Maricopa County Internal Audit Do the Right Things Right! Annual Performance Report Fiscal Year 2009 From the County Auditor’s Desk—Fiscal Year 2009 To: Max W. Wilson, Chairman, Board of Supervisors Fulton Brock, Supervisor, District I Don Stapley, Supervisor, District II Andrew Kunasek, Supervisor, District III Mary Rose Wilcox, Supervisor, District V From: Ross L. Tate, County Auditor Date: November 13, 2009 Fiscal Year 2009 was a period of high productivity, major achievement, and significant challenge for Internal Audit. We appreciate the Board of Supervisors, the Citizen’s Audit Advisory Committee, and County administration for their continued strong support of the County’s audit function. Internal Audit Achieves Audit Excellence Internal Audit received two awards from the National Association of Counties (NACo) in FY09 for our Internal Controls Video program. We received an Achievement Award as well as the “Best of Category” Award in Personnel Management. These awards recognize outstanding, effective, and creative county programs. Our Internal Controls Video program identifies common control weaknesses, increases organizational awareness of County policy, and stresses the importance of internal controls. Audit organizations across the country have asked to use our videos as a training resource, and many County officials have given us positive feedback. We also received the 2009 Knighton Bronze Award from the Association of Local Government Auditors (ALGA) for our Air Quality report. These international awards recognize the best performance audits by local government audit departments each year. Internal Audit’s Assistance During the Financial Crisis During this period of financial crisis, the County faces many challenges, including declining revenues and reductions in staff. The risk of fraud, waste, and abuse increases during tough economic times. Internal Audit provides assistance by identifying and deterring various risks and identifying cost savings and hard dollar recoveries. Internal Audit Staff Holds Leadership Roles Internal Audit staff members actively participate and assume leadership roles by chairing committees and serving on the boards of directors for a wide variety of professional organizations. Our talented staff strive to make a difference in our communities throughout Maricopa County and across the nation. i Internal Audit Receives Clean “Bill of Health” from Independent Auditor Every three years, the Internal Audit Department undergoes a peer review by an independent auditor to assess its compliance with the Government Auditing Standards issued by the U.S. Comptroller General. In FY09, we received our fourth consecutive “clean” peer review (i.e., no exceptions found). A clean peer review assures the Board of Supervisors, the Audit Committee, and the public that we are following established policies, procedures, and auditing standards. Tips Are Key to Detecting Fraud and Abuse Fraud schemes are much more likely to be detected through tips than by any other method, according to a 2008 study by the Association of Certified Fraud Examiners (ACFE). Nearly half of the cases studied were uncovered by a tip or complaint from an employee, customer, vendor or other source. Internal Audit staff routinely attends fraud training classes, and four staff members are Certified Fraud Examiners (CFEs). Internal Audit helps to deter fraud, waste, and abuse in many ways, including the following: ♦ Conducting a fraud risk assessment for every audit ♦ Providing internal control videos and cash handling classes ♦ Issuing formal and informal audit recommendations ♦ Providing a Citizen Input Form and County Audit Hotline, as discussed below The Citizen Input Form gives the public an opportunity to make recommendations for future audits, report fraud, and suggest ways that County government could be improved. Internal Audit recognizes that citizens may have ideas and information beneficial to the audit process. The form is easily accessible from our website. The County Audit Hotline was established to provide County employees with an opportunity to anonymously report known instances or suspicions of fraud, waste, or abuse. Tips and/or concerns can be reported to us by calling the Hotline number. Emphasizing the Need for a Strong Internal Audit Function Bond rating agencies Fitch and Moody’s consider the existence of an internal audit function a key component of strong management practices. Moody’s uses the Financial Condition Report prepared by Internal Audit to evaluate trends and considers the County’s audit function a deterrent to fraud. 3 ii Internal Audit strengthens Maricopa County by promoting strong internal controls, deterring fraud, and initiating cost recoveries Ten Year Perspective (FY00—FY09) $25 Million in Savings Over 10 Years Over the past 10 years, we have reported $25.3 million in actual and identified savings. Our budget during this period totaled $16 million, for a net savings of $9.3 million. An additional $49.1 million in potential savings was identified, as shown below. Internal Audit—A Good Investment 3,299 Recommendations In the Past 10 Years We issued 3,299 recommendations over the past 10 years. County management concurred with 98% of the recommendations and 98% were implemented within 3 years of being issued. Internal Audit Has Won 26 Awards in the Past 10 Years From 2000 to 2009, we received 26 awards from 7 professional organizations. Internal Audit (IA) Satisfaction Hits New High We provide outstanding services and foster an atmosphere of excellence for our staff. ♦ IA received the highest employee satisfaction scores of the 50 County departments surveyed by the Office of Research and Reporting in FY09 ♦ IA consistently received high satisfaction survey ratings from the Board of Supervisors, Citizen’s Audit Advisory Committee, and County management ♦ IA consistently received high satisfaction ratings from County leadership on surveys administered by the Office of Research and Reporting Internal Audit Passes Last Four External Reviews We passed the last four independent peer reviews with no exceptions (2000, 2003, 2006, 2009). Internal Audit Staff Hold Leadership Roles in Professional & Service Organizations Staff members actively participate in a variety of professional and service organizations and hold 22 leadership positions. iii 4 Table of Contents Contents Page ♦ Independence ................................................... 1 ♦ Audit Committee ............................................... 2 ♦ Awards ............................................................. 3 ♦ Published Articles .............................................. 8 ♦ Performance Results .......................................... 9 Recoveries & Savings ................................... 11 Internal Audit—A Good Investment .............. 13 Audit Recommendations .............................. 14 Customer Feedback ..................................... 15 Budget & Benchmarks .................................. 16 ♦ IT Audit Services .............................................. 17 ♦ Countywide Audits .......................................... 18 Internal Audit’s Mission To provide assistance to the Board of Supervisors so they can ensure Maricopa County government is accountable to its citizens ♦ Being Green ..................................................... 18 ♦ Speaking Engagements .................................... 19 ♦ Internal Control Videos .................................... 19 ♦ 30th Anniversary ............................................. 20 ♦ Community Involvement .................................. 20 Appendices: A. Staff Biographies ............................................ 21 B. Professional Development ............................. 26 C. Project Summaries ......................................... 28 D. Other Projects ................................................ 36 E. Audit Impact .................................................. 37 F. Internal Audit Charter..................................... 38 G. Audit Committee Charter ............................... 40 H. Audit Committee Biographies ......................... 42 I. Internal Audit Profile. ..................................... 43 Do the Right Things Right! Independence The Maricopa County Internal Audit Department is effectively organized, reporting directly to the Board of Supervisors, with an advisory reporting relationship to a Citizen’s Audit Advisory Committee. Board of Supervisors Fulton Brock District I Don Stapley District II Andrew Kunasek District III Max Wilson District IV (Chairman) Mary Rose Wilcox District V Citizen’s Audit Advisory Committee County Management Internal Audit David Smith County Manager Ross Tate County Auditor 1 Audit Committee The Citizen’s Audit Advisory Committee’s primary function is to assist the Board of Supervisors (Board) in fulfilling its oversight responsibilities. The Committee accomplishes this function by reviewing the County’s financial information, the established systems of internal controls, and the audit process. Jay Zsorey, Office of the Auditor General; Bruce White, Office of County Counsel; Jill Rissi, District II; Matthew Breecher, District III; Ralph Lamoreaux, District I; Richard Lozar, District V; Ross Tate, County Auditor; Ryan Brownsberger, Chairman, District IV Audit Committee Members (see Appendix H for biographies) Ralph Lamoreaux, District I Jill Rissi, District II Matthew Breecher, District III Ryan Brownsberger, Chairman, District IV Richard Lozar, District V Jay Zsorey, Office of the Auditor General Bruce White, Civil Division, Maricopa County Attorney’s Office Shelby Scharbach, Maricopa County Chief Financial Officer Ross Tate, Maricopa County Auditor Thank You Jill Rissi for 9 Years of Audit Committee Service After nine years of service, Dr. Jill Rissi is retiring from the Citizen’s Audit Advisory Committee. She is relocating to Portland, Oregon, and beginning a career as a professor at the Hatfield School of Government. We wish Jill the best and appreciate the many contributions she made since joining the Committee in April of 2000. 