The URL can be used to link to this page

Home My WebLink Aboutpresentation - 2CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida Year ended September 30, 2003 SUBMITTED INTO THE PUBLIC RECORD FOR lTEMDLON 5-6-00t. Executive Summary KPMG LLP (KPMG) hereby submits this management letter to the City of Miami, Florida (the City), for the fiscal year ending September 30, 2003. The management letter is presented in accordance with the Rules of the Auditor General of the State of Florida. In accordance with Government Auditing Standards, we are required to consider the City's internal control during our planning and performing of our audit of the basic financial statements in order to determine our auditing procedures for the purpose of expressing our opinion on the basic financial statements and not to provide assurance on the internal control. In fulfilling this responsibility, estimates and judgments made by management are required to assess the expected benefits and related costs of internal control policies and procedures. The objectives on internal control are to provide management with reasonable, but not absolute, assurance that assets are safeguarded against loss from unauthorized use or disposition, and that transactions are executed in accordance with management's authorization and recorded properly to permit the preparation of its basic financial statements in accordance with accounting principles generally accepted in the United States of America. The management letter is organized in the following manner: • Executive summary; • Current year's observations, recommendations, and management's responses; and • Status of prior years' observations, recommendations, and management's responses. Only comments issued in the prior years that are still relevant are included in this management letter. We would be pleased to discuss these comments with you and, if desired, to assist you and management in implementing corrective action steps. KPMG appreciates the cooperation we received from the City's staff and management and is honored to serve the City as its external auditors. -- IMAfilt,41 KPMG LLP Suite 2800 One Biscayne Tower Two South Biscayne Boulevard Miami, FL 33131 Management Letter in Accordance with the Rules of the Auditor General of the State of Florida To the Honorable Mayor, Members of the City of Miami Commission and City Manager City of Miami, Florida: Telephone 305 358 2300 Fax 305 913 2692 We have audited the basic financial statements of the City of Miami, Florida (the City), as of and for the fiscal year ended September 30, 2003, and have issued our report thereon dated February 27, 2004, which referred to our use of the reports of other auditors. We conducted our audit in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and OMB Circular A-133, Audits of States, Local Governments, and Non -Profit Organizations. We have issued our Independent Auditors' Report on Compliance and Internal Control Over Financial Reporting, Independent Auditors' Report on Compliance and Internal Control Over Compliance Applicable to each Major Federal Program and State Project, and Schedule of Findings and Questioned Costs. Disclosures in those reports and schedule, which are dated February 27, 2004, should be considered in conjunction with this management letter. Additionally, our audit was conducted in accordance with Chapter 10.550, Rules of the Auditor General. Those rules (Section 10.554(1)(g)1.a.) require that we address in the management letter, if not already addressed in the auditors' reports on compliance and internal controls or schedule of findings and questioned costs, whether or not inaccuracies, shortages, defalcations, fraud, and/or violations of laws, rules, regulations, and contractual provisions reported in the preceding annual financial audit report have been corrected. We noted no inaccuracies, irregularities, shortages, defalcations, and/or violations of laws, rules, regulations, and contractual provisions disclosed in the preceding annual report. The Rules of the Auditor General (Section 10.554(1)(g)l.b.) require that we disclose in the management letter, if not already disclosed in the auditors' reports on compliance and internal controls or schedule of findings and questioned costs, whether or not recommendations made in the preceding annual financial audit report have been followed. The recommendations made in the preceding annual financial audit report have been corrected, except for those reported below under the heading "Status of Prior Years' Observations, Recommendations and Management's Responses." The Rules of the Auditor General (Section 10.554(1)(g)2.), state that a management letter shall include a statement as to whether or not a local governmental entity complied with Section 218.415, Florida Statutes, regarding the investment of public funds. In connection with our audit, we determined that the City of Miami, Florida complied with Section 218.415, Florida Statutes, relating to local governmental investment policies. EMI KPMG LLP, a U.S. limited 'lability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative. The Rules of the Auditor General (Section 10.554(1)(g) 3.) states that a management letter shall include recommendations to improve the local government entity's present financial management, accounting procedures and internal accounting controls. The recommendations made in the current year are listed in the section titled "Current Year's Observations, Recommendations and Management's Responses (see Appendix A)." The Rules of the Auditor General (Section 10.554(1)(g)4.) require disclosure in the management letter of the following matters if not already addressed in the auditors' reports on compliance and internal controls or schedule