The URL can be used to link to this page

Home My WebLink AboutAudit Reports - Public - Vendor Management Internal Audit Final Report - 3/4/2021 FINAL REPORT City of Glendale VENDOR MANAGEMENT INTERNAL AUDIT FINAL REPORT March 4, 2021 Moss Adams LLP 999 Third Avenue, Suite 2800 Seattle, WA 98104 (206) 302-6500 Vendor Management Internal Audit Report-for the City of Glendale Table of Contents Executive Summary 1 A. Objectives 1 B. Conclusions 1 Detailed Report 4 A. Introduction 4 B. Background 4 C. Objectives 4 D. Scope and Methodology 5 Findings and Recommendations 7 Process Improvement Opportunities 16 Appendix A: Definitions of Audit Findings Rankings 17 Vendor Management Internal Audit Report for the City of Glendale | 1 EXECUTIVE SUMMARY Moss Adams LLP (Moss Adams) was contracted by the City of Glendale (the City) to evaluate and test internal controls related to the Budget and Finance Department’s vendor management function, including segregation of duties, monitoring the Vendor Master Listing, and integration with the City’s Vendor Self-Service (VSS) platform. We performed a variety of procedures to test internal controls and assess the vendor management function, including testing samples of vendor data changes and additions, analyzing user access levels within the accounts payable (A/P) module of Tyler MUNIS (MUNIS), assessing monitoring of the Vendor Master Listing, and performing a virtual walkthrough of the VSS platform. This internal audit was limited in scope to vendor management and did not include any procedures beyond this related to the procurement or A/P functions; therefore, mitigating controls may be in place that were not assessed during this project, which could lower the risk of the related findings identified. This engagement was performed in accordance with Standards for Consulting Services established by the American Institute of Certified Public Accountants. Accordingly, we provide no opinion, attestation, or other form of assurance with respect to our work or the information upon which our work is based. This engagement was also performed consistent with guidance issued by the Institute of Internal Auditor’s (IIA) International Professional Practices Framework (IPPF). This report was developed based on information gained from our interviews and analysis of sample documentation. The procedures we performed do not constitute an examination in accordance with generally accepted auditing standards or attestation standards. Our objectives for this engagement were:  To determine whether adequate internal controls were in place over the Vendor Master Listing, including the new vendor setup and vendor data maintenance functions.  To assess whether adequate segregation of duties were in place between vendor data management and A/P duties.  To evaluate the VSS platform for ease of use, data maintenance, and overall integration with MUNIS. The procedures and testing performed identified five areas that require improvement. These are highlighted in the following table. Vendor Management Internal Audit Report for the City of Glendale | 2 Vendor Management Segregation of Duties – High Risk 1 Finding Duties were not adequately segregated between those responsible for processing and approving new vendor setup and changes, and those that are involved in or have access to the disbursements process. Recommendation Adequately segregate duties to prevent any individual from having responsibility for or access to processing vendor additions and changes, approving those additions and changes, and processing or having access to process disbursements to the related vendors. Disbursements to Vendors not on the Vendor Master Listing – High Risk 2 Finding Approximately $3 million of disbursements were processed during a nine-month period to vendors who were not included on the City’s approved Vendor Master Listing. Recommendation Limit miscellaneous vendor account use to specific situations where it is warranted, establish a formal policy to guide the process, and perform regular reviews of related disbursements. Systems Access for Vendor Management – Medium Risk 3 Finding Systems access to process additions and changes to vendor data in MUNIS should be properly restricted to individuals who are responsible for the vendor management function. Recommendation Assess systems access levels to the vendor management function in MUNIS, and remove access for all individuals who do not have a need for access based on their current job responsibilities. Vendor Management Policies and Procedures – Medium Risk 4 Finding Comprehensive vendor management policies and procedures are not established and guidance related to vendor management is limited to the VSS Instruction Manual, which does not cover key controls or the roles and responsibilities of the vendor management function. Recommendation Develop and implement policies and procedures that specifically address the overall vendor management function. Vendor Master Listing Reviews – Low Risk 5 Findings Regular reviews of the Vendor Master Listing are not being performed to ensure that all vendors appear reasonable, vendor information is complete, and unused/stale vendors are deactivated after a certain period of time. Recommendation Establish and implement a process to review the Vendor Master Listing on a regular basis to ensure that vendor information is complete and unused/stale vendors are deactivated. Vendor Management Internal Audit Report for the City of Glendale | 3 Although the focus of this internal audit was to identify opportunities for improvement, it is important to note the areas of commendable operations. The City should be commended for the following accomplishments:  VSS Platform: The VSS platform was easy to use, instructions for vendors were clear and comprehensive, and overall, the platform was user-friendly. The Procurement Department was knowledgeable about the platform and could clearly walk a user through a new vendor setup.  