and APEX Awards
Don Stapley, 2006 Chairman, joins Internal Audit to celebrate the NACo, AGA, and IIA Awards
Max Wilson, 2005 Chairman, joins Internal Audit to celebrate the NACo Award
Andrew Kunasek, 2004 Chairman, joins Internal Audit to celebrate the NACo, ALGA, APEX, and AGA Awards

Published Articles

Spring 2010 Local Government Auditors Quarterly
Monitoring Internet Usage

County Auditor Ross Tate and Associate IT Auditor Lisa Scott teamed up to write an article for the Association of Local Government Auditors’ journal, Local Government Auditing Quarterly. The article, “Monitoring Internet Usage,” reflects on how personal Internet use during working hours can significantly impact productivity. Because of this significance, Internal Audit monitors County Internet usage each year.

Performance Results

Primary Strategic Goals

Internal Audit’s goals are designed with the Board of Supervisors (Board) in mind. Internal Audit provides information so the Board can make informed decisions on the issues they deem most important and provide fiscally responsible public services to citizens.

Customer Satisfaction
Our goal is to maintain at least a 95% customer satisfaction rating from our primary customers: the Board, Chiefs of Staff, and Audit Committee members.
Based on survey comments, we reinstituted publication of a Highlights page for larger reports and increased efforts to look for cost avoidance and dollar recoveries.

Audit Plan Completion
We develop the annual audit plan through a formal risk assessment process, with input from the Board and County management. We strive to complete at least 95% of the Board-approved Audit Plan and report this information to the Board by September 30 after fiscal year-end.

Recommendations Implemented
Recommendations are an important part of our audits, as this is where change and improvement often begin. Our goal is to facilitate implementing 95% of the audit recommendations within 3 years of being reported. The decrease to 90% is due to a number of FY07 recommendations that are still in process at several County agencies.

Secondary Operational Goals

Productivity
Our goal is to maintain a 75% productivity rate, which is an industry average. Productive time is considered any time spent working directly on audits. Other time, such as staff meetings, training, personal time off, and holidays, is not considered productive time.

Secondary Customer Satisfaction
With each audit deliverable, we send satisfaction surveys to the County Manager, Deputy County Manager, Assistant County Managers, and Department Directors. Based on scores, comments, and interaction, we are able to validate that our secondary customers believe we are doing a very good job and that we are exceeding expectations.

County Leadership Satisfaction
Department Directors participate in an annual County satisfaction survey. Although they are not our primary customers, we continue to monitor their feedback and implement improvements. Overall, the surveys indicate County leadership believes we are doing a very good job.
Internal Staff Satisfaction
For the third year in a row, Internal Audit staff had the highest employee satisfaction rate among all County departments, based on survey results by the Office of Research and Reporting.

Recoveries, Savings, & Cost Avoidance

Potential Dollar Recoveries & Identified Savings

The following table lists FY10 audits with a quantifiable economic impact, including actual and identified increases in revenues, cost recoveries, and other savings. The table on the opposite page lists potential savings and cost avoidance that could be realized, although the dollar impact is more difficult to measure. For additional information on projects that have yielded benefits over time, see Audit Impact (Appendix E, page 37).

Audit | Impact | Description
Assessor | $527,194 | Increased revenue from parcels that were incorrectly classified and rental registration fees that were uncollected.
Vehicle Usage | $294,480 | Ten agencies could save $292,000 by expanding the fleet versus reimbursing employees for mileage. In addition, the County could save $2,480 in fuel costs if County fuel stations are used instead of commercial stations.
Justice Court Minimum Accounting Standards | $37,440 | Cost savings attained by not using outside consultants for this mandated review (dollars reflect the variance between internal and external costs).
Adult Probation Minimum Accounting Standards | $24,492 | Cost savings attained by not using outside consultants for this mandated review (dollars reflect the variance between internal and external costs).
Single Audit Review | $13,250 | Cost savings attained by not using outside consultants for this mandated review (dollars reflect the variance between internal and external costs).
Contract: Election Ballots | $6,875 | Overpayment of sales tax (net of $1,301 underpayment of separate invoice line item)
Total Identified Savings: | $903,731 |

Other Potential Savings/Cost Avoidance

Our audit work is not always measurable and may not result in quantifiable dollar recoveries or cost savings. Many times, audit recommendations result in unquantified efficiencies that improve service delivery or program quality. In other cases, audit recommendations result in a quantifiable cost avoidance. For example, our annual review of Internet usage is believed to increase employee productivity. When employees and management are aware that Internet usage is being monitored, inappropriate usage is expected to decline. This cost avoidance can be quantified by a few calculations using average hourly pay and number of Internet users as its basis. FY10 audits with a quantifiable cost avoidance appear below.

Audit | Impact | Description
IT Contracts & Agreements | $4,000,000 | Compliance reviews could result in cost avoidance for penalties and other charges at various County agencies.
Continuous Monitoring: Internet Usage | $3,013,564 | The County could save an estimated $3 million in personnel costs annually by reducing non-productive Internet use by 5 minutes a day. Non-productive use is defined as personal use believed to be conducted on “company” time. Internal Audit conducts recurring, unannounced monitoring of Internet use. This type of monitoring decreases the amount of non-productive Internet usage in organizations.
County Financial System (Advantage) | $451,647 | If a data breach occurred, the County could incur notification and investigation costs required by Arizona Revised Statutes.
Total Cost Avoidance: | $7,465,211 |

Internal Audit—A Good Investment

Our Cost vs. the Cost to Outsource the Audit Function
FY10 audit work would have cost the County more than twice as much if external auditors had been used instead of Internal Audit staff. The average hourly rate for an external auditor was $157 vs. $71 for Internal Audit. One indicator of Internal Audit efficiency is the evaluation of whether or not it is more cost effective to provide the County function in-house or contract it to external consultants.

Our Cost vs. Cost Savings to the County
Over the past 10 years, Internal Audit produced $23 million in savings (and $50 million in potential savings/cost avoidance) to the County. During the same period, our costs (including cosourcing dollars) totaled $16 million, resulting in a net savings of $7 million to the County. Our savings averaged $2.3 million per year compared with average annual resources of approximately $1.6 million.

Internal Audit identifies potential savings to the County by detecting weak controls that can lead to waste and abuse and by deterring fraud. A well run internal audit function is an investment that benefits County management and citizens.

Internal Audit is a Good Investment

Audit Recommendations

Internal Audit provides independent analysis and assurance that operations are efficient, economical, and effective. We track implementation of audit report recommendations that identify efficiency gains, provide economical guidance, improve operational effectiveness, and ensure controls are in place to prevent fraud, waste, and abuse.

Internal Audit Issued 3,361 Recommendations in 10 Years
During the past 10 years, we made 3,361 recommendations of which 3,308 (98%) were agreed to by the audited departments. To date, 2,389 (76%) of these recommendations have been implemented, as shown below. We allow up to 3 years for a recommendation to be implemented.
Ten Years of Audit Recommendations and Implementations

Fiscal Year | # of Recommendations | Agreed (#) | Agreed (%) | Implemented ** (#) | Implemented ** (%)
FY01 | 388 | 383 | 99% | 382 | 98%
FY02 | 205 | 200 | 98% | 194 | 97%
FY03 | 755 | 750 | 99% | 720 | 97%
FY04 | 108 | 108 | 100% | 101 | 100%
FY05 | 130 | 125 | 96% | 98 | 94% *
FY06 | 365 | 361 | 99% | 344 | 99% *
FY07 | 184 | 174 | 95% | 129 | 71% *
FY08 | 169 | 168 | 99% | 138 | 84% *
FY09 | 836 | 820 | 98% | 244 | 34% *
FY10 | 221 | 219 | 99% | 39 | 18% *
FY01—FY10 | 3,361 | 3,308 | 98% | 2,389 | 76%

* Recommendations are in the process of being implemented
** Implementation percentages are based upon 3,153 recommendations, which is the total of all recommendations less recommendations that could not be implemented

Customer Feedback

During FY10, our customers told us ...

