Md State Audit - Secretary Office 2007
Download original document:
Document text
Document text
This text is machine-read, and may contain errors. Check the original document to verify accuracy.
Audit Report Department of Public Safety and Correctional Services Office of the Secretary and Other Units February 2007 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND GENERAL ASSEMBLY • This report and any related follow-up correspondence are available to the public through the Office of Legislative Audits at 301 West Preston Street, Room 1202, Baltimore, Maryland 21201. The Office may be contacted by telephone at 410-946-5900, 301-970-5900, or 1-877486-9964. • Electronic copies of our audit reports can be viewed or downloaded from our website at http://www.ola.state.md.us. • Alternate formats may be requested through the Maryland Relay Service at 1-800-735-2258. • The Department of Legislative Services – Office of the Executive Director, 90 State Circle, Annapolis, Maryland 21401 can also assist you in obtaining copies of our reports and related correspondence. The Department may be contacted by telephone at 410-946-5400 or 301970-5400. February 16, 2007 Delegate Charles E. Barkley, Co-Chair, Joint Audit Committee Senator Nathaniel J. McFadden, Co-Chair, Joint Audit Committee Members of Joint Audit Committee Annapolis, Maryland Ladies and Gentlemen: We have audited the Office of the Secretary and other units of the Department of Public Safety and Correctional Services (hereinafter referred to as the Office) for the period beginning May 28, 2003 and ending June 30, 2006. The specific budgetary units are indicated on page 19 of this report. Our audit disclosed certain internal control deficiencies relating to the Office’s inmate medical contracts with five contractors to provide health services to inmates in the State’s correctional institutions. For example, the Office did not adequately review contractor invoices before payment and, as a result, certain overpayments were made to contractors. Payments made to contractors under the inmate health services contracts totaled $110 million in fiscal year 2006. Subsequent to our audit fieldwork, the Office negotiated agreements which require the medical services contractor and the mental health services contractor to pay liquidated damages totaling $1.75 million and $130,000, respectively, for the period from July 1, 2005 through January 17, 2007. These agreements also specify that the Office will hold the contractors harmless from any further claims related to this period. Our audit also disclosed that the Office had not established procedures to verify that all 911 Trust Fund fees collected each year by service carriers were remitted to the State. Furthermore, we noted control deficiencies with respect to cash receipts, accounts receivable, fingerprint database security, corporate purchasing cards, and equipment. Respectfully submitted, Bruce A. Myers, CPA Legislative Auditor 2 Table of Contents Executive Summary 5 Background Information 7 Agency Responsibilities Performance Audit Settlement Agreements Current Status of Findings From Preceding Audit Report Findings and Recommendations 7 7 7 8 9 Inmate Health Services Contracts Finding 1 – The Office Did Not Adequately Review Contractor Invoices for 9 Propriety Resulting in Overpayments to Contractors Finding 2 – The Office Reimbursed Contractors for Items Purchased 11 Without Ensuring that the Items Had Been Received Finding 3 – The Office Had Not Ensured that Contractors Complied 11 with Contract Provisions for Identifying Third Party Payments 911 Trust Fund Finding 4 – The Office Lacked Procedures to Verify the Propriety of 911 Trust Fund Fees Remitted by Service Carriers Criminal Justice Information System Cash Receipts Finding 5 – Adequate Controls Were Not Established over Collections 12 13 Accounts Receivable Finding 6 – Non-Cash Credit Transactions Were Not Always Properly Supported 14 Fingerprint Database Security Finding 7 – Controls over Automated Fingerprint Images Need Improvement 15 Corporate Purchasing Cards Finding 8 – Sufficient Controls Were Not Established over Corporate Purchasing Cards 16 3 * Equipment Finding 9 – Proper Controls Were Not Established over the Office’s Capital Equipment 17 Audit Scope, Objectives, and Methodology 19 Agency Response * Appendix Denotes item repeated in full or part from preceding audit report 4 Executive Summary Department of Public Safety and Correctional Services Office of the Secretary and Other Units February 2007 • The Office did not adequately review invoices from the contractors providing inmate health services to ensure that only appropriate payments were made. The Office should verify the propriety of contractor invoices to ensure that payments are proper and within the terms of the applicable contract. • The Office reimbursed contractors for certain items purchased under the terms of the inmate health services contracts without ensuring that the items had been received. Documentation supporting the receipt of items purchased should be received prior to processing the related invoices for payment. • The Office had not determined whether the contractors providing inmate health services had complied with the contract provisions for identifying third party payments. The Office should ensure that the contractors comply with the contractual requirement for identifying and obtaining third party payments. • The Office had not established procedures to verify the propriety of the 911 Trust Fund fees remitted by the service carriers operating in the State. The Office should establish procedures to ensure that all fees collected by service carriers for the 911 Trust Fund were subsequently remitted. • The Office had not established adequate controls over Criminal Justice Information System cash receipts. We provided detailed recommendations to improve controls, including the segregation of incompatible duties. 