Readiness for Change: During our interviews, feedback from City employees indicated an eagerness to adopt improvements to the vendor management function, including establishing comprehensive policies and procedures to cover not only the vendor management function but also the whole A/P function for the City. We would like to thank City staff and management for their willingness to assist with this project. Vendor Management Internal Audit Report for the City of Glendale | 4 DETAILED REPORT Moss Adams was contracted by the City to perform an internal audit over the vendor management function, which is assigned to the A/P Section within the Budget and Finance Department. This internal audit was performed as part of the Fiscal Year (FY) 2020 Annual Audit Plan developed by the City’s Independent Internal Audit Program (IIAP). Our internal audit was performed between August and November 2020. This internal audit was limited in scope to vendor management and did not include any procedures beyond this related to the procurement or A/P functions. Given that the scope was limited to controls surrounding vendor management, it is important to note that mitigating controls may be in place throughout different components of the procurement and A/P cycles that were not assessed during this focused internal audit. The City’s Budget and Finance Department is responsible for the A/P function, which encompasses all aspects of the disbursement process. The A/P Section has one full-time employee, the A/P and Payroll Supervisor (A/P Supervisor), who is primarily responsible for vendor management. A key component of a well-controlled A/P function is proper management and oversight of vendor data. City vendors must be set up and approved in the City’s enterprise resource planning system, MUNIS, in order for payments to be disbursed to them through the established A/P process. Vendors can be set up either directly in MUNIS, or vendors they can request to be approved through the VSS platform. The VSS platform was implemented in early 2019, with the goal of having all City vendors initiated/set up in the platform and then integrated with MUNIS. Although progress has been made in fully aligning the VSS platform and MUNIS, discrepancies still exist, including vendors in MUNIS that are not established in VSS and some changes that are still being processed directly in MUNIS. The Procurement Department is typically responsible for helping vendors get set up through the VSS platform. Once vendor additions and changes are integrated into MUNIS, a workflow is established so that each must be reviewed and approved by the A/P Supervisor. In order to be approved as a new vendor, key demographic information must be established and a valid W-9 must be submitted. Currently, the A/P Supervisor is assigned responsibility for reviewing and approving all new vendor requests, as well as processing vendor setup additions and changes that are made directly in MUNIS. At the time of this internal audit, the City had 3,678 unique vendors assigned an active identification number in MUNIS, and the City recorded approximately $326 million in disbursements during the nine-month period of January through September 2020. Our objectives for this internal audit were related to the City’s vendor management function, including the VSS platform. Specifically, the internal audit focused on the following objectives:  To determine whether adequate internal controls were in place over the Vendor Master Listing, including the new vendor setup and vendor data maintenance functions. Vendor Management Internal Audit Report for the City of Glendale | 5  To assess whether adequate segregation of duties were in place between vendor data management and A/P duties.  To evaluate the VSS platform for ease of use, data maintenance, and overall integration with MUNIS. In order to obtain an understanding of the specific processes and overall vendor management function, we conducted interviews with City personnel within the A/P and Procurement sections of the Budget and Finance Department who have designated responsibilities related to vendor setup, monitoring, and management. We reviewed the City’s draft A/P Policies and Procedures and the VSS Instruction Manual, as well as selected system reports. We performed the following detailed testing procedures:  Systems Access to Vendor Master File: To assess whether systems access to the Vendor Master Listing in MUNIS was properly restricted to authorized individuals based on their job responsibilities, we obtained a MUNIS Roles Report. The report was system-generated and showed all current access levels assigned, including the functionality of each access level and the individuals assigned to each level. We assessed the report for appropriateness based on our understanding of the individuals responsible for vendor management.  