“Ross, to you and your audit team: Thanks for your hard work. This is an excellent report.”

“You and the Department really seem to strive for excellent customer service despite the difficult position you must often times be in. We appreciate your professionalism.”

“The report is well written and very professional. We enjoyed working with your team during the audit process.”

“We always appreciate working with your office.”

“Without this input I would have no knowledge that this type of activity was taking place.”

“The audit staff is very professional and was easy to work with during the audit.”

“We see Internal Audit as a resource.”

“We appreciate your recent audit and report. We will promptly implement your recommendations. We appreciate your professionalism in conducting audits and providing us with ways we can improve.”

“Excellent report. Thank you.”

“Excellent audit team.”

“The auditor was professional, friendly, and intelligent. It was a pleasure to work with him on this audit.”

“We have a good working relationship with the audit team and consider them to be an integral part of how we achieve success. Without proper auditing, we cannot guarantee that we are performing our work with fiscal and managerial responsibility.”

“The audit results were insightful and helpful. Through this process we are able to improve our measures to obtain more meaningful results.”

“I want to take this opportunity to thank you and your colleagues on behalf of our entire team for your assistance. Your prompt responses to all of our questions and your organization of our meetings with your colleagues was invaluable in helping our team get our work done in Arizona. It seemed as if you were able to anticipate what we needed and had the right people with the answers ready when we asked the questions. Again, thank you and I hope to have the opportunity to work with you and Maricopa County in the future.” (GAO regarding federal stimulus funds)

Budget & Benchmarks

Internal Audit Budget
Maricopa County’s Internal Audit costs are below average compared with other benchmark counties. Maricopa and a few other counties include co-sourcing dollars in their budgets.

County Population
The following chart reflects total population for Maricopa County and five benchmark counties.

IT Audit Services

Information Technology (IT) is an integral part of County operations and Managing for Results efforts. The proliferation of IT applications, data, networks, and the web creates the need for knowledgeable and experienced IT auditors. Acknowledging the County’s ever increasing reliance on IT, Internal Audit provides the following services:

- Continuous Auditing - National Association of Counties Achievement Award (2006)
- IT General Controls (ITGC) Assessments
- Applications Controls Assessments
- Network Security Assessments
- System Development Assessments
- IT Governance

Countywide Audits

Countywide audits allow for broader coverage with fewer resources. Countywide audits focus on selected areas (e.g., contracts, network security, etc.) and/or transactions (e.g., cash handling, Pcards, expenditures, travel, etc.) that cross agency boundaries. A summary of FY10 Countywide audit coverage is reflected below.
FY10 Countywide Audit Coverage
- Network Security
- Continuous Auditing
- County Financial System
- Performance Measures
- Surprise Cash Counts
- Single Audit
- Internet Usage
- Procurement Cards
- Contracts & Agreements
- Vehicle Usage

Presentations / Speaking Engagements

Internal Control Videos

Internal Audit developed the Internal Control Video Program to provide inexpensive and entertaining films to increase awareness of common ethical and internal controls issues.

- Contract Compliance: Outlines the proper way to handle contract purchases
- Cash Handling: Highlights common cash control weaknesses and how to fix them
- Basic IT Controls: Outlines basic information technology controls that every employee should know and practice
- Ethics: Highlights common ethical dilemmas, including the right and wrong ways to handle them

Some of the comments we received were:

“I was very impressed with the videos!!” — Kern County, CA

“You guys always have tons of information and I love the videos!” — City of Bowling Green, KY

“Great job, nicely done, very helpful.” — City of Garland, TX

“The 'Control videos' were published today on Kern County’s (CA) compliance website. We also placed a link to your web page and provided acknowledgment of your team's great, award winning work!!” — Kern County, CA

“IA gets a gold star for some of those hilarious videos, especially the Ethics.” — Maricopa County

“You guys rock! Can I use these for my internal training? I think you’ve all missed your calling in life—head to Hollywood! Thanks for sharing.” — City of Reno, NV

“I like your videos. Would you mind if I used them as training resources for our staff here? We are a government agency that provides housing and related services for people in need.” — NSW, Australia

Look for our videos at: www.maricopa.gov/internal_audit and on

Speaking Engagements

ALGA Conference
The Association of Local Government Auditors (ALGA) invited Ross Tate, County Auditor, and Ryan Bodnar, Associate Auditor, to San Antonio to present “Audit 2.0—Using Technology to Educate, Inform and Observe.” Their presentation received the highest satisfaction ratings—a 6.69 on a scale of 1 to 7.

ILEAA Conference
The International Law Enforcement Auditors Association (ILEAA) invited Richard Chard, Deputy County Auditor, to San Diego to present on Performance Measures Certification.

COBIT Workshops
Patra Carroll, Audit Supervisor, and Susan Adams, Senior IT Auditor, presented two Control Objectives for Information and Related Technology (COBIT) workshops for the Office of Enterprise Technology’s executive team and management team. COBIT is a set of best practices that assists managers, auditors, and IT users in maximizing the benefits derived through the use of IT.

ACL Training
Lisa Scott, Associate IT Auditor, presented on Audit Command Language (ACL) topics at the ACL users monthly meeting.

Auditor Training
Lisa Scott presented tips and tools available using ACL at the Local Government Audit Training program sponsored by the cities of Phoenix and Scottsdale.

Combined Charitable Campaign
Jannah Oglesbee, Associate Auditor, presented Internal Audit’s initiatives to raise money for United Way at the Mid-Campaign Pep Rally.

Internal Audit Annual Retreat
Internal Audit put on the best retreat ever this year! The day was filled with creative and enlightening presentations by staff members.
- Using Geographic Information Systems (GIS)—Kimmie Wong
- War Driving and GIS—Nic Harrison
- Data Visualization—Lisa Scott, Patra Carroll
- Something Cheesy: Who Moved My Cheese—Jannah Oglesbee, Wendy Thiele
- Public Corruption—Derek Barber, Ryan Bodnar, Scott Jarrett

Internal Audit Tech Tips Training Program
Tech Tips sessions were presented by Ryan Bodnar, Derek Barber, Scott Jarrett, Nic Harrison, Lisa Scott, Jannah Oglesbee, and Patra Carroll. See page 4 for more details.

Task Force / Work Groups

GASB Task Force
Eve Murillo, Deputy County Auditor, was one of 17 professionals to be appointed by the Chairman of the Governmental Accounting Standards Board (GASB) to the Economic Condition Reporting—Fiscal Sustainability Task Force. GASB is an independent, not-for-profit organization formed in 1984 to establish and improve financial accounting and reporting standards for state and local governments.

AGA Fraud Prevention Work Group
Eve Murillo was also invited to participate with 15 others on the Association of Government Accountants’ (AGA) Fraud Prevention Tool Kit Work Group. Federal, state, and local professionals from across the nation come together to work on fraud prevention.

