Montgomery County, Maryland · Montgomery County, Maryland ... TABLE OF CONTENTS Objectives ... The...

of 41 /41
MCIA-15-8 Montgomery County, Maryland Office of the County Executive Office of Internal Audit Follow-up Audit of the 2009 Treasury Risk Assessment March 2, 2015

Embed Size (px)

Transcript of Montgomery County, Maryland · Montgomery County, Maryland ... TABLE OF CONTENTS Objectives ... The...

  • MCIA-15-8

    Montgomery County, Maryland

    Office of the County Executive

    Office of Internal Audit

    Follow-up Audit of the 2009

    Treasury Risk Assessment

    March 2, 2015

  • MCIA-15-8

    HighlightsWhy MCIA Did this AuditThe accounting firm of SC&H,under a contract with the CountysOffice of Internal Audit (MCIA)performed a follow-up review ofan April 2009 risk assessment thatwas conducted by MCIA on theTreasury Division of theDepartment of Finance. The 2009risk assessment identifiedweaknesses within 17 processareas with high risk and oneprocess area with medium risk.Based on the proceduresperformed during the 2009 riskassessment, 18 recommendationswere provided to Finance toaddress these identified risks.The recommendations includedthe formalization of documentedpolicies and procedures, thecross-training of Treasuryemployees, the standardization offinancial reports, and theimplementation of internal controlswithin several key processes,

    What MCIARecommends

    MCIA is making 17recommendations to theDepartment of Finance tostrengthen its internal controls andimprove overall performance.Twelve recommendations addressrisk areas that were identified inthe 2009 risk assessment andhave not yet been fullyremediated. The remaining fiverecommendations addressadditional risks that were identifiedduring this follow-up engagement.Finance concurred with therecommendations and stated ithas since implemented or is in theprocess of implementing thecorrective actions.

    March 2015

    Treasury Risk Assessment Follow-Up Audit

    What MCIA FoundThe Treasury Division has remediated six of the risk areasthat were identified in the 2009 risk assessment through theimplementation of prior recommendations, or other revisionsto its processes and procedures. The risk areas that wereremediated include: Treasury Division Accounting Billing Treasury Information Systems E-PILOT Treasury Information Systems Spreadsheet Controls Cashiering Total Activity Collections Third Party Processor

    There are 12 risk areas that were identified in the 2009 riskassessment that have not been successfully remediated andcontinue to lack the proper controls to mitigate the previouslyidentified risks. These areas include: Policies and Procedures Key Personnel Treasury Division Key Personnel Program Manager II Property Tax Credits Transfer and Recordation Taxes Property Tax Refunds Treasury Information Systems Access Controls Cashiering Reconciliations Cashiering Parking, Speed, and Red Light Violations Call Center (i.e. Adjusting Penalties and Interest Charges) Undeliverable County Issued Checks Rejected Tax Payments from the Lockbox Processor

    Additionally, through the work performed, we noted fiveadditional risk areas that will require remediation in order tomitigate the associated risks. These risk areas include: Key Personnel Program Manager II Key Personnel Treasury Division (Training) Transfer and Recordation Tax Key Personnel Treasury Division (Staffing) Cashiering

  • MCIA-15-8

    TABLE OF CONTENTS

    Objectives ....................................................................................................................... 1

    Background..................................................................................................................... 1

    Scope and Methodology ................................................................................................. 3

    Observations and Recommendations ............................................................................. 8

    Comments and MCIA Evaluation .................................................................................. 28

    Appendix A Documentation Requested...................................................................... 29

    Appendix B Department of Finance Formal Comments.............................................. 30

  • 1MCIA-15-8

    ObjectivesThis report summarizes an audit performed by SC&H Group under contract with theMontgomery County Office of Internal Audit (MCIA) to review the Treasury Divisions currentprocesses to determine whether the risks identified in the prior risk assessment have beenremediated. The primary objective of this audit was to assess the adequacy of any correctiveactions that Treasury/Finance has taken in response to recommendations in the riskassessment report since its issuance on April 17, 2009. Additionally, the review includedreporting on any other control weaknesses observed during our follow-up engagement, and anysuggestions that we may have for additional audit work that should be performed at theTreasury Division.

    This internal audit report was performed in accordance with consulting standards established bythe American Institute of Certified Public Accountants (AICPA) and generally acceptedgovernment auditing standards (GAGAS) established by the Government Accountability Office,as appropriate. SC&H Groups proposed procedures were developed to meet the objectivesstated above, and were reviewed and approved in advance by MCIA. The interviews,documentation review, and field work were conducted from August 2014 to October 2014.

    BackgroundThe Treasury Division, within the Department of Finance, is responsible for the collection ofproperty (real and personal), excise, transfer, and recordation taxes. Additionally, the TreasuryDivision has a Cashiering function responsible for collecting payments received at theCashiering Office. The Treasury Division manages approximately 337,500 real and more than30,000 personal property tax accounts. According to the Summary of Changes in Net Positionin Montgomery Countys Fiscal Year 2013 Comprehensive Annual Financial Report (CAFR),revenue from property taxes constituted approximately 40 percent of the total revenue atapproximately $1.47 billion dollars, making it the largest source of revenue for the County.1

    The Treasury Division generates annual, quarterly, and monthly revised real property tax bills.The process for the annual and quarterly bill generation is similar, while the process for therevised bill generation is different. Before the next levy year, which begins July 1st, multipleCounty departments and external agencies, including but not limited to: the State Department ofAssessments and Taxation (SDAT), the Washington Suburban Sanitary Commission (WSSC),and the Division of Solid Waste Services, will enter applicable information (e.g. propertyassessments, special charges, etc.) into the Tax Assessment System (TAS), which is the intakesystem for all data files required to produce the property tax bills. The information will be sent tothe E-PILOT system, a web-based application that captures Payment In Lieu Of Tax (PILOT)2for assessment and calculation of appropriate taxes. The E-PILOT system will separate theproperty accounts into two groups: one group includes the majority of accounts in which theassessed property tax will be paid (non-PILOT accounts), and the other group consists of theaccounts in which the payments in lieu of tax have been negotiated (PILOT accounts).Currently, there are approximately 334,000 Non-PILOT accounts and 3,500 PILOT accounts.The file of Non-PILOT accounts is imported into MUNIS, the property tax billing system, first forprocessing. Once the Non-PILOT accounts are imported into MUNIS, the Biller (a Treasury

    1 Fiscal Year 2013 Montgomery County Comprehensive Annual Financial Report2 According to Montgomery County Code section 52-18M, when authorized by state law, the Director ofFinance may agree to accept a negotiated payment in lieu of the real property tax that would otherwise bylevied on a qualifying housing development.

  • 2MCIA-15-8

    representative who generates the tax bills) reviews and corrects any errors and runs a series ofreports. Prior to the generation of the tax bills, the Accounting Unit of the Treasury Division willrandomly select a sample of bills to ensure the information from TAS was processed correctly inMUNIS. Once the review has been completed, the Biller will generate the Non-PILOT tax bills.Subsequently, the Biller will complete the same process in MUNIS for the PILOT bills. Theannual tax bills are sent to all taxpayers in July and are also available online. The Countyresidents and businesses are able to pay their taxes due online, by mail, by telephone, or inperson. Accepted forms of payment include: cash, personal check, certified check, cashierscheck, money order, debit card, credit card, bank bill pay, or the Countys electronic check.