of findings and questioned costs: (a) violations of laws, rules, regulations, and contractual provisions that have occurred, or are likely to have occurred; (b) improper or illegal expenditures; (c) improper or inadequate accounting procedures (for example, the omission of required disclosures from the financial statements); (d) failures to properly record financial transactions; and (e) other inaccuracies, --- shortages, defalcations, and instances of fraud discovered by, or that come to the attention of, the auditor. No such conditions were noted during the audit. The Rules of the Auditor General (Section 10.554(1)g5.) also require that the name or official title and legal authority for the primary government and each component unit of the reporting entity be disclosed in the management letter, unless disclosed in the notes to the financial statements. Disclosure is made in note 1 to the City's basic financial statements. The Rules of the Auditor General (Section 10.554(1)(g)6.a.), state that a management letter shall include a statement as to whether or not a unit of local government is in a state of financial emergency as a consequence of conditions described in Section 218.503(1), Florida Statutes. In connection with our audit, we determined that the City is not in a state of financial emergency as a consequence of the conditions described in Section 218.503(1), Florida Statutes. As required by the Rules of the Auditor General (Section 10.554(1)(g)6.b.), we determined that the annual financial report for the City for the fiscal year ended September 30, 2003, filed with the Department of Financial Services pursuant to Section 218.32(1)(a), Florida Statutes, is in agreement with the annual financial audit report for the fiscal year ended September 30, 2003. As required by the Rules of the Auditor General (Sections 10.554(g)(6)c. and 10.556), we applied financial condition assessment procedures. It is management's responsibility to monitor the City's financial condition, and our financial condition assessment was based in part on representations made by management and the review of financial information provided by same. This management letter is intended solely for the information and use of the Honorable Mayor, Members of the City of Miami Commission, the City Manager, management of the City, the State of Florida Office of the Auditor General, and federal and state awarding agencies and pass -through entities, and is not intended to be and should not be used by anyone other than these specified parties. Very truly yours, K#-PM-ICLLB February 27, 2004 Appendix A-1 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Current Year's Observations, Recommendations, and Management's Responses Summary No. Current year's observations 2003-1 Capital Assets 2003-2 Payroll Audit Trail Report 2003-3 Fraud Policies and Procedures CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Current Year's Observations, Recommendations, and Management's Responses 2003-1 Capital Assets Criteria Appendix A-2 The City should record capital assets at historical cost and depreciate them over their estimated useful lives unless they are inexhaustible. In order to properly record capital assets and related depreciation expense, the City must retain adequate records of all capital assets and update and record activity throughout the year. Additionally, assets purchased with federal or state grant funds should be specifically identified as being acquired with grant funds to help ensure compliance with the equipment and real property management requirements of the respective grant programs. Condition Found The City does not have an adequate accounting system for the capital assets subsidiary ledger and accounting information systems to help ensure that capital assets balances are accurately recorded, properly labeled and monitored. The conditions noted are as follows: • Balances recorded in the current capital assets subsidiary ledger did not include all balances that were inventoried and reported by the City's third -party consultant in fiscal year 2002. ■ The City's accounting information system for capital assets is not designed to report depreciation expense by functional activities, departments, or categories. • The City's accounting information system does not allow for significant modifications to enable updates, changes, and adjustments to previously recorded capital asset balances. • Capital assets purchased with federal and state funding are not specifically identifiable in the capital assets subsidiary ledger as required by Circular OMB A-133 and the State of Florida Single Audit Act. Perspective The finding is considered systemic in nature. Effect Failure to properly record, update and depreciate capital assets balances could result in misappropriations of assets or improper recording of capital assets balances and related depreciation expense for financial statement reporting and also violates federal and state granting requirements. Recommendation We recommend that the City improve the capital assets subsidiary ledger and accounting information systems to help ensure more accurate and complete recording of capital assets balances for financial reporting purposes. The Appendix A-3 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Current Year's Observations, Recommendations, and Management's Responses City should also consider upgrading its capital assets module to include depreciation calculation capabilities. Additionally, capital assets purchased with federal and state funds should be appropriately labeled to help ensure accurate identification of the assets. Management's Response The City's accounting information system went through a major upgrade, which was finalized subsequent to year-end. In