2 Awards 2009 NACo “Best of Category” and Achievement Award for Internal Controls Video Program Internal Audit received the 2009 “Best of Category” Award from the National Association of Counties (NACo). Our Internal Control Video Program received one of only 20 awards given in this category. We also received the Achievement Award, which recognizes unique, innovative county programs. We developed this training program, consisting of web-based videos, to increase awareness of the importance of internal controls. Four videos are available on our webpage for public viewing. We scripted, cast, filmed, edited, and published the videos internally to save production costs of $15,000 per video. This outreach reinforces our leadership role in promoting a strong ethical culture and effective controls. With over 2,000 counties, representing over 80% of the nation’s population, NACo is the only national organization that represents county governments in the United States. Jacqueline Byers, NACo Director of Research, and Dr. Steve Wrigley, Director of the Carl Vinson Institute of Government, University of Georgia, present Ryan Bodnar with the NACo Best of Category Award at the June 2009 Nashville Conference Chairman Max Wilson, Maricopa County Board of Supervisors, joins Internal Audit to celebrate the NACo “Best of Category” Award 3 ALGA Knighton Bronze Award 2008 Best Audit Report The Association of Local Government Auditors (ALGA) awarded the 2008 Knighton Bronze Award to Maricopa County Internal Audit for our Air Quality audit report. The Knighton Awards recognize the best performance audit reports issued by ALGA members each year. With over 2,000 members and growing, ALGA is the professional organization of choice for local government audit professionals in the United States, Canada, and several other countries. Here is what the judges said about our report: “Air quality and its enforcement is a significant topic as it impacts the entire population. In a concise, well-written report by the Maricopa County Auditors Office, the auditors dealt with the issues of how penalties were enforced by the Air Quality Department...The auditors clearly demonstrated weaknesses in the negotiation of penalty violations, lack of clear rationale for penalty reductions and timeliness in imposing and/or resolving penalties due to violations...” Richard Chard and Ross Tate accept the Knighton Bronze Award at the annual May 2009 ALGA conference Chairman Max Wilson, Maricopa County Board of Supervisors, joins Internal Audit to celebrate the ALGA Knighton Bronze Award 4 Awards National Association of Counties Association of Local Government Auditors 2009 Best of Category Award Internal Controls Video Program 2009 Best Audit Report Knighton Bronze Award Air Quality Audit 2009 Achievement Award Internal Controls Video Program 2006 Achievement Award Internet Usage Risk Management 2008 Best Audit Report Knighton Gold Award Environmental Services Audit 2005 Achievement Award Jurors Helping Jurors The Juror Improvement Fund 2008 Website Gold Award Internal Audit Website 2004 Achievement Award Performance Reporting for Citizens 2003 Honorable Mention Knighton Award Countywide Fixed Assets 2004 Achievement Award Continuous Monitoring 2002 Achievement Award Performance Measure Certification 2002 Special Project Award Performance Measure Certification 2001 Achievement Award Financial Condition Report 2001 Special Project Award Financial Condition Report 2001 Achievement Award “Got Controls” Management Bulletin 2000 Special Project Award Cash Handling Workshop 2000 Achievement Award Cash Handling Workshop The Institute of Internal Auditors 2006 Recognition of Commitment Professional Excellence, Professional Quality, Professional Outreach 2002 Commitment to Quality Improvement Award Professional Excellence, Quality of Service, Professional Outreach 5 Association of Government Accountants Awards for Publication Excellence 2006 Certificate of Excellence Service Efforts and Accomplishments 2007 Award of Excellence Annual Report 2004 Certificate of Recognition Service Efforts & Accomplishments Program Charter Participant 2004 Award of Excellence Financial Condition Report 2003 Distinguished Local Government Leadership Award Ross Tate, County Auditor National Center for Civic Innovation Government Finance Officers Association 2007 Trailblazer Award Government Performance Reporting Demonstration Grant Program Service Efforts & Accomplishments 2002 Award of Excellence Performance Measure Certification Articles Featured in National Publications Local Government Auditing Quarterly Public Safety Snapshots by Ross Tate & Derek Barber Local Government Auditing Quarterly Promoting Audit Shop Creativity by Ross Tate Government West Ensuring the Accuracy of Performance Measures by Ross Tate Government Finance Review (Published by GFOA) Performance Measure Certification in Maricopa County by Ross Tate 6 Max Wilson, 2009 Chairman, joins Internal Audit to celebrate the NACo Awards and the ALGA Knighton Bronze Award Andrew Kunasek, 2008 Chairman, joins Internal Audit to celebrate the ALGA Knighton Gold Award and the ALGA Website Award Fulton Brock, 2007 Chairman, joins Internal Audit to celebrate the NCIC and APEX Awards Don Stapley, 2006 Chairman, joins Internal Audit to celebrate the NACo, AGA, and IIA Awards 7 Max Wilson, 2005 Chairman, joins Internal Audit to celebrate the NACo Award Andrew Kunasek, 2004 Chairman, joins Internal Audit to celebrate the NACo, ALGA, APEX, and AGA Awards Published Articles Summer 2009 Local Government Auditors Quarterly Public Safety Snapshots County Auditor Ross Tate partnered with Associate Auditor Derek Barber to write an article for the Local Government Auditing Quarterly, the Association of Local Government Auditor’s quarterly journal. Ross Tate Because public safety tops the Board of Supervisors’ strategic priorities, the article theme is “Public Safety Snapshots.” The article reflects on past audits that addressed building access and security in County buildings, and health and safety inspections conducted by Environmental Services. The article also discusses the collaboration and efficiencies offered by the Integrated Criminal Justice Information System (ICJIS), which is used by departments within the County’s Criminal Justice system. Derek Barber 8 Performance Results Primary Strategic Goals Internal Audit’s goals are designed with the Board of Supervisors (Board) in mind. Internal Audit provides information so the Board can make informed decisions on the issues they deem most important and provide fiscally responsible public services to citizens. In FY09, IA had the highest employee satisfaction scores out of all 50 County departments surveyed by the Office of Research and Reporting, as noted at the bottom of page 10. Customer Satisfaction Our goal is to maintain at least a 95% customer satisfaction rating from our primary customers: the Board, Chiefs of Staff, and Audit Committee members. Based on survey comments, we reinstituted publication of a Highlights page for larger reports and increased efforts to look for cost avoidance and dollar recoveries. Audit Plan Completion We develop the annual audit plan through a formal risk assessment process, with input from the Board and County management. We strive to complete at least 95% of the Board-approved Audit Plan and report this information to the Board by September 30 after the end of the fiscal year. Recommendations Implemented Recommendations are an important part of our audits, as this is where change and improvement often begin. Our goal is to facilitate implementing 95% of the audit recommendations within 3 years of being reported. 9 Secondary Operational Goals Productivity Our goal is to maintain a 75% productivity rate, which is an industry average. Productive time is considered any time spent working directly on audits. Other time, such as staff meetings, training, personal time off, and holidays, is not considered productive time. Secondary Customer Satisfaction With each audit deliverable, we send satisfaction surveys to the County Manager, Deputy County Manager, Assistant County Managers, and Department Directors. Based on scores, comments, and interaction, we are able to validate that our secondary customers believe we are doing a very good job and that we are exceeding expectations. County Leadership Satisfaction Department Directors participate in an annual County satisfaction survey. Although they are not our primary customers, we continue to monitor their feedback and implement improvements. Overall, the surveys indicate County leadership believes we are doing a very good job. Internal Staff Satisfaction Employee satisfaction has increased each year. We had the highest satisfaction rate among all County departments surveyed in FY09 at 86.8%, compared to the Countywide average of 69.7%. 10 Recoveries & Savings Actual & Identified Savings The following table lists FY09 audits with a quantifiable economic impact, including actual and identified increases in revenues, cost recoveries, and other savings. The table on the opposite page lists potential savings that could be realized, although the dollar impact is more difficult to measure. Audit Impact Description Employee Health Initiatives $1,650,000 Estimated annual reduction in County benefit costs that could be realized by verifying eligibility of employeereported dependents. Countywide Audit: Licenses, Fees, & Permits $1,149,188 Estimated annual increase in fee revenues as a result of Countywide fee study and improved fee review practices. Cox Communications Franchise Fee Review $190,582 Increase in franchise fee revenues. Gross revenues were underreported by Cox, resulting in an underpayment of franchise fees. Air Quality Receivables $115,384 Identified unbilled fees (engineer hours worked) that should have been included in permit fees. $96,863 Identified overbillings on software-related services and taxes for tax-exempt services. $93,773 Cost savings attained by not using outside consultants for this mandated review (dollars reflect the variance between internal and external costs). Clerk of the Superior Court Minimum Accounting Standards $61,440 Cost savings attained by not using outside consultants for this mandated review (dollars reflect the variance between internal and external costs). Countywide Contract: Temporary Medical Personnel $23,622 Identified overpayments for temporary medical personnel. Countywide Contract: Software Purchasing Justice Court Minimum Accounting Standards Sheriff’s Office Custody Command Division $8,910 Sheriff’s Posse reimbursement to the Inmate Services Fund for promotional supplies. Countywide Contract: Construction $3,140 Identified overbillings and unallowable costs on two preconstruction contracts for the Downtown Court Tower. Countywide Contract: Outside Consulting, Auditing, & Accounting Services $2,946 Identified overpayments of lodging and meal per diem contract rates. Total Actual & Identified Savings: $3,395,848 11 Potential Savings Many audits result in potential economic benefits that may be difficult to measure. For example, our annual review of Internet usage is believed to increase employee productivity. When employees and management are aware that Internet usage is being monitored, inappropriate usage is expected to decline. FY09 audits with potential savings that are more difficult to quantify appear below. Audit Continuous Monitoring: Internet Usage Countywide Audit: IT Governance Public Defense Services Total Potential Savings: Impact Description Based on an Internal Audit review, if the County reduces non-productive Internet use for 7,913 Internet users by 5 minutes a day, the County could save nearly $3.5 million in personnel costs each year. $3,475,000 Non-productive use is defined as personal use believed to be conducted on “company” time. Internal Audit conducts recurring unannounced monitoring of internet use. This type of monitoring historically decreases the amount of non-productive Internet usage in organizations. $1,000,000 MIT Research Center's findings suggest that strengthening County IT governance could generate $1 million more in ROI each year, even if only applying a conservative 10% higher ROI. $50,000 Potential increase in fee revenues as a result of computer system update to reflect current fees and retroactively include unbilled fees. $4,525,000 12 Internal Audit—A Good Investment Our Cost vs. the Cost to Outsource the Audit Function FY09 audit work would have cost the County more than twice as much if external auditors had been used instead of Internal Audit staff. The average hourly rate for an external auditor was $157 vs. $68 for Internal Audit. One indicator of Internal Audit efficiency is the evaluation of whether or not it is more cost effective to provide the County function in-house or contract it to external consultants. Our Cost vs. Cost Savings to the County Over the past 10 years, Internal Audit has produced $25.3 million in savings (and $49.1 million in potential savings) to the County. During the same period, our department budget totaled $16 million (which includes co-sourcing dollars), resulting in a net savings to the County of $9.3 million. Our savings averaged $2.5 million per year compared with average annual resources of nearly $1.6 million. Internal Audit identifies potential savings to the County by providing fraud deterrence and identifying weak controls that can lead to waste and abuse. A well run internal audit function is an investment that benefits County management and citizens. Internal Audit is a Good Investment 13 Audit Recommendations Internal Audit provides independent analysis and assurance that operations are efficient, economical, and effective. We track implementation of audit report recommendations that identify efficiency gains, provide economical guidance, improve operational effectiveness, and ensure controls are in place to prevent fraud, waste, and abuse. Internal Audit Issued 3,299 Recommendations in 10 Years During the past 10 years, we made 3,299 recommendations of which 3,235 (98%) were agreed to by the audited departments. To date, 2,424 (78%) of these recommendations have been implemented, as shown below. We allow up to 3 years for a recommendation to be implemented. Ten Years of Audit Recommendations and Implementations Fiscal Year # of Recommendations # % FY00 186 173 93% 173 93% FY01 388 383 99% 382 99% FY02 205 200 98% 194 97% FY03 755 750 99% 735 99% FY04 108 108 100% 101 100% FY05 130 125 96% 98 94%* FY06 365 361 99% 341 98% * FY07 184 174 95% 98 53% * FY08 169 168 99% 115 70% * FY09 809 793 98% 187 27% * 3,299 3,235 98% 2,424 78% FY00—FY09 Agreed Implemented ** # % * Recommendations are in the process of being implemented ** Implementation percentages are based upon 3,094 recommendations, which is the total of all recommendations less recommendations that could not be implemented. 14 Customer Feedback During the year, our customers told us ... “These reports and audits are valuable.” "It was a good first experience with the audit process. You have a great demeanor for handling what could be an uncomfortable time for interviewees!" “Thanks so much. I certainly appreciate your patience, understanding and professionalism.” “Thank you for your efforts and report.” “The auditor assigned to conduct this review was friendly and professional.” “The team did a great job given the number of departments and data centers involved.” “I enjoyed working with the Audit staff during this review. Thank you.” “The auditor was great to work with. She was very professional and thorough. It was a very pleasurable experience.” “Overall, the auditors are friendly, professional and helpful. There was a time that the auditors made us feel like we were doing something wrong. Now we feel like they are here to assist with our processes. The recommendations were reasonable. In addition, we have made improvements to our own system of tracking that holds employees and supervisors accountable for valid data entry.” “The information gathered from this audit was useful and changes were implemented. Thank you for completing the audit.” “Money well spent. Thanks to Audit for the work you do.” “The team led a very positive audit experience. Many participants indicated the interviews were “easy,” conducted in a non-threatening manner that put the interviewees at ease.” “Thank you for all you do!!” “My compliments to the Auditing department and our Development department for good accounting practices. Thanks to all.” 15 Budget & Benchmarks Internal Audit Budget Maricopa County’s Internal Audit costs are below average compared with other benchmark counties. Maricopa and a few other counties include co-sourcing dollars in their budgets. County Population, Area, & Auditors The following chart compares Maricopa County’s population, area, and number of auditors with six benchmark counties. * Number of Auditors 16 Innovative Information Technology Audit Services IT Audit Services Information Technology (IT) is an integral part of County operations and its Managing for Results efforts. The proliferation of IT applications, data, networks, and the web creates the need for knowledgeable and experienced IT auditors. Acknowledging the County’s ever increasing reliance on IT, Internal Audit: ♦ Maintains and enhances staff IT skills through training—three staff members are Certified Information Systems Auditors (CISA) ♦ Uses an integrated audit model which blends IT and operational audits, resulting in seamless reviews of County processes ♦ Effectively co-sources with audit consulting leaders for specialized IT expertise ♦ Incorporates IT control standards and best practices into our audit programs Services We Provide Continuous Auditing National Association of Counties Achievement Award (2006) Regularly monitor certain County transactions associated with high-risk areas, such as procurement (credit) card payments, internet usage, and vendor payments. Using powerful auditing software tools, we are able to rapidly analyze 100% of large data transaction files. IT General Controls (ITGC) Conduct reviews of general IT environments, including computer operations, back-up and recovery, disaster recover planning, physical security, access to programs and data, program development, and program changes. Applications Controls Perform audits of transaction processing controls; these are audits of controls specific to the software application under review. Network Security Assessments Assess network security controls, including technology and management processes, to identify vulnerabilities to intentional attacks, unintentional mistakes from trusted insiders, and undue exposure of data assets. System Development Assessments Perform systems development reviews of new or enhanced systems, which consider IT governance, project management, design, testing, conversion, training, and project implementation controls. IT Governance Assess County efforts to employ IT governance, making recommendations for improvement. We also participate in an advisory role on two of the four County IT Governance committees. 17 Presentations / Speaking Engagements Countywide Audits Countywide audits allow for broader coverage with fewer resources. Countywide audits focus on selected areas (contracts, network security, etc.) or transactions (cash handling, p-card, expenditures, travel, etc.) that cross agency boundaries. In FY09, 68% of audit hours were spent on Countywide audits. Countywide audits provide greater coverage and permit us to review more agencies. We performed 14 Countywide engagements encompassing 52 agencies. FY09 Countywide Audit Coverage ‐ 52 Agencies Internet Usage 42 Agencies Fleet 41 Agencies Procurement Cards 22 Agencies Data Centers/Disaster Recovery 18 Agencies/27 Sites Travel Expenditures 17 Agencies IT Network Review 15 Agencies Licenses, Fees, and Permits 13 Agencies Surprise Cash Counts 10 Agencies Contracts 8 Agencies Performance Measure Certification 6 Agencies IT Governance (Countywide IT ) 1 Agency Justice Courts 8 Justice Courts Financial Condition 15 Financial Areas Single Audit 10 Agencies with Grants & 38 Subrecipient Orgs Being Green To support Maricopa County’s efforts in its Green Government program, we participate in the following “green” activities: Green Commuting Options Nearly everyone in our department uses an alternative commuting option on a regular basis. Based on an average car that gets 21 miles to the gallon, we prevent over 106,000 pounds of pollution from entering the atmosphere each year! Commuting Option Participation Rate Miles Saved Bus 38% 66,040 Compressed Schedule 76% 13,546 Telecommute 48% 7,431 Carpool 19% 12,142 Total 95% 99,159 Office Recycling In July 2007, in addition to the paper items accepted as part of the County’s recycling program, our office expanded our recycling program to include all items accepted by the City of Phoenix, such as aluminum cans and foil, plastic bottles and containers, and cardboard. Water Club In May 2008, we switched from a water cooler to a PUR water filter. This has saved water club members money, helped save electricity, and eliminated plastic bottles. Other “Green” Activities • Turn lights off in unused office areas and turn equipment off at night • Conduct meetings with computer/projector (paperless) when possible • Perform audit activities electronically when possible 18 Speaking Engagements Associate Auditor Ryan Bodnar presented the Internal Control videos that won the “Best of Category” Achievement Award at the National Association of Counties (NACo) annual conference in Nashville, Tennessee. Internal Control Videos Internal Audit developed the Internal Control Video Program to provide inexpensive and entertaining films to increase awareness of common ethical and internal controls issues. Ethics This video highlights common ethical dilemmas, including the right and wrong ways to handle them Cash Handling Basic IT Controls Contract Compliance This video highlights common cash control weaknesses and how to fix them This video outlines basic Information Technology controls that every employee should know and practice This video outlines the proper way to handle contract purchases “The 'Controls videos' were published today on County of Kern Compliance website. We also placed a link to your web page and provided acknowledgment of your team's great, award winning, work!!” “You guys always have tons of information and I love the videos!” “Great job, nicely done, very helpful.” “You guys rock! Can I use these for my internal training? I think you’ve all missed your calling in life—head to Hollywood! Thanks for sharing.” “I was very impressed with the videos!!” “IA gets a gold star for some of those hilarious videos, especially the Ethics.” “I like your videos. Would you mind if I used them as training resources for our staff here? We are a government agency that provides housing and related services for people in need in NSW, Australia.” 19 30th Anniversary (08/08/78—08/08/08) Internal Audit celebrated its 30-Year Anniversary on August 8, 2008 by inviting the Board of Supervisors, the Citizen’s Audit Advisory Committee, and County administration to join in the celebration. “Congratulations to Internal Audit for 30 years of great service to Maricopa County employees and citizens. Through the years, Internal Audit has proven to be one of the "best friends" Maricopa County Government and citizens could have. It definitely has THE BEST employees for which we can all be grateful. May the next 30 be even more significant in terms of proving good County Government standards are upheld Countywide.” - Comment received from County department Community Involvement Combined Charitable Campaign (CCC) Every year, Maricopa County works with departments to encourage charitable giving. During the year, Internal Audit handled CCC finances and was an integral part of the Executive Team. Chili Cook-Off Three participants competed in a chili cook-off, with Lisa Scott taking first place. Staff members donated money to taste and vote for their favorite. Our office had 100% participation! Between the paycheck deductions and office events, we raised a total of $8,303 this year. That’s an average of nearly $400 per person! Wii Bowling Tournament We hosted the second annual Wii Bowling tournament. Participants competed head-to-head, with Wendy Thiele being the ultimate winner. Halloween Carnival On Halloween, we hosted a $5 all-you-can eat nacho bar, pumpkin carving contest, and Halloween carnival. Staff donated to participate and vote in the pumpkin carving contest. Kimmie Wong was the winner. 