Vendor Additions and Changes: We obtained a MUNIS system-generated Change and Addition Report showing all vendor data activity processed between January 1, 2020 and September 1, 2020. We reviewed the listing of changes and additions for unusual activity (e.g., several changes to one vendor, vendor names that appear to be similar to someone in a key A/P and Procurement position). We assessed the users that processed changes and approved them in MUNIS, to determine whether users were limited to individuals who were identified in the interviews as having responsibility for this function. We assessed the number of instances where changes and additions were requested/processed and approved by the same person (e.g., A/P Supervisor). We randomly selected a sample of 65 changes and additions and performed the following: ○ Determined whether supporting documentation was on file to show if changes were requested by vendors through VSS or requested via phone/email ○ Assessed whether the changes processed within MUNIS tied to underlying requests ○ For any new vendor or change to a vendor name, address, or tax identification number (TIN), determined if a W-9 was submitted and on file to support the addition or change ○ For bank account information changes and additions, assessed for supporting documentation of bank account information  Vendor Master Listing: We obtained a MUNIS system-generated Vendor Master Listing and a full City-wide disbursement listing from January through September 2020. We performed database comparisons to identify the following for additional analysis: ○ Vendors that were on the Vendor Master Listing but had not been used (dormant or inactive) in the nine-month period ○ Vendors that received disbursements but were not included on the Vendor Master Listing. ○ Total volume and dollar amount of disbursements made to miscellaneous vendor identification (ID) numbers (e.g., vendor accounts set up that were not related to one specific vendor, such as temporary vendor or one-time use vendors). Vendor Management Internal Audit Report for the City of Glendale | 6  Policies and Procedures: We obtained the draft Vendor Management Policies and Procedures, as finalized policies were not in place. We assessed the draft policies and procedures for adequacy, internal controls, and best practices. We also assessed the City’s Procurement Policies and Procedures for any information related to the vendor management process, given that policies and procedures specific to the A/P function were not established.  VSS Platform: We obtained the current Vendor Registration Instructions and evaluated them for ease of use, completeness, and clarity. We performed a virtual walkthrough of the VSS platform with Procurement Department personnel. We walked through the process of requesting a new vendor setup and compared each step with the instructions. We assessed for opportunities to improve the use and functionality of the VSS platform. Vendor Management Internal Audit Report for the City of Glendale | 7 FINDINGS AND RECOMMENDATIONS 1. Finding Duties were not adequately segregated between those responsible for processing and approving new vendor setup and changes, and those that are involved in or have access to the disbursements process. Recommendation Adequately segregate duties to prevent any individual from having responsibility for or access to processing vendor additions and changes, approving those additions and changes, and processing or having access to process disbursements to the related vendors. Condition: Based on interviews and detailed testing, we determined that the A/P Supervisor was primarily responsible for processing all vendor additions and changes in MUNIS, and was also the established approver for all vendor additions and changes. No independent reviews of all vendor additions and changes were performed to ensure they were processed accurately and properly supported. Vendor change reports showing all vendor data additions and changes and the user who processed and approved them were also not monitored or reviewed. Criteria: Best practices for internal controls over the disbursement process require duties to be adequately segregated between vendor management and those responsible for processing disbursements to vendors. When this is not possible, adequate oversight and monitoring controls should be established. Cause: The City does not have current policies and procedures for vendor management. The standard practice has always been for A/P to own the vendor management function, and given that the A/P Supervisor is the primary individual involved in A/P, the MUNIS workflow was originally established to have that position review and approve all vendor additions and changes. This was regardless of whether or not the A/P Supervisor was also the original requester of the addition or change. A formal independent monitoring or review process was never established. Effect: The lack of segregation of duties creates the risk that one person could set up a new vendor, approve that vendor to be active in MUNIS, and process a disbursement to that vendor. The current responsibilities of the A/P Supervisor result in the same person processing vendor additions and changes that are not submitted through the VSS, as well as approving those additions and changes and the ones that come through the VSS. The lack of an independent review or monitoring could result in potential errors or inappropriate activity going undetected. While mitigating controls may be in place throughout the procurement and A/P functions, they were not assessed during the course