preparation for this upgrade, information technology resources were limited, hence delaying updates and purges to the accounting information system of capital asset information. In addition, the City acknowledges the limitations of the current financial accounting system and a result plans to procure an Enterprise Resource Processing (ERP) system that will allow for a simplified and complete budget module in 2004. The ERP implementation is planned to start in Fiscal 2004 and to be completed in Fiscal 2005. Appendix A-4 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Current Year's Observations, Recommendations, and Management's Responses 2003-02 Payroll Audit Trail Report -- Criteria The City has formal policies and guidelines related to the safeguarding and processing of human resources information including the processing of changes to employee records. Condition Found -- The complete payroll audit trail reports are not reviewed each pay period to help ensure that no unauthorized changes were made to employee records. Perspective This finding is considered systemic in nature. Effect Failure to monitor and review the payroll audit trail reports could result in unauthorized changes made to employees' records without the knowledge of human resource management, resulting in inaccurate reporting of payroll expenses and the City's obligations to its employees. Recommendation We recommend that the City enhance its current policies and procedures to help ensure that all modifications to human resource records are reviewed and approved each pay period to help ensure that all changes to employee records are properly authorized. Management's Response The City has policies and procedures in place to help ensure that all changes to employee records that do not require the review of the payroll audit trail reports are properly authorized. These reports are not user friendly and would require excessive amounts of time to accurately review them each pay period. Due to system and time constraints already imposed on the payroll section to make the payroll deadlines, review of this lengthy report is not feasible. Additionally, all changes to the HR/Payroll system are monitored through the use of payroll action form which goes through a series of manual reviews from Employee Relations before it is received in the payroll section of the Finance Department. All payroll action forms are then reviewed again by the Finance Department before the changes are made in the Moore Payroll system. The City Plans to procure an ERP System that will produce payroll edit change reports in order to identify all payroll changes made thereby providing a mechanism of review for any unauthorized payroll changes. Appendix A-5 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Current Year's Observations, Recommendations, and Management's Responses 2003-03 Fraud Policies and Procedures Criteria In October 2002, the AICPA's Auditing Standards Board issued Statement on Auditing Standards (SAS 99), Consideration of Fraud in a Financial Statement Audit. This standard requires the establishment of effective policies and procedures to deter and detect fraud activities, which is designed to form the basis for an effective control environment to help ensure the integrity of financial statement reporting and the safekeeping of the entity's assets. Condition Found The City currently has no written formal policies and guidelines for employee training specifically related to fraud. Perspective This finding is considered systemic in nature. Effect The lack of clear and specific written policies and procedures related to intentional or unintentional fraud activities may leave the City susceptible to such activities and place the City at risk of misappropriation of assets. Recommendation We recommend that the City implement written fraud policies and procedures into its employee -training manual to communicate more effectively its no -tolerance policy on fraudulent activities. Management's Response The City concurs with this recommendation and will draft a written fraud policy and include it into the employee training manual to communicate more effectively its no -tolerance policy on fraudulent activities. Appendix B-1 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Status of Prior Years' Observations, Recommendations, and Management's Responses Summary Observation Observation addressed or is still no longer No. Prior years' observations relevant relevant 2002 Risk Management — Workers' Compensation — 2002-1 Claims 2002-2 Managing Critical Network Characteristics X X 2001 — 2001-1 Single Audit Compliance 2001-2 Budgeting X _ 2001-3 Time Recording — Overtime X 2001-4 Vendor Master Files X 2001-5 Requisition vs. P.O. Encumbrance X 2001-6 Business Continuity X X 2000 2000-2 Statement on Auditing Standards (SAS) 70 Report X 2000-5 Grant Accounting X 2000-6 Business Continuity Plan X 2000-7 Logical Security — User Termination X 1999 99-3 Financial Reporting X 99-5 Network Management and Security X 1998 98-7 Changes in the Government Reporting Model X 1997 97-4 IT Organization Structure X 97-5 Disaster Recovery and Business Continuity Plan X 97-6 User Access Codes X *See observation 2001-6 Appendix B-2 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Status of Prior Years' Observations, Recommendations, and Management's Responses 2002-1 Risk Management — Workers' Compensation Claims Criteria The City has formal polices and procedures over the processing and payment of workers' compensation claims. These policies and procedures have been developed to control the propriety of payments to claimants. Condition Found The City is not adhering to its policies and procedures for the processing and payment of workers' compensation claims. During