American Recovery and Reinvestment Act (ARRA) Work Group
The American Recovery and Reinvestment Act of 2009 (Act) was enacted in February 2009 to stimulate recovery in response to the most severe economic crisis since the Great Depression. The $787 billion Act cuts federal taxes, increases unemployment benefits, and provides spending for education, health care, and infrastructure improvements. (For more information on the Act see www.recovery.gov.)

In October 2009, Internal Audit was asked to participate in U.S. Government Accountability Office (GAO) Congressional Report meetings to discuss the County’s efforts in monitoring ARRA funds and related topics.
In addition to GAO and Internal Audit, the group included senior managers from the County Manager’s Office, Office of Management and Budget, and Department of Finance. GAO was very pleased with the work of the group and stated that our presentations were the best they have received during their review of ARRA spending in the West; they wish they could have published more about the good work we have done with our ARRA funds. Total ARRA grant awards as of June 2010 are shown to the right.

Appendix A: Organizational Chart & Staff Biographies

FY10 Internal Audit Department Organizational Chart

Board of Supervisors
Citizen’s Audit Advisory Committee
- Wendy Thiele, Administrative Operations Specialist
- Ross Tate, County Auditor
- Eve Murillo, Deputy County Auditor
- Richard Chard, Deputy County Auditor
- Patra Carroll, Audit Supervisor
- Stella Fusaro, Audit Supervisor
- Christina Black, Audit Supervisor
- Carla Harris, Audit Supervisor
- Susan Adams, Senior IT Auditor
- Kimmie Wong, Senior Auditor
- Ronda Jamieson, Associate Auditor
- Derek Barber, Associate Auditor
- Nic Harrison, Senior IT Auditor
- Scott Jarrett, Associate Auditor
- Ryan Bodnar, Associate Auditor
- Jenny Eng, Associate Auditor
- Lisa Scott, Associate IT Auditor
- Jannah Oglesbee, Associate Auditor

Ross L. Tate, County Auditor
Mr. Tate is a Certified Internal Auditor, Certified Management Accountant, and Certified Government Financial Manager. He has a bachelor’s degree from Brigham Young University in business operations & systems analysis, with 23 years of professional internal auditing experience. Mr. Tate joined the Maricopa County Internal Audit Department in 1989 and has been County Auditor since 1994. He is currently serving as President-Elect of the Association of Local Government Auditors, an international audit organization.

D. Eve Murillo, Deputy County Auditor
Ms. Murillo is a Certified Public Accountant, Certified Fraud Examiner, Certified Information Technology Professional, and is certified in ITIL v3 Foundation and ISO/IEC 20000.
She has a bachelor's degree from the University of Illinois, a master’s degree from the Florida Institute of Technology, and 20 years of accounting and auditing experience. She is a member of AICPA, Association of Certified Fraud Examiners, Institute of Internal Auditors, and is a committee chair for the Information Systems Audit and Control Association.

Richard L. Chard, Deputy County Auditor
Mr. Chard is a Certified Public Accountant. He graduated from the University of Redlands with a degree in history, sociology, and political science, with postgraduate work in accounting and public administration. Mr. Chard worked as a financial auditor for CPA firms in Los Angeles and Phoenix before joining the Maricopa County Department of Finance in 1991. For the past 14 years, he has enjoyed working for the County Auditor. Mr. Chard is a long-standing and active member of Toastmasters International.

Patra E. Carroll, Audit Supervisor
Ms. Carroll is a Certified Public Accountant, Certified Internal Auditor, Certified Information Technology Professional, and Certified Law Enforcement Auditor with 17 years of public sector performance and IT auditing experience. She is ITIL v3 Foundation/IT Service Management and ISO 20000 Foundation certified. She has a bachelor's degree from Arizona State University. Ms. Carroll serves on the Association of Local Government Auditors Advocacy Committee and the local ISACA Academic Relations Committee.

Carla Harris, Audit Supervisor
Ms. Harris is a Certified Public Accountant, Certified Internal Auditor, and Certified Fraud Examiner. She has a bachelor’s degree in business administration, with nearly 20 years of experience in internal auditing and accounting.
She is a former board member and training director for the Arizona Chapter of the Association of Certified Fraud Examiners, and a member of the National Chapter of the Association of Certified Fraud Examiners, the Institute of Internal Auditors, and the Association of Government Accountants.

Christina Black, Audit Supervisor
Ms. Black is a Certified Government Auditing Professional and Certified Law Enforcement Auditor with over 14 years of professional internal audit experience and 10 years of accounting and revenue auditing experience. She has a bachelor's degree in accounting from Missouri Western State College. Ms. Black is a member of the Arizona Chapter of the Association of Certified Fraud Examiners, Association of Local Government Auditors, and the Institute of Internal Auditors—Phoenix Chapter, where she serves as Secretary.

Stella J. Fusaro, Audit Supervisor
Ms. Fusaro is a Certified Internal Auditor, Certified Government Auditing Professional, and Certified Law Enforcement Auditor with over 19 years of auditing experience. She has a bachelor’s degree in business administration with an accounting concentration from California State University, Fullerton. Ms. Fusaro is a member of the Institute of Internal Auditors, the Association of Certified Fraud Examiners, the Association of Local Government Auditors, and Toastmasters International.

Susan Adams, Senior Information Technology Auditor
Ms. Adams is a Certified Information Systems Auditor and a Certified Law Enforcement Auditor. She has a bachelor's degree in accounting from Utah State University and a master’s of business administration from the University of Utah. She has 17 years of professional audit/accounting experience, with 11 years as an information systems auditor. Ms. Adams serves on the ISACA Phoenix Chapter’s Academic Relations committee and is a member of the Association of Local Government Auditors and the Institute of Internal Auditors.
Nic Harrison, Senior Information Technology Auditor
Mr. Harrison is a Certified Information Systems Auditor and holds a bachelor’s degree in business administration from the University of Arizona, with majors in management information systems and operations management. He is currently pursuing a master’s of business administration, with an emphasis in information systems. He has four years of experience with military IT systems compliance and four years of IT audit experience. Mr. Harrison is a member of ISACA, where he serves as a volunteer on the Academic Relations Committee.

Kimmie Wong, Senior Auditor
Ms. Wong is a Certified Law Enforcement Auditor. She has a bachelor's degree in business administrative services from Arizona State University and a master’s degree in public administration from Western International University. She has 12 years of business experience and 14 years of professional internal auditing experience. Ms. Wong is a member of the Association of Local Government Auditors, Association of Certified Fraud Examiners, Institute of Internal Auditors, and International Law Enforcement Auditors Association.

Lisa Scott, Associate Information Technology Auditor
Ms. Scott is a Certified Information Systems Auditor, Certified ACL Data Analyst, and a Certified Law Enforcement Auditor. She has a bachelor’s degree in computer science from Jacksonville State University and a post-baccalaureate certificate in accountancy from Arizona State University. Ms. Scott is a member of the Association of Local Government Auditors, Institute of Internal Auditors, Association of Certified Fraud Examiners, Information Systems Audit and Control Association, and International Law Enforcement Auditors’ Association.

Ronda Jamieson, Associate Auditor
Ms. Jamieson is a Certified Public Accountant and Certified Law Enforcement Auditor. She has a bachelor’s degree in accounting from Rocky Mountain College, Montana.
She has nine years of governmental auditing and eight years of general ledger experience. Ms. Jamieson is a member of the Institute of Internal Auditors, Arizona Society of Certified Public Accountants, Association of Certified Fraud Examiners, and the International Law Enforcement Auditors Association. She is also active in Toastmasters International.