    Throughout the year, the various departments and external agencies will make adjustments tothe real property accounts in the TAS system. Such adjustments include tax credits, increasedassessments, abatements, or other changes which result in either a supplemental tax bill or arevised tax bill. Once a month, the TAS system will be temporarily closed from accepting newdata for the Treasury Division to begin the revised billing process. The data from TAS will flowthrough E-PILOT and MUNIS similarly to the annual and quarterly process; however, theAccounting Unit does not perform a review. Instead, the Biller will generate the SubsequentChange Report in MUNIS to review the changes for appropriateness. Afterwards, the Billercompletes the remaining steps to generate the revised tax bills.

    In contrast to the real property tax billing process, the personal property tax billing processdiffers as the flow of information is more direct. Personal property information is entered intoTAS by the SDAT. From TAS, the personal property information does not flow through E-PILOT, and therefore, transfers directly into MUNIS. An additional difference between the realand personal property tax billing process is there are no changes or calculations made in TAS tothe personal property tax information. Further, the personal property tax billing rules are similarto the real property tax subsequent change billing or revised billing because SDAT sends datathroughout the year, not all at once like the annual real property tax billing process.

    The Treasury Division is also responsible for applying tax credits to the property tax bills. Manyof these tax credits (e.g. homestead credit, homeowners property tax credit, and senior credit)are calculated and entered into TAS by SDAT. The remaining tax credits (e.g. enterprise zonetax credit, new jobs tax credit, Brownfields3 property tax credit, and historic preservation taxcredit) are calculated by the Treasury Division utilizing Excel spreadsheets. Once calculated,the tax credits will be either uploaded or manually entered into TAS. For Levy Year 2013, theTreasury Division calculated and applied approximately $10.5 million dollars of property taxcredits.

    In addition to processing the property tax bills and applying the property tax credits, theTreasury Division will issue property tax refunds for reasons such as overpayments or a changein underlying tax liability, in which the original tax amount was already paid. Within a threemonth period, June through August 2014, over 1,500 property tax refunds equalingapproximately $6.7 million dollars were processed and issued. In each instance, the TreasuryDivision researches the proposed property tax refund to ensure its validity. Once the validity ofthe requested refund is confirmed, the Treasury Division will process the refund eitherindividually or in a batch. The following tax refunds are processed individually: mass pay4,critical, and time-sensitive refunds. All other refunds are processed in a batch. If a refund isprocessed individually, the refund is prepared, reviewed, and recorded within the Treasury

    3 Brownfields are generally considered to be abandoned or underutilized properties (especially industrialand commercial facilities) where redevelopment or expansion may be complicated by possibleenvironmental contamination (real or perceived).4 Mass pay is when mortgage companies pay the real property tax bills on behalf of their customers.

  • 3MCIA-15-8

    Division. If the refund is processed in a batch, the refund is prepared and reviewed within theTreasury Division and then sent to the Accounts Payable Division of the Finance Department, torecord the batched refunds. Accounts Payable issues all refund checks.

    Additionally, the Treasury Division is responsible for the collection of excise taxes, which is a taxor duty on the privileges of consumption, supply, manufacture, or distribution of variouscommodities and services5. Currently, the Treasury Division administers four types of excisetaxes: fuel-energy taxes, telephone taxes, room rental and transient taxes, and admission taxes.

    The Treasury Division receives and reviews tax account applications and tax reports, collectsand deposits taxes collected, monitors accounts receivable activity, and enforcesnoncompliance, and requests assistance from the County Attorney for further collection ofdelinquent taxes6. Based on the Fiscal Year 2013 CAFR, revenues from consumption/excisetaxes were $292 million dollars7.

    Another key function of the Treasury Division is ensuring the accurate and timely processingand collection of transfer and recordation taxes due from the transfer of real property andrecordation of instruments of writing. A representative from the title company will provide theappropriate documentation to the Treasury Division, either in person or through the web-basedE-Transfer application. The Treasury Division will ensure the accuracy of the transfer andrecordation tax calculations and verify the tax due to the payment received. Once confirmed,the payments will be batched and given to Cashiering for processing.

    The Cashiering function of the Treasury Division will receive and record payments made to theCounty for various services, taxes, and fees. Accepted forms of payment include: cash,personal check, certified check, money order, or credit card for real and personal propertytaxes, tax lien sale, excise tax, transfer taxes, traffic violations (e.g. speed camera, red lightcamera, and school bus camera), business licenses, permits, and other miscellaneous Countyfees and taxes. The Cashiers record the payments in the appropriate systems, which includeMUNIS, Oracle (i.e. the Countys Enterprise Resource Planning system), and eTIMS, the trafficviolation system.

    Scope and MethodologyTo satisfy the stated objectives for this follow-up review, we evaluated each of the deficienciesnoted in the 2009 risk assessment, along with their associated risks. For each deficiency noted,we reviewed the Treasury Divisions current process to determine whether the risks identified inthe 2009 risk assessment had been successfully remediated. In doing so, we conductedinterviews with key Department of Finance personnel from the Treasury Division (Managementand Operations Sections), Controller Division (Accounts Payable and Accounts ReceivableSections), and Fiscal Management Division to discuss the identified risks and to gain anunderstanding of the current processes and controls. Additionally, we observed variousTreasury Division personnel perform their daily functions and reviewed pertinent documentation.In addition to the review of the implementation of previous risk remediation, our follow-up reviewconsisted of identifying and reporting any additional internal control weaknesses or deficienciesthat we observed during our fieldwork. Finally, throughout our review process, we remainedattentive to opportunities to further evaluate the processes and controls within the TreasuryDivision through additional internal audit reviews and assessments.

    5 Division of Treasurys Excise Tax Administration Policy and Procedures6 Division of Treasurys Excise Tax Administration Policy and Procedures7 Fiscal Year 2013 Montgomery County Comprehensive Annual Financial Report

  • 4MCIA-15-8

    We focused our review on the process areas with noted deficiencies from the 2009 riskassessment. Table 1 provides a summary of the previous risk assessment areas and theoriginal observations in each area.

    Table 1 Summary of Prior Risk Assessment

    Risk Assessment Area Original Observation

    1. Policies & Procedures The Division does not have documented Policies and Proceduresfor the majority of Treasury processes.2A. Key Personnel TreasuryDivision Employees are not cross-trained in Division Functions.

    2B. Key Personnel ProgramManager II

    A single employee has responsibility for and access to functionswhich void the segregation of duties.

    3. Treasury Division Accounting

    Management information is gathered through inconsistent queriesrather than standard management reports.

    4. Property Tax Credits There is manual recordation of calculations and an individual canboth prepare and approve transactions.5. Transfer and RecordationTax This area lacks formal documented procedures.

    6. Property Tax RefundsRefunds are subject to high volume and many employees canresearch and process refunds perhaps leading to inconsistentresults.

    7. Billing The review of tax bills from the MUNIS system does not focus onthe highest risk transactions such as exemptions.

    8A. Treasury InformationSystems Access Controls

    Approval access in system is not in line with job responsibilities andpersonnel without authority have access to make changes to datain systems.

    8B. Treasury InformationSystems E-Pilot System

    A PILOT agreement could be entered into the system and a billprocessed based on an incorrect set of business rules.

    8C. Treasury InformationSystems SpreadsheetControls

    Calculations on spreadsheets are subject to input and logic errors.

    9A. Cashiering Reconciliations

    Incomplete reconciliation between the bank and the depositsprocessed by Merkle.

    9B. Cashiering Total Activity There is an incomplete reconciliation of deposits activity.

    9C. Cashiering Parking,Speed, and Red Light Violations

    Improper segregation of duties in recording and reconcilingParking, Speed, and Red Light violation payments.

    10. Collections Merkle There is no evidence that the services provided by Merkle aresupported by a properly approved and executed contract.