our testing of workers' compensation claims in the Risk Management Department, we noted the following in several instances: • Forms were not properly filed (e.g., D-slip and Supervisor Report of Injury) in claimant files; • Proper endorsement or signatures were missing for processing and payment of claims; • Supplemental payments were incorrectly calculated; • Adjuster's stamp of approval or stamp indicating date received were missing on some invoices; • Payments were not made within the allowable 45 day time period; and • A claimant file we requested for review could not be located. Perspective This finding is considered systemic in nature. Effect Failure to properly process and pay workers' compensation claims in accordance with the City's policies and procedures could result in unauthorized and/or illegitimate payment of claims. Recommendation We recommend the City adhere to its policies and procedures for the processing and payment of workers' compensation claims. Prior Year's Management's Response We concur with these findings. During the fiscal year, the Risk Management workers' compensation division has implemented policies and procedures to mitigate these types of issued in the future. For example, a checklist has been implemented to assist the adjusters in ensuring that all forms are completed and placed in the files. In addition, all payments are reviewed and initialed by the workers' compensation claims supervisor and all documents are date stamped when received in the department. Appendix B-3 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Current Years' Observations, Recommendations, and Management's Responses Current Year's Status _ This observation is still applicable in the current year. Current Year's Management's Response In fiscal year 2004 the functions covered by this audit were transferred to Gallagher Bassett, a third party administrator (TPA). The TPA has adequate internal controls in place to ensure that the worker's compensation payments are process according to policy and procedures as established by the City. Appendix B-4 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Status of Prior Years' Observations, Recommendations, and Management's Responses 2002-2 Managing Critical Network Characteristics _ Criteria The City currently has a citywide network in place that links many locations throughout the City. A network of this magnitude should have a mechanism to centrally manage critical network characteristics — such as availability, responsiveness, resilience, and security. Condition Found _ The City currently does not have a mechanism to centrally manage critical network characteristics such as availability, responsiveness, resilience, and security. _ Perspective This finding is considered systemic in nature. — Effect As the City network grows in size and complexity, IT will be unable to detect, diagnose, or troubleshoot network traffic problems that can affect the availability and integrity of City resources. Recommendation We recommend the City purchase a network management tool to configure, administer, and troubleshoot routed wide -area and local segment networks. Prior Year's Management's Response City staff concurs with the recommendation. An appropriate level of funding will be requested during the current budget planning cycle to implement an appropriate network management tool to configure, administer, and troubleshoot wide -area and local network segments during the 2003-2004 Fiscal Year. ITD is currently examining bandwidth utilization on a monthly basis and will use this information to ensure bandwidth is available when and where needed to meet City needs. Appendix B-5 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Status of Prior Years' Observations, Recommendations, and Management's Responses Current Year's Status This observation is still applicable in the current year. The City has approved the budget for the purchase and implementation of a centralized management tool. Current Year's Management's Response City staff concurs with the recommendations. The Information Technology Department received initial funding in last years budgetary process (FY03-04) to begin to address the implementation of the _ appropriate network management tools to address this observation. Current plans call for the evaluation of the appropriate tools to begin in the 4th Quarter of this Fiscal Year. Actual implementation of the selected tool will begin in the 1st Quarter of FY04-05. Additional funding to complete the implementation will be requested during the upcoming budgetary process. Appendix B-6 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Status of Prior Years' Observations, Recommendations, and Management's Responses 2001-2 Budgeting Observation The City currently utilizes two separate budget databases: the SCI financial management system for finalized budget and procurement purposes and the Access database within the Budget Department to create, track, monitor, forecast and finalize the budget. Numerous amounts of line items are entered into the Access database and reviewed during the budget process. The budget department has utilized the finalized budget of the prior year to start creating the basis for the development of the budget of the upcoming fiscal year. After the budget has been finalized and approved, the information is interfaced with the SCI system. On a monthly basis, data is downloaded from the SCI system into the Access database by the IT Department for forecasting purposes. Maintaining two separate budget databases may result in extensive manual review procedures that are required to verify and ensure the data being utilized by the City. Recommendation Management should consider implementing a budget module that would