CITY OF PALO ALTO
Policy & Services Committee Special Meeting
Wednesday, April 26, 2023
Community Meeting Room & Hybrid Meeting (Location Changed)
7:00 PM

Agenda Item 2. Office of the City Auditor Presentation of the Electronic Payment Process and Controls Audit Report Presentation

Policy & Services Committee Staff Report
From: Adriane McCoy, Interim City Auditor
Meeting Date: April 26, 2023
Report #: 2302-1020

TITLE
Office of the City Auditor Presentation of the Electronic Payment Process and Controls Audit Report

BACKGROUND
In 2021, the City of Palo Alto (City) was subject to multiple attempts to misdirect wire payments. Given the importance of the topic, the Office of the City Auditor (OCA) obtained approval to start a recommended audit activity, the Wire Payment Process and Controls Review project, in February 2022 [1] (ID#13891), before finalizing the FY2022-2023 Audit Plan, which included the Wire Payment Process and Controls Review project and was subsequently approved by the City Council in April 2022 [2] (ID#13914).

DISCUSSION
The objectives of the review were to:
1) Determine whether adequate controls are in place and working effectively to ensure that all disbursements are valid and properly processed in compliance with the City's policies and procedures
2) Determine whether end user security awareness training is sufficient to prevent erroneous payments

The original scope to review wire payments was changed to review electronic payments, which include both wire and Automated Clearing House (ACH) payments, because ACH payments face similar risks. The OCA's review included the ACH and wire disbursement processes performed by the Accounts Payable and Treasury teams, the addition and modification of banking information, and the user security awareness training, to evaluate the design of internal controls. Additionally, the OCA tested the selected disbursement transactions to determine whether the controls are operating effectively. The attached report summarizes the analysis, audit findings, and recommendations.

FISCAL/RESOURCE IMPACT
The Office of the City Auditor worked primarily with the Administrative Services Department and engaged additional stakeholders, including the City Manager's Office and the City Attorney's Office, as necessary. The timeline for implementation of corrective action plans is identified within the attached report.

ATTACHMENTS
• Attachment A: Report on Electronic Payment Process and Controls

[1] City Council Staff Report, February 7, 2022: https://www.cityofpaloalto.org/files/assets/public/agendas-minutes-reports/agendas-minutes/city-council-agendas-minutes/2022/20220207/20220207pccsm-revised-final.pdf
[2] City Council Staff Report, April 4, 2022: https://www.cityofpaloalto.org/files/assets/public/agendas-minutes-reports/agendas-minutes/city-council-agendas-minutes/2022/20220404/20220404pccsmamendedlinked1.pdf

City of Palo Alto
City Auditor's Office
Electronic Payment Process and Controls
March 14, 2023

Executive Summary

Purpose of the Audit
Baker Tilly US, LLP (Baker Tilly), in its capacity serving as the Office of the City Auditor (OCA) for the City of Palo Alto (the City), conducted an audit of the electronic payment process and controls based on the approved Task Order 4.12. The objectives of this review were to:
1) Determine whether adequate controls are in place and working effectively to ensure that all electronic payments are valid and properly processed in compliance with the City's policies and procedures.
2) Determine whether end user security awareness training is sufficient to prevent erroneous payments caused by phishing.
Report Highlights

Finding 1: Electronic Payment Instructions (Page 11)
In August 2021, management implemented an internal control by formalizing the existing verbal verification process for all new electronic payment instructions and modifications. This is an important control to prevent wire and ACH fraud, as noted in the Best Practices section of this report. However, the City's Policy and Procedures 1-06/ASD, Payment Procedures, has not been revised to include the new requirement.

The OCA reviewed the supporting documents and approvals for two wire templates and 10 randomly selected vendors for ACH and noted that the control activity performed is not documented to evidence a review of changes made to vendor records. This review is not currently included in the policy. An independent person who did not enter the information in the system should review the vendor record added or changed in the system, using the supporting documents, for validity and accuracy. The review should be evidenced as defined in the policy. In the absence of control activities and requirements defined in the policy, the City cannot ensure that key internal controls are implemented properly and operate effectively.

Key Recommendations
The Administrative Services Division (ASD) management should review and update the City's Policy and Procedures 1-06/ASD, Payment Procedures, to ensure that an adequate internal control system is in place to mitigate the risk of potential loss resulting from wire and ACH fraud. The control activities and requirements should be clearly defined and communicated to employees to ensure that controls are implemented properly and executed effectively. The ASD management should also train the appropriate employees on the required control activities to ensure that they execute the controls properly.

Finding 2: ACH Payments (Page 12)
There are three employees in the ASD AP team. The OCA noted that all three AP team members have access to post invoices and process payments in the SAP ERP system and in the bank online portal. The access also allows the employees to update the vendor records in the SAP ERP system. Because of this segregation of duties issue, effective operation of mitigating controls is important to ensure that all electronic payments are valid and properly processed. The mitigating control currently in place is dual authorization of ACH payment batches and bank transactions in the bank online portal.

For one of 25 ACH payments reviewed, the actual ACH bank account number used for this payment was different from the ACH bank account number shown on the vendor invoice. This discrepancy was not identified during the payment process, and the payment was made to an incorrect account. The control to prevent erroneous payments did not operate effectively for this payment, although there was no financial loss and all supporting documents and approvals were well documented. The quality and effectiveness of independent reviews are especially crucial due to the existing segregation of duties issue, where all AP team members have the same system access.

The ACH payments are made from the bank online portal. The OCA determined that the application control requiring dual authorization was in place. However, because the City currently does not require employees to save the reports, which are available in the bank portal only for a month, the audit trails evidencing that the dual authorization control is working effectively are not maintained. Although mitigating controls such as the secondary approver, dual authorization, and bank account reconciliation are in place, ineffective execution of any of the key mitigating controls may lead to invalid and/or inaccurate AP ACH payments.

Key Recommendations
The ASD management should review segregation of duties among creating/updating vendor records, processing vendor invoices, and processing payments, and evaluate the risks associated with conflicts. The ASD management should work with IT management to identify ways to improve segregation of duties and mitigate risks. Until the segregation of duties conflicts are resolved, the ASD management should strengthen mitigating controls over the AP payment process by ensuring that the controls are designed to mitigate risks adequately and are operating effectively. The City's Policy and Procedures 1-06/ASD, Payment Procedures, should be updated to clearly define the controls and communicate them to employees.

Table of Contents
Executive Summary ... 2
  Purpose of the Audit ... 2
  Report Highlights ... 2
Introduction ... 5
  Objective ... 5
  Background ... 5
  Scope ... 6
  Methodology ... 7
  Compliance Statement ... 7
  Organizational Strengths ... 7
Detailed Analysis ... 8
  Policies and Procedures ... 8
  User Security Awareness Training ... 8
  Best Practices ... 9
Audit Results ... 11
  Finding 1: Electronic Payment Instructions ... 11
  Recommendation ... 11
  Finding 2: ACH Payments ... 12
  Recommendation ... 13
Appendices ... 14
  Appendix A: Electronic Payments Process and Controls ... 15
  Appendix B: Management Response ... 16

Introduction

Objective
The objectives of this review were to:
1) Determine whether adequate controls are in place and working effectively to ensure that all electronic payments are valid and properly processed in compliance with the City's policies and procedures.
2) Determine whether end user security awareness training is sufficient to prevent erroneous payments caused by phishing.

Background
The City disburses its funds using electronic payments and paper checks. Electronic payments consist of wire transfers and Automated Clearing House (ACH) payments. During the period between September 1, 2021, and March 15, 2022, the City recorded 3.8K disbursement transactions totaling $430M in the general ledger cash account. The charts below show the following:
• Wire transfers are only 4% of all disbursement transactions but 29% of the total disbursement amount.
• ACH payments processed by the Accounts Payable (AP) team for vendors and employees are just 1% of all disbursement transactions, due to weekly batch processing, but 11% of the total disbursement amount.

ACH payments cost much less than checks, according to the 2022 Payment Cost Benchmarking Survey [1].

[1] ACH Costs are a Fraction of Check Costs for Businesses, AFP Survey Shows | Nacha; 2022 AFP Payments Cost Benchmarking Survey (afponline.org)
The cost of initiating a wire payment can vary widely and is generally higher than that of a check. Similarly, the City's average costs per unit, not including staff time and processing costs, are approximately $0.22, $0.07, and $4.02 for checks, ACH, and wires, respectively, based on the OCA's calculation using the estimated monthly unit volume shown in the existing banking and merchant services agreement [2].

[Chart 1-A: Payment Methods by Transaction]
[Chart 1-B: Payment Methods by Amount]
Chart notes:
¹ ACH payments are processed in batches from one bank to another through the Automated Clearing House (ACH) system and are often used for payroll, vendor payments, recurring payments, etc.
² Wire payments are electronic interbank payments made through a wire system such as FedWire and are typically used for higher value, lower volume, time-sensitive transactions.
³ Automatic withdrawals include automatic bank transfers to the City's three zero balance accounts and other charges withdrawn, such as bank and credit card fees, based on agreements.

Electronic payments are a more secure method of payment than checks, as paper checks are more susceptible to physical loss and check fraud such as forgery and theft. However, no payment method is completely secure. According to the FBI's 2021 Internet Crime Report [3], Business Email Compromise (BEC)/Email Account Compromise (EAC) "is a sophisticated scam targeting both business and individual performing transfers of funds" and "is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds." The FBI's report states that BEC schemes were among the top incidents reported in 2021 and resulted in almost 20K complaints with losses of nearly $2.4B in total (an increase from approximately $1.8B in 2019). The report also shows that California had the most victims and losses (67K and $1.2B, respectively) among all states, U.S. territories, and the District of Columbia. There was a significant arrest in May 2021 when Interpol received intelligence from private sector partners including Unit 42 at Palo Alto Networks [4], but the threat of BEC remains.

In June 2021, the City became a victim of a BEC scam, resulting in a wire payment of approximately $43K to a fraudster. This incident was identified in late July 2021 when the legitimate vendor inquired about a payment they never received from the City. City management subsequently reviewed the wire and ACH payments and vendor record changes made between June 2021 and August 2021 and noted no other similar incident. They also formalized an internal control to verbally confirm new and modified banking information with the payee to prevent similar incidents; in August 2021 this control prevented a loss from a similar scheme, vendor impersonation fraud, which often targets public sector entities because contracting information is a public record.

[2] Attachment A: US Bank and Elavon Contract Extension Agreement and Related Documents (cityofpaloalto.org)
[3] 2021_IC3Report.pdf, Internet Crime Complaint Center (IC3). IC3 receives complaints on cyber crimes from the American public and tracks the trends and threats.
[4] Suspected Business Email Compromise Ringleader Busted (bankinfosecurity.com)

Scope
The original scope to review wire payments was changed to review electronic payments, which include both wire and ACH payments, because ACH payments face similar risks.
The OCA's review included the ACH and wire disbursement processes performed by the AP and Treasury teams, the addition and modification of banking information, and the user security awareness training, to evaluate the design of internal controls. Additionally, the OCA tested selected transactions processed between September 1, 2021, and March 15, 2022, to determine whether the controls are operating effectively. The OCA reviewed the City employees' access to the bank online portal during this audit. For access to the City's SAP ERP system, however, the OCA relied on the results of its recent assessment of segregation of duties in the City's SAP ERP system (Task Order 4.3). A review of cybersecurity risks is covered in a separate cybersecurity audit that is already underway (Task Order 4.14).

Methodology
To achieve the audit objectives, the OCA performed the following procedures:
• Reviewed the policies and procedures related to ACH and wire payment processing.
• Interviewed the appropriate individuals within the Administrative Services Division (ASD), including the Treasury (for wires), Accounts Payable (for ACH payments), and General Ledger teams, to discuss the process and controls for electronic payments, including vendor record creation and modification.
• Reviewed the approvals and supporting documents for randomly selected samples of electronic payments as well as new and modified vendor records.
• Reviewed the access and controls related to the bank online portal.
• Interviewed the key process owners of the electronic payment processes to understand the security awareness training they received.
• Inquired with the Information Technology Department and the Human Resources Department regarding the user security awareness training the City offers to employees.
• Reviewed the employees' completion status of the latest user security awareness training the City provided.
• Identified the best practices related to electronic payment processing to mitigate the risks of wire and ACH fraud.

Compliance Statement
This audit activity was conducted from March 2022 to July 2022 in accordance with generally accepted government auditing standards, except for the requirement of an external peer review [5]. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

[5] Government auditing standards require an external peer review at least once every three (3) years. The last peer review of the Palo Alto Office of the City Auditor was conducted in 2017. The Palo Alto City Council approved a contract from October 2020 through June 2022 with Baker Tilly US, LLP (Baker Tilly) and appointed Kyle O'Rourke, Senior Consulting Manager in Baker Tilly's Public Sector practice, as City Auditor. Given the transition in the City Audit office, a peer review was not conducted in 2020 and will be conducted after the third year of Baker Tilly's contract.

Organizational Strengths
During this audit activity, we observed certain strengths of the City. Key strengths include:
• Approvals of payments are well documented using e-signature software called DocuSign
• Supporting documents are consistent and well organized
• The staff members are devoted and professional and were responsive to the OCA's questions and requests

The Office of the City Auditor greatly appreciates the support of the Administrative Services Department in conducting this audit activity. Thank you!

Detailed Analysis

Policies and Procedures
The City has the Policy and Procedures 1-06/ASD, Payment Procedures (Revised: February 2007).
The Policy Statement of this policy is that the "functionality of Accounts Payable is to ensure that all payment requests are properly authorized, accurately recorded and promptly disbursed in accordance with City policies and contractual terms." The City's nine-page Policy and Procedures include the sections shown in the box below.

Policy and Procedures 1-06/ASD* Payment Procedures: Contents
A. Purchasing Authorization
B. Change Order Process
C. Routine Accounts Payable Payment Process
D. Department Approvals
E. Accounts Payable Editing and Posting
F. Check Printing, Reversal and Re-issuance, and Wire Transfer
G. Year-end Accruals
H. Reconciliations
I. Quarterly sales tax reporting
* Administrative Services Department

The policy does not include the following related processes and controls:
• The verbal verification process for all new electronic payment instructions and modifications that was formalized in August 2021
• The controls and requirements for ACH payments, including vendor record creation and modification
• The controls and requirements for wire payments, including the creation and modification of wire templates for recurring payments and the situations in which free-form (non-recurring) wire payments are used
• The processes and controls for the bank online portal

There is also a six-page document titled "Internal Controls on Cash Disbursement Cycle" that was updated in May 2021. This Cash Disbursement document contains sections similar to those of the City's policy but provides additional descriptions of procedures for payment requests and ACH payments. The OCA documented an overview of the wire and ACH processes and controls, based on the understanding obtained during this audit (Appendix A).

User Security Awareness Training
The City required all City employees to complete a cybersecurity awareness training by November 25, 2020. This was the latest training provided by the Information Technology (IT) and Human Resources (HR) departments, using a well-established, leading vendor that provides a large library of security awareness training content as well as a simulated phishing campaign tool. The training was delivered through the City's learning system managed by HR. The employees' completion status generated from the City's learning system shows that over 98% of all employees completed the training by December 31, 2020. Although all 10 ASD employees who process electronic payments completed this training, some of them did not complete it by the due date set by HR. The City does not require those 10 ASD employees to take additional fraud training courses that are more directly related to AP and cash disbursement. According to the AP and Treasury teams, they share news and articles related to fraud incidents among team members and have taken fraud-related training courses on their own.

[Table 1: 2020 Security Awareness Training Completed in 2020-2022]

Best Practices
As people increasingly conduct business online and communicate digitally, fraud attempts such as phishing are growing. Electronic payments are susceptible to fraud schemes because the transactions are fast and irrevocable. Fraudsters gather information on target organizations, take advantage of a weak internal control system, and take money from victims using compromised or impersonated methods. Therefore, an effective internal control system is key to protecting an organization from becoming a victim of fraud schemes. Through research on wire and ACH fraud and the best practices to prevent them, the OCA compiled the following best practices.

Practices to guard against wire and ACH fraud
• Educate and train employees on fraud schemes to ensure they recognize red flags and take appropriate actions, such as:
  o Do not click on links and attachments in an unsolicited e-mail or text message, or respond to them, before verifying their legitimacy.
  o Cautiously inspect the e-mail address, URL, and spelling in a message to identify a slightly modified address/URL.
  o Be watchful if there is a sense of urgency.
  o Do not use "reply" for e-mail communication. Instead, use "forward" and add the correct e-mail address.
• Implement a verbal verification process that uses a phone number used previously or obtained independently from the information provided in the current request.
  o Conduct an internet search or compare against reputable databases.
  o Do not call a phone number provided with a request.
  o Use a script to verify both the existing account information and the information to be changed.
• Process payments using dual control (two-person authorization).
• Work with the IT department to ensure that appropriate cybersecurity controls are implemented.
• Review the insurance policy for appropriate coverage of financial losses due to cybersecurity fraud.
• Periodically review all control procedures to keep them current and relevant to current threats.

Audit Results

Finding 1: Electronic Payment Instructions
In August 2021, the ASD management implemented an internal control by formalizing the existing verbal verification process for all new electronic payment instructions and modifications. The formalized verification process involves the following steps:
1) Calling a phone number independently obtained from sources such as the signed original instructions and the company website
2) Confirming the banking and other relevant information
3) Writing down on the new or modified instructions the name of the individual who confirmed the information, the date, the information verified, and the initials of the staff member who performed the verification

This is an important control to prevent wire and ACH fraud, as noted in the Best Practices section of this report. However, the City's Policy and Procedures 1-06/ASD, Payment Procedures, has not been revised to include the new requirement.

Between September 1, 2021, and March 15, 2022, ASD had two new or modified wire templates (the payee banking information stored in the bank online portal) for payees with recurring wire payments. ASD also added or changed records for 2,057 vendors, 32 of which had new or modified ACH banking information. The OCA reviewed the supporting documents and approvals for the two wire templates and 10 randomly selected vendors for ACH and noted the following:
• The City receives requests to update various payee information such as tax number, payment method, and name. The current practice is that not all changes require documentation of the verbal verification performed. Only the verbal verification of changes to banking information is documented, and this should be defined in the policy.
• The AP Senior Accountant runs a "display changes to vendor" report and reviews the banking changes listed in the report prior to approving a weekly ACH batch. However, this supervisory review of changes made in the system is not documented, nor is the report used for the review included in the ACH payment packet that the AP Senior Accountant signs off on. Therefore, the control activity performed is not documented to evidence a review of changes made to vendor records. This review is not currently included in the policy.

An independent person who did not enter the information in the system should review the vendor record added or changed in the system, using the supporting documents, for validity and accuracy. The review should be evidenced as defined in the policy. In the absence of control activities and requirements defined in the policy, the City cannot ensure that key internal controls are implemented properly and operate effectively.
Recommendation
The ASD management should review and update the City's Policy and Procedures 1-06/ASD, Payment Procedures, to ensure that an adequate internal control system is in place to mitigate the risk of potential loss resulting from wire and ACH fraud. The control activities and requirements should be clearly defined and communicated to employees to ensure that controls are implemented properly and executed effectively. The ASD management should also train the appropriate employees on the required control activities to ensure that they execute the controls properly. Additionally, the ASD management should implement a mechanism (such as periodic meetings, training, or e-mail communications) that is more proactive than the current practice to keep appropriate employees informed on wire and ACH fraud schemes and trends, in addition to the user security awareness training provided by the City.

Finding 2: ACH Payments
There are three employees in the ASD AP team. The OCA noted that all three AP team members have access to post invoices and process payments in the SAP ERP system and in the bank online portal. The access also allows the employees to update vendor records in the SAP ERP system. The AP segregation of duties issue was reported in the ERP Planning: Separation of Duties audit report dated October 17, 2018. Recently, the SAP Functionality and Internal Control Assessment revealed that:
1) "Process Vendor Invoices" and "AP Payments" are two of the three processes with the most conflicts among the 12 business processes that are part of the SAP Finance and Accounting (FI) module
2) "AP Payments and Process Vendor Invoices" is one of the top 10 SAP FI conflicts

Because of the existing conflicts, effective operation of mitigating controls is important to ensure that all electronic payments are valid and properly processed. The mitigating control currently in place is dual authorization of ACH payment batches and bank transactions in the bank online portal.

Between September 1, 2021, and March 15, 2022, the ASD AP team processed 31 weekly ACH batches totaling approximately $45M. The OCA reviewed approvals for 10 ACH batches and the supporting documents for 25 individual ACH payments selected from those 10 batches. Each ACH batch payment packet is signed by the following three individuals using DocuSign:
• Preparer (AP Account Specialist), who creates the batch file in the SAP ERP system, assembles a payment packet containing the supporting documents approved by the applicable departments for the batch, and uploads the batch file to the bank online portal
• First Approver (AP Senior Accountant), who reviews and approves the payment packet and approves the uploaded batch file in the bank online portal
• Second Approver (Treasury Manager), who reviews and approves the payment packet

The OCA then compared the bank information in the SAP ERP system to the bank information shown in the supporting documents. For one of the 25 ACH payments reviewed, the actual ACH bank account number used for the payment was different from the ACH bank account number shown on the vendor invoice. This discrepancy was not identified during the payment process, and the payment was made to an incorrect account. There was no financial loss, since the bank returned the payment made to the closed account and the City was able to issue a check to the vendor. However, if the wrong account had not been closed, the error would have gone unnoticed without the vendor's notification. The control to prevent erroneous payments did not operate effectively for this payment, although all supporting documents and approvals were well documented. The quality and effectiveness of independent reviews are especially crucial due to the segregation of duties issue noted above.
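The checks described in Findings 1 and 2 (an evidenced, independent review of bank-detail changes made with an independently obtained phone number; three distinct signers on the packet; dual authorization in the portal; the ERP account compared with the account on the supporting documents), written up as an added example that is not part of the audit report or the City's systems. The record layouts, field names and the verification-log fields are assumptions, and every record below is constructed sample data.

```python
"""Review checks for vendor bank-detail changes and a weekly ACH batch packet.
Added example over constructed records: the dataclasses, field names and the
verification-log layout are assumptions, not the City's SAP or bank portal formats."""
from dataclasses import dataclass

# Constructed vendor master: vendor id -> bank account held in the ERP.
VENDOR_MASTER = {"V1001": "000111222", "V1002": "000333444", "V1003": "000555666"}
# What a documented verbal verification must record (Finding 1, step 3), and the
# acceptable origins of the phone number called (never the request itself).
REQUIRED_VV_FIELDS = ("confirmed_by", "phone_source", "verified_by", "date")
INDEPENDENT_SOURCES = {"company website", "signed original instructions", "existing master record"}

@dataclass
class VendorChange:
    vendor_id: str
    field_changed: str            # "bank_account", "tax_id", "name", ...
    changed_by: str
    verbal_verification: dict = None   # None when nothing was documented

@dataclass
class Payment:
    vendor_id: str
    invoice_account: str          # account shown on the invoice / remittance advice

@dataclass
class Batch:
    batch_id: str
    preparer: str                 # AP Accounting Specialist
    first_approver: str           # AP Senior Accountant
    second_approver: str          # Treasury Manager
    portal_initiator: str         # uploaded the batch file to the bank portal
    portal_approver: str          # approved the uploaded file in the portal
    payments: list

def review_vendor_changes(changes, reviewer):
    """Finding 1: complete, independently sourced verification, reviewed by someone else."""
    issues = []                   # (vendor_id, problem) tuples
    for c in changes:
        if c.field_changed != "bank_account":
            continue              # other field changes need no verbal verification
        vv = c.verbal_verification
        if vv is None:
            issues.append((c.vendor_id, "bank change without documented verbal verification"))
            continue
        missing = [k for k in REQUIRED_VV_FIELDS if not vv.get(k)]
        if missing:
            issues.append((c.vendor_id, "verification record incomplete: " + ", ".join(missing)))
        if vv.get("phone_source") not in INDEPENDENT_SOURCES:
            issues.append((c.vendor_id, "phone number not from an independent source"))
        if c.changed_by == reviewer:
            issues.append((c.vendor_id, "reviewer entered the change being reviewed"))
    return issues

def review_batch(batch, master=VENDOR_MASTER):
    """Finding 2: three distinct signers, portal dual authorization, and the ERP
    account matching the supporting documents for every payment in the batch."""
    issues = []
    if len({batch.preparer, batch.first_approver, batch.second_approver}) < 3:
        issues.append((batch.batch_id, "packet not signed by three distinct individuals"))
    if batch.portal_initiator == batch.portal_approver:
        issues.append((batch.batch_id, "initiator approved own batch in bank portal"))
    for p in batch.payments:
        erp_account = master.get(p.vendor_id, "")
        if erp_account != p.invoice_account:
            issues.append((p.vendor_id, "ERP account ending %s differs from invoice account ending %s"
                           % (erp_account[-4:], p.invoice_account[-4:])))
    return issues

# Constructed changes: clean; non-bank; verified via the request's own number with
# the confirming person left blank; entered by the reviewer.
SAMPLE_CHANGES = [
    VendorChange("V1001", "bank_account", "specialist.a",
                 {"confirmed_by": "vendor AR clerk", "phone_source": "company website",
                  "verified_by": "specialist.b", "date": "2022-01-10"}),
    VendorChange("V1002", "tax_id", "specialist.a"),
    VendorChange("V1003", "bank_account", "specialist.c",
                 {"confirmed_by": "", "phone_source": "change request",
                  "verified_by": "specialist.c", "date": "2022-02-15"}),
    VendorChange("V1002", "bank_account", "senior.accountant",
                 {"confirmed_by": "vendor controller", "phone_source": "signed original instructions",
                  "verified_by": "specialist.a", "date": "2022-03-01"}),
]
# Constructed batches: properly staffed but one ERP account differs from the invoice;
# then accounts match but one person signs twice and approves their own upload.
SAMPLE_BATCHES = [
    Batch("ACH-2022-07", "specialist.a", "senior.accountant", "treasury.manager",
          "specialist.a", "senior.accountant",
          [Payment("V1001", "000111222"), Payment("V1002", "000333444"), Payment("V1003", "000999000")]),
    Batch("ACH-2022-08", "specialist.a", "senior.accountant", "senior.accountant",
          "specialist.a", "specialist.a", [Payment("V1001", "000111222")]),
]

def run_review():
    """Run both reviews over the constructed data; returns issues keyed by scope."""
    report = {"vendor_changes": review_vendor_changes(SAMPLE_CHANGES, "senior.accountant")}
    for b in SAMPLE_BATCHES:
        report[b.batch_id] = review_batch(b)
    return report
```

Run as a pre-release step, an empty issue list for a batch is the evidence a reviewer can attach to the packet; any non-empty list is something to resolve before the batch is approved in the portal.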
The ineffective execution of an internal control (a thorough review to detect errors and irregularities) may result in erroneous payments, financial loss, and/or inefficient use of resources.

The ACH payments are made from the bank online portal. Access to this account is limited, but all three AP team members can initiate and approve ACH payment batches. According to the Manager, Treasury, Debt & Investments, he set the dual authorization requirement in the account settings of the bank online portal around October 2018 so that the same individual cannot approve a transaction he/she initiated. The OCA determined that the application control requiring dual authorization is currently in place. The names of the individuals who initiated and approved each ACH batch are listed in the ACH Audit Report and ACH Daily Batch Detail. However, these audit trails are available in the portal only for a month unless a report is generated and saved offline by a user. As the City currently does not require employees to save the reports, the audit trails evidencing that the dual authorization control is working effectively are not maintained. It took a week for the City to receive the information after submitting a request to the bank's customer service department.

Audit trails are detailed records of financial transactions and are used to verify and track transactions. It is necessary for the City to maintain a complete audit trail to be able to trace back any irregularities and investigate them when they happen. Although mitigating controls such as a secondary approver, dual authorization, and bank account reconciliation are in place, ineffective execution of any of the key mitigating controls may lead to invalid and/or inaccurate AP ACH payments.

Recommendation

The ASD management should review segregation of duties among creating/updating vendor records, processing vendor invoices, and processing payments, and evaluate the risks associated with the conflicts.
The ASD management should work with IT to identify ways to improve segregation of duties and mitigate risks. Until the segregation of duties conflicts are resolved, the ASD management should strengthen mitigating controls over the AP payment process by ensuring that the controls are designed to mitigate risks adequately and are operating effectively. The City's Policy and Procedures 1-06/ASD, Payment Procedures, should be updated to clearly define the controls and communicate them to the employees.

Appendices

Appendix A: Electronic Payments Process and Controls

Appendix B: Management Response

Finding: Electronic Payment Instructions

Recommendation: The ASD management should review and update the City's Policy and Procedures 1-06/ASD, Payment Procedures, to ensure that an adequate internal control system is in place to mitigate the risk of potential loss resulting from wire and ACH fraud. The control activities and requirements should be clearly defined and communicated to employees to ensure that controls are implemented properly and executed effectively.

Responsible Department(s): Administrative Services
Concurrence: Agree
Target Date: February 2023
Completion Date: February 22, 2023

Action Plan: ASD has drafted revisions to Policy and Procedures 1-06/ASD, Payment Procedures, to align the policy document with staff's current practices for electronic payments through ACH and wire transfer. Controls already in practice and added to the updated policy include:

ACH Payments
• AP staff verbally confirm bank information on the ACH enrollment form by calling an independently obtained phone number from the company website and/or the master vendor record in SAP.
• ACH batches are signed by three individuals before the batch is processed: preparer (A/P Accounting Specialist); first approver (A/P Senior Accountant); and second approver (Manager, Treasury, Debt & Investments).
Wire Transfers
• The Manager, Treasury, Debt & Investments, confirms bank information from the ACH enrollment form by calling an independently obtained phone number from the company website and/or the master vendor record in SAP.
• Wire transactions are entered in U.S. Bank's online portal. The wire is initiated by the Manager, Treasury, Debt & Investments; a second approval is required to execute the wire.

The revised policy was distributed to City employees in February 2023.

Recommendation: The ASD management should also train the appropriate employees on the required control activities to ensure that they execute the controls properly. Additionally, the ASD management should implement a mechanism (such as periodic meetings, training, e-mail communications, etc.) that is more proactive than the current practice to keep appropriate employees informed on wire and ACH fraud schemes and trends, in addition to the user security awareness training provided by the City.

Responsible Department(s): Administrative Services
Concurrence: Partially Agree
Target Date: March 2023
Completion Date: To be determined during the OCA's follow-up review

Action Plan: Key ASD employees (Finance Manager; AP Senior Accountant; Manager, Treasury, Debt & Investments; and Assistant Director, ASD) stay current on the control environment and activities through continuing education requirements, government association training opportunities, and news articles on the subject. ASD staff are members of the Government Finance Officers Association and the California Society of Municipal Finance Officers and have access to email distribution lists and discussion groups on these topics.
As discussed in Management's Response, Policy and Procedures 1-06/ASD, Payment Procedures, has been revised to reflect the City's practice of verbally confirming payment information through contact information that is independently obtained through the company's website or the vendor record in SAP; this is a control activity best practice implemented by staff as a result of cybersecurity and control environment training. In addition, the City requires cybersecurity training biennially. Key ASD staff will continue to actively pursue training opportunities to remain informed of new control environment practices, fraud schemes, and user security awareness.

Finding: ACH Payments

Recommendation: The ASD management should review segregation of duties among creating/updating vendor records, processing vendor invoices, and processing payments, and evaluate risks associated with conflicts. The ASD management should work with IT to identify ways to improve segregation of duties and mitigate risks.

Responsible Department(s): Administrative Services
Concurrence: Partially Agree
Target Date: March 2023
Completion Date: To be determined during the OCA's follow-up review

Action Plan: As noted previously, ASD has revised Policy and Procedures 1-06/ASD, Payment Procedures, to describe mitigating controls that ASD has in place over ACH and wire payments. ASD is aware of the system configuration in the ERP and has implemented internal controls to mitigate the risk the system configuration could present. Staff continually reviews segregation of duties and the internal control structure that is in place with the goal of maximizing use of staff resources and balancing that with risk mitigation. Staff agrees that a technology solution to improve segregation of duties is ideal. As part of phase two of the ERP upgrade, staff will evaluate the cost benefit of system configuration modifications.
Recommendation: Until the segregation of duties conflicts in the City's ERP system are resolved, the ASD management should strengthen mitigating controls over the AP payment process by ensuring that the controls are designed to mitigate risks adequately and are operating effectively. The City's Policy and Procedures 1-06/ASD, Payment Procedures, should be updated to clearly define the controls and communicate them to the employees.

Responsible Department(s): Administrative Services
Concurrence: Partially Agree
Target Date: February 2023
Completion Date: February 22, 2023

Action Plan: Staff agrees that updates to the City's Policy and Procedures 1-06/ASD, Payment Procedures, will provide clear communication to employees and memorialize the control practices already in place. As listed below, segregation of duties and mitigating control practices exist in the ACH and wire payment process, and updates to 1-06/ASD, Payment Procedures, will ensure clear definition of these controls. Staff believes that the following controls are designed to mitigate risk effectively and operate effectively:

• Verbally confirm vendor banking information through independently obtained contact information and/or the master vendor record in SAP.
• Invoices cannot be parked and posted by the same AP employee. In addition, invoices cannot be parked and processed by the same AP employee.
• Although all three AP employees can post and process ACH batch payments, this control risk is mitigated by requiring three approvers to process the payment. The third approver, Manager, Treasury, Debt & Investments, has no authorization to park, post, or process payments. Independent review of all ACH payments is done by verifying the vendor, dollar amount, and authorized signature(s).
• The AP Senior Accountant reviews banking changes made in the SAP system before approving the ACH batch. Documentation of these banking changes began in May 2022.
• The ACH batch cannot be uploaded and approved by the same person in the City's bank online portal (U.S. Bank).
• AP staff do not have authority to enter goods receipts in SAP (MIGO). A goods receipt is required for all PO-related payments.

Baker Tilly US, LLP, trading as Baker Tilly, is a member of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. © 2022 Baker Tilly US, LLP.

City of Palo Alto
Office of the City Auditor (OCA)
Policy & Services Committee Meeting
April 26, 2023

Agenda
• Presentation of the Remote and Flexible Work Study Report
• Presentation of the Electronic Payment Process and Controls Report

The OCA greatly appreciates the support of the Human Resources and Administrative Services Departments in conducting these audit activities. Thank you!

Remote and Flexible Work Study Report
PRESENTATION

The objectives of this audit were to:
1) Evaluate the alignment of remote and flexible work policy and procedure to best practices.
2) Identify position eligibility criteria for remote and flexible work schedules.

• During the FY2022 risk assessment, the OCA identified recruitment and retention challenges and the need for a study of remote positions, which affect recruitment and retention as many people prefer remote positions.
• The OCA created a framework for the implementation of a remote and flexible work study program based on:
  − Interviews with the Human Resources management staff
  − Analysis of current applicable remote work policies, and market research
• The framework includes the use of a criteria tool and two potential options for the implementation of the framework. The tool can be used to objectively evaluate City positions for remote and flexible work eligibility.
• The report provides market trend research to inform future implementation of this recommended framework and optional surveys to distribute to City employees for assistance in the determination of remote and flexible work eligibility.
Policy and Services Committee Action
PRESENTATION

The City Auditor recommends that the Policy and Services Committee take the following action:
• Approve the Remote and Flexible Work Study Report and recommend the City Council accept the report.

Electronic Payment Process and Controls Report
PRESENTATION

The objectives of this review were to:
1) Determine whether adequate controls are in place and working effectively to ensure that all electronic payments are valid and properly processed in compliance with the City's policies and procedures.
2) Determine whether end user security awareness training is sufficient to prevent erroneous payments caused by phishing.

• In the summer of 2021, the City was subject to multiple attempts at unauthorized transfers of funds and became a victim of one of the scams, Business Email Compromise (BEC). This incident was identified in late July 2021 when the legitimate vendor inquired about a payment they never received from the City.
• According to the FBI's 2021 Internet Crime Report, BEC schemes are among the top incidents reported in 2021. The report shows California had the most victims and losses (67K and $1.2B, respectively) among all states, American territories, and the District of Columbia.
• The OCA reviewed the ACH and wire disbursement processes by the Accounts Payable and Treasury teams, banking information addition and modification, and the user security awareness training to evaluate the design of internal controls.
• The OCA tested randomly selected disbursement transactions to determine whether the controls are operating effectively.

Policy and Services Committee Action
PRESENTATION

The City Auditor recommends that the Policy and Services Committee take the following action:
• Approve the Electronic Payment Process and Controls Report and recommend the City Council accept the report.

Questions?