    11. Call Center Call Center staff may adjust interest and penalties withoutsupervisory approval.12. Undeliverable CountyIssued Checks

    The number and value of returned checks are not tracked to ensurechecks are properly accounted for until voided, or processed.

    13. Rejected Tax Paymentsfrom Lockbox Processor

    The number and value of rejected checks are not tracked to ensurechecks are properly accounted for until voided, or processed.

    Prior to the commencement of this detailed audit work, the Department of Finance provided uswith the current status and key contact(s) for each deficiency noted on the prior riskassessment. Based on this information, we scheduled our initial interviews. As additionalinformation was obtained about the various process areas through our inquiries, additional

  • 5MCIA-15-8

    interviews were scheduled as needed. The list of the interviews that we conducted is in thetable below.

    Table 2 Conducted Interviews

    ReferenceNumber Interview Topic

    1 Billing

    2 Cashiering Parking, Speed, and Red LightViolations3 Cashiering Reconciliations4 Cashiering Total Cash Activity5 Collections Merkle6 Employee Cross-Training7 Key Personnel Program Manager II8 Policies and Procedures9 Program Manager II Responsibilities

    10 Property Tax Credits11 Property Tax Refunds12 Rejected Checks from the Lockbox Processor13 Rejected E-Transfer Wire Payments14 Transfer and Recordation Tax15 Transfer and Recordation Tax (E-Transfer)16 Treasury Division Accounting

    17 Treasury Information Systems AccessControls18 Treasury Information Systems E-PILOT

    19 Treasury Information Systems SpreadsheetControls20 Undeliverable County Issued Checks

    Remediation Status of the 2009 Risk Assessment DeficienciesAlong with detailed discussions regarding each of the process areas that included previously-recognized deficiencies, we reviewed applicable supporting documentation and observedpersonnel performing related tasks. We have identified each process area below, along withthe testing methodology used for our assessment of the remediation status, for each of thedeficiencies identified in the 2009 risk assessment. The results of these review procedures arepresented in Table 3 below. Additionally, reference Appendix A for a list of specific documentsthat were requested and the corresponding date that each item was received.

    To evaluate the policies and procedures implemented since the previous risk assessment,we requested all policy and procedure documents related to Treasury functions. Wereviewed the policy and procedure documents that we received in an effort to determinewhether the documents are complete, accurate, and up-to-date. As a result of this review,

  • 6MCIA-15-8

    we identified any process areas where the policies and procedures were not formallydocumented, where the documentation was not consistent with the activities that wereperformed, or where the documentation was not reviewed and updated on a consistentbasis.

    We requested evidence to support that Treasury personnel have been adequately cross-trained, that they have received on-the-job training, and that their job responsibilities areproperly documented. In addition to the detailed discussions that we conducted, weselected and received five employee work plans for Fiscal Year 2015. The work plans listthe applicable job responsibilities, upon which each employee is evaluated.

    To assess whether the Program Manager IIs system access is appropriate, we combinedthis review with the Treasury Information Systems User Access review, where weevaluated the employee system access in the key Treasury Information Systems (i.e. TAS,E-PILOT, MUNIS8, and the Lender Services Site) to determine whether appropriate accessis granted to the Treasury employees to ensure that segregation of duties issues do notexist within or between systems.

    To gain an understanding of how Management information is gathered through the use ofreports, we discussed each of the relevant systems used with the Accounting Unit, alongwith the reporting capabilities of each system. Once we understood the current reportingenvironment, we observed the Accounting Unit utilizing available MUNIS reportingcapabilities, as well as customized reports created using Crystal Reports9, which is abusiness intelligence software application.

    We spoke directly with the Treasury employee responsible for property tax credits, and wealso requested the spreadsheets used for property tax credit calculations to determine if theproper spreadsheet controls are in place. We also selected a sample of 10 property taxcredits from Levy Year 2013, calculated by the Treasury Division, to verify that there wasadequate supporting documentation, and sufficient evidence of review.

    To learn about the Transfer and Recordation Tax processes, we reviewed the Transfer andRecordation Tax procedure document and conducted a meeting with several Transfer Taxpersonnel, as well as the Tax Operations Manager, who oversees the Transfer Tax area.Additionally, we observed two Transfer Tax employees performing the batching process forpayments that were received both over the counter, and through the E-Transfer webapplication. We also selected a sample of 15 days between September 1, 2013 and August31, 2014 and performed testing designed to validate that reconciliations were properlyperformed, and that sufficient evidence of review was retained.

    Our process to properly understand the property tax refund process began by conducting ameeting with several Property Tax employees. Additionally, we selected a sample of 20property tax refunds that were processed between June 1, 2014 and August 31, 2014. Ourtesting was designed to ensure that sufficient evidence of review and approval wasobtained.

    8 Due to the limited reporting capabilities in MUNIS, we judgmentally selected six Treasury employees,including the current Program Manager II, to review system access. For the remaining systems reviewed,all user access was assessed.9 Due to the limited reporting capabilities in the MUNIS system, the Treasury Division utilizes CrystalReports to provide supplemental information to the aggregated reports generated out of MUNIS.

  • 7MCIA-15-8

    We met with several Treasury employees and gained a firm understanding of the monthly,quarterly, and annual billing processes, as well as the billing review process. To confirm thereview process, we received evidence to support the implemented sampling technique.

    We conducted a meeting with the E-PILOT Administrator and defined the E-PILOT process.Based on the information that we documented as a result of this meeting, we obtainedsample documents from the Department of Housing and Community Affairs (DHCA) thatprovided us with examples of the documentation used during the process to set up PILOTaccounts within the E-PILOT system.

    Using the spreadsheets that we evaluated and process information that we documented, weassessed the internal controls associated with the spreadsheets used for key Treasuryfunctions.

    We met with the Cashiering Manager to document the Cashiering Reconciliation process.After defining the process, we selected a sample of five days between September 1, 2013and August 31, 2014. For each sample selected, we reviewed the reconciliations betweenthe payments received by the lockbox processor and the lockbox payments deposited at thebank. For the same dates, we also reviewed the payments received through OfficialPayments and the payments deposited at the bank.

    After all of the interviews were conducted and various reconciliations were reviewed, wewere able to gain a firm understanding of Cashiering total activity and evaluate whether therisks identified in the prior risk assessment were remediated.

    We were able to learn and assess the Cashiering Parking10, Speed, and Red LightViolations process through conversations with the employee overseeing the Cashiering Unitand a Cashier, as well as the Cashiering Operation Manual.

    Through various conversations with Treasury and Fiscal Management, we learnedbackground information regarding the third party service providers for lockbox11 services.Prior to June 2014, Montgomery County was utilizing Merkle for its lockbox services. Theagreement with Merkle was established through an evergreen12 contract with First UnionBank, Montgomery Countys prior primary bank, many years ago. Since June 2014,Montgomery County has switched its primary lockbox processor to PNC Bank; however, theCounty continues to utilize Merkle for limited lockbox services. The formal agreements withMontgomery County and the third party service providers of lockbox services wererequested for review.

    As the Treasury Division no longer has a Call Center function, as was referenced in the2009 risk assessment, we met with three Property Tax employees to document the processfor adjusting penalties and interest on tax bills.

    We reviewed the process for undeliverable County issued checks and rejected taxpayments through discussions with Treasury Division personnel.

    10 Parking violation payments are no longer processed by the Treasury Division. Additionally, theTreasury Division now processes payments for school bus camera violations.11 Lockbox banking is a service provided by banks to companies for the receipt of payment fromcustomers. Under the service, the payments made by customers are directed to a special post office box,rather than going to the company. The bank will then go to the box, retrieve the payments, process them,and deposit the funds directly into the company bank account.12 An evergreen contract is a legal agreement that will automatically start again unless one of the peopleor businesses involved officially terminates it.