include the entire budgeting process from initiation through adoption, to reduce the amount of time required for the extensive manual reviews currently being performed. In addition, this would provide for up-to-date information when needed for forecasting purposes rather than waiting until the monthly download process occurs. Prior Year's Management's Response City staff concurs with the comment, however, current financial system limitations do not allow for a budget module that would include the entire budgeting process. The City is in the process of researching a new ERP system that will allow for a simplified and complete budget module. Current Year's Status This observation is still applicable in the current year. The City is still in the process of researching a new ERP system and has not implemented any new modules related to the budgeting process. Current Year's Management Response City plans to procure an ERP system that will allow for a simplified and complete budget module in 2004. The ERP implementation is planned to start in Fiscal 2004 and to be completed in Fiscal 2005. Appendix B-7 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Status of Prior Years' Observations, Recommendations, and Management's Responses 2001-3 Time Recording — Overtime Observation The City's GSA and Solid Waste Departments utilizes the KRONOS system for tracking, recording, and monitoring employee time and attendance. The other departments within the City rely on manually — recorded, authorized, and submitted Time and Attendance reports. These reports are entered manually into the Moore Personnel/Payroll system. The system edit checks within the Moore Personnel /Payroll system related to overtime do not limit time entry of excessive overtime. Current policy requires approval for time and attendance prior to submission by the responsible departments. An exception report is utilized which indicates overtime hours that have been entered for employees not eligible for overtime. However, this report does not encompass overtime hours in excess of reasonable hours worked per day for all employees. In some instances it is necessary to enter hours worked for an employee retroactively. For this purpose, daily time parameters that could aid in identifying excessive overtime hours have not been set within the system. In addition, there are two different screens — in the Moore Personnel/Payroll system where time can be entered. One is for mass entry of time the other for individual time entry. Predominantly, the screen for mass time entry is utilized, however, the individual time entry screen does not subject data entry to edit or validation checks, including overtime or invalid — codes. Entry of time and attendance with limited or no online parameters for detecting the submission of excessive overtime and part-time hours may contribute in overpaying an employee. Although the system does generate a report that is manually reviewed by the payroll department, this report lists all overtime hours entered for those employees not eligible for overtime but does not indicate those entries that appear excessive or out of the ordinary. Recommendation Management should consider implementing time and entry edit and validation checks for total hours — worked including full-time, part-time and overtime hours for both entry screens. A single exception report should be generated by the system based on submissions that are outside the set parameters. The parameters should factor into account employees who work permanent positions in addition to part-time — position, as well as part-time employees who work multiple positions. This should enable a more accurate and efficient review, and allow payroll personnel to perform other payroll related functions. Prior Year's Management's Response City staff concurs with the comment, however, current financial system limitations do not allow for such an exception report. The City is in the process of researching a new ERP system that will allow for more — accurate and efficient reviews of overtime hours. Appendix B-8 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Status of Prior Years' Observations, Recommendations, and Management's Responses Current Year's Status _ This observation is still applicable in the current year. The City is still in the process of researching a new ERP system and has not implemented any new modules for this system. Current Year's Management's Response This observation is still valid. The City Commission approved procurement of an ERP System April 8, 2004. The new Kronos system, which went into production on Feb 8, 2004, provides overtime reports that allow the departments of Solid Waste, General Services Administration and Parks and Recreation to monitor overtime hours more closely. The Police Department is currently in the process of defining the scope of — work to implement Kronos. This will also allow them to monitor overtime more closely. Appendix B-9 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Status of Prior Years' Observations, Recommendations, and Management's Responses 2001-4 Vendor Master Files _ Observation There are two vendor master files currently being used by the City: one is updated and maintained by the accounts payable department in the SCI financial system, another is a database in the procurement — department within the Advanced Procurement System (APS). A decision to utilize a separate procurement system initiated the development for maintaining two separate databases. Vendor master data changed or updated within the APS system is not interfaced with the SCI system during the nightly batch process, however changes within the SCI vendor master data updates the information within the APS system during the batch