20 Appendix A: Staff Biographies Internal Audit employed the following individuals during FY09: Ross L. Tate, County Auditor Mr. Tate is a Certified Internal Auditor, Certified Management Accountant, and Certified Government Financial Manager. He has a bachelor’s degree from Brigham Young University in business operations & systems analysis, with 22 years of professional internal auditing experience. Mr. Tate joined the Maricopa County Internal Audit Department in 1989 and has been County Auditor since 1994. He serves as an executive officer for the Association of Local Government Auditors, an international audit organization. Mr. Tate previously served as President of the Arizona Local Government Auditor’s Association, and is a member of the Association of Government Accountants, the Institute of Management Accountants, the Institute of Internal Auditors, and Toastmasters International. D. Eve Murillo, Deputy County Auditor Ms. Murillo is a Certified Public Accountant, Certified Fraud Examiner, Certified Law Enforcement Auditor, and has certification in ITIL v3 Foundation/ IT Service Management. She has a bachelor's degree in liberal arts from the University of Illinois, and a master’s degree in business administration from the Florida Institute of Technology. Ms. Murillo has 19 years of accounting and internal auditing experience. She is a member of the Association of Certified Fraud Examiners, the Institute of Internal Auditors, and a committee co-chair for the Information Systems Audit and Control Association. Richard L. Chard, Deputy County Auditor Mr. Chard is a Certified Public Accountant and Certified Law Enforcement Auditor. He graduated from the University of Redlands with a liberal arts degree in history, sociology, and political science. He continued his education with postgraduate work in accounting and public administration. Before joining Internal Audit twelve years ago, he worked six years in Maricopa County's Finance and Health Systems Finance departments. Mr. Chard is active in Toastmasters International. Patra E. Carroll, Audit Supervisor Ms. Carroll is a Certified Public Accountant, Certified Internal Auditor, and Certified Law Enforcement Auditor with over 16 years of financial, compliance, and tax auditing experience within the public sector. She also has certification in ITIL v3 Foundation/IT Service Management. She has a bachelor's degree in accounting and postgraduate work in public administration from Arizona State University. Ms. Carroll is a member of the Institute of Internal Auditors, Arizona Society of Certified Public Accountants, and the Association of Local Government Auditors, where she has been an Advocacy Committee member for the past four years. 21 Carla Harris, Audit Supervisor Ms. Harris is a Certified Public Accountant, Certified Internal Auditor, and Certified Fraud Examiner. She has a bachelor’s degree in business administration from the University of Phoenix, with over 17 years of professional experience in internal auditing and accounting. She is a board member and training director for the Arizona Chapter of the Association of Certified Fraud Examiners, and a member of the National Chapter of the Association of Certified Fraud Examiners, the Institute of Internal Auditors, and the Association of Government Accountants. Christina Black, Audit Supervisor Ms. Black is a Certified Government Auditing Professional and Certified Law Enforcement Auditor with over 13 years of professional internal audit experience and 10 years of accounting and revenue auditing experience. She has a bachelor's degree in accounting from Missouri Western State College. Ms. Black is a member of the Arizona Chapter of the Association of Certified Fraud Examiners, Association of Local Government Auditors, and the Institute of Internal Auditors—Phoenix Chapter, where she serves as chair on the Meeting Administration Committee. Stella J. Fusaro, Audit Supervisor Ms. Fusaro is a Certified Internal Auditor, Certified Government Auditing Professional, and Certified Law Enforcement Auditor with over 18 years of auditing experience. She has a bachelor’s degree in business administration with an accounting concentration from California State University, Fullerton, with post graduate work through Northern Arizona University. Ms. Fusaro is a member of the Institute of Internal Auditors, the Association of Certified Fraud Examiners, the Association of Local Government Auditors, and Toastmasters International. Toni Sage, Information Technology Audit Supervisor Ms. Sage has a bachelor's degree in psychology from Brooklyn College, at City University of New York, a master’s degree in business administration from Fairleigh Dickinson University, and postgraduate work in public administration at Arizona State University. Before joining Maricopa County Internal Audit in 2005, Ms. Sage served as consultant for the development of the Maricopa County Citizens’ Report and had 13 years of experience as an information technology manager for a Fortune 500 company. She is a member of the Association of Local Government Auditors, the Institute of Internal Auditors, and Information Systems Audit and Control Association, serving as co-chair of the Academic Relations Committee. Ms. Sage also volunteers as a director for The Foundation for Public Education, serving as chairperson. 22 Susan Adams, Senior Information Technology Auditor Ms. Adams is a Certified Information Systems Auditor, Certified Law Enforcement Auditor, and has certification in ITIL v3 Foundation/IT Service Management. She has a bachelor's degree in accounting from Utah State University and a master’s of business administration from the University of Utah. She has 16 years of professional experience in accounting and audit, with 10 years as an information systems auditor. Ms. Adams formerly served as vice president of the Information Systems Audit and Control Association's Phoenix Chapter, and is a current member. She is also a member of the Association of Local Government Auditors and the Institute of Internal Auditors. Nic Harrison, Senior Information Technology Auditor Mr. Harrison is a Certified Information Systems Auditor and Certified Law Enforcement Auditor. He has a bachelor’s degree in business administration from the Eller College of Management at the University of Arizona, with majors in management information systems and operations management. He is currently working toward a master of business administration, with an emphasis in information systems. He has four years of experience with military IT systems compliance and three years of audit experience. Mr. Harrison is a member of the Institute of Internal Auditors and the Information Systems Audit and Control Association, where he serves as a volunteer on the Academic Relations Committee. Kimmie Wong, Senior Auditor Ms. Wong is a Certified Law Enforcement Auditor. She has a bachelor's degree in business administrative services from Arizona State University and a master’s degree in public administration from Western International University. She has 12 years of business experience and 13 years of professional internal auditing experience. Ms. Wong is a member of the Association of Local Government Auditors, Arizona Chapter of the Association of Certified Fraud Examiners, and the Institute of Internal Auditors. Paul Joseph Carolan, Jr., Senior Auditor Mr. Carolan is a Certified Public Accountant and a Certified Fraud Examiner. He graduated from the University of Arizona with a bachelor’s in business administration and from Arizona State University with a bachelor’s in accountancy. Mr. Carolan has 21 years experience in governmental auditing and accounting with the State of Arizona and ten years in the private sector as an accountant. Mr. Carolan is a member of the Association of Certified Fraud Examiners, Association of Government Accountants, American Institute of Certified Public Accountants, and Arizona Society of Certified Public Accountants. 23 Ronda Jamieson, Associate Auditor Ms. Jamieson is a Certified Public Accountant and Certified Law Enforcement Auditor, with eight years of governmental auditing and accounting experience. She has a bachelor’s degree in accounting from Rocky Mountain College, Montana, and is a member of the Institute of Internal Auditors, Association of Certified Fraud Examiners, and the International Law Enforcement Auditors Association. Lisa Scott, Associate Information Technology Auditor Ms. Scott is a Certified Information Systems Auditor, Certified ACL Data Analyst, and Certified Law Enforcement Auditor. She has a bachelor’s degree in computer science from Jacksonville State University and a post-baccalaureate certificate in accountancy from Arizona State University. She has extensive professional accounting experience and a strong interest in accounting systems. Ms. Scott is a member of the Association of Local Government Auditors, Institute of Internal Auditors, Association of Certified Fraud Examiners, Information Systems Audit and Control Association, and International Law Enforcement Auditors’ Association. Trisa Cole, Associate Auditor Ms. Cole is a Certified Fraud Examiner. She has five years of government auditing experience and graduated from Arizona State University West/Barrett Honors College with a bachelor’s degree in global business/finance and a post-baccalaureate certificate in accountancy. She is a member of the Arizona Chapter of the Association of Certified Fraud Examiners, Information Systems Audit & Control Association, and the Institute of Internal Auditors. Scott Jarrett, Associate Auditor Mr. Jarrett is a Certified Law Enforcement Auditor. He graduated from Arizona State University West with a bachelor’s degree in accountancy. He served four years in the United States Coast Guard and has three years professional auditing experience. Mr. Jarrett is a member of the Institute of Internal Auditors and participates on the Academic Relations Committee for the Information Systems Audit Control Association. Derek A. Barber, Associate Auditor Mr. Barber is a Certified Law Enforcement Auditor. He has been with the Internal Audit Department for three years. He joined the department with a bachelor's degree in accounting from the University of Phoenix. He has over two years of experience in educational finance, bookkeeping, and transaction auditing. Mr. Barber served in the United States Navy as a Military Police Officer in Sicily, Italy. He is scheduled to complete a master’s degree program through Grand Canyon University in the spring of 2010, and is pursuing the Certified Internal Auditor certification concurrently. 