of this internal audit. Recommendation A. The City should assess whether the current responsibility for setting up new vendors and editing vendor information could be transferred to someone outside of the A/P Section. This responsibility typically lies with the Procurement Department or with someone otherwise not involved in the A/P function. Vendor Management Internal Audit Report for the City of Glendale | 8 B. The current workflow established in MUNIS should be assessed to prevent one user from having the ability to request additions and changes and also approve their own additions and changes to vendor data. Ideally, those involved with A/P processing should not have any access to edit vendor data. C. A report of all vendor additions and changes, along with the user who processed the changes, should be ran on a regular basis (quarterly or biannually) and reviewed by someone independent of the A/P and Procurement functions to ensure that all vendor changes and additions appear reasonable and appropriate. If duties cannot be segregated, consider incorporating additional steps into this independent review, such as assessing for multiple changes to one vendor, assessing supporting documentation for a sample of vendor additions and changes, and reviewing all vendor name changes for unusual or unknown vendors. Management Response Management Agreement Owner Target Completion Date Concur Levi Gibson, Assistant Director of Budget and Finance March 31, 2021 Action Plan: Budget and Finance will develop vendor management policies and procedures that adequately segregate duties between those responsible for processing and approving new vendor setup and vendor changes, define the appropriate use of miscellaneous vendors, and define the process for reviewing the vendor master listing and system access by March 31, 2021. The vendor master listing, vendor changes and additions, and system access will be reviewed on a quarterly basis. 2. Finding Approximately $3 million of disbursements were processed during a nine-month period to vendors that were not included on the City’s approved Vendor Master Listing. Recommendation Limit miscellaneous vendor account use to specific situations where it is warranted, establish a formal policy to guide the process, and perform regular reviews of related disbursements. Condition: Based on our comparison of the Disbursement Listing for January through September 30, 2020 to the Vendor Master Listing, we identified many disbursements made to vendors that were not established City vendors with a unique vendor identification. This would mean those vendors had not gone through the vendor setup and approval process with the City. In total, approximately $3 million of disbursements were processed during the nine-month period to vendors that were not on the City’s Vendor Master Listing. Given that this internal audit was performed during the COVID-19 pandemic, the use of Purchase Cards (P-Cards) was likely significantly increased in comparison to their use previously, so this high level of usage identified may have been reasonable and appropriate; however, given the scope of this project, we were unable to perform an evaluation or testing in this area. Vendor Management Internal Audit Report for the City of Glendale | 9 We analyzed the disbursements mentioned above in more detail and identified the following categories of activity:  Temporary Vendors: There were 35 vendor ID numbers (IDs 4000 to 6000 series) categorized as temporary vendors, which received disbursements but were not on the Vendor Master Listing. These vendor accounts were used when there was a need for a temporary vendor (a vendor that will only receive City disbursements during a short period of time). Only one disbursement was processed to each of the 35 vendors during the nine-month period, and they were for small amounts (all 35 disbursements totaled less than $10,000). This appeared to be a reasonable use of a temporary vendor account, if adequate monitoring was in place.  One-Time Vendors: There were 12 vendor ID numbers (IDs 99987 through 99997 and 99999) being used regularly; however, they were accounts being used to process specific types of disbursements. Based on discussions with A/P personnel, this series of ID numbers were used for vendors considered to be one-time payment vendors, and include instances where one vendor may have several name variations and locations that need to be added during invoice entry. These were also used for refunds (including those related to permits, cancelled facility rentals, etc.), overpayments, or certain P-Card transactions. To determine whether these appeared reasonable and the related disbursement activity supported this explanation, we extracted all related disbursements for analysis. Based on the analysis, we found that approximately $980,000 of disbursements were made to these one-time payment vendors (3,083 unique vendors) in the period. Nine vendors received $10,000 or more in disbursements, 394 vendors received two or more disbursements, and 10 vendors received 10 or more disbursements.  