Audit Reports - Public - Detention Services Billings Audit - 11/3/2017

Date: November 3, 2017
To: Kevin R. Phelps, City Manager
From: Candace MacLeod, City Auditor
Subject: Detention Services Billings Audit

As part of the FY18 approved audit plan, the City Auditor’s Office completed an audit of Maricopa County’s (County) Detention Services Billings that are managed by the Police Department (PD). The audit report includes five recommendations to strengthen controls. Management concurred with all the recommendations and has developed action plans to address them by January 1, 2018.

Audit recommendations include:
• Further restricting access to inmate health records and personally identifiable information
• Performing secondary reviews of PD’s monthly fee sheet audits
• Purging detention services records retained beyond their required retention period
• Paying County invoices electronically, as opposed to issuing manual checks
• Removing expenditure approval authority for a terminated employee to PD’s detention division account

We would like to thank City staff for their cooperation during the audit.

cc:
Michael D. Bailey, City Attorney
Lisette Camacho, Assistant Director of Budget and Finance
Tom Duensing, Assistant City Manager
Jack Friedline, Assistant City Manager
Vicki Rios, Director of Budget and Finance
Rick St. John, Police Chief

5850 West Glendale Avenue | Glendale, AZ 85301

Detention Services Billings Audit
August 2017

City Auditor’s Office
Detention Services Billings

Introduction

As part of the FY18 approved audit plan, the City Auditor’s Office conducted an audit of detention services billings that are managed by the Glendale Police Department (PD).
The City uses Maricopa County’s (County) detention facility to house inmates that are sentenced or held on charges for more than 48 hours and waiting to see a judge. In FY17, the City expended $1.609 million on inmate detention services with the County. City Council authorized expenditures of $1.369 million on May 24, 2016 for inmate detention services in FY17. The expenditure overage was ratified at the September 26, 2017 City Council meeting.

Arizona Revised Statutes (ARS) §31-121 requires the County Sheriff to accept individuals that a lawful authority, such as the City, present for detention or incarceration. Although the City has a detention facility, it is only deemed for temporary stays and is not permitted to hold misdemeanor defendants past 48 hours due to the lack of shower facilities, laundry facilities, and a medical clinic, which are standards set by the Commission of Accreditation for Law Enforcement Agencies, Inc.

Detention services are funded out of the general fund in PD’s Detention Division. The Detention division has 19 FTEs and an operating budget of $3.048 million. During FY17, the City reported 1,122 billable bookings with the Maricopa County jail. The FY17 per diem booking and housing rates, as set by Maricopa County, were $306.84 and $90.37, respectively.

The County emails an invoice and fee sheet to the City each month. While the invoice payment is due within 45 days, PD has 90 days to audit the fee sheet for accuracy. The City may request a credit or adjustment for a charge they believe is inaccurate by providing appropriate documentation to the County.

Purpose and Objectives

The purpose of the audit was to determine whether there are adequate controls over payments to the Maricopa County Sheriff’s Office for detention services, and to assess compliance with applicable laws, regulations, and City policies.

Scope and Methodology

The scope of the audit was July 1, 2016 to June 30, 2017.
To gain an understanding of processes and applicable policies and procedures, we interviewed staff from PD. We also reviewed three monthly billings in FY17 and reviewed various documentation including:
• City and departmental policies and procedures
• County rate memorandums, invoices, and fee sheets
• Credit requests and supporting documentation

Observations, Recommendations and Management Responses

As a result of our test work, we identified the following observations:

1) Access to personally identifiable information (PII) should be further restricted.

The fee sheets provided by County include PII, such as the inmate’s full name, date of birth, gender, and race. PII should be adequately safeguarded to prevent unauthorized access to sensitive information.

Both hard-copy and electronic versions of the fee sheets are retained by PD. The hard-copy versions of the fee sheets are stored in two separate PD offices in unlocked cabinets. The electronic versions are maintained on a network folder on the PD N:/ drive. Auditors identified 662 unique user accounts with access to this network folder. However, based on information from PD staff, there are only eight individuals with job duties that necessitate access to this folder.

Additionally, Health Screening forms completed for inmates at the time of booking are retained in PD’s Records area. These forms contain inmate medical information including their full name and any disclosed medical conditions or prescription medication they are taking. However, access to this area should be reviewed and further restricted.
Based on a review of the door access report provided by Security Services dated September 9, 2017, there are 130 individuals with access to the room, including non-Police personnel, Police volunteers, contractors, and other generic (unassigned) cards.

The County requires agencies to comply with all Federal and State laws, rules, and regulations, relating to the confidentiality of medical information and health care records, including the Health Insurance Portability and Accountability Act (HIPAA).

Potential Risk: High – Compliance, privacy and security concerns increase if PII and HIPAA information is not adequately protected.

Recommendation

PD should enhance controls to ensure PII and HIPAA-related information is adequately protected.

Management’s Response

We concur that this information needs to be secure. It should be noted that the Records area is one of the most restricted areas of the Police Department and the people that have access have all been screened (Police Background which includes AZDPS/FBI fingerprints checks and polygraphs). Additionally, we are moving forward with the review of all the information stored in this area to ensure we are following the AZ State Retention schedules.

The department will move the electronic data (Inmate Information) to a more secure device or restrict the number of people that have access. We will work with IT. This will be completed by December 1, 2017.