24 Ryan M. Bodnar, Associate Auditor Mr. Bodnar has a bachelor’s of science degree in accountancy from Arizona State University. He is a member of the Institute of Internal Auditors, the Association of Local Government Auditors, and the Arizona Chapter of the Association of Certified Fraud Examiners, where he is the Chapter’s webmaster. He is currently pursuing his Certified Internal Auditor designation. Mr. Bodnar joined the Maricopa County Internal Audit Department in 2006 after six years in retail management. Jenny M. Eng, Staff Auditor Ms. Eng started as an Internal Audit intern in May of 2007 and became a staff auditor in October of 2007. She has a bachelor’s degree in accountancy and computer information systems from the W.P Carey School of Business at Arizona State University. Ms. Eng is a member of the Institute of Internal Auditors and the Arizona Chapter of the Association of Certified Fraud Examiners. She is currently working toward the Certified Internal Auditor certification. Jannah Oglesbee, Staff Auditor Ms. Oglesbee joined Internal Audit in July 2008. She is a Certified Internal Auditor, Certified Law Enforcement Auditor, has a bachelor of business administration degree in marketing, and is currently working toward a master of business administration degree with an emphasis in accounting. She has over four years experience in examining and auditing financial institutions and served in the United States Army for over seven years. Ms. Oglesbee is a member of the Institute of Internal Auditors and the Arizona Chapter of the Association of Certified Fraud Examiners. Wendy Thiele, Administrative Operations Specialist Ms. Thiele joined Internal Audit in December 2006. Prior to relocating to Phoenix, she performed medical chart audits for a major healthcare system in Milwaukee, WI. She has 12 years experience in internal auditing. She also has experience in human resources and home health care within a hospital setting. Ms. Thiele is a member of the Arizona Chapter of the Association of Certified Fraud Examiners. 25 Appendix B: Professional Development Internal Audit staff members have extensive knowledge of auditing methods and techniques, and specialized training in information systems and accounting. Many hold advanced professional certifications and graduate degrees, as shown on the right. The total number of professional certifications held by our staff increased 69%, from 26 in FY08 to 44 in FY09. Certifications and Graduate Degrees Held by Maricopa County Internal Audit Staff Number Held Certified Law Enforcement Auditor (CLEA) Certified Public Accountant (CPA) Certified Internal Auditor (CIA) Certified Fraud Examiner (CFE) Master of Business Administration Degree Certified Information Systems Auditor (CISA) IT Service Management (ITIL) Master of Public Administration Degree (MPA) Certified Government Auditing Professional Certified ACL Data Analyst (ACDA) Certified Government Financial Manager Certified Management Accountant (CMA) 13 6 5 4 3 3 3 2 2 1 1 1 Total: 44 Congratulations on Your Certification Achievements! IT Service Management (ITIL) Eve Murillo, Susan Adams, Patra Carroll Certified Law Enforcement Auditor (CLEA) Certified ACL Data Analyst Eve Murillo, Ronda Jamieson, Derek Barber, Jannah Oglesbee, Scott Jarrett, Christina Black, Kimmie Wong, Susan Adams, Stella Fusaro, Nic Harrison, Richard Chard, Patra Carroll, Lisa Scott Lisa Scott CIA Exam Review Sessions Internal Audit staff strive to continually improve their knowledge and skills. In FY09, five staff members formed a self-study group to prepare for the four-part Certified Internal Auditor (CIA) exam. The CIA is the internal audit profession’s premiere designation to demonstrate professional competency. Congratulations on Passing Parts of the CIA Exam! Ryan Bodnar, Derek Barber, Jenny Eng, Scott Jarrett, Ronda Jamieson 26 Internal Audit staff members actively participate in a variety of audit-related professional and service organizations. Many serve as committee chairs and governing board members. Professional & Service Organizations American Institute of Certified Public Accountants (AICPA) Arizona Society of Certified Public Accountants (ASCPA) Association of Certified Fraud Examiners (ACFE—National and Arizona Chapter) Association of Government Accountants (AGA) Association of Local Government Auditors (ALGA) Maricopa County Combined Charitable Campaign Habitat for Humanity Valley of the Sun Chapter Information Systems Audit and Control Association (ISACA) Institute of Internal Auditors (IIA - National and Phoenix Chapter) Institute of Management Accountants (IMA) International Law Enforcement Auditors Association (ILEAA) Maricopa County Blood Drive National Center for Civic Innovation The Foundation for Public Education Toastmasters International Positions Held Leadership Roles in Professional & Service Organizations Association of Certified Fraud Examiners (ACFE): AZ Chapter—Board of Directors AZ Chapter—Training Director AZ Chapter—Elections Committee AZ Chapter—Newsletter Committee AZ Chapter—Webmaster Association of Local Government Auditors (ALGA): International—Board of Directors International—Secretary International—Advocacy Committee Information Systems Audit and Control Association (ISACA) Phoenix Chapter—Co-Chair, Academic Affairs Committee Phoenix Chapter—Academic Affairs Committee Institute of Internal Auditors (IIA): 1 1 1 1 1 1 1 1 2 5 Phoenix Chapter—Meeting Administration Committee Chair 1 Other Organizations Toastmasters—District Treasurer Other Officers/Committee Members 1 5 Total: 27 22 Appendix C: Project Summaries Report Title ♦ Page Report Title Clerk of the Superior Court MAS ..... 29 ♦ Compliance with Federal Immigration Laws ................................................ 29 ♦ Continuous Auditing - Internet ......... 29 ♦ Countywide Contracts Cable Franchise Fees ................ 30 ♦ IT Network Review........................... 33 ♦ Justice Courts Accounting Review... 33 ♦ Licenses, Fees, & Permits ............... 34 ♦ Performance Measure Certification ...................................... 34 ♦ Probation Service Fees Surcharge Review ........................... 34 ♦ Public Fiduciary ............................... 35 ♦ Sheriff’s Office - Detention ............... 35 ♦ Surprise Cash Counts...................... 35 Inmate Canteen Foods ............... 30 Outside Audit, Accounting and Consulting Services .................... 30 Preconstruction Contracts .......... 30 Software Purchasing .................. 30 Temporary Medical Personnel.... 30 ♦ Countywide Fleet ............................. 31 ♦ Countywide P-Cards ........................ 31 ♦ Countywide Travel ........................... 31 ♦ Data Centers & Disaster Recovery .. 32 ♦ Employee Health Initiatives ............. 32 ♦ Financial Condition (FY08) .............. 32 ♦ IT Governance ................................. 33 28 Page Clerk of the Superior Court MAS ~ July 2009 The Clerk of the Superior Court (COSC) performs cash collections and disbursements at various locations throughout Maricopa County. Our audit work was performed at the following COSC divisions: General Accounting & Collections, Civil Court, Family Court, and Juvenile Court. Significant Issues ♦ Bank reconciliations were not prepared for an escrow account with a $10 million balance ♦ COSC’s list of bank accounts was not complete ♦ Access to check requisition forms were not properly restricted ♦ Check requisition forms were not sequentially pre-numbered or reconciled to checks issued ♦ Voided receipts and manual receipts did not always contain evidence of a secondary review Compliance with Federal Immigration Laws ~ July 2009 Recent Arizona legislation requires all local governments to ensure that government contractors and subcontractors comply with federal immigration laws and regulations. The legislation requires agencies to establish procedures to verify employment eligibility. Significant Issue We recommended that County management establish policies and procedures to address the requirements of state laws (A.R.S. § 23-214 and § 41-4401) governing employment eligibility of County contractors and subcontractors. Continuous Auditing - Internet Usage Monitoring ~ July 2009 The County may be at risk for inappropriate or excessive employee Internet usage. National surveys show that, on average, employees access the Internet one-to-two hours a day for personal use (e.g., games, instant messaging, shopping, and banking). Salary.com states that, “While wasted time (using the Internet) has steadily declined, companies are still paying billions in salaries for which no direct benefit is received.” Experts say networks can be exposed to malicious attacks when employees inadvertently access rogue links through personal e-mail accounts. Significant Issues ♦ Management monitoring can determine if Internet abuse is occurring ♦ The County risks losing $3.4 million in productivity each year if employees spend five minutes of work time on personal Internet use daily ♦ The filtering technology currently used by the County limits but does not prevent access to inappropriate sites 29 Countywide Contracts ~ August 2009 Maricopa County spends millions on contract expenditures annually. As part of our efforts to contain costs in these difficult economic times, we examined selected contracts to identify potential overpayments and support collection efforts. Significant Issues We examined 6 contracts that included 11 vendors. We found most contracts either: (a) violated contract pricing terms, (b) lacked sufficient documentation, or (c) lacked sufficient County Vendors/Contracts Cable Franchise Fees (Cox Contract) Agencies Office of Enterprise Technology Cox underpaid the County $190,582 in franchise fees. Sheriff’s Office Some price discrepancies and product substitution occurred. All vendors had some invoices that lacked sufficient detail to verify accuracy of charges. Inmate Canteen Foods (Sheriff’s Contracts) Vendors: ♦ Food Express, USA ♦ Jenny Service Co. ♦ Keefe Supply Co. ♦ Kellogg Supply, Inc ♦ Vistar/Vend Source Outside Audit, Accounting and Consulting Services (Ralph Andersen & Associates Contract) We also identified purchases that were not on contract and violated procurement code. Health Care Mandates/ General Government Preconstruction Contracts (Downtown Court Tower) Vendors: ♦ Gilbane Construction ♦ Gould Evans Assoc Issues The County incurred $2,946 in per diem overcharges and permitted excessive lodging arrangements for one consultant. Gilbane overbilled the County $3,140. Public Works Gould Evans Associates invoiced in compliance with contract terms. Software Purchasing (ASAP Contract) Materials Management Temporary Medical Personnel (Broadlane Contract) Correctional Health Department of Finance Public Health Juvenile Probation 30 County overpayments of $96,863 were identified, including: ♦ $49,375 in pricing overcharges ♦ $47,488 in taxes for tax exempt services The amount paid by the County exceeded the contractual rate for 33% of invoices reviewed, resulting in overpayments of $23,622. Countywide Fleet ~ July 2009 The County’s fleet (Fleet) is comprised of any vehicle or piece of equipment that has a motor and requires an operator for use, or requires a State of Arizona license. Examples include cars, trucks, golf carts, ATVs, walk-in vans, graders, backhoes, water trucks, helicopters, and boats. These assets are generally mobile and represent a substantial financial investment. The County’s financial system valued total Fleet at $83.4 million as of June 30, 2008. The fleet management system reported 2,506 vehicles and equipment, which included 639 alternative fuel (dual and bio-diesel) vehicles, representing 25.5% of the Fleet. Significant Issues ♦ All Fleet assets were accounted for, but inconsistent procedures and incomplete Fleet listings remain a weakness ♦ Fleet purchases appear to be properly recorded ♦ Auction proceeds appear to be properly controlled, but procedures remain weak and inconsistent Countywide Procurement Cards (P-Cards) ~ June 2009 Due to the inherent risk of P-Card transactions, we monitors P-Card activity annually to deter abuse and increase management awareness. County P-Card expenditures averaged $26.9 million over the past four years. We reviewed 120 P-Card transactions from 22 agencies. Significant Issues Although no significant payment irregularities were found, 43% of the transactions reviewed contained exceptions to the County’s approved P-Card procedures, such as improper payment reconciliation or insufficient supporting documentation. These weaknesses could lead to undetected overcharges or other types of fraud, waste, and abuse. Countywide Travel ~ January 2009 The County spent approximately $8.8 million on travel and education in FY08. Our focus was to ensure proper use of County funds and promote compliance with the County’s travel policy. We accomplished this by selecting and reviewing a variety of FY08 travel transactions from various agencies and reviewing the results with agency staff. Significant Issues Of the 61 travel transactions reviewed from 17 County agencies, 44% included a variety of exceptions, most related to missing documents or approval signatures. 