Vendor ID 99998: Vendor ID 99998 processed 6,514 disbursements to 2,328 unique vendor names, totaling approximately $1.9 million. Based on discussions with A/P personnel, vendor ID 99998 is used for P-Card transactions without an established vendor account; however, determining whether this population of disbursements was truly related to only P-Card activity was outside the scope of this internal audit. Among these vendors, 19 received over $10,000 in disbursements, including one that received almost $130,000. In assessing disbursements to this vendor ID, several were made for $24,999, which is just under the Department Head approval threshold defined in the City’s Procurement Policies and Procedures. There were also instances where several disbursements were processed on one day, including one instance where a single day’s total was approximately $113,000, which exceeds the City’s $50,000 formal bid threshold. In addition, in scanning through these disbursements it was revealed that in many instances purchases were broken out into smaller-dollar purchases falling just below procurement solicitation requirements and approval thresholds. In this way, several charges to the same vendor were recorded in a single day, but broken into smaller amounts. Based on discussions with management, a large majority of these were auto-coded during the P-Card bank activity coding process and they were confident that adequate controls (including reviews, approvals, and usage monitoring) were in place over P-Card activity; however, this internal audit did not test those controls. In addition, based on inquiry, many of the larger purchases were incurred through the emergency procurement process during COVID, including some of the $24,999 purchases included in the $130,000 instance identified above.  Other Vendors: Based on an analysis performed, 29 “other” vendors were paid during the period that were not on the Vendor Master Listing. Six of these seemed to be a result of a timing difference between when the reports were produced, four were related to the transition to the MUNIS system, and the remaining appeared to be related to P-Card transactions. There were a total of 177 disbursements made to these 29 vendors, totaling approximately $91,000. Many of these vendors were paid several times (2 to 21 times). Three vendors were paid over $10,000. Vendor Management Internal Audit Report for the City of Glendale | 10 Criteria: While the City does not have established vendor management policies, best practices suggest that a formal vendor management function should be established and all new vendors should be set up following a predefined process of due diligence, including obtaining a current W-9 (for vendors the City plans to do business with). Disbursement activity should be monitored and controlled to protect City assets, and a well-controlled vendor setup and approval process is a significant component of that. Cause: Based on the details above, it appears that the use of vendors not established in the Vendor Master Listing is a pervasive issue and is likely being overused, without adequate monitoring controls in place. There are no City A/P policies and procedures to define when a formal new vendor setup process is required and what situations allow for a simplified payment method to be utilized. One contributing factor is that A/P has not determined how to set up a vendor that has multiple addresses or locations in MUNIS. Therefore, the default for these situations has continued to be to use a miscellaneous vendor ID. In addition, based on the volume of disbursements processed to vendor IDs designated for P-Card purchases, it appears that the use of P-Cards may not be adequately controlled and situations where a purchase should go through the standard procurement and the new vendor setup processes are not being identified timely. Effect: This creates several risks to the City, including the risk of disbursing funds to illegitimate vendors or to vendors that should have gone through the standard new vendor setup process, including obtaining and verifying a vendor’s W-9. When miscellaneous vendor accounts are used to process such a large volume of vendor disbursements, it creates the risk that the City will not be in compliance with 1099 regulations, disbursements to specific vendors will not be scrutinized to identify when additional approvals or solicitation requirements are exceeded, and other oversight may not be in place. It appears that employees may try to circumvent the standard procurement and A/P processes by using these alternative methods of payment given that, in many cases, larger vendor amounts were broken down into smaller disbursement amounts that fell right under additional procurement approval thresholds and/or solicitation thresholds. Recommendation A. The City should consider performing a focused audit on the use of the City's P-Card because in many cases, these appear to be used for very large disbursements that are potentially split to circumvent the City’s standard procurement and A/P processes. B. Activity coded to these miscellaneous vendor accounts should be thoroughly reviewed on a regular basis to ensure that their usage appears reasonable and in line with expected activity. For instance, if P-Card transactions are automatically coded when purchase activity is exported from the bank, a thorough review of the related vendor ID activity should be performed to ensure that the only transactions included were those transferred from P-Card activity. Although there may be controls outside the vendor management function (such as procurement reviews, emergency purchase controls, or refund processing controls), given that these established vendor IDs \can be used for miscellaneous reasons, reviewing the activity regularly would establish oversight to prevent inappropriate use of these