  • 8MCIA-15-8

    Identification of Control Weaknesses Not Noted in the 2009 Risk AssessmentThroughout the procedures that we performed to evaluate the status of the remediation of eachof the deficiencies identified in the 2009 risk assessment, we also identified and reportedadditional instances of internal control weaknesses that were observed during our fieldwork.These observations are presented in Table 4 herein.

    Observations and RecommendationsDuring our review of the status of the remediation for each of the deficiencies identified in the2009 risk assessment, we found that six deficiencies from the 2009 risk assessment have beenadequately remediated; however, the remaining 12 process areas continue to lack the propercontrols to mitigate the identified risks. Table 3 lists the results of our review. Additionally, weidentified five new risk areas--control weaknesses--which are listed in Table 4. Ourrecommendations to the Director of Finance are contained in the last columns of Tables 3 and4.

  • 9MCIA-15-8

    Table 3 Remediation Status of the 2009 Risk Assessment Deficiencies Results

    RiskAssessment

    AreaOriginal Deficiency

    Noted Current Observation Risk Recommendation

    1. Policies &Procedures

    The Treasury Divisiondoes not have formallydocumented policiesand procedures for themajority of processes inthe Treasury Division.The key elementsassociated with thedevelopment of formalpolicies and proceduresinclude a standardformat fordocumentation of thepolicies andprocedures; approval orauthorization of thepolicies by theappropriate level ofmanagement; andcommunication of thepolicies and proceduresto those individualsresponsible for theirexecution. Theseelements werefrequently not evident.

    1. A number of policy and proceduredocuments were formalized as aresult of the 2009 risk assessment;however, these documents areincomplete and outdated, as theyhave not been updated since 2009,2010, or 2011. These policiesinclude: Adjusting Penalty and Interest

    Charges; Transfer and Recordation Taxes; Property Tax Refunds; Cashiering; and, Excise Tax.

    Additionally, there are instruction andguidance documents available foraccounting activities, E-PILOT, BagTax, billing, and multiple MUNISfunctions; however, these documentshave not been documented in aformat that is consistent with existingpolicy and procedure documents.Additionally, these documents havenot been reviewed or approved.

    Lastly, there is a lack of writtenpolicies and procedures for: Tax credits; Collections; Official Payments reconciliations; Rejected lockbox payments; and, Undeliverable County-issued

    checks.

    Without documentedprocedures,employees may nothave: Awareness of their

    job responsibilities; A reference for

    infrequentlyperformed ortechnicallychallengingprocesses;

    Consistent handlingor processing oftransactions;

    Appropriate on thejob training; and,

    Procedures toprevent loss ofknowledge due toemployee turnover.

    1.1. Establish a formalprocess to assure thatdetailed, comprehensivepolicy and proceduredocuments are developed ina consistent format for allTreasury processes.

    1.2. Establish a process toensure that all policy andprocedure documents areappropriately updated,reviewed, and approved ona consistent basis so that alldocuments remain reflectiveof the current processes andcontrols.

  • 10MCIA-15-8

    RiskAssessment

    AreaOriginal Deficiency

    Noted Current Observation Risk Recommendation

    2. The Treasury Division does nothave a formalized process fordocumenting, reviewing,approving, or updating policiesand procedures on a regularbasis.

    2A. KeyPersonnel TreasuryDivision

    Treasury staff are notcross-trained; there isusually only oneemployee whothoroughly understandscertain subject areas(e.g. tax credit,recordation tax,accounting function,etc.). Only one personmay understand how toprocess or approvecertain transactions.

    Based on information obtainedthrough discussions with TreasuryManagement, we were not able toobtain sufficient evidence todetermine which processesemployees had been cross-trained toperform, and when the cross-trainings were administered.

    Further, we noted that the TreasuryDivision is working on formalizingand documenting the cross-trainingprocess.

    The lack of cross-training can result ininefficiencies,inaccuracies, or anoverall lack ofknowledge duringemployee turnover orextended employeeabsence.

    2A.1. Establish a scheduleof on-going cross-trainingsto ensure that all applicableemployees are cross-trained, and that allapplicable positions havebeen cross-trained.

    Additionally, employees whohave been cross-trainedshould be informed of anychanges to the processes onwhich theyve been cross-trained.

    Further, establish a methodto track and monitor thecompletion of conductedcross-trainings.

    2B. KeyPersonnel ProgramManager II

    1. Vast knowledge ofthe Treasury functionsis concentrated in oneemployee whosecurrent responsibilitiesincluded:a. Detailed reviewer for

    key divisiontransactions such asrefunds and tax

    1. Remediated. Since the 2009 riskassessment, the Program Manager IIhas retired; however, she is currentlyworking under a Knowledge Transfercontract with the Treasury Division.

    The current Program Manager IIsresponsibilities are not as vast as theprevious Program Manager II. Theformer Program Manager II was

    The Program ManagerIIs current accesslacks propersegregation of duties.

    2B.1. Assure that users donot have the ability to enter,modify, and post significanttransactions within both theMUNIS and TAS systems.

    Additionally, develop aprocess to review thesystem accesses for eachTreasury Information System

  • 11MCIA-15-8

    RiskAssessment

    AreaOriginal Deficiency

    Noted Current Observation Risk Recommendation

    credits;b. Reviewer with the

    most technicalknowledge for mostrefund transactions;and

    c. Provider of trainingand oversight for asignificant number ofkey processes suchas refunds, taxcredits, lenderservice site, and thePILOT program.

    d. Program Manager IIperforms systemadministrator duties,such as changinguser passwords, inseveral informationsystems (LenderService Site).

    2. Program Manager IIcan approve paymentsin FAMIS13 related totransactions possiblyself-entered andapproved in otherinformation systems.

    responsible for overseeing bothBilling and Collections. The Billingprocess is currently managed by theformer Program Manager II.The current Program Manager IIoversees Collections and isresponsible for reviewing refunds,along with two other Property Taxemployees, as well as addressingany miscellaneous billing questions.The current Program Manager II isnot the system administrator for anyTreasury Information Systems.

    2. The current Program Manager IIdoes not have approver access inOracle (i.e. FAMISs replacement);however, the current ProgramManager II is able to enter, modify,and post significant transactionswithin both the MUNIS and TASsystems accesses that should notreside within a single users profile.The Program Manager IIs access toenter, modify and post transactionsrepresents a risk that assets could bemisappropriated.

    on a recurring basis toassure appropriateness andproper segregation of duties.

    13 FAMIS was the Treasury Divisions General Ledger System at the time of the 2009 risk assessment. FAMIS has since been replaced by Oracle.

  • 12MCIA-15-8

    RiskAssessment

    AreaOriginal Deficiency

    Noted Current Observation Risk Recommendation

    3. TreasuryDivision Accounting

    Most managerial,financial reporting andstatus reports areproduced by generatingqueries using CrystalReports.

    The identified risk for this processarea has been remediated.

    The Accounting Unit utilizes standardreports out of MUNIS and customCrystal Reports for gatheringmanagerial information. As thereports produced out of MUNIS areat an aggregated level, CrystalReports is used to generatesupplemental reports by pullinginformation from a MUNIS datasource. The Accounting Unit willrequest a report that provides theappropriate level of detail. TheFinancial Program Manager willcreate a custom report in CrystalReports and work with theAccounting Unit to validate theaccuracy and completeness of thereport prior to its use in order toensure that the data is populatedcorrectly. Once confirmed, theAccounting Unit will utilize thefinalized report for its ongoing needs.