process. Consequently, changes that are made in either of the systems have to be manually reviewed within both systems. a. The two systems do not store the same informational content. For example, SCI has the capability to enter and store multiple addresses for a vendor. The APS system does not provide this functionality. The APS — system, however, has the capability to enter commodity codes for the vendor whereas the SCI system does not. Consequently, for purchasing purposes reports by commodity codes are generated from the APS system. Maintaining vendor master data in two separate files may result in incomplete or inaccurate data being utilized by the City. Recommendation Management should evaluate other solutions to ensure that only one vendor master file is maintained and utilized on a regular basis in order to avoid inaccurate data from being used. Management should also ensure that all the data is centrally accessible. Prior Year's Management's Response City staff concurs with the comment, however, current financial system limitations do not allow for the use of only one vendor master file. The City is in the process of researching a new ERP system that will allow for a centralized vendor database. Current Year's Status This observation is still applicable in the current year. The City did not implement a centralized vendor MEM database during fiscal year 2003. Appendix B-10 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Status of Prior Years' Observations, Recommendations, and Management's Responses Current Year's Management's Response In November 2003, the City moved the SCI (now named GEMS) system to an NT server. As a result of this migration Procurement decided to utilize the full functionality of the GEMS Purchasing module, thus eliminating the need for the APS system. Therefore, the City has retired the APS system and now maintains only the one vendor file within the GEMS application. Appendix B-11 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Status of Prior Years' Observations, Recommendations, and Management's Responses 2001-5 Requisition vs. Purchase Order Encumbrance Observation A purchase order entered into the APS system of the procurement department and interfaced with the SCI system will be accepted by the financial management system even if the purchase order is greater than the originally approved amount of the requisition, if sufficient funds are available. There are no systematic alerts to the user pertaining to a possible variation of amounts between the requisition and the final purchase order, although the procurement department does have compensating manual review procedures in place to detect such discrepancies before the purchase order is entered into the system. Any discrepancies will be followed -up with the respective department and, if necessary, with the budget department before proceeding. A manual review of the interfaced data into the SCI system is also conducted regularly. Instances have occurred where the dollar amount of the purchase order within the APS system and the dollar amount of the same purchase order within SCI after the interface have occurred are different. Although there are manual detective review procedures in place and the supervisor is notified to make the necessary adjustments in the system, the SCI system does not automatically alert the user to this discrepancy. Purchase orders that have been interfaced with the SCI system without automatically alerting the user when the purchase order is greater than the originally approved requisition may result in purchases of items in excess of authorized amounts, effecting the department's budget and go undetected. Purchase orders encumbered within the SCI system with a higher amount than entered into the APS system may cause inaccurate data within the SCI system which may go undetected. This may expose the department to unexpected and unmonitored expenses that could lead to exceeding funds, resulting in unexpected and unnecessary budget overruns. Recommendation Management should consider implementing automated controls that would alert the user when possible discrepancies exist between approved requisitions and purchase orders. Additionally, controls should either be implemented which would compare the data included in the finalized purchase orders entered into the APS system with the SCI system to enable early detection of possible variances in dollar amounts, or management should evaluate other solutions to ensure a seamless process to minimize the possibility of inaccurate and incomplete data from being utilized. Prior Year's Management's Response The City is in the process of migrating the SCI (GEMS Financial Accounting Software) System from the mainframe platform to the NT platform on an interim basis until an ERP solution is implemented. As part of the migration plan, Purchasing has agreed to use the SCI procurement module and retire the APS system Appendix B-12 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Status of Prior Years' Observations, Recommendations, and Management's Responses they are currently using. The migration of SCI to NT is scheduled to be completed by the end of this fiscal year Once the APS system is retired there will no longer be a need to interface two Purchasing files and this audit finding can be closed. Current Year's Status This observation is still applicable in the current year. The City is still in the process of researching a new ERP system and did not implement any new modules related to the purchasing system in fiscal 2003. Current Year's Management's Response As stated in the response to 2004-4 above, the APS system has been retired. With only the GEMS system maintaining requisitions and Purchase Orders there are no longer any