miscellaneous accounts. C. If these types of miscellaneous vendor accounts continue to be used for one-time payments or other unusual payment setups, a policy specific to their use should be established. There are situations where it is appropriate to use a simplified vendor setup approach; however, this should be limited to pre-defined situations, and oversight of their use should be in place. The policy Vendor Management Internal Audit Report for the City of Glendale | 11 should include various controls such as use limitations, requirements that must be met to enter a payment to one of these vendor IDs, and regular review of ID activity to assess its reasonableness. ) This policy should also include summarizing vendor payments by vendor name to identify when disbursements meet a defined threshold, and ensuring they go through the standard vendor setup process and are subject to the City's Procurement Policy. Management Response Management Agreement Owner Target Completion Date Concur Levi Gibson, Assistant Director of Budget and Finance March 31, 2021 Action Plan: Budget and Finance will develop vendor management policies and procedures that adequately segregate duties between those responsible for processing and approving new vendor setup and vendor changes, define the appropriate use of miscellaneous vendors, and define the process for reviewing the vendor master listing and system access by March 31, 2021. The vendor master listing, vendor changes and additions, and system access will be reviewed on a quarterly basis. Budget and Finance reviewed the payments identified in the audit report and determined that procurement and account payable policies and procedures were followed and that there were no fraudulent payments. 3. Finding Systems access to process additions and changes to vendor data in MUNIS should be properly restricted to individuals who are responsible for the vendor management function. Recommendation Assess systems access levels to the vendor management function in MUNIS, and remove access for all individuals who do not have a need for access based on their current job responsibilities. Condition: In assessing the MUNIS systems access levels assigned, based on interviews performed we found that several employees who were assigned access to edit the Vendor Master Listing data should not have this level of access, given they were not responsible for processing vendor additions or changes. Specifically, six access levels were established that had edit access to vendor information, including one MUNIS role assigned to several accounting personnel; however, it was unclear if the one “MUNIS role” was still activated at of the time of this internal audit. Criteria: Best practices for internal controls require that all systems access levels to sensitive areas, such as vendor data maintenance, should be adequately restricted, controlled, and reviewed regularly. Systems access should always be restricted to individuals who require access based on their current job roles and responsibilities, to prevent inaccurate or inappropriate changes or access to data. Cause: The City does not have current policies and procedures for vendor management that would typically cover systems access restrictions and reviews. When MUNIS was implemented back in 2018, access levels were assigned and likely not scrutinized. Monitoring controls were never implemented to assess systems access levels on a regular basis based on job roles and responsibilities. Vendor Management Internal Audit Report for the City of Glendale | 12 Effect: A lack of adequately restricted systems access to vendor management functions creates the risk that individuals who should not process vendor additions or changes could process them. Although all changes require the A/P Supervisor’s approval, based on the established workflow setup in MUNIS and given the volume of changes and additions processed and the fact that the related responsibility is all assigned to one user, an inappropriate change or addition may not be identified timely. Recommendation A. These access levels should be assessed, and access to add new vendors and process vendor changes should be restricted to only those individuals responsible for performing those functions as part of their job responsibilities. In particular, follow-up is needed to determine if the MUNIS role is still active and if so, it should be deactivated. B. A systems access report should be run on at least a yearly basis to ensure access is properly restricted to this sensitive system function. The review should be documented and that documentation should be maintained. Management Response Management Agreement Owner Target Completion Date Partially Concur Levi Gibson, Assistant Director of Budget and Finance March 31, 2021 Action Plan: The user IDs identified in the Munis Role do not have access to add or make changes to vendors. The user IDs were disabled when the City upgraded to Munis 2019 and implemented active directory and a single sign on for network access. Budget and Finance confirmed that access to vendor management is appropriate for those employees who have the Munis Role. Budget and Finance will develop vendor management policies and procedures that adequately segregate duties between those responsible for processing and approving new vendor setup and vendor changes, define the appropriate use of miscellaneous vendors, and define the process for reviewing the vendor master listing and system access by March 31, 2021. The vendor master listing, vendor changes and additions, and system access will be reviewed on a quarterly basis. 