Scott Jarrett, Associate Auditor
Mr. Jarrett is a Certified Internal Auditor, Certified Government Auditing Professional, and a Certified Law Enforcement Auditor. He graduated from Arizona State University West with a bachelor’s degree in accountancy. He served four years in the United States Coast Guard and has four years of professional auditing experience. Mr. Jarrett is a member of the Institute of Internal Auditors and participates on the Academic Relations Committee for the Information Systems Audit Control Association.

Derek A. Barber, Associate Auditor
Mr. Barber is a Certified Internal Auditor, Certified Government Auditing Professional, and a Certified Law Enforcement Auditor. He has a bachelor's degree in accounting from the University of Phoenix and a master’s degree with an emphasis in accounting through Grand Canyon University. He has over three years of experience in educational finance, bookkeeping, and auditing. Mr. Barber served in the United States Navy as a Military Police Officer in Sicily, Italy.

Ryan M. Bodnar, Associate Auditor
Mr. Bodnar is a Certified Internal Auditor and Certified Government Auditing Professional. He has a bachelor’s of science degree in accountancy from Arizona State University. He is a member of the Institute of Internal Auditors, the Association of Local Government Auditors, and the Arizona Chapter of the Association of Certified Fraud Examiners, where he is the Chapter’s webmaster. Mr. Bodnar joined Maricopa County Internal Audit Department in 2006 after six years in retail management.

Jenny M. Eng, Associate Auditor
Ms. Eng started as an Internal Audit intern in May of 2007 and became a staff auditor in October 2007. She has a bachelor’s degree in accountancy and computer information systems from the W. P. Carey School of Business at Arizona State University. Ms. Eng is a member of the Institute of Internal Auditors and the Arizona Chapter of the Association of Certified Fraud Examiners. She is currently working towards the Certified Internal Auditor and Certified Government Auditing Professional certifications.

Jannah Oglesbee, Associate Auditor
Ms. Oglesbee joined Internal Audit in July 2008. She is a Certified Internal Auditor, Certified Law Enforcement Auditor, and has a bachelor of business administration degree in marketing. She has over five years of experience in examining and auditing financial institutions and governments. She has served in the United States Army for over eight years, and is currently in the Army National Guard. Ms. Oglesbee is a member of the Institute of Internal Auditors and the Arizona Chapter of the Association of Certified Fraud Examiners.

Wendy Thiele, Administrative Operations Specialist
Ms. Thiele joined Internal Audit in December 2006. Prior to relocating to Phoenix, she performed medical chart audits for a major healthcare system in Milwaukee, WI. She has 13 years of experience in internal auditing. She also has experience in human resources and home health care within a hospital setting. Ms. Thiele is a member of the Arizona Chapter of the Association of Certified Fraud Examiners and has attended numerous auditing conferences and seminars, which have contributed to her overall knowledge of the audit process.

Appendix B: Professional Development

Internal Audit staff members have extensive knowledge of auditing methods and techniques, and specialized training in information systems and accounting. Many hold advanced professional certifications and graduate degrees, as shown on the right.
The total number of professional certifications held by our staff has increased nearly 14%, from 44 in FY09 to 50 in FY10.

Certifications and Graduate Degrees Held by Maricopa County Internal Audit Staff (Number Held)

Certified Law Enforcement Auditor (CLEA): 13
Certified Internal Auditor (CIA): 8
Certified Government Auditing Professional (CGAP): 5
Certified Public Accountant (CPA): 5
Certified Information Systems Auditor (CISA): 3
IT Service Management (ITIL): 3
Master of Business Administration Degree (MBA): 3
Certified Fraud Examiner (CFE): 2
Certified Information Technology Professional (CITP): 2
ISO/IEC 20000 Foundation: 2
Certified ACL Data Analyst (ACDA): 1
Certified Government Financial Manager (CGFM): 1
Certified Management Accountant (CMA): 1
Master of Public Administration Degree (MPA): 1
Total: 50

Congratulations on Your Certification Achievements!

Certified Information Technology Professional (CITP) and ISO/IEC 20000 Foundation Certifications: Patra Carroll and Eve Murillo
Certified Internal Auditor (CIA) and Certified Government Auditing Professional (CGAP) Certifications: Ryan Bodnar, Derek Barber, and Scott Jarrett
In FY10, Derek Barber also received his master’s degree in business administration.

Internal Audit staff members actively participate in a variety of audit-related professional and service organizations. Some serve as committee chairs and governing board members.
Professional & Service Organizations

American Institute of Certified Public Accountants (AICPA)
Association of Certified Fraud Examiners (ACFE—National and Arizona Chapter)
Association of Government Accountants (AGA)
Association of Local Government Auditors (ALGA)
Audit Command Language (ACL) Users Group
Information Systems Audit and Control Association (ISACA)
Institute of Internal Auditors (IIA - National and Phoenix Chapter)
Institute of Management Accountants (IMA)
International Law Enforcement Auditors Association (ILEAA)
Maricopa County Blood Drive
Maricopa County Combined Charitable Campaign
Toastmasters International

Leadership Roles in Professional & Service Organizations (Positions Held)

Audit Command Language (ACL) Users Group:
  Secretary/Treasurer: 1
Association of Certified Fraud Examiners (ACFE):
  AZ Chapter—Chapter Newsletter Committee: 1
  AZ Chapter—Webmaster: 1
Association of Local Government Auditors (ALGA):
  International—Secretary: 1
  International—Advocacy Committee: 1
Information Systems Audit and Control Association (ISACA):
  Phoenix Chapter—Co-Chair, Academic Affairs Committee: 2
  Phoenix Chapter—Academic Affairs Committee: 3
Institute of Internal Auditors (IIA):
  Phoenix Chapter—Secretary: 1
Other Organizations:
  Toastmasters—Treasurer: 1
  Toastmasters—District Treasurer: 1
Total: 13

Appendix C: Audit Summaries

Report Title

Adult Probation MAS
Citizen’s Financial Condition Report
Continuous Auditing—Employee Termination Procedures
County Assessor’s Office
County Attorney’s Office
County Financial System
Countywide Contracts:
  Arizona Legal Workers Act
  Biodiesel Bulk Fuel Purchase and Delivery
  Election Ballots Printing
  Sheriff’s Office Bus Procurement
  Software Licensing
  Temporary Personnel Services
Internet Usage Review
Justice Courts MAS
Network Security—Wireless
Performance Measure Certification
Purchasing Cards (P-Cards)
Single Audit—Grant Compliance Review
Surprise Cash Counts
Treasurer’s Office—Taxpayer Information Fund
Vehicle Usage

Adult Probation MAS ~ January 2010

The Minimum Accounting Standards (MAS) review is an Agreed-Upon Procedures engagement. The Administrative Office of the Arizona Supreme Court (AOC) sets forth standard audit procedures to be conducted by an independent accountant every three years. The purpose of the engagement is to ensure that Maricopa County courts maintain effective internal controls. The Adult Probation Department has field offices in various County locations.
Audit work was performed at the following locations: Downtown Justice Court Center, Black Canyon, Garfield Probation Services Center, Southport, and Probation Services Center.

Significant Issues
Most exceptions were related to cash handling and deposits. For instance, monies were not always recorded upon receipt, deposits were not always timely, and voided receipts did not always reflect the reason for the void. Exceptions of this type increase the risk that errors and/or fraud could occur and go undetected.

Citizens’ Financial Condition Report ~ January 2010

The Citizens’ Financial Condition Report is based on the County’s FY09 Comprehensive Annual Financial Report and summarizes the County’s key financial information and trends. The report uses graphics for a highly visual, interesting, and understandable report for the benefit of elected officials, management, and the public. The report presents significant financial trends and national benchmark analyses.