    Risk has beenremediated.

    N/A

    4. Property TaxCredits

    1. Due to limitations inMUNIS, the following isoccurring:a. Tax credits are

    calculated in anExcel spreadsheetor manually onpaper with nocontrols.

    1. Property tax credits are currentlycalculated in Excel spreadsheets thatcan be processed from start (i.e.receiving the application/certification)to finish (i.e. applied to a tax bill) byone individual, without requiredreview or approval.

    The lack of properreview and/orindependent approvalmay result in incorrector unjustified taxcredits applied to taxbills, which couldadversely impact theamount of funds owedto the County.

    4.1. Adjust the currentprocess to include dollaramount and/or complexitythresholds for the tax creditscalculations to be reviewedand approved by a secondreviewer or supervisor priorto being applied to customertax bills. Property tax creditsabove a certain thresholdshould be approved bysenior management.

  • 13MCIA-15-8

    RiskAssessment

    AreaOriginal Deficiency

    Noted Current Observation Risk Recommendation

    b. Tax credits arerecorded manuallyin MUNIS withsome tax creditrecapture scenariosnot being recordedin MUNIS at all.

    2. During our review ofTreasury Divisionaccess to FAMIS, wenoted that the TaxCredit Accountant isresponsible forcalculating andprocessing the journalentries related to taxcredits has approverrights in the GeneralLedger.

    3. The process to obtainthe required approval oftax credits is delayeddue to the volume oftransactions (tax creditsand others) that thesingle approver mustreview and approvemanually.

    2. The Property Tax Accountant nolonger enters journal entries withinOracle; however, we noted theaccountant continues to have accesswithin Oracle to post journal entriesto the General Ledger. Refer toObservation 8A for the TreasuryInformation Systems AccessControls observation andrecommendation.

    3. Two of the 15 tax credits (i.e. newjobs tax credit and brownfields taxcredit) calculated by the TreasuryDivision are reviewed; however, theyare only reviewed the first year of thetax credit. The preparer may sendadditional tax credits calculations tobe reviewed; however, it is up to thepreparer's discretion, rather than arequired step.

  • 14MCIA-15-8

    RiskAssessment

    AreaOriginal Deficiency

    Noted Current Observation Risk Recommendation

    5. Transfer andRecordation Tax

    1. The area lacksformally documentedpolicies and procedures(the personnel in thearea have createdinformal manuals frommemorandums andsample documentation).

    2. The staff oftenprocess complextransactions with littleoversight and informalreview. The transactiondocumentation isreviewed by only onestaff person and thetransfer and recordationtaxes are calculatedand approved manuallyby that one staff person.The Supervisor is spotchecking during thefiling process after thetransaction has beencompleted.

    3. The staff responsiblefor processing transferand recordation taxesmay calculate the taxesowed manually. Thestaff only uses the E-Transfer system for thesimplest of transactionssince it takes more timeto complete taxes owed

    1. The documented policies andprocedures for transfer andrecordation taxes are inadequate asthere are several inconsistencies andinstances of incompleteness betweenthe documented procedures and thecurrent process.

    2. The staff continue to processcomplex transactions with minimaloversight and review. Additionally,there is not a formalized process thatdefines when complex transactionsare to be reviewed.

    3. For payments received over thecounter, the employees verifying thetransfer and recordation taxes enterthe applicable information into anExcel spreadsheet, which willautomatically calculate theappropriate tax amounts due.However, for payments received overE-Transfer, the transfer andrecordation taxes, in particular the50K exemption and CapitalImprovements Program relatedtaxes, are calculated manually.

    4. Remediated. The batchingprocess includes reconciling theamount of taxes due on the Intakesheet to the payment received bothover the counter and through E-Transfer.

    1. Withoutdocumentedprocedures,employees may nothave: Awareness of their

    job responsibilities; A reference for

    infrequentlyperformed ortechnicallychallengingprocesses;

    Consistent handlingor processing oftransactions;

    Appropriate on thejob training; and,

    Procedures toprevent loss ofknowledge due toemployee turnover.

    2. Manually calculatingtransfer andrecordation taxesincreases the risk oferror.

    5.1. Review and update theTransfer and RecordationTax policy documentation toensure that the contents areup-to-date, complete, andconsistent with the currentprocess. Additionally, theTransfer and RecordationTax policy should include: A formalized process for

    the review of complextransactions,

    The process to checkfor rejected E-Transferpayments; and,

    The process to collectrejected E-Transferpayments.

    5.2. Enforce the use of theTransfer RecordationWorksheet to process alltransfer and recordation taxpayments received toreduce the risk of errorsresulting from manualcalculations.

  • 15MCIA-15-8

    RiskAssessment

    AreaOriginal Deficiency

    Noted Current Observation Risk Recommendation

    calculations using theE-Transfer system thento manually processthem.

    4. There is no evidenceof a formal process forreconciling activity andpayments received inperson or through theonline E-Transfersystem.

    5. There is noconsistent documentedreconciliations of dailyactivity funds(settlement sheets)received via the E-Transfer system or overthe counter to deposit tothe bank. There is notracking of over thecounter activity.

    6. Transfers areaccepted andprocessed in the E-Transfer system prior tothe wire transfer of thefunds from the taxpayer.There are noprocedures at theTransfer Office to re-collect funds based onwire transfers or ACHswith insufficient funds.

    5. Remediated. The batchingprocess for E-Transfer also includesreconciling the payments receivedagainst the payments deposited inthe bank. The Transfer area doesnot reconcile the payments receivedagainst the payments deposited inthe bank; however, a BankingAnalyst at Montgomery County willreconcile the bank deposit amountsagainst the payments posted byCashiering.

    6. Although it is rare to see rejectedACH payments through E-Transfer,as the payments are made bymortgage companies on behalf of thetaxpayers, a payment could berejected (e.g. changed bankinginformation was not updated in thesystem or a new user did not enterhis/her banking information into thesystem). Therefore, a Transfer Taxemployee will log into E-Transferdaily to check if any payments havebeen rejected. However, the processto check for rejected payments andthe process of reclaiming funds fromrejected ACH payments is notdocumented.

  • 16MCIA-15-8

    RiskAssessment

    AreaOriginal Deficiency

    Noted Current Observation Risk Recommendation

    6. Property TaxRefunds

    The refund processentails a large volumeof accounts and hastwelve TreasuryDivision staff that canprepare refunds butonly one staff that canreview and manuallyapprove the technicaltransaction. There areeight staff with theauthority in FAMIS toapprove the financialtransaction. Thisimbalance results in thefollowing:a. Untimely

    processingtransactionapproval withoutdetail review; and,

    b. Inconsistent level ofreview bytransactionreviewers.

    Eight property tax employees areable to prepare property tax refunds,three of which are also designatedreviewers. Additionally, the currentprocess requires that any refundgreater than $10,000 be reviewedand approved by the TreasuryDivision Chief. This is a lowerthreshold than the Countys policy,which requires review and approvalfor refunds greater than $25,000.

    Twenty property tax refunds werereviewed and we confirmed that eachsamples' preparer and reviewer wereindependent, as well as any refundsover $10,000 were reviewed andapproved by the Treasury DivisionChief. However, a control gap wasfound in the refund batching process,as a refund could be prepared andreviewed by the same employee andcontinue through the processundetected because the preparer isthe employee preparing the batch ofrefunds and not the employeeresearching and preparingthe refund.

    A refund could beprocessed withoutreview, resulting in thepotential theft ofCounty funds.