4. Finding Comprehensive vendor management policies and procedures are not established and guidance related to vendor management is limited to the VSS Instruction Manual, which does not cover key controls or the roles and responsibilities of the vendor management function. Recommendation Develop and implement policies and procedures that specifically address the overall vendor management function. Condition: Guidance available to support the vendor management function was limited to minimal information in the VSS Instruction Manual, which is focused on how vendors are to use the platform and how related information is processed within the platform. A Vendor Management Policy was being drafted; however, it was very high level and did not include adequate coverage to control and guide the related function. Vendor Management Internal Audit Report for the City of Glendale | 13 Criteria: Best practices established by the Government Finance Officers Association (GFAO) and other reputable best practice resources recommend that all governmental entities formally adopt financial policies, including those covering the City’s expenditure process, that encompass vendor management. Cause: Formal policies and procedures have not been established to cover the City’s vendor management function. A/P communicated that they are working on draft policies that will cover vendor management. Effect: Without comprehensive policies and procedures to guide this significant transaction cycle for the City, there are gaps in the internal controls of the vendor management function. Specifically, the lack of policies has led to the following issues that were seen during this internal audit:  The use of miscellaneous vendor accounts is a pervasive issue, and adequate monitoring and review requirements are not established.  Responsibility for reviewing and maintaining a complete and current Vendor Master Listing is not assigned and therefore is not occurring.  One individual has access to perform all duties within the A/P function, and established monitoring and review requirements are not assigned for the related vendor changes and additions. Recommendation: Comprehensive policies and procedures should be developed and implemented that specifically address the vendor management function. Roles and responsibilities should be well-defined and compliance should be monitored. Comprehensive policies and procedures should include all significant areas within the vendor management function, including but not be limited to the following:  New vendor setup requirements, reviews, and approvals  Vendor change requirements, reviews, and approvals, including specifically defining who is responsible for verifying changes  Supporting documentation requirements for all vendors  Vendor change report reviews  Segregation of duties between vendor setup/approval and A/P processing  Systems access controls and related access reviews  The use of miscellaneous vendor accounts, including defined instances in which their use is permitted, what thresholds require the new vendor setup process, and what review controls must be in place to monitor the usage  Vendor Master Listing reviews, trend analysis, and identification of inactive vendors  Deactivating and re-activating unused vendors Although this internal audit was focused on vendor management, we recommend that the City consider the following coverage areas when developing full A/P policies and procedures:  Invoice receipt and approval  Reconciliation between invoices, purchasing documentation, and receiving documentation  Invoice coding and system entry Vendor Management Internal Audit Report for the City of Glendale | 14  A/P processing, including required reviews/approvals, invoice tie out, and pre and post-check register reviews and approvals  Check printing, signature, and check stock maintenance controls  Electronic payment processing, reviews, and approvals  Overall review and monitoring over the A/P function, including those performed by individuals outside the A/P function as well as Vendor Master Listing reviews, cleanup, and trend analysis that should be performed Management Response Management Agreement Owner Target Completion Date Concur Levi Gibson, Assistant Director of Budget and Finance March 31, 2021 Action Plan: Budget and Finance will develop vendor management policies and procedures that adequately segregate duties between those responsible for processing and approving new vendor setup and vendor changes, define the appropriate use of miscellaneous vendors, and define the process for reviewing the vendor master listing and system access by March 31, 2021. The vendor master listing, vendor changes and additions, and system access will be reviewed on a quarterly basis. 