Report Highlights
Conservative fiscal policies have guided spending
The General Fund unreserved fund balance remained healthy
Key County financial indicators compared very favorably to national benchmarks
County net assets, an indicator of long term health, continued to increase
Funding for the County’s primary employee retirement plan decreased slightly

Continuous Auditing—Employee Termination Procedures ~ July 2010

Since FY05, the County has experienced an increase in terminations due to the economy. Effective controls over terminated employees’ access to buildings and computer networks are necessary to protect County assets. This audit was done to review several key controls over terminated employees’ access.

Significant Issues
The County has formal written procedures for deactivating terminated employees’ access to buildings and computer networks. However, our system tests showed that these procedures could be strengthened by better coordinating and sharing of information among key agencies.
County Assessor’s Office ~ April 2010

The Maricopa County Assessor is an elected official whose office is responsible for truly and fairly valuing all real and personal taxable property within Maricopa County. The Assessor’s Office annually determines full cash value (market value) and limited value for taxable property within the County, which had a combined net assessed value of nearly $50 billion as of February 2010. Overall, we found adequate controls for capturing and valuing taxable property.

Significant Issues
Improvements could be made in the following areas:
Valuation changes
Legal classifications
Business personal property
Information technology

County Attorney’s Office ~ July 2010

The Maricopa County Attorney is an elected official whose office is responsible for prosecuting all felonies that occur within Maricopa County and all misdemeanors that occur in unincorporated areas of the County. The Arizona State Constitution provides the County Attorney’s operational authority, while the Arizona Revised Statutes (A.R.S.) describes the roles, powers, and duties. Payroll and related expenditures totaled $72.9 million in FY09, representing 80% of total expenditures. These large costs highlight the importance of a strong internal control environment.

Significant Issues
Overall, controls over the processing and reporting of payroll transactions are adequate. Payroll amounts appear to be accurately calculated, recorded, and disbursed. However, there is no reliable system in place to ensure the accuracy of time and attendance records, and thus, the propriety of payroll disbursements. We identified a high rate of corrections going back as far as 18 months and an overall lack of oversight.

County Financial System ~ February 2010

Advantage, the County’s core financial system, accounts for all critical financial data and contains essential information used in making financial and operational decisions.
It processes over 2 million transactions annually, totaling nearly $15 billion. This audit was done to review the system’s security, accuracy, and reliability.

Significant Issues
Based on the work performed, the financial system appears to process data accurately and reliably. However, improvements could be made in the following areas:
Data transmission security
Segregation of duties
Vendor oversight

Countywide Contracts

Arizona Legal Workers Act ~ May 2010

In May 2008, A.R.S. § 41-4401 was signed into law. Among other things, the statute requires government entities to conduct random verifications to ensure that contractors/subcontractors are complying with the Arizona Legal Workers Act (Act). The Act prohibits businesses from knowingly hiring an unauthorized alien. It also requires employers to use the E-Verify system (a free web-based service offered by the Federal Department of Homeland Security) to verify the employment eligibility of all employees hired after December 31, 2007. Under the Act, the County may bring suit against employers for knowingly hiring unauthorized aliens. An employer found liable faces possible suspension or revocation of its business license.

Significant Issues
One contractor was randomly selected for review; no unauthorized employees were identified. However, we noted that County contracts do not include all provisions required by A.R.S. § 41-4401. Specifically, there is no clause whereby contractors warrant their compliance with A.R.S. § 23-214(A). (That subsection requires employers to use E-Verify to verify employment eligibility.)

Biodiesel Bulk Fuel Purchase and Delivery Contract ~ July 2010

We reviewed the Biodiesel Bulk Fuel Purchase and Delivery Contract with Pro Petroleum, Inc. Equipment Services administered the contract and approved invoices during the audit period. FY09 expenditures to the vendor totaled $2,725,110. We reviewed 50 invoices totaling $772,366 (28%).
Significant Issues
The vendor was in compliance with the contract terms reviewed. However, Equipment Services has not established a reliable inventory control system. A reconciliation of agency records shows that fuel inventory on hand exceeded the quantity reflected in the fleet management database by 26,928 gallons as of June 30, 2009. As a result, Equipment Services is unable to (a) ensure appropriate fuel inventory levels, or (b) properly track usage, which significantly increases the risk of fraud, waste, and abuse.

Election Ballots Printing Contract ~ September 2010

We reviewed the Printing and Distribution of Election Ballots Contract with Runbeck Election Services. The Maricopa County Elections Department administered the contract and approved invoices during the audit period. FY09 expenditures to the vendor totaled $7,468,113. We reviewed 13 invoices totaling $5,370,988 (72%).

Significant Issues
The vendor was generally in compliance with contract terms and conditions. However, contract administration needs improvement, as evidenced by ambiguous contract pricing terms and sales tax overpayments on 52 invoices totaling $8,175. In addition, there was no reliable system in place to ensure the accuracy of invoices prior to payment.

Sheriff’s Office Bus Procurement Contract ~ October 2009

In October 2008, the Maricopa County Sheriff’s Office (MCSO) purchased a 58-passenger bus for $456,222 from the Jail Enhancement Fund (JEF). We reviewed laws, policies, guidelines, and documentation related to this procurement.

Significant Issues
MCSO did not deposit JEF monies with the County Treasurer as required by JEF Guidelines and A.R.S., and did not comply with the County Procurement Code or JEF Guidelines for the bus procurement.
The following required approvals were not obtained:
Board of Supervisors’ approval prior to the bus purchase
Board approval of contract to purchase over $250,000
Board approval for sole source purchase over $50,000
Office of Management and Budget/Board approval for exemption to capital purchasing freeze

Software Licensing Contract ~ July 2010

The County operates over 16,000 computing devices, each with various software applications installed. County policies and federal copyright laws require all users and agencies to comply with software licensing agreements. This audit was done to determine how well the County manages software licensing.

Significant Issues
County information technology agencies have taken steps to manage software and most have:
Written policies and procedures
Automated software management tools
Restrictions on end-user software installation

Temporary Personnel Services Contract ~ July 2010

Countywide expenditures to 5 contract vendors totaled $1.5 million in FY09. Of this amount, $734,812 was paid to Kelly Services, with the majority expended by the Department of Public Health (DPH). The scope of our review was limited to DPH expenditures to Kelly Services in FY09.

Significant Issues
Contract administration needs improvement, as evidenced by the following:
We were unable to verify the propriety of the amount billed for most (90%) invoices reviewed due to a lack of supporting documentation
Service requests were very informal, with no documentation retained of service level requests or agreed-upon rates
Invoices were approved for payment based solely on a review of mathematical accuracy (i.e., billing rates were unverified)

Internet Usage Review ~ July 2010

The County may be at risk for inappropriate or excessive employee Internet usage. National surveys show that, on average, employees access the Internet one to two hours a day for personal use (e.g., games, instant messaging, shopping, and banking).
Salary.com states that, “While wasted time (using the Internet) has steadily declined, companies are still paying billions in salaries for which no direct benefit is received.” Experts say networks can be exposed to malicious attacks when employees inadvertently access rogue links through personal e-mail accounts.