31 Data Centers & Disaster Recovery ~ March 2009 Data centers house the vital computer equipment that contains mission-critical information systems and data essential to County operations. End-users, such as accounting clerks who process citizen transactions, view data centers as operating in the background. However, when data center services become unavailable, significant and costly problems can occur. We visited 27 data center sites and reviewed 82 important control points at each site. We found that several locations had already implemented some best practice controls, and others proactively implemented best practice solutions based on our recommendations before the audit closed. Several other locations have solutions in progress. Significant Issue Conditions could improve with policies and standards. Employee Health Initiatives ~ June 2009 As of FY08, the County began self-insuring medical and most other healthcare-related benefits. In FY08, the County expended $123 million for employee benefits. Employee Health Initiatives (EHI) procures and manages the County’s health benefit plans. EHI oversees the setting of premium rates to meet current and future health care liabilities by: 1) Creating the County’s Benefit Plan 2) Ensuring adequate funding levels within the Employee Benefit Trust 3) Monitoring claims processing services administered by outsourced vendors Significant Issues ♦ EHI has adequate processes to establish premium rates and self-insured trust fund reserve levels ♦ EHI could reduce benefit costs by verifying dependent eligibility at open enrollment and during new employee hiring ♦ EHI should continue to periodically review stop-loss coverage for catastrophic medical claims to identify savings Financial Condition (FY08) ~ July 2009 This annual report assesses the County’s financial condition. It uses graphics for a highly visual, user-friendly report. Using Comprehensive Annual Financial Reports as a primary source, we analyzed unreserved fund balance, liquidity, revenues, long term debt, employee retirement plans, and the County Treasurer investment portfolio. We presented key financial indicators in primarily five or ten year historical trends. This report analyzes key financial indicators for the governmental funds, with a special focus on the general fund. We included national and local benchmark analyses. Significant Issues For FY08, we again highlighted the financial strength of the County’s general fund within the context of population growth that led the nation. The nation and local economies are encountering severe financial challenges. The County, because of conservative fiscal policies, has been able to ensure expenditures did not exceed revenues. The general fund unreserved fund balance continued to grow, and long-term debt levels decreased. Key financial indicators compared very favorably to national and local benchmarks. 32 IT Governance ~ June 2009 IT governance is how management formally decides to employ Information Technology (IT) in supervising, monitoring, and directing their organization. Effective governance requires that the chief information officer collaborate with the entity’s executive business leaders to ensure that IT performance creates real value, IT-related risks are managed, and resources are optimized. Effective IT governance can save millions of dollars and ensure that IT solutions successfully meet critical business needs and customer services. Ineffective IT governance can result in costly failed IT projects and poor IT investments. Significant Issue The County’s current IT governance is weak, with outdated and incomplete IT governance policies. In order to strengthen the County’s IT governance, the Office of Enterprise Technology has proposed a new County IT governance model. IT Network Review ~ July 2009 Countywide web application security audits provide an enterprise-wide view of threats facing County web applications and help strengthen the entire County network. A 2008 IT security study found that web application vulnerabilities accounted for 80% of all reported security vulnerabilities. We performed vulnerability testing on 71 County web applications that were accessible from the Internet. Significant Issues ♦ Web application vulnerabilities were identified Countywide and individual recommendations were made to the audited agencies ♦ Several vulnerabilities were classified as either high or medium risk Justice Courts Accounting Review ~ March 2009 The Maricopa County justice court system includes 23 courts at 11 locations. The justice courts handle criminal traffic, misdemeanor, and a variety of civil cases less than $10,000. We performed the procedures outlined in the Minimum Accounting Standards (MAS) Compliance Checklist for Arizona Courts at eight justice courts. The MAS review is an agreed-upon procedures engagement. The Administrative Office of the Arizona Supreme Court sets forth standard audit procedures to be conducted by an independent accountant every three years. The purpose of the engagement is to ensure that Maricopa County courts maintain effective internal control procedures over financial accounting and reporting systems. Significant Issues Of the reported exceptions: ♦ 46% were related to segregation of duties ♦ 21% were related to the reconciliation of financial records ♦ 17% were related to cash handling 33 Licenses, Fees, & Permits ~ August 2009 User financing can be a fair and effective way to fund a variety of County programs. With user financing, all or part of the costs associated with providing certain goods and services are paid by the beneficiaries who receive the services. User financing can be achieved through user fees, charges for services, or targeted excise taxes. Through user financing, the County can reduce the burden on taxpayers and promote greater economic efficiency and equity. To be effective, however, fees must be substantively reviewed regularly and reliable information on the full cost of providing the goods or services must be available. Ineffective fee reviews could cost the County millions in lost revenues. Significant Issues ♦ A Countywide user fee study has not been conducted since 1995 ♦ Agency user fee reviews are generally not timely or effective Performance Measure Certification ~ July 2009 The Board adopted a performance measurement initiative called Managing for Results (MfR) in FY01. Each year, we review agency-reported performance measures to ensure reported results are accurate and reliable. This year, we examined 50 performance measures from six County agencies. Significant Issues ♦ Only 17 (34%) of the 50 measures reviewed were certified ♦ Accuracy of measures has declined significantly since FY07 The main reason that some measures could not be certified was a lack of supporting data. Probation Service Fees Surcharge Review ~ September 2009 In July 2008, the Probation Service Fee (PSF) surcharge assessed by justice and municipal courts was raised from $10 to $20. In February 2009, the Office of Management and Budget (OMB) requested that we audit PSF surcharges deposited into the Adult Probation Fees Fund (201) and the Juvenile Probation Special Fee Fund (228), to determine if the surcharges were properly collected and deposited into the special revenue funds. The scope of this audit was limited to justice and municipal courts. Significant Issue After an initial lag, fee deposits increased in a pattern consistent with the fee increase. OMB and other interested parties may find it useful to arrange follow-up reviews for courts that do not appear to fall within expected deposit patterns. 34 Public Fiduciary ~ April 2009 The Office of the Maricopa County Public Fiduciary’s (MCPF) mission is to provide guardianship, conservatorship, decedent services, and court-ordered investigations for vulnerable persons so their estates and well-being are protected. Statutory requirements and MCPF policies and procedures help ensure that client assets are adequately safeguarded. Significant Issues ♦ Internal policies and procedures are not always clear and are not consistently followed ♦ Account management procedures are not always adequate to prevent or detect theft or misuse of client funds ♦ Quarterly visits were not always conducted Sheriff’s Office - Custody Command Division ~ August 2009 The Maricopa County Sheriff’s Office (MCSO) is the agency established to assist the Sheriff in executing his statutory duties and to provide public safety services to County citizens. Under A.R.S. § 11-441 through 459 and § 31-121, MCSO is responsible for County jails and detention operations. The Custody Command Division within MCSO is primarily responsible for the care, custody, and control of jail inmates. The average number of inmates housed in County jails during FY08 was 9,250. Significant Issues ♦ Expenditures from the Inmate Services Fund and Jail Enhancement Fund need greater oversight ♦ Based on a sample of transactions, inmate court information appears to be accurately processed ♦ Based on a sample of transactions, Inmate Trust Fund account activity appears to be accurate Surprise Cash Counts ~ October 2008 Cash counts deter theft and promote good cash-handling practices. Cash is particularly susceptible to theft or loss. We counted 10 petty cash and change funds totaling $4,750 from 10 County departments. Our review found no significant variances or issues with our cash counts. Significant Issues We identified various policy noncompliance issues, including lack of required reconciliations, unsecured funds, an immaterial overage, and other cash control weaknesses among 7 of the 10 departments. 