discrepancies. Also, the GEMS application will alert the buyers when their changes cause the requisitions to exceed the budget. In this case the buyers do not issue a Purchase Orders until the Budget Department has transferred enough money into the account to cover the increase. Appendix B-13 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Status of Prior Years' Observations, Recommendations, and Management's Responses 2000-2 Statement on Auditing Standards (SAS) 70 Report Observation The City, which is self -insured for general liability, property and casualty, and workers' compensation claims, outsources the processing of its claims to a third -party administrator (TPA), which constitutes a — significant amount of claims paid each year. In addition, the City outsources the processing of its Emergency Services billings and collections to a TPA. We noted that the TPA's do not have a service auditor's report (SAS 70 Report — Reports on the Processing of Transactions by Service Organizations _ from its TPA) issued on the internal controls over the administration of their respective services provided to the City. Recommendation We recommend the City request each TPA to obtain a SAS 70 report at least every two years. A SAS 70 report would provide the City and the City's external auditors' assurance, although not absolute, about whether or not the internal controls of the TPA are operating effectively with respect to the services provided to the City. Prior Year's Management's Response City staff concurs with the comment. Staff will implement procedures for future agreements with TPAs to contain language that will require them to provide a SAS 70 report to the City at least every two years. Current Year's Status This observation is still applicable in the current year. Currently, the City processes insurance claims in- house using software provided by Corporate Systems. However, a third -party administrator processes EMS billings and collections. Therefore, the City should request a SAS 70 report from this third -party administrator. Current Year's Management's Response City staff concurs with the comment. Staff will incorporate requirements into all new applicable contracts for TPAs to provide a SAS 70 report to the City at least every two years. Appendix B-14 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Status of Prior Years' Observations, Recommendations, and Management's Responses 2000-5 Grant Accounting Observation Each of the City's federal, state, and local grants are currently accounted for in the City's general ledger by project. However, each general ledger grant project does not identify only reimbursable expenditures -- related to the respective grants. As a result, we were unable to agree several grant program expenditures from the schedule of expenditures of federal awards, which were obtained from the general ledger grant project, to the reimbursement packages. Recommendation We recommend the City separately identify, in the general ledger grant projects, those expenditures that —. are reimbursable by the grantor and those expenditures that are not. This will ensure the accuracy of the schedule of expenditures of federal awards. Prior Year's Management's Response City staff concurs with the comment, however, current financial system limitations are such that grant expenditures are recorded on a project level and separately identifying those expenditures that are reimbursable by the grantor is not available. The Finance department is working in conjunction with the Budget department to ensure that the City's general ledger system, on a project level, correctly reflects only budgets for expenditures that are reimbursable under the grant agreement. Unallowed expenditures budgeted under the grant will require a separate budgeted dedicated revenue source. Current Year's Status This observation is still applicable in the current year. Current Year's Management's Response City plans to procure an ERP system that will allow for a fully functional grant accounting module in 2004. The ERP implementation is planned to start in Fiscal 2004 and to be completed in Fiscal 2005. Appendix B-15 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Status of Prior Years' Observations, Recommendations, and Management's Responses 2000-7 Logical Security — User Termination Observation The Human Resources department provides Information Technology department (ITD) with a list of monthly users that are no longer employed with the City. ITD relies on this list to ensure that terminated user system access is disabled. In addition, departments should immediately notify ITD of users that are no longer employed by the City. However, this policy is not well enforced. As a result, the possibility exists that users may remain active in the system for an extended period of time should departments not notify ITD. Recommendation Management should disable system users in a more timely manner. Sound practices indicate that users should be disabled on the last day of employment. The current policy should be recommunicated and enforced. Prior Year's Management's Response City staff concurs with the comment. Current City policies require that the director of the respective department notify ITD utilizing the "Security Access Termination Form" in the event that someone is transferred from their department or terminated from employment with the City. When these forms are received by ITD they are acted upon immediately. The "Monthly Separation Report" automatically produced by the City's automated payroll system acts as a secondary notification of staff changes. Additionally, in cases where urgency is dictated, an email from the respective department to the CIO of ITD is utilized to expedite security modification/termination