    6.1. Adjust the currentrefund batching process torequire the preparer of therefund (i.e. the employeeresearching the validity ofthe refund as well asgathering the supportingdocumentation) to sign anddate the refund as evidenceto ensure that the preparerand reviewer areindependent.

  • 17MCIA-15-8

    RiskAssessment

    AreaOriginal Deficiency

    Noted Current Observation Risk Recommendation

    7. Billing 1. The review of theannual and quarterlybilling performed by theTreasury AccountingUnit does not includerisk based sampling ofbills under review.

    2. The monthly revisedbills which are changeddue to changes ofassessments ofpreviously existingproperty are notindependently reviewedprior to or after mailing.

    The identified risk for this processarea has been remediated.

    The Accounting Unit's reviewprocess for quarterly and annualbillings is adequate, as randomlyselected samples from each type ofbill (i.e. tax class, exemption code,special credit code, etc.) will bereviewed and recalculated to ensurethat the amounts were processedcorrectly through the MUNIS system.

    During the monthly revised billprocess, the Biller will review theSubsequent Change report, whichdisplays the old and new values inMUNIS, allowing the Biller toinvestigate any anomalies.

    Risk has beenremediated.

    N/A

    8A. TreasuryInformationSystems Access Controls

    1. Some personnelhave access to approvetransactions in onesystem that resultedfrom transactions theyinitiated in anothersystem.a. FAMIS access is

    not in line with thejob responsibilitiesof personnel in theDivision (e.g.supervisors withaccess to multiplesystems thatcreates potentialsegregation issues,non-supervisory

    1. Through our review of user accessto the Treasury Information Systems,we noted instances of inappropriateuser access. Details were provided toTreasury Management.

    2. Remediated. Since the 2009 riskassessment, IMS has been replacedby TAS. During the implementationof TAS in June 2014, FIN-IT obtaineda list of individuals who need accessto the system from each department.No subsequent review of user accesshas been completed followingimplementation.

    Inappropriate useraccesses could resultin a lack ofsegregation of dutieswithin or betweensystems.

    8A.1. Develop andimplement a process toreview all user accesses toTreasury InformationSystems regularly forappropriateness and toensure that the propersegregation of duties ismaintained.

  • 18MCIA-15-8

    RiskAssessment

    AreaOriginal Deficiency

    Noted Current Observation Risk Recommendation

    personnel withapprover access).

    b. The ProgramManager II is seenas the key contactfor operationalunderstanding ofsignificant datasystems (e.g.MUNIS, IMS, E-PILOT, and LenderServices Site) andhas the ability to dothe following:i. Grant and defineTreasury DivisionStaff access in allTreasury systems;ii. Approvepayments in FAMISfor transactionssuch as tax credits,assessments,changes, andrefunds.

    2. The staff frommultipledepartments/agencies(e.g. WSSC, StateAssessment Office,DEP, etc.) have directaccess to IMS data withno periodic review ofaccess granted toensure it is properlyaligned with staff dutiesand responsibilities

  • 19MCIA-15-8

    RiskAssessment

    AreaOriginal Deficiency

    Noted Current Observation Risk Recommendation

    related to Countyassessments and taxes.

    8B. TreasuryInformationSystems E-Pilot System

    Currently, TreasuryDivision staff arerequired to interpret thedetails of each PILOTagreement to determinewhich of the nine pre-defined business rulesprogrammed into the E-PILOT system shouldbe applied to calculatethe assessmentreduction. This can bea complicated processas these agreementsare complex legaldocuments.

    The identified risk for this processarea has been remediated.

    The E-PILOT process does notrequire an employee to interpret thebusiness rules defined in E-PILOT.The employee entering the PILOTagreement into the E-PILOT systemwill utilize the documentation (i.e.PILOT agreement and attacheddocumentation) provided by theDepartment of Housing andCommunity Affairs (DHCA) to set upthe PILOT in the system by selectingthe appropriate pre-defined businessrules in E-PILOT. If there are anyquestions, the employee will contactDHCA for clarification.

    Risk has beenremediated.

    N/A

    8C. TreasuryInformationSystems SpreadsheetControls

    Significant calculationsand processes such astax credits and monthend journal entries arecalculated and trackedon individualspreadsheets without

    The identified risk for this processarea has been remediated.

    The spreadsheets used to calculatesignificant transactions (i.e. propertytax credit calculations, transfer andrecordation tax credit calculations,

    Risk has beenremediated.

    N/A

  • 20MCIA-15-8

    RiskAssessment

    AreaOriginal Deficiency

    Noted Current Observation Risk Recommendation

    controls to ensure theoverall integrity of thespreadsheet ismaintained to preventerrors in calculationsperformed or datacaptured.

    and accounting related) haveadequate controls in place.

    9A. Cashiering Reconciliations

    1. There is no evidenceof a daily reconciliationbeing performed on theactivity between Merkleand the bank, and theTreasury Division.a. The amount of the

    tax paymentscollected andprocessed byMerkle that shouldhave beendeposited into thebank;

    b. The total of the taxcollectionsprocessed ascaptured in theMerkle data file sentto Treasury forentry into MUNIS;

    c. The total of taxcollections recordedin MUNIS from theMerkle data fileuploaded byTreasury.

    d. The amount of taxcollections sent tothe bank by Merkle

    1. Remediated. The reconciliationprocess between the lockboxprocessor and the bank is adequateas the amount of paymentsprocessed by Merkle is agreed to thelockbox payments deposited at thebank, which is part of the dailycashiering reconciliation process.

    2. Remediated. The reconciliationprocess between Official Paymentsand the bank is adequate as theamount of payments received byOfficial Payments is agreed to theamount of payments deposited bythe bank, which is performed by aProperty Tax employee. Bothreconciliations are reviewed duringthe daily cashiering reconciliationprocess by an independentemployee.

    3. We were able to confirm that thereconciliations were occurring;however, the procedures associatedwith the reconciliation activitybetween Merkle and the bank, andbetween Official Payments and thebank, have not been formallydocumented.

    Without documentedprocedures,employees may nothave: Awareness of their

    job responsibilities; A reference for

    infrequentlyperformed ortechnicallychallengingprocesses;

    Consistent handlingor processing oftransactions;

    Appropriate on thejob training; and,

    Procedures toprevent loss ofknowledge due toemployee turnover.

    9A.1. Update the CashieringOperation Manual to includethe procedures to performthe reconciliation betweenMerkle and the bank.

    9A.2. Formally document theprocess to perform thereconciliation betweenOfficial Payments and thebank.

  • 21MCIA-15-8

    RiskAssessment

    AreaOriginal Deficiency

    Noted Current Observation Risk Recommendation

    for depositing.e. The verification of

    the amount ofchecks received bythe Cashiering Unitthat were rejectedby Merkle forprocessing.

    2. There is no evidenceof a daily reconciliationof the followinginformation between thewebsite (Credit cardand ACH) and the bank:a. The amount of

    paymentsprocessed byOfficial Paymentsthat should havebeen deposited intothe bank account.

    b. Comparison of thattotal to the amountof collectionsprocessing inMUNIS after thedata file isuploaded.

    c. The amount fromthe correspondingdeposit received bythe bank.

  • 22MCIA-15-8

    RiskAssessment

    AreaOriginal Deficiency

    Noted Current Observation Risk Recommendation

    9B. Cashiering Total Activity

    1. Currently, theCashiering Unit onlyverified the total cashcollected for the depositand does not review thechecks bundled fordeposit prepared byother departments.

    2. The Cashiering Unitdoes not ensure that thetotal funds collected andsent to the bank fordepositing are recordedby the bank. The bankreconciliation, which isnot completed for aminimum of 45 days, isa delayed detectivecontrol.