Significant Issue
Management monitoring can determine if Internet abuse is occurring
The County risks losing $3.1 million in productivity each year, if employees spend 5 minutes of work time on personal Internet use daily
The filtering technology currently used by the County limits but does not prevent access to inappropriate sites

Justice Courts MAS ~ May 2010

The Maricopa County Justice Court system includes 25 courts at 12 locations. The Justice Courts handle criminal traffic, misdemeanor, and a variety of civil cases less than $10,000. The MAS review is an Agreed-Upon Procedures engagement. The AOC sets forth standard audit procedures to be conducted by an independent accountant every three years. The purpose of the engagement is to ensure that Maricopa County courts maintain effective internal control procedures over financial accounting and reporting systems.

Significant Issues
Most exceptions were related to cash handling, segregation of duties, disbursements, and reconciliations of financial records. Exceptions of this type increase the risk that errors and/or fraud could occur and go undetected.

Network Security—Wireless ~ May 2010

Wireless networks can become a target for attack by unauthorized parties trying to access sensitive data. This audit was done to determine if the wireless network is well managed, equipment is properly deployed and secured against attack, incidents are handled properly, and unauthorized devices are detected and removed from the network.

Significant Issues
Overall, the County’s wireless network is well-secured in accordance with good information security practices.
We found strong controls over wireless security processes such as project management, equipment deployment and disposal, security management and monitoring, and incident response. Management resolved the few vulnerabilities we noted.

Performance Measure Certification ~ May 2010

The Board adopted a performance measurement initiative called Managing for Results in FY01. Each year, we review agency-reported performance measures to ensure reported results are accurate and reliable. This year, we examined 41 performance measures from 5 County agencies.

Significant Issues
21 (51%) of the 41 measures reviewed were certified
Accuracy of measures reviewed this year exceeded those reviewed in FY09

Purchasing Cards (P-Cards) ~ March 2010

Internal Audit monitors P-Card activity annually to deter abuse and increase management awareness. P-Card expenditures have averaged $28.2 million over the past four years. We reviewed supporting documentation for 69 P-Card transactions from 14 agencies.

Significant Issues
Although we did not find any inappropriate purchases, 33% of the transactions reviewed contained exceptions to County P-Card procedures (e.g., incomplete or late reconciliations, insufficient supporting documentation, etc.). We also conducted limited testing of certain system safeguards and found that cardholders are prevented from obtaining PIN numbers for cash advances or receiving cash back on purchases. In addition, some cards are set to exclude certain Merchant Category Codes (e.g., dating and escort services, bars, and amusement parks). However, cards cannot be restricted by individual commodity or product (e.g., liquor, cigarettes, etc.).

Single Audit—Grant Compliance Review ~ April 2010

In 1984, the United States Congress passed the Single Audit Act. The Federal Office of Management and Budget implemented the Single Audit Act.
Currently, non-federal entities that expend $500,000 or more in federal assistance during a fiscal year are required to undergo a comprehensive financial and compliance audit each year (Single Audit) by an independent auditor. In our annual compliance reviews for federal grant funds distributed through Maricopa County to various subrecipients, we examined the audited financial and grant compliance reports of 19 federal grant subrecipients ($13.9 million) to determine compliance with the Single Audit Act.

Significant Issues
Twelve of 19 reports contained 46 findings, with 13 material weaknesses related to federal grant compliance or internal controls. The findings reported by the independent auditors do not appear to directly impact funds passed through by the County.

Surprise Cash Counts ~ December 2009

Due to the inherent risk of cash and cash transactions, we regularly review cash funds to verify that County officials have established and maintained adequate controls over cash to guard against theft and misuse. We conducted surprise cash counts of 18 funds in 7 agencies to ensure adequate controls were in place.

Significant Issues
We did not identify any material shortages during our cash counts. However, we observed several cash control weaknesses and policy exceptions, such as:
Cash not properly secured
Year-end reconciliations were either inaccurate or were not submitted to Finance
Custodian change not reported to Finance

Treasurer’s Office—Taxpayer Information Fund (TIF) ~ November 2009

A.R.S. § 11-495 establishes a Taxpayer Information Fund (TIF) within each county treasury. TIF consists of monies collected from various treasurer functions, interest on treasurer fund balances, and various other sources. The monies must be spent to defray the cost of converting or upgrading an automated public information system.
Significant Issues
Multiple bids were not obtained as required by the County’s Procurement Code for purchases made from two vendors
Formalized agreements were not in place as required by the Maricopa County Employee Compensation Plan for payments made to two contract employees

Vehicle Usage ~ July 2010

Maricopa County owns approximately 1,851 cars, sport utility vehicles, vans, and trucks. Vehicles, by nature, are associated with legal, personal, and financial risks. We examined vehicle usage for compliance with applicable policies and to identify opportunities to improve efficiency and utilization.

Significant Issues
The County has 21 separate policies related to vehicle usage. Many are outdated and are not effectively communicated. In addition, some agencies tasked with enforcing the policies do not have sufficient authority to do so. As a result, there is a lack of consistent oversight and accountability, which can result in increased costs, mismanagement, and abuse. We found control weaknesses, compliance exceptions, and opportunities for increased efficiency and utilization in numerous areas.

Driver Accountability Suspended Licenses Mileage Reimbursements Overnight Usage Permits Taxable Fringe Benefits Photo Enforcement Tickets Fleet Management Fleet Utilization/Costs Fuel Usage Fleet IT Systems Authorized Vehicle Use Leased Vehicles

Appendix D: Other Projects

Audit Follow-Up

The goal of the Internal Audit process is to increase the overall effectiveness of County operations and procedures. Audit recommendations for improvements become meaningful only when needed changes are recognized and implemented by clients. Following up on audit recommendations is an integral part of the audit process. On a regular basis, Internal Audit sends a Status Report Request to clients with open audit recommendations. This process may also include site visits, interviews, phone calls, or a review of additional documentation.
When all recommendations for an audit have been implemented, a closing memo is sent to the client.

Risk Assessment / Audit Planning

Effective internal auditing is based on systematically reviewing an organization’s operations at intervals commensurate with associated risks. The annual risk-assessment process produces an audit plan that maximizes audit coverage and minimizes risk. Auditing every County activity on a regular basis would not be cost efficient; therefore, Internal Audit uses an annual risk assessment, along with professional judgment, to ensure resources are focused on high-risk areas.

Video Online Reporting Tool (VORT)

The Video Online Reporting Tool (VORT) is a brief summary video report that covers recent audits. It summarizes the audit area, scope of work performed, and the result of the findings and recommendations of the audit project. Currently, we have the following VORTs available: (1) Data Centers & Disaster Recovery; (2) IT Governance; (3) Licenses, Fees, & Permits; and (4) Public Fiduciary.

- Data Centers & Disaster Recovery: This two-minute video report covers the review of 27 Data Center sites operated by Maricopa County
- IT Governance: This two-minute video report covers the review of the County’s Information Technology Governance efforts
- Licenses, Fees, & Permits: This one-minute video report covers the review of the Licenses, Fees, and Permits audit
- Public Fiduciary: This two-minute video report covers the review of the County’s Office of the Public Fiduciary

Appendix E: Audit Impact

Some audits have an immediate impact while others yield organizational benefits over time. Some recommendations have a measurable financial impact (e.g., increased revenues, cost recoveries, etc.) while others add value over time (e.g., operational efficiencies, improved controls, decreased risk of fraud, waste and abuse, etc.). The audits below illustrate this.
FY10 - Countywide Vehicle Usage

We identified 21 separate County policies and found that (a) many are outdated and are not effectively communicated, and (b) some agencies tasked with enforcing the policies do not have sufficient authority to do so. Greater oversight is needed to ensure the fleet is properly sized and effectively utilized. We estimate that approximately $292,000 could be saved by expanding the fleet, given excessive employee mileage reimbursements at ten agencies. In addition, the County could save nearly $2,500 in fuel costs by using County fuel stations more effectively. The County Manager has established a task force to address our findings and implement our recommendations.

