HomeMy WebLinkAboutAudit Reports - Public - Detention Services Billings - Audit Follow-up - 5/11/2018
Date: May 11, 2018
To: Kevin R. Phelps, City Manager
From: Candace MacLeod, City Auditor
Subject: Audit Follow-up: Detention Services Billings
In August 2017, the City Auditor’s Office completed an audit of the Maricopa County
(County) Detention Services Billings that are managed by the Police Department (PD).
The purpose of the audit was to determine whether there are adequate controls over
payments to the County Sheriff’s Office for detention services, and to assess
compliance with applicable laws, regulations, and policies. The audit included five
recommendations to strengthen controls. Management concurred with all the
recommendations and estimated that action plans to address them would be
completed by January 1, 2018.
In April 2018, an audit follow-up was performed, which indicated that management
had taken measures to reduce all but two reported risks. The open items include:
• Implementing a records management system (RMS) that will electronically store and
control access to HIPAA and personally identifiable information (PII )
• Establishing policies for data entry requirements in the RMS
An additional follow-up will be performed on the outstanding audit recommendations
in FY2019.
Please contact me if you have any questions.
Attachment
cc: Michael D. Bailey, City Attorney
Chris Briggs, Assistant Police Chief
Lisette Camacho, Assistant Director Budget and Finance
Tom Duensing, Assistant City Manager
Jack Friedline, Assistant City Manager
Rich LeVander, Assistant Police Chief
Vicki Rios, Director Budget and Finance
Rick St. John, Police Chief
_____________________________________________________________________________________
City Auditor’s Office 1 Detention Services Billings Follow-up
Recommendation
Management Response
August 2017
Management Response
April 2018 Status
1. PD should
enhance controls
to ensure PII and
HIPAA-related
information is
adequately
protected.
PD concurs that this
information needs to be
secure. It should be noted
that the Records area is one
of the most restricted areas of
the Police Department and
the people that have access
have all been screened
(Police Background which
includes AZDPS/FBI
fingerprints checks and
polygraphs). Additionally, we
are moving forward with the
review of all the information
stored in this area to ensure
we are following the AZ State
Retention schedules.
The department will move the
electronic data (Inmate
Information) to a more secure
device or restrict the number
of people that have access.
We will work with IT. This will
be completed by December
1, 2017.
As it relates to the hard
copies of Inmate Data that
are being secured in the
Records area, we will review
the list of people that have
access to the area and, if
necessary, reduce the
number of people having
access. We will only allow
people that have a business
reason and clearance to
have access to this area. The
Records area needs to be
secure as most of the reports
(not just booking data) have
personal identifiable
information.
Pending the RMS start in
mid-2018, the medical
questionnaire is now
being separated from
documents sent to
Records and is kept for a
retention period of one
year. Once the RMS
project is completed on
June 11, 2018, this form
will be kept
electronically with
secure access.
Open
_____________________________________________________________________________________
City Auditor’s Office 2 Detention Services Billings Follow-up
Recommendation
Management Response
August 2017
Management Response
April 2018 Status
2. PD should
develop controls
requiring
secondary levels
of review of fee
sheet audits,
establish policies
for CHIPS data
entry
requirements,
and train staff. PD
should also
explore
opportunities to
utilize technology
to increase the
accuracy and
efficiency of the
fee sheet audits.
We concur. PD will add a
secondary review; this
secondary review will involve
randomly selecting 10
percent of the individual
charges and conducting the
second review. If errors are
found by the secondary
reviewer (who will be a
different person than the
initial auditor) a full audit will
be conducted. This task will
begin on December 1, 2017.
We will look at our
procedures and policies as
they relate to the process.
With the CHIPS system being
phased out, we will need to
review the new RMS system to
ensure that we are tracking
the information needed to
audit MCSO invoices.
Procedures for
secondary review of fee
sheet audits were
implemented on
December 1, 2017.
However, we have not
developed a policy for
the entry of information
into the old system
(CHIPS). We have had
discussions about
making the dollar
amount of damage or
theft of property a
mandatory field in the
new RMS system, but
that will need to be
completed after it goes
live on June 11, 2018. We
anticipate it will be
completed by October
1, 2018.
Open
3. PD should
develop controls
to ensure records
related to
detention services
are retained in
accordance with
the Arizona State
Library, Archives,
and Public
Records, and
train staff.
We concur and will ensure
that we comply with our filed
retention schedule by
working with both Detention
and Records to shred what
needs to be destroyed. This
task will be completed by
December 1, 2017.
This was completed on
December 1, 2017.
Closed
4. PD should ensure
that County
invoices are paid
within 45 days of
the invoice date,
and consider
utilizing ACH/EFT
payments to
minimize the
processing time
We concur that invoices
need to be paid on time. In
discussions and reviewing the
recommendation with the
Police Budget Administrator,
we will contact Maricopa
County to set up payments
utilizing ACH/EFT. This task will
be completed by January 1,
2018.
PD will process County
invoices for payment as
soon as possible. PD has
had prior discussions with
Maricopa County in
regards to ACH/EFT
payments. Maricopa
County states they do
not prefer this form of
payment (ACH/EFT), as
funds at times are not
Closed
_____________________________________________________________________________________
City Auditor’s Office 3 Detention Services Billings Follow-up
Recommendation
Management Response
August 2017
Management Response
April 2018 Status
for detention
services invoices.
correctly tracked
internally within the
County.
5. PD should ensure
that all network
and application
access is
promptly
removed for
terminated
employees,
including
expenditure
approval
authority in the
PeopleSoft
system.
We concur that this is an
issue. Steps have been taken
to remove people from
having this authority. We
have reached out to Police
Personal Management Unit
(PMU). It was reported that
once the employee
separates from the
organization, a notification is
sent out to deactivate access
to systems and building. One
of the groups contacted with
this notification is the Police
Budget Administration. The
Police Budget Office staff was
not aware of the requirement
to take action and remove
individuals from the capability
of accessing this system. This
was completed October 4,
2017.
This was completed on
October 4, 2017.
Closed