5. Finding Regular reviews of the Vendor Master Listing are not being performed to ensure that all vendors appear reasonable, vendor information is complete, and unused/stale vendors are deactivated after a certain period of time. Recommendation Establish and implement a process to review the Vendor Master Listing on a regular basis to ensure that vendor information is complete and unused/stale vendors are deactivated. Condition: Based on interviews, regular reviews of the Vendor Master Listing are not being performed to ensure that all vendors appear reasonable, vendor information is complete, and inactive vendors are deactivated after a certain period of time. A full Vendor Master Listing review has not been performed in the two years since the transition to MUNIS. In comparing the disbursements listing for January through September 30, 2020 to the Vendor Master Listing, there were 2,365 vendor IDs on the Vendor Master Listing that were not used in the nine-month period. Criteria: A vendor management system is used to track City-approved vendors and monitor activity with those vendors. In order for the system to be effective, vendors included must be current and active. Cause: The Vendor Master Listing has not been reviewed since the transition to MUNIS, and it is unclear whether any process was in place prior to that. Defined policies in this area are not established, and responsibility for maintaining a current Vendor Master Listing is not assigned. This is likely due to the lack of documented policies and because ownership over the responsibilities for reviewing the Vendor Master Listing has not been assigned. Vendor Management Internal Audit Report for the City of Glendale | 15 Effect: Maintaining a large number of unutilized vendors in the Vendor Master List creates the risk of having long gaps between when the vendor is verified as a legitimate vendor W-9 confirmation, bank information, etc.) and when the vendor is actually used. It also creates the risk of lacking oversight of these vendor accounts to identify potential inappropriate activity. Recommendation: A process should be established and implemented to ensure that the Vendor Master Listing is reviewed on a regular basis, to ensure that vendor information is complete and that unused vendors that meet a defined period of inactivity are deactivated. Management Response Management Agreement Owner Target Completion Date Concur Levi Gibson, Assistant Director of Budget and Finance March 31,2021 Action Plan: Budget and Finance will develop vendor management policies and procedures that adequately segregate duties between those responsible for processing and approving new vendor setup and vendor changes, define the appropriate use of miscellaneous vendors, and define the process for reviewing the vendor master listing and system access by March 31, 2021. The vendor master listing, vendor changes and additions, and system access will be reviewed on a quarterly basis. Vendor Management Internal Audit Report for the City of Glendale | 16 PROCESS IMPROVEMENT OPPORTUNITIES Moss Adams also identified opportunities for process improvements as a result of this internal audit. The table below summarizes these recommendations: CATEGORY PROCESS IMPROVEMENT RECOMMENDATIONS 1 Vendor Master Listing within the VSS Platform The City should work with the VSS platform provider to determine how a listing of all vendors can be produced and exported. At the time of this internal audit, a report could not be provided. A/P should perform a reconciliation between the VSS and MUNIS to identify discrepancies between the two systems. An initiative to resolve all discrepancies should be implemented, to ensure that the systems are consistent and complete and the full benefits expected from implementation of the VSS platform can be recognized. Once the systems are in sync, a process should be implemented to perform a reconciliation between the two systems on a periodic basis. This effort will also help clean up the Vendor Master Listing by identifying old vendors that were migrated into MUNIS but have not been established in VSS, signifying they likely have not been utilized in over two years. 2 Changes and Additions within Vendor Profiles One out of 65 changes and additions to vendor profiles tested had no supporting documentation on file for the addition of bank account information. All changes that City employees make to add or change information for a vendor should be properly supported. Specifically, for any vendor bank information changes or additions, a formal request along with support for the new bank information should be obtained and maintained. Vendor Management Internal Audit Report for the City of Glendale | 17 APPENDIX A: DEFINITIONS OF AUDIT FINDINGS RANKINGS We utilized the City’s Independent Internal Audit Program risk rankings, presented below, and assigned rankings based on our professional judgment. A qualitative assessment of high, medium, or low helps to prioritize implementation of corrective action, as shown in the following table. HIGH Critical control deficiencies that exposes the City to a high degree of combined risks. Recommendations from high-risk findings should be implemented immediately (preferably within three months) to address areas with most significant impact or highest likelihood of loss, misappropriation, or damage related to City assets. MODERATE Represents less than critical deficiencies that expose the City to a moderate degree of combined risks. Recommendations arising from moderate-risk findings should be implemented in a timely manner (preferably within six months) to address moderate risks and strengthen or enhance efficiency in internal controls on areas with moderate impact and likelihood of exposure. LOW Represents low-risk or control deficiencies, and the exposure is not likely to expose the City and its assets to significant losses. However, they should be addressed in order to improve efficiency and effectiveness of operations. Recommendations arising from low-risk findings should be implemented within 12 months.