    The identified risk for this processarea has been remediated.

    Each department is responsible forreconciling its payments received(except lockbox payments and theproperty tax ACH payments, whichare completed by Cashiering) againsta bank deposit slip or PNC report ofamounts deposited. As part of thedaily Cashiering reconciliation, theCashiering Unit ensures that thetransmittal sheets completed by eachdepartment agree to the bank depositslip or PNC report prior to posting thepayments into Oracle. Also, the bankreconciliations are performed on adaily basis by the BankReconciliation Unit, outside of theTreasury Division.

    Risk has beenremediated.

    N/A

    9C. Cashiering Parking,Speed, and RedLight Violations

    Note: Parkingviolations are nolongerprocessed bythe TreasuryDivision.Additionally, theTreasuryDivision nowprocessesschool buscamera

    The Cashiering Unitrecords the receipts ofpayments to therespective violationsystems as well as theMUNIS cashieringsystem. In addition, theHead Cashier isresponsible forreconciling the reportingof receipts from thethree violation systemsto the cashieringsystem.

    1. Remediated. The traffic violationpayment process as describedappears to be adequate as theCashiers process the payments intoeTIMS, a traffic violation system, andOracle. The payments are includedin the daily cashier closing process,which is reviewed and approved aspart of the daily Cashieringreconciliation process.

    2. The documented procedures forprocessing traffic violation paymentsare incomplete and outdated.

    Without documentedprocedures,employees may nothave: Awareness of their

    job responsibilities; A reference for

    infrequentlyperformed ortechnicallychallengingprocesses;

    Consistent handlingor processing oftransactions;

    Appropriate on thejob training; and,

    9C.1. Update the CashieringOperation Manual to ensurethat the procedures forprocessing violationpayments are complete andaccurate.

  • 23MCIA-15-8

    RiskAssessment

    AreaOriginal Deficiency

    Noted Current Observation Risk Recommendation

    violations. Procedures toprevent loss ofknowledge due toemployee turnover.

    10. Collections Merkle

    There is no evidencethat the servicesprovided by Merkle aresupported by a properlyapproved and executedcontract.

    The identified risk for this processarea has been remediated.

    Currently, the Treasury Divisionutilizes two third party serviceproviders (i.e. PNC Bank and Merkle)to process lockbox payments. InJune 2014, Treasury has transitionedits third party lockbox serviceprovider to PNC Bank from Merkle;however, customers continue to sendits payments to Merkle's lockbox. Asa result, Treasury continues to useMerkle to process these lockboxpayments. Additionally, Treasurydecided to continue utilizing Merklelockbox services to assist inprocessing checks received thatcannot be processed through PNCBanks automated process, andrequire manual investigation andresolution in order to be appropriatelyapplied to customer accounts. Aformalized contract has beenestablished between MontgomeryCounty and PNC Bank for lockboxservices. As PNC Bank pays Merkledirectly on Montgomery Countysbehalf for lockbox services, noformalized contract between Merkleand the County was or could beestablished.

    Risk has beenremediated.

    N/A

  • 24MCIA-15-8

    RiskAssessment

    AreaOriginal Deficiency

    Noted Current Observation Risk Recommendation

    11. Call Center

    Note: TheTreasuryDivision nolonger has itsown Call Center.A centralizedCounty-wideCall Center hasbeen openedsince the 2009riskassessment.

    The Call Centerpersonnel have theability to adjust interestand penalties on taxbills with no approvalnecessary.

    1. Our assessment of Treasuryemployees' ability to adjust interestand penalties in MUNIS resulted ininconsistent understandings by thethree Property Tax employees withwhom we met.

    The first employee with whom wespoke noted that the interest andpenalty charges can only becorrected, not waived, withoutrequired approval.

    The second employee with whom wespoke noted that the interest andpenalty charges can be written off orcorrected without required approval,but only if under $10 or $50,respectively.

    The third employee with whom wespoke noted that the standardprocess does not allow for interestand penalties to be waived, althoughthere are exceptions which arebrought to the attention of aManager.

    2. Policies and procedures havebeen implemented for adjustingpenalties and interest charges;however, the procedures documentsdo not provide steps on how to adjustpenalties or interest. Additionally, thecurrent processes do not follow theguidelines established in theseabove-referenced policies.

    Adjustments topenalties and interestare processedinconsistently amongstthe Treasuryemployees and couldexclude the properapproval as defined inthe AdjustingPenalties and InterestCharges policy.

    11.1. Review and update theAdjusting Penalty andInterest Charges policy toreflect the correct andcomplete process to adjustpenalties and interestcharges within MUNIS.

    11.2. Take action to ensureemployees responsible foradjusting penalties andinterest charges in MUNIS toknow Treasurys policies andprocedures for handlingthese transactions. Thismay include the need formore or better training.

  • 25MCIA-15-8

    RiskAssessment

    AreaOriginal Deficiency

    Noted Current Observation Risk Recommendation

    12.UndeliverableCounty IssuedChecks

    Undeliverable CountyIssued Checks returnedto Treasury are notlogged or tracked todetermine if all checksreturned are properlyforwarded to AccountsPayable Section forprocessing.

    The process of receivingundeliverable County issued checksis inadequate as there is nosegregation of duties between theresponsibilities for recording and thecustody of undeliverable Countyissued checks.

    The Treasury Division receives theundeliverable County issued checks;however, the checks received are notrecorded. The checks are sent toAccounts Payable, where oneemployee is responsible for bothrecording and custody of the checks.

    The undeliverableCounty issued checksare not properlysafeguarded from riskof theft.

    12.1. As long as theTreasury Division receivesundeliverable County issuedchecks, record the returnedundeliverable County issuedchecks and reconcile its logwith Accounts Payable toensure that all checks arereceived and recorded timelyby Accounts Payable.

    13. RejectedTax Paymentsfrom LockboxProcessor

    Rejected checks fromthe lockbox processorforwarded to Treasuryare not counted, trackedor summed to ensure allthe checks received areproperly handled.

    The procedure for processingrejected checks from the lockboxprocessors needs to be improved asthe rejected checks received by theTreasury Division are not recorded ortracked to ensure that all checkswere received and properly handled.

    The rejected lockboxchecks are notproperly safeguardedfrom risk of theft.

    13.1. Update the process toinclude the recording ofrejected lockbox checks on alog.

    13.2. Ensure that theindividuals responsible forrecording the checks areindependent from theindividuals responsible forprocessing the payment.

    13.3. Establish a processwhereby the TreasuryDivision employeeresponsible for thedisposition of the returnedlockbox check updates thelog to reflect the actiontaken.

  • 26MCIA-15-8

    In addition to our evaluation of the status of the remediation of each of the deficiencies identifiedin the 2009 risk assessment, we also identified the following new areas needing improvement.

    Table 4 Identification of Control Weaknesses not noted in the 2009 Risk AssessmentResults

    ProcessArea Type Observation Risk Recommendation

    14. KeyPersonnel ProgramManager II

    InternalControlWeakness

    The 2009 risk assessment statedthat the "vast knowledge of theTreasury functions is concentratedin one employee" Additionally,the 2009 risk assessment'srecommendation for this identifiedrisk stated, "documentation of jobresponsibilities, operational andsystems knowledge is needed toensure a successful transition fromthe Program Manager II to otherswithin the Division".