FY09 - Licenses, Fees, and Permits

We found that agency user fee reviews are not timely or effective, Countywide user fee studies are infrequent, and the gap between fee revenues and expenditures has increased significantly in the past 10 years. At the direction of the County Manager, the Department of Finance assembled a team to address our findings, and an outside consultant was hired to assist in implementing our recommendations. We estimate that fee revenues could increase by more than $1 million annually.

FY09 - Employee Health Initiatives

We found that benefit costs could be reduced by verifying dependent eligibility at open enrollment and during new employee hiring. Research shows the County could save between $1.6 and $3.3 million in the first year of verifying dependent eligibility. We observed that recommendations were implemented and that new and existing employees with dependent additions are required to submit documentation.

FY08 - Justice Court Administration

We found that collection activities were not clearly defined and monitoring activities were not well documented. We shared our observations with court administrators. As a result, in April 2010, the Justice Courts began sending out notices to collect on unpaid tickets as far back as the early 1980’s.
The Justice Courts are in the process of recouping almost $100 million of unpaid fees and sanctions by sending out an average of 15,000 letters to those that have unpaid fines.

FY07 - Environmental Services

We found that the Arizona Legislature had not approved Environmental Services’ 2003 application for a National Pollutant Discharge Elimination System permit, which is required by the Clean Water Act. The lack of a permit exposed the County to legal liabilities and fines up to $25,000 per day, per violation. Following the audit, Environmental Services received support from County management for the required legislation, which was co-sponsored by five other Arizona counties. The Board of Supervisors directed County management to implement the program and begin collecting fees for plan reviews.

Appendix F: Audit Committee Biographies

Ralph Lamoreaux, District I

Ralph Lamoreaux, CPA, has a master of business administration degree from the University of Utah and a bachelor’s degree in accounting from Southern Utah University. He worked for the U.S. Government Accountability Office (GAO) for 33 years. Mr. Lamoreaux was involved in audits of many federal departments and agencies. He retired from GAO in July 2000.

Janet L. Secor, District II

Janet L. Secor, CIA, has 20 years of internal auditing experience: nine years in Washington, D.C. at the GAO and ten years as the City of Scottsdale’s Assistant City Auditor. She consulted for the Maricopa County Internal Audit for over two years. She is past president of the Arizona Local Government Auditors Association, and served as the Government Relations Chairman of the local chapter of the Institute of Internal Auditors. Ms. Secor is the management assistant to Scottsdale’s mayor.

Matthew E. Breecher, District III

Matthew E. Breecher, CPA, CISM, CISA, is an accounting and information systems specialist, with over 15 years professional experience.
He currently provides information technology and management advisory services to local Arizona governments and small-to-medium businesses. Mr. Breecher is the managing partner of Breecher & Company, PC, a Phoenix-based professional services firm and a shareholder in Assurance Professionals, PC, a Scottsdale-based public accounting firm.

Ryan Brownsberger, Chairman, District IV

Ryan Brownsberger, CPA, has an accounting degree from Iowa State University and a master of business administration degree from Arizona State University. He has twelve years of experience in auditing, accounting, budgeting, and business management. Mr. Brownsberger is a business manager for Mesquite Power LLC, a subsidiary of Sempra Energy.

Richard Lozar, District V

Richard Lozar has extensive experience in accounting and management. He worked as a controller and general manager in the hospitality industry, an accounting and financial consultant, a director of business affairs at a Native American college, and a chief financial officer for a custom furniture manufacturer.

Jay Zsorey, Financial Audit Director, Office of Auditor General

Jay Zsorey, CPA, graduated from the University of Nevada and is the financial audit director of the Arizona Office of the Auditor General. During his career, Mr. Zsorey has managed the audits of many governmental entities in Arizona and was the audit manager for the annual financial statement and compliance audit of Maricopa County. He has extensive knowledge of government finance and governmental financial reporting requirements.

David H. Benton, Senior General Counsel, Office of General Litigation

Shelby Scharbach, County Chief Financial Officer

Shelby Scharbach, CPA, CGFM, has a bachelor’s degree in accounting and a master of public administration degree. Ms. Scharbach joined the Maricopa County Department of Finance in 1993, served as Deputy Finance Director from 2000-2008, and was appointed Chief Financial Officer in 2009.
She serves on the National Association of Counties (NACo) Financial Services Advisory Committee and is the NACo appointee to the Public Finance Authority. She is Chair of the Maricopa County Deferred Compensation Committee, President of the Maricopa County Public Finance Corporation, and serves on the Board of Directors for the International Genomics Consortium.

Appendix G: Citizen’s Audit Advisory Committee Charter

The committee’s primary function is to assist the board of supervisors in fulfilling its oversight responsibilities. The committee accomplishes this function by reviewing the County’s financial information, the established systems of internal controls, and the audit process. In meeting its responsibilities, the committee shall perform the duties outlined below.

1. Provide an open avenue of communication between the county auditor, the auditor general, and the board of supervisors.
2. Review the committee's charter annually and seek board approval on any recommended changes.
3. Inquire of management, the county auditor, and the auditor general about significant risks or exposures and assess the steps management has taken to minimize such risks to the county.
4. Consider and review the audit scope and plan of the county auditor, and receive regular updates on the auditor general’s county audit activities.
5. Review with the county auditor and the auditor general the coordination of audit efforts to assure completeness of coverage, reduction of redundant efforts, and the effective use of all audit resources including external auditors and consulting activities.
6. Consider and review with the county auditor and the auditor general:
   a. The adequacy of the county's internal controls including computerized information system controls and security.
   b. Any related significant findings and recommendations of the auditor general and the county auditor together with management's responses thereto.
7. At the completion of the auditor general’s annual examination, the committee shall review the following:
   a. The county's annual financial statements and related footnotes.
   b. The auditor general's audit of the financial statements and report thereon.
   c. Any serious difficulties or other matters related to the conduct of the audit that need to be communicated to the committee.
8. Consider and review with management and the county auditor:
   a. Significant audit findings during the year and management's responses thereto.
   b. Any difficulties encountered during their audits, including any restrictions on the scope of their work or access to required information.
   c. Any changes required in the planned scope of their audit plan.
   d. The internal audit department's budget and staffing.
   e. The internal audit department's charter.
   f. The internal audit department's overall performance and its compliance with accepted standards for the professional practice of internal auditing.
9. Report committee actions to the board of supervisors with such recommendations as the committee may deem appropriate.
10. Prepare a letter for inclusion in the annual report that describes the committee's composition and responsibilities, and how they were discharged.
11. The committee shall meet at least four times per year or more frequently as circumstances require. The committee may ask members of management or others to attend the meetings and provide pertinent information as necessary. Committee meetings are subject to the Open Meeting Law (A.R.S. § 38-431).
12. The committee shall perform such other functions as assigned by the board of supervisors.

Committee Composition and Terms

The membership of the committee shall consist of five voting members and three non-voting members. The voting members shall be board of supervisor appointees from the public and shall serve two-year terms.
The non-voting members shall be the county’s chief financial officer, the county attorney, the auditor general, or their designees. The chairman of the board of supervisors shall appoint a committee chairman from the voting members. The committee chairman shall serve a one-year term.