As it relates to the hard copies of Inmate Data that are being secured in the Records area, we will review the list of people that have access to the area and, if necessary, reduce the number of people having access. We will only allow people that have a business reason and clearance to have access to this area.
The Records area needs to be secure as most of the reports (not just booking data) have personally identifiable information.

2) Some potential credit opportunities were not identified during PD’s audit of the fee sheet.

PD has developed procedures to audit the fee sheet, which serves as the detail for the County’s monthly detention services invoices. The fee sheet, which can be 70 to 80 pages in length, is manually audited by one employee with limited secondary or supervisory review. The fee sheet audit must be completed and any credit requests submitted to the County within 90 days of the invoice date. As a result of this audit process, PD requested and received $47,546 in credit in FY17.

Auditors reviewed the fee sheets for December 2016, March 2017, and June 2017, and selected a sample of 88 bookings across those three months. Based on our review, we noted six instances of potential credit opportunities that were not identified and researched by PD, either due to error or insufficient training. Auditors worked with PD staff to determine if these bookings would have been eligible for an invoice credit and determined the following:
• Three bookings were not eligible for credit as the dollar amount related to the charge did not exceed the threshold necessary for reimbursement.
• Two bookings were not eligible for credit as no dollar amount was input into the CHIPS system; therefore, PD staff were unable to determine if the threshold necessary for reimbursement was exceeded. According to PD, policies and procedures have not been established over data entry requirements into the CHIPS system.
• One booking was not eligible for reimbursement, as the charge was a misdemeanor.

Additionally, the fee sheets were not recalculated to ensure accuracy. However, technology is available to reformat the fee sheets, allowing PD to further analyze and re-add fee sheets.
Potential Risk: High – The City may not obtain reimbursements it is entitled to or may pay for expenditures that are not valid.

Recommendation

PD should develop controls requiring secondary levels of review of fee sheet audits, establish policies for CHIPS data entry requirements, and train staff. PD should also explore opportunities to utilize technology to increase the accuracy and efficiency of the fee sheet audits.

Management’s Response

We concur. We will add a secondary review; this secondary review will involve randomly selecting 10 percent of the individual charges and conducting the second review. If errors are found by the secondary reviewer (who will be a different person than the initial auditor) a full audit will be conducted. This task will begin on December 1, 2017. We will look at our procedures and policies as they relate to the process. With the CHIPS system being phased out, we will need to review the new RMS system to ensure that we are tracking the information needed to audit MCSO invoices.

3) Detention services records were retained beyond their required retention period.

According to the County’s annual memorandum, agencies shall maintain detention records and documents for three years after the end of the fiscal year in which such records are created or received in accordance with the Arizona State Library, Archives and Public Records (AZLAPR) General Record Retention Schedule for all Public Bodies related to Finance Records. However, hard-copy and electronic records were retained dating back to January 2013, as PD staff managing fee sheet audits were not aware of the record retention period.
Potential Risk: High – Keeping records longer than the prescribed retention period poses financial, legal, audit, and investigative risks to the City.

Recommendation

PD should develop controls to ensure records related to detention services are retained in accordance with the AZLAPR and train staff.

Management’s Response

We concur and will ensure that we comply with our filed retention schedule by working with both Detention and Records to shred what needs to be destroyed. This task will be completed by December 1, 2017.

4) One invoice was paid late and electronic funds transfer (EFT) payments are not currently utilized to pay County invoices.

In FY17, detention services invoices were paid, on average, 18 days after the invoice date. However, auditors identified one invoice that was paid 4 days after the 45-day due date. According to staff, the check request was prepared 35 days after the invoice date, resulting in the late payment. Although PD has historically paid County invoices using a check request, follow-up with the County indicated that they accept ACH/EFT payments, which may streamline the payment process by replacing paper checks.

Potential Risk: Moderate/High – Late payment of invoices could result in added fees or lack of compliance with agreed upon terms. Inefficiencies increase the cost and time of doing business.

Recommendation

PD should ensure that County invoices are paid within 45 days of the invoice date, and consider utilizing ACH/EFT payments to minimize the processing time for detention services invoices.

Management’s Response

We concur that invoices need to be paid on time. In discussions and reviewing the recommendation with the Police Budget Administrator, we will contact Maricopa County to set up payments utilizing ACH/EFT.
This task will be completed by January 1, 2018.

5) A terminated employee had expenditure approval authority for PD’s Detention division account.

While reviewing the expenditure approval of the detention services invoices, it was noted that an employee who was terminated in 2013 had expenditure approval authority for the PD – Detention division account. Auditors reviewed the terminated employee’s approval authority and verified their access was removed for three other accounts in April 2017, but had not been removed for the PD – Detention division account.

Potential Risk: Moderate/Low – Not promptly removing employees’ expenditure approval authority could result in unauthorized expenditures.

Recommendation

PD should ensure that all network and application access is promptly removed for terminated employees, including expenditure approval authority in the PeopleSoft system.

Management’s Response

We concur that this is an issue. Steps will be taken to remove people from having this authority. We have reached out to Police Personal Management Unit (PMU). It was reported that once the employee separates from the organization, a notification is sent out to deactivate access to systems and building. One of the groups contacted with this notification is the Police Budget Administration. The Police Budget Office staff was not aware of the requirement to take action and remove individuals from the capability of accessing this system. This was completed October 4, 2017.