    Since the 2009 risk assessment,the Program Manager II has retiredand the managers operational andsystems knowledge related to billinghas not been formally documented.To compensate, the TreasuryDivision entered into a KnowledgeTransfer Contract with the formermanager, who has provided trainingto the current FIN IT lead and thecurrent Collections employee (i.e.current Program Manager II) ,assisted with the TASimplementation, and remainsinvolved with the revised billingprocess, which has not beenformally documented.

    The TreasuryDivisioncontinues to bedependent onthe formerProgramManager II.Withoutadequateknowledgetransfer andprocessdocumentation,this creates arisk thatoperational andsystemknowledgecould be lost asthe KnowledgeTransferContractexpires.

    14.1. To reducethe dependenceon the formerProgram ManagerII, TreasuryDivisionManagementshould ensure thatthe formerProgram ManagerII transfer allremainingoperational andsystem knowledgethat has not yetbeen transferred.This should beaccomplishedthrough additionaltraining of currentemployees, andformaldocumentation ofremaining processand systemknowledge.

    15. KeyPersonnel TreasuryDivision(Training)

    InternalControlWeakness

    Per a conversation with TreasuryDivision Management, on-the-jobtraining is provided to Treasuryemployees. The trainings andupdates that are provided toemployees are not formallydocumented, and employeecompletion of administered trainingsis not tracked.

    Failure todocument andtrack trainingand updatesprovided toemployees mayresult inemployees notreceiving all theappropriatetraining on atimely basis.

    15.1. The TreasuryDivision shouldtrack completedemployee trainingsto ensure that allrequired trainingsand updates areprovided to allemployees andcompleted timely.

    16. TransferandRecordation

    InternalControlWeakness

    A control gap was found in thetransfer and recordation taxbatching process. A Transfer Tax

    The lack ofsegregation ofduties could

    16.1. The TreasuryDivision shouldmodify the current

  • 27MCIA-15-8

    ProcessArea Type Observation Risk Recommendation

    Tax employee responsible for recordingchecks in the batching processcould have also potentially receiveda check included in the payments tobe batched.This would result in a lack ofsegregation of duties.

    result in thetheft of Countyfunds.

    process to ensurethat the employeeresponsible for thebatching processcould not receive acheck that couldpotentially end upin the paymentshe/she would thenbatch.

    17. KeyPersonnel TreasuryDivision(Staffing)

    InternalControlWeakness

    Based on the below circumstances,we note that the current staffinglevels of the Treasury Division maynot be appropriate:1. A former Treasury Divisionemployee, working in anotherFinance Division department,temporarily performed several keyTreasury functions, including theadministration of the E-PILOTprocess and the annual billingprocess;2. The Treasury Division has aKnowledge Transfer Contract withthe former Program Manager II,who is involved with processing themonthly revised bills;3. There are currently two vacantpositions within the TreasuryDivision;4. Additional Treasury Divisionpersonnel communicated that theyare planning to retire in the nearfuture; and,5. Treasury Division Managementcommunicated their intent to createand fill two additional positions.

    Inadequatestaffing levelscould result inincreasedworkloads forcurrentemployees,which couldresult ininefficientprocesses,controlbreakdowns,and anincreased riskfor theft ofassets asremainingemployees takeon additionaltasks.

    17.1. The TreasuryDivision shouldassess its currentstaffingenvironment andtake the necessarysteps to ensurethat all keyprocesses areadequately staffedto allow for propersegregation ofduties, as well as abeneficialdistribution ofoperational andsystem knowledgewithin the division.This includesproperly staffing allcurrent andprojected openpositions within theTreasury Division.

    18.Cashiering InternalControlWeakness

    We noted a lack of propersegregation of duties within theCashiering Unit, as a supervisorwithin the Cashiering Unit whorecords the cash and checkpayments also has access to thesafe, where cash and checks areretained prior to deposit.

    The lack ofpropersegregation ofduties couldresult in thetheft of Countyfunds.

    18.1. The TreasuryDivision shouldadjust the currentprocess to ensurethe personnelresponsible foraccepting andrecordingpayments areindependent fromthe personnel withaccess to the safe,where cash andchecks areretained prior todeposit.

  • 28MCIA-15-8

    Comments and MCIA Evaluation

    We provided the Department of Finance with a draft of this report for formal review andcomment on January 28, 2015 and Finance responded on February 12, 2015. The Departmentof Finance stated that it concurred with the reports recommendations and has sinceimplemented or is in the process of implementing corrective actions (See Appendix B forFinances response).

  • 29MCIA-15-8

    Appendix A Documentation Requested

    Document Requested DateRequested Date Received

    Current Organizational Chart 8/13/2014 8/20/2014Formalized Policies and Procedures 8/13/2014 8/20/2014Treasury Information Systems Listing 8/13/2014 8/22/2014Draft Bag Tax P&P 8/26/2014 8/28/2014Sample of the Monthly SOS Report 8/26/2014 8/28/2014Transfer & Recordation Tax Spreadsheets 8/26/2014 8/28/2014Examples of Cashiering Daily Reconciliations 8/26/2014 9/4/2014First Union Contract14 8/27/2014 N/APNC Bank Contract 8/27/2014 8/29/2014Tax Credit Spreadsheets 8/27/2014 8/29/2014TAS Access Listing 8/28/2014 9/5/2014MUNIS Access Listing 8/28/2014 9/5/2014Oracle Access Listing 8/28/2014 9/5/2014Copy of the daily Transfer reconciliation/worksheet 8/28/2014 9/3/2014Recapture Homeowners Template Spreadsheet 8/28/2014 9/5/2014Interest calculations Spreadsheet 8/28/2014 9/5/2014Accounting Spreadsheets with Instructions 9/3/2014 9/5/2014Accounting Checklists 9/3/2014 9/5/2014Billing Review Program 9/3/2014 9/5/2014Example of MUNIS A/R report and Crystal Report 9/3/2014 9/5/2014Example of DHCA Memo & Table for PILOT 9/4/2014 9/5/2014MUNIS Import Checklist 9/4/2014 9/9/2014Document of MUNIS Import Screenshots 9/4/2014 9/9/2014Listing of adjusted penalties and interest from 9/1/13-8/31/1415 9/9/2014 N/A

    Screenshots of employee access to folders 9/9/2014 9/10/2014Listing of refunds from 6/1/14-8/31/14 9/9/2014 9/10/2014Samples of daily cashiering reconciliations 9/9/2014 10/9/2014Job responsibilities 9/9/2014 9/10/2014Cross training documentation 9/9/2014 9/10/2014Sample refunds supporting documentation and approvals 9/11/2014 10/7/2014Screenshots of MUNIS user access for selected employees 9/16/2014 10/1/2014Information on Oracle Roles 9/16/2014 10/6/2014Transfer & Recordation sampled batches 9/16/2014 9/17/2014Tax Recordation Worksheet 9/16/2014 9/16/2014Official Payments Reconciliations 10/13/2014 10/20/2014TAS Access Definitions 10/21/2014 10/23/2014MUNIS Roles Explanation 10/21/2014 10/23/2014MUNIS Private Roles Explanation 10/23/2014 10/28/2014

    14 The original agreement for Merkle lockbox services was included in an evergreen contract with FirstUnion Bank, a bank previously utilized by Montgomery County. The contract with First Union Bank couldnot be located.15 The Treasury Division could not generate a report out of MUNIS to produce a population of accountswhere penalties and interest charges were adjusted within the selected time period.

  • 30MCIA-15-8

    Appendix B Department of Finance Formal Comments

  • 31MCIA-15-8

  • 32MCIA-15-8

  • 33MCIA-15-8

  • 34MCIA-15-8

  • 35MCIA-15-8

  • 36MCIA-15-8

  • 37MCIA-15-8

  • 38MCIA-15-8