Member Qualifications

Committee members must have an understanding of financial reporting, accounting, or auditing. This understanding can be demonstrated through educational degrees (BS, MBA, PhD) and professional certifications (CPA, CMA, CIA), or through experience in managing an organization of more than 25 employees or $20M in revenues. Committee members should be familiar with local government operations and should have sufficient time to effectively perform the duties listed herein.

Adopted by the Board of Supervisors—3/26/97
Last Amended—6/26/02

Appendix H: Internal Audit Charter

Purpose

The Maricopa County Board of Supervisors (Board) hereby establishes the Maricopa County Internal Audit Department. The mission of the Internal Audit Department is to provide objective, accurate, and meaningful information about County operations so the Board and management can make informed decisions to better serve County citizens.

Responsibility

County management has primary responsibility for establishing and maintaining an effective system of internal controls. Internal Audit evaluates the adequacy of the internal control environment, the operating environment, related accounting, financial, and operational policies, and reports the results accordingly.

Authority and Access

Internal Audit is established by the powers granted to the Board in A.R.S. § 11-251. The Board is authorized to supervise the official conduct of all County officers, to see that such officers faithfully perform their duties, and present their books and accounts for inspection (A.R.S. § 11-251.1). The Board is also authorized to perform all other acts and things necessary to fully discharge its duties (A.R.S. § 11-251.30). Internal Audit will report directly to the Board, with an advisory reporting relationship to the Board-Appointed Citizen’s Audit Advisory Committee. In addition, the County Auditor will meet, as needed, with an oversight committee comprised of the County Administrative Officer and two Board members appointed by the Board Chairman. While conducting approved audit work, Internal Audit will have complete access (except where restricted by legal privilege) to all County property, records, information, and personnel.

Premise and Objectives

Internal Audit’s basic premise is that County resources are to be applied efficiently, economically, and effectively to achieve the purposes for which the resources were furnished. This premise is incorporated in the following four objectives:

A. Compliance with Laws and Regulations
Those entrusted with County resources are responsible for establishing and maintaining effective controls to ensure identification of and compliance with applicable laws and regulations.

B. Effective Program Operations
Those entrusted with County resources are responsible for establishing and maintaining effective controls to ensure that programs meet their goals and objectives.

C. Validity and Reliability of Data
Those entrusted with County resources are responsible for establishing and maintaining effective controls to ensure that valid and reliable data are obtained, maintained, and fairly disclosed.

D. Safeguarding of Resources
Those entrusted with County resources are responsible for establishing and maintaining effective controls to ensure that resources are safeguarded against waste, loss, and misuse.

Independence

The Internal Audit Department will remain outside the control of management. Internal Audit employees will have no direct responsibility for, or authority over, any of the activities, functions, or tasks reviewed by the department.
Accordingly, Internal Audit staff should not develop or write policies and procedures that they may later be called upon to evaluate. They may review draft materials developed by management for propriety and completeness. However, ownership of and responsibility for these materials will remain with management.

Audit Standards and Ethics

Internal Audit will adhere to applicable industry standards and codes of ethics issued by authoritative sources (such as those issued by the Institute of Internal Auditors and the U.S. General Accounting Office). Each member of the department is expected to consistently demonstrate high standards of conduct and ethics as well as appropriate judgment and discretion.

Audit Planning

The County Auditor will prepare an annual audit plan that will be reviewed by the Citizen’s Audit Advisory Committee and approved by the Board. Additions, deletions, or deferrals to the annual audit plan will also be approved by the Board.

Follow-Up

Internal Audit will follow up on the status of its report recommendations on a regular basis.

Adopted by the Board of Supervisors—6/11/97
Last Amended—12/18/02

Appendix I: Internal Audit Profile

Definition

Internal auditing is an independent, objective assurance and consulting activity that adds value and improves operations. Internal auditing helps an organization reach objectives by bringing a systematic, disciplined approach to improve the effectiveness of risk management, control, and governance processes.

Our Value Statement

Do the Right Things Right!

Our Mission

The mission of the Internal Audit Department is to provide objective information on the County’s system of internal controls to the Board of Supervisors so they can make informed decisions and protect the interests of County citizens.

Our Vision

To promote the effective, efficient, economical, and ethical use of public resources.
Our History

The Board of Supervisors appointed the first County Auditor in 1978 and established an internal audit function. In 1994, the Board of Supervisors created a Citizen’s Audit Advisory Committee comprised of private citizens and County officials. (See Appendix G, page 39, for charter.) In 1997, the Board of Supervisors formalized the County’s internal audit function by adopting a department charter, which was amended in December 2002. (See Appendix H, page 41, for charter.)

Citizen’s Audit Advisory Committee (Audit Committee)

The Board Appointed Citizen’s Audit Advisory Committee supports further strengthening of the County’s Internal Audit Department. This committee, comprised of accounting and business professionals, actively engages in analyzing risk throughout the County and making recommendations. This committee is an important link between the Board of Supervisors and the County’s auditors, both internal and external. The Maricopa County Citizen’s Audit Advisory Committee meets regularly to review and comment on audit reports, County financial statements, and other audit information (audit plan, special requests, etc.).

Organizational Independence

Auditors should be removed from organizational and political pressures to ensure objectivity. As our charter designates, the Maricopa County Internal Audit Department reports directly to an elected Board of Supervisors, thereby establishing an effective level of independence from management. This structure provides the Board of Supervisors with a direct line of communication to Internal Audit and provides assurance that County officials cannot influence the nature or scope of audit work performed. Government Auditing Standards support locating internal audit departments outside the management function in order to encourage independence. Routine meetings with an independent audit committee further enhance independence.
The County Auditor also meets with an oversight committee comprised of the County Manager and two Board of Supervisor members, further enhancing our independence.

Reporting Structure of the Internal Audit Department (organization chart: Board of Supervisors, Citizen’s Audit Advisory Committee, Internal Audit, County Management)

Resources

A fully staffed, professional Internal Audit Department provides value-added services to the County. Each year, Internal Audit analyzes and adapts its resources to meet upcoming County auditing and consulting needs. To provide flexibility and diversified strength, the audit staff has broad-range education and experience in various audit areas: accounting, finance, performance evaluation, information systems, and management services. Each audit is performed by a team that collectively possesses the necessary knowledge and skills to fit the assignment.

Government operations are inherently complex; certain functions cannot be properly reviewed without specialized expertise. Hiring a wide variety of staff specialists, however, would not be cost effective. While we have invested in qualified internal staff, we have also reserved resources for specialized contractors; $176,081 was budgeted for this purpose in FY10. This partnership (called “co-sourcing”) provides the County with the collective expertise required by Government Auditing Standards at an affordable price.

Professional Internal Audit Staff

Our auditors have extensive knowledge of auditing methods and techniques plus specialized training in information technology and accounting. (See Appendix A, page 21, for biographies.) Each auditor is responsible for maintaining Government Auditing Standards requirements of 80 continuing education hours every two years; 24 of those hours must be directly related to government operations.

Maricopa County Internal Audit
301 W. Jefferson, Suite 660
Phoenix, AZ 85003 ~ 2148
Telephone: 602 ~ 506 ~ 1585
Facsimile: 602 ~ 506 ~ 8957
E-mail: Thielew@mail.maricopa.gov
Visit our website @ www.maricopa.gov/internal_audit

Annual Report Project Members
Richard Chard, CPA, CLEA, Deputy County Auditor
Carla Harris, CPA, CIA, CFE, Audit Supervisor
Kimmie Wong, MPA, Senior Auditor
Jenny Eng, Associate Auditor