requests. The primary policy, as has been noted in past years, is not always followed. ITD will draft a memo for the City Manager's signature reinforcing this policy. Additionally, the CIO of ITD will send an email to all organizational heads confirming the need for adherence to this policy. Moreover, a link to the "Security Access Termination Form" will be provided on the City's Intranet site (CITYNET) giving direct access to this form in electronic format. Current Year's Status This observation is still applicable in the current year. The user termination policy is being modified so that the system access privileges are removed upon user termination. Appendix B-16 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Status of Prior Years' Observations, Recommendations, and Management's Responses Current Year's Management Response City staff concurs with the comment. A link to the "Security Access Termination Form" is available on the City's intranet homepage; however, these forms are not always received in an expedited manner. The staff of the Information Technology Department does utilize the "Monthly Separation Report" as a secondary notification of these personnel actions; however, ITD will work directly with the Employee Relations Department to determine if a more effective and timely employee termination notification process can be implemented. Appendix B-17 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Status of Prior Years' Observations, Recommendations, and Management's Responses 1999-3 Financial Reporting Observation The Finance department has purchased computerized financial reporting software and developed certain procedures in an effort to assist in the compilation of the annual general purpose financial statements. — However, we noted that the accounting software is not fully used for its intended purpose and, in fact, the financial statements are prepared manually on spreadsheets, which is very time consuming and prone to human error. Recommendation Although the City has purchased computerized financial reporting software in the prior year, we noted that — the implementation process of such software has encountered some difficulties. We recommend that the City continue to aggressively implement the computerized financial reporting software. The use of a formal financial reporting system will improve the timeliness and accuracy of financial data and thereby assist management in meeting their reporting deadlines and provide them with a reliable tool for monitoring the City's progress and making informed decisions. — Prior Year's Management's Response City staff concurs with the comment. The software provider has not yet delivered a working module. The City is willing to implement the module upon delivery. Additionally, the City is in the process of researching a new ERP system that will include a financial reporting module. Current Year's Status This observation is still applicable in the current year. The City is still in the process of researching a new ERP system and has not implemented any new modules related to the financial reporting process. — Current Year's Management's Response City plans to procure an ERP system that will allow for a fully functional financial reporting module in 2004. The ERP implementation is planned to start in Fiscal 2004 and to be completed in Fiscal 2005. Appendix B-18 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Status of Prior Years' Observations, Recommendations, and Management's Responses 1997-6 User Access Codes _ Observation User access codes and Userlds (Personnel Identification Numbers) are in clear text, unencrypted/unmasked to users with security administrator level access within the SCI financial systems and the police systems (including the Police Accounting system). Security administrators of the SCI financial software and police systems have the capability to view and print out all access codes and Userlds for this system. Hence, these individuals have the capability to perform any type of transactions within the financial systems and remain undetected. Recommendation The City should evaluate whether or not it is feasible and cost beneficial to enable password encryption for the SCI financial systems and the police systems. Prior Year's Management's Response City staff concurs with the comment. Additionally, the City is in the process of researching a new ERP _ system that will include adequate security that enables password encryption Suggested Action in Prior Year — The Finance Department should advise the security operators via memo (reminding them not to allow people to view these particular screens) and the Finance Department should amend their Departmental procedures to note this danger exists, and advise operators how to avoid same. The Police System is a very old legacy based system and would be prohibitively expensive to address. However, these considerations will be included in any forthcoming RFP for new systems. Appendix B-19 CITY OF MIAMI, FLORIDA Management Letter in Accordance with the Rules of the Auditor General of the State of Florida September 30, 2003 Status of Prior Years' Observations, Recommendations, and Management's Responses Current Year's Status This observation is still applicable in the current year. Current Year's Management's Response _, The SCI Financial System is a product that was developed and is supported by a third party (GEMS). GEMS has been asked by the City to modify the base system to provide for this level of security, however, they have consistently declined to do so. The Police Accounting System is over 20 years old and is not cost effective to modify at this time. The City plans to procure an ERP system in 2004; industry standard security will be a requirement.