35 Appendix D: Other Projects Audit Follow Up The goal of the Internal Audit process is to increase the overall effectiveness of County operations and procedures. Audit recommendations for improvements become meaningful only when needed changes are recognized and implemented by clients. Following up on audit recommendations is an integral part of the audit process. On a regular basis, Internal Audit sends a Status Report Request to clients with open audit recommendations. This process may also include site visits, interviews, phone calls, or a review of additional documentation. When all recommendations for an audit have been implemented, a closing memo is sent to the client. Risk Assessment / Audit Planning Effective internal auditing is based on systematically reviewing an organization’s operations at intervals commensurate with associated risks. The annual risk-assessment process produces an audit plan that maximizes audit coverage and minimizes risk. Auditing every County activity on a regular basis would not be cost efficient; therefore, Internal Audit uses an annual risk assessment, along with professional judgment, to ensure resources are focused on high-risk areas. Single Audit Review We conduct annual compliance reviews for federal grant funds distributed through Maricopa County to various subrecipients. We reviewed the audited financial and grant compliance reports (Single Audit reports) of 45 federal grant subrecipients to determine compliance with the Federal Single Audit Act. In 1984, the United States Congress passed the Single Audit Act to consolidate a fragmented and inefficient approach to auditing federal grants. The Federal Office of Management and Budget issued Circular A-133, Audits of States, Local Governments, and Non-Profit Organizations, to implement the Single Audit Act. Currently, non-federal entities that expend $500,000 or more in federal assistance in a fiscal year are required to undergo a comprehensive financial and compliance audit each year (Single Audit). We found that 26 of 45 audit reports contained 259 findings, with 112 material weaknesses, related to federal grant compliance or internal controls. The findings reported by the independent auditors do not appear to impact funds passed through by the County. Video Online Reporting Tool (VORT) The Video Online Reporting Tool (VORT) is a brief summary video report that covers recent audits. It summarizes the audit area, scope of work performed, and the result of the findings and recommendations of the audit project. Currently, we have the following VORTs available: (1) Data Centers & Disaster Recovery; (2) IT Governance; (3) Licenses, Fees, & Permits; and (4) Public Fiduciary. 36 Appendix E: Audit Impact Some audits have an immediate impact while others yield organizational benefits over time. Some recommendations have a measurable financial impact (e.g., increased revenues, cost recoveries, etc.) while others add value over time (e.g., operational efficiencies, improved controls, decreased risk of fraud, waste and abuse, etc). The four audits below illustrate this. FY09 - Licenses, Fees, and Permits We found that agency user fee reviews are not timely or effective, Countywide user fee studies are infrequent, and the gap between fee revenues and expenditures has increased significantly in the past 10 years. At the direction of the County Manager, the Department of Finance assembled a team to address our findings, and an outside consultant was hired to assist in implementing our recommendations. We estimate that fee revenues could increase by more than $1 million annually as a result. FY08 - Environmental Services We found that the Arizona Legislature had not approved Environmental Services’ 2003 application for a National Pollutant Discharge Elimination System (NPDES) permit, which is required by the Clean Water Act. The lack of a permit exposed the County to legal liabilities and fines up to $25,000 per day, per violation. Following the audit, Environmental Services received support from County management for the required legislation, which was cosponsored by five other Arizona counties. The Board directed County management to implement the program by the general permit and begin collecting fees for plan reviews. FY07 - Materials Management We found that Countywide contract monitoring was inadequate given the hundreds of millions of dollars spent annually on contracts. We recommended that management evaluate the costbenefit of centralizing procurement and consider adopting centralized policies and standards. In FY09, the County Manager announced a newly consolidated Chief Procurement Officer position to oversee contracts and advise on contract specifications and processes that control excessive or unjustified payments. The announcement stated that, “The net result will be cost savings by helping departments and offices improve their contract administration….These function have been proposed by Internal Audit and also by a group of management….Even a small percent savings on a $600 million annual expenditure will be substantial dollar savings.” FY06 - Construction Contracts We found that the County was overcharged by over $57,000 under the Public Health/ Environmental Services facility construction contract. As a result, Facilities Management (FMD) requested that we perform construction contract audits annually at their expense. We also review FMD’s construction program and job order contracts. This year, we reviewed three preconstruction contracts for the Downtown Court Tower and identified control weaknesses and overbillings. We have been asked to review the Downtown Court Tower project’s expenditures and contracts annually until project completion. 37 Appendix F: Internal Audit Charter Purpose The Maricopa County Board of Supervisors (Board) hereby establishes the Maricopa County Internal Audit Department. The mission of the Internal Audit Department is to provide objective, accurate, and meaningful information about County operations so the Board and management can make informed decisions to better serve County citizens. Responsibility County management has primary responsibility for establishing and maintaining an effective system of internal controls. Internal Audit evaluates the adequacy of the internal control environment, the operating environment, related accounting, financial, and operational policies, and reports the results accordingly. Authority and Access Internal Audit is established by the powers granted to the Board in A.R.S. § 11-251. The Board is authorized to supervise the official conduct of all County officers, to see that such officers faithfully perform their duties, and present their books and accounts for inspection (A.R.S. § 11-251.1). The Board is also authorized to perform all other acts and things necessary to fully discharge its duties (A.R.S. § 11-251.30). Internal Audit will report directly to the Board, with an advisory reporting relationship to the Board-Appointed Citizen’s Audit Advisory Committee. In addition, the County Auditor will meet, as needed, with an oversight committee comprised of the County Administrative Officer and two Board members appointed by the Board Chairman. While conducting approved audit work, Internal Audit will have complete access (except where restricted by legal privilege) to all County property, records, information, and personnel. Premise and Objectives Internal Audit’s basic premise is that County resources are to be applied efficiently, economically, and effectively to achieve the purposes for which the resources were furnished. This premise is incorporated in the following four objectives: A. Compliance with Laws and Regulations Those entrusted with County resources are responsible for establishing and maintaining effective controls to ensure identification of and compliance with applicable laws and regulations. B. Effective Program Operations Those entrusted with County resources are responsible for establishing and maintaining effective controls to ensure that programs meet their goals and objectives. 38 C. Validity and Reliability of Data Those entrusted with County resources are responsible for establishing and maintaining effective controls to ensure that valid and reliable data are obtained, maintained, and fairly disclosed. D. Safeguarding of Resources Those entrusted with County resources are responsible for establishing and maintaining effective controls to ensure that resources are safeguarded against waste, loss, and misuse. Independence The Internal Audit Department will remain outside the control of management. Internal Audit employees will have no direct responsibility for, or authority over, any of the activities, functions, or tasks reviewed by the department. Accordingly, Internal Audit staff should not develop or write policies and procedures that they may later be called upon to evaluate. They may review draft materials developed by management for propriety and completeness. However, ownership of and responsibility for these materials will remain with management. Audit Standards and Ethics Internal Audit will adhere to applicable industry standards and codes of ethics issued by authoritative sources (such as those issued by the Institute of Internal Auditors and the U.S. General Accounting Office). Each member of the department is expected to consistently demonstrate high standards of conduct and ethics as well as appropriate judgment and discretion. Audit Planning The County Auditor will prepare an annual audit plan that will be reviewed by the Citizen’s Audit Advisory Committee and approved by the Board. Additions, deletions, or deferrals to the annual audit plan will also be approved by the Board. Follow-Up Internal Audit will follow up on the status of its report recommendations on a regular basis. Adopted by the Board of Supervisors—6/11/97 Last Amended—12/18/02 39 Appendix G: Audit Committee Charter The committee’s primary function is to assist the board of supervisors in fulfilling its oversight responsibilities. The committee accomplishes this function by reviewing the County’s financial information, the established systems of internal controls, and the audit process. In meeting its responsibilities, the committee shall perform the duties outlined below. 1. Provide an open avenue of communication between the county auditor, the auditor general, and the board of supervisors. 2. Review the committee's charter annually and seek board approval on any recommended changes. 3. Inquire of management, the county auditor, and the auditor general about significant risks or exposures and assess the steps management has taken to minimize such risks to the county. 4. Consider and review the audit scope and plan of the county auditor, and receive regular updates on the auditor general’s county audit activities. 5. Review with the county auditor and the auditor general the coordination of audit efforts to assure completeness of coverage, reduction of redundant efforts, and the effective use of all audit resources including external auditors and consulting activities. 6. Consider and review with the county auditor and the auditor general: 7. a. The adequacy of the county's internal controls including computerized information system controls and security. b. Any related significant findings and recommendations of the auditor general and the county auditor together with management's responses thereto. At the completion of the auditor general’s annual examination, the committee shall review the following: a. The county's annual financial statements and related footnotes. b. The auditor general's audit of the financial statements and report thereon. c. Any serious difficulties or other matters related to the conduct of the audit that need to be communicated to the committee. 40 8. Consider and review with management and the county auditor: a. b. c. d. e. f. Significant audit findings during the year and management's responses thereto. Any difficulties encountered during their audits, including any restrictions on the scope of their work or access to required information. Any changes required in the planned scope of their audit plan. The internal audit department's budget and staffing. The internal audit department's charter. The internal audit department's overall performance and its compliance with accepted standards for the professional practice of internal auditing. 9. Report committee actions to the board of supervisors with such recommendations as the committee may deem appropriate. 10. Prepare a letter for inclusion in the annual report that describes the committee's composition and responsibilities, and how they were discharged. 11. The committee shall meet at least four times per year or more frequently as circumstances require. The committee may ask members of management or others to attend the meetings and provide pertinent information as necessary. Committee meetings are subject to the Open Meeting Law (A.R.S. § 38-431). 12. The committee shall perform such other functions as assigned by the board of supervisors. Committee Composition and Terms The membership of the committee shall consist of five voting members and three non-voting members. The voting members shall be board of supervisor appointees from the public and shall serve two-year terms. The non-voting members shall be the county’s chief financial officer, the county attorney, the auditor general, or their designees. The chairman of the board of supervisors shall appoint a committee chairman from the voting members. The committee chairman shall serve a one-year term. Member Qualifications Committee members must have an understanding of financial reporting, accounting, or auditing. This understanding can be demonstrated through educational degrees (BS, MBA, PhD) and professional certifications (CPA, CMA, CIA), or through experience in managing an organization of more than 25 employees or $20M in revenues. Committee members should be familiar with local government operations and should have sufficient time to effectively perform the duties listed herein. Adopted by the Board of Supervisors—3/26/97 41 Appendix H: Audit Committee Biographies Ralph Lamoreaux, District I Ralph Lamoreaux, CPA, has a master of business administration degree from the University of Utah and a bachelor’s degree in accounting from Southern Utah University. He worked for the U.S. Government Accountability Office (GAO) for 33 years. Mr. Lamoreaux was involved in audits of many federal departments and agencies. He retired from GAO in July 2000. Jill Rissi, District II Jill Rissi, Ph.D., is a researcher and policy analyst with over 20 years of experience in health services research, program and policy analysis, auditing, budgeting and financial management, and clinical nursing. For the past nine years she has been employed by St. Luke’s Health Initiatives where she is the Associate Director for Research and Policy. A third-generation Arizonan, Dr. Rissi is a graduate of Arizona State University where she received baccalaureate degrees in psychology and nursing, and a doctorate in public administration focusing on deliberative democracy and public policy. Matthew E. Breecher, District III Matthew E. Breecher, CPA, CISA, is an accounting and information systems specialist, with over 15 years professional experience. He currently provides accounting, audit, and management advisory services to local Arizona governments. Mr. Breecher is the managing partner of Breecher & Company, PC, a Phoenix-based professional services firm. Ryan Brownsberger, Chairman, District IV Ryan Brownsberger, CPA, has an accounting degree from Iowa State University and a master of business administration degree from Arizona State University. He has twelve years of experience in auditing, accounting, budgeting, and business management. Mr. Brownsberger is a business manager for Mesquite Power LLC, a subsidiary of Sempra Energy. Richard Lozar, District V Richard Lozar has extensive experience in accounting and management. He worked as a controller and general manager in the hospitality industry, an accounting and financial consultant, a director of business affairs at a Native American college, and a chief financial officer for a custom furniture manufacturer. He was reappointed to the Audit Committee by Mary Rose Wilcox on September 19, 2008. Jay Zsorey, Financial Audit Director, Office of Auditor General Jay Zsorey, CPA, graduated from the University of Nevada and is the financial audit director of the Arizona Office of the Auditor General. During his career, Jay has managed the audits of many governmental entities in Arizona and was the audit manager for the annual financial statement and compliance audit of Maricopa County. He has extensive knowledge of government finance and governmental financial reporting requirements. Bruce White, Civil Division, County Attorney’s Office Bruce White has been an attorney with the Maricopa County Attorney’s Office since January 2001. Shelby Scharbach, County Chief Financial Officer Shelby Scharbach, CPA, CGFM, has a bachelor’s degree in accounting and a master of public administration degree. She joined the Maricopa County Department of Finance in 1993, has served as deputy director since 2000 and was appointed chief financial officer in 2009. She serves on the National Association of Counties (NACo) Financial Services Advisory Committee, Maricopa County Deferred Compensation Committee, and is president of the Maricopa County Public Finance Corporation. 42 Appendix I: Internal Audit Profile Definition Internal auditing is an independent, objective assurance and consulting activity that adds value and improves operations. Internal auditing helps an organization reach objectives by bringing a systematic, disciplined approach to improve the effectiveness of risk management, control, and governance processes. Our Value Statement Do the Right Things Right! Our Mission The mission of the Internal Audit Department is to provide assistance to the Board of Supervisors so they can ensure Maricopa County government is accountable to its citizens. Our Vision To promote positive change throughout County operations while ensuring that public resources are used effectively, efficiently, economically, and ethically. Our History The Board of Supervisors appointed the first County Auditor in 1978 and established an internal audit function. In 1994, the Board of Supervisors created a Citizen’s Audit Advisory Committee comprised of private citizens and County officials. (See Appendix G for charter.) In 1997, the Board of Supervisors formalized the County’s internal audit function by adopting a department charter, which was amended in December 2002. (See Appendix F for charter.) Citizen’s Audit Advisory Committee (Audit Committee) The Board Appointed Citizen’s Audit Advisory Committee supports further strengthening of the County’s Internal Audit Department. This committee, comprised of accounting and business professionals, actively engages in analyzing risk throughout the County and making recommendations. This committee is an important link between the Board of Supervisors and the County’s auditors, both internal and external. The Maricopa County Citizen’s Audit Advisory Committee meets regularly to review and comment on audit reports, County financial statements, and other audit information (audit plan, special requests, etc.). Organizational Independence Auditors should be removed from organizational and political pressures to ensure objectivity. As our charter designates, the Maricopa County Internal Audit Department reports directly to an elected Board of Supervisors, thereby establishing an effective level of independence from management. This structure provides the Board of Supervisors with a direct line of communication to Internal Audit and provides assurance that County officials cannot influence the nature or scope of audit work performed. 43 Government Auditing Standards support locating internal audit departments outside the management function in order to encourage independence. Routine meetings with an independent audit committee further enhance independence. The County Auditor also meets with an oversight committee comprised of the County Manager and two Board of Supervisor members, further enhancing our independence. Reporting Structure of the Internal Audit Department Board of Supervisors Audit Committee County Management Internal Audit Resources A fully staffed, professional Internal Audit Department provides value-added services to the County. Each year, Internal Audit analyzes and adapts its resources to meet upcoming County auditing and consulting needs. To provide flexibility and diversified strength, the audit staff has broad-range education and experience in various audit areas: accounting, finance, performance evaluation, information systems, and management services. Each audit is performed by a team that collectively possesses the necessary knowledge and skills to fit the assignment. Government operations are inherently complex; certain functions cannot be properly reviewed without specialized expertise. Hiring a wide variety of staff specialists, however, would not be cost effective. While we have invested in qualified internal staff, we have also reserved resources for specialized contractors; $196,081 was budgeted for this purpose in FY09. This partnership (called “co-sourcing”) provides the County with the collective expertise required by Government Auditing Standards at an affordable price. Risk Assessment Effective internal auditing is based on systematically reviewing an organization’s operations at intervals commensurate with associated risks. The annual risk review process produces an audit plan that maximizes audit coverage and minimizes risk. Auditing every County activity on a regular basis would not be cost efficient; professional judgment ensures resources are focused on high-risk areas. Professional Internal Audit Staff Our auditors have extensive knowledge of auditing methods and techniques plus specialized training in information technology and accounting. (Auditor biographies shown in previous section.) Each auditor is responsible for maintaining Government Auditing Standards requirements of 80 continuing education hours every two years; 24 of those hours must be directly related to government operations. 44 FY09 Internal Audit Department Organizational Chart Board of Supervisors Audit Committee Ross Tate County Auditor Eve Murillo Deputy County Auditor Richard Chard Deputy County Auditor Wendy Thiele Administrative Operations Specialist Patra Carroll Audit Supervisor Toni Sage IT Audit Supervisor Carla Harris Audit Supervisor Christina Black Audit Supervisor Susan Adams Senior IT Auditor Stella Fusaro Audit Supervisor Nic Harrison Senior IT Auditor Kimmie Wong Senior Auditor Lisa Scott Associate IT Auditor Ronda Jamieson Associate Auditor Paul Carolan Senior Auditor Trisa Cole Associate Auditor Scott Jarrett Associate Auditor Derek Barber Associate Auditor Jenny Eng Staff Auditor Ryan Bodnar Associate Auditor Jannah Oglesbee Staff Auditor Who Audits the Auditors? (Peer Review) An independent audit firm conducts a peer review of Internal Audit every three years, as required by national Government Auditing Standards. The Maricopa County Citizen’s Audit Advisory Committee oversees these reviews. The FY00, FY03, FY06, and FY09 reviews by a local CPA firm were positive and showed no findings. We are scheduled to have our next review in FY12. FY09 Peer Review Results This year’s FY09 peer review was performed by Clifton Gunderson LLP, for the period of January 1, 2006 through December 31, 2008. Maricopa County Internal Audit Department’s quality control system was found to be suitably designed and operating effectively to provide reasonable assurance of compliance with Government Auditing Standards. 45 Maricopa County Internal Audit 301 W. Jefferson, Suite 660 Phoenix, AZ 85003 ~ 2148 Telephone: 602 ~ 506 ~ 1585 Facsimile: 602 ~ 506 ~ 8957 E-mail: Thielew@mail.maricopa.gov Visit our website @ www.maricopa.gov/internal_audit Annual Report Project Members Richard Chard, CPA, CLEA, Deputy County Auditor Carla Harris, CPA, CIA, CFE, Audit Supervisor Jenny Eng, Staff Auditor 46