5 • Non-cash credit transactions were not always properly supported. Adequate documentation should be maintained to support non-cash credit transactions. • Access controls over a database that contained fingerprint images for law enforcement purposes need improvement. The Office should restrict the capability to delete fingerprint images from the database to employees who need such access to perform their job duties. In addition, reports of such deletions should be periodically generated for subsequent review. • The Office had not established sufficient controls over corporate purchasing cards. The Office should comply with the Comptroller of the Treasury’s Corporate Purchasing Card Program Policy and Procedures Manual requirements. • An independent control account was not maintained by the Office for computer equipment and the results of the physical inventories of such equipment were not reconciled to the related detail records. The Office should comply with the Department of General Services’ Inventory Control Manual requirements. 6 Background Information Agency Responsibilities The Department of Public Safety and Correctional Services – Office of the Secretary has statewide responsibility for the control and habilitation of incarcerated individuals. The Office is also responsible for the maintenance of the State’s criminal history record information. In addition, the Office is responsible for administering the 911 Trust Fund as required by law. According to the State’s records, during fiscal year 2006, the expenditures for the six budgetary units audited, which are indicated on page 19 of this report, totaled approximately $214 million. Performance Audit Our Office also conducted a performance audit of the process used by the Department of Public Safety and Correctional Services to monitor certain aspects of its inmate healthcare services program which is administered by contractors. The objectives of this performance audit were as follows: 1. To determine whether the Department had established procedures to ensure that the contractors hired sufficient staff with the requisite qualifications as stipulated by contracts and other directives of the Department. 2. To determine whether the Department implemented the necessary contractor monitoring procedures to ensure compliance with significant reporting provisions of the contracts. 3. To determine whether the Department had implemented adequate procedures to ensure effective coordination of the services rendered to the inmate population by the contractors. The results of this performance audit will be reported in a separately issued audit report. Settlement Agreements In January 2007, the Office entered into settlement agreements for liquidated damages totaling $1.75 million and $130,000 from two contactors providing services under the Office’s inmate health service contracts. Specifically, these settlements were with the contractors providing services under the medical services module and the mental health services module of the inmate health 7 contracts, respectively, and were for the period from July 1, 2005 through January 17, 2006. The inmate health services contracts permit the Office to assess liquidated damages against any contractor that fails to perform in a manner consistent with the contract provisions. The settlements were negotiated agreements which specified that the Office would hold the contractors harmless from any further claims related to this period, including any claims associated with billing overpayments or deviations from the contract terms as related to services provided. Current Status of Findings From Preceding Audit Report Our audit included a review of the current status of the seven findings contained in our preceding audit report dated February 18, 2004. We determined that the Office satisfactorily addressed six of these findings. The remaining finding is repeated in this report. 8 Findings and Recommendations Inmate Health Services Contracts On June 1, 2005 the Office entered into two-year one-month contractual agreements (with three one-year renewal options) totaling approximately $223 million, with five different contractors to provide inmate health services under six different service modules. The modules are medical, mental health, dental, pharmacy, utilization management and electronic patient health records/health management information system. The contractors are to provide these services to all inmates and arrestees in the custody of the Department. According to the Office’s records, payments made to these contractors under the contracts totaled $110 million in fiscal year 2006. Finding 1 The Office did not adequately review contractor invoices to ensure that only appropriate payments were made. Analysis The Office did not adequately review contractor invoices for propriety. Specifically, our review disclosed that the Office’s procedures required contractor invoices to be subject to only a cursory review before being approved for payment. For example, the Office did not verify the propriety of rates or hours billed by the contractors. Subsequent to payment, the invoices were to be reviewed by the Office of Inmate Health Services and any overpayments identified noted were to be recovered at the conclusion of the review process. Our test of 10 invoices totaling approximately $2.1 million processed during fiscal year 2006 disclosed certain billing problems that were not identified prior to invoice payment as follows: • For the medical module of the contract, we identified an overpayment of $34,600 on one monthly invoice which had not yet been detected by the Office. This overpayment occurred because the contractor improperly billed the Office a higher hourly rate for one service category than the hourly rate specified in the contract. After we brought this matter to the Office’s attention, the contractor adjusted a subsequent invoice to recover these overpayments. • For dental services, the contractor improperly calculated the amounts due on two monthly invoices resulting in overpayments totaling $55,200. The 9 contractor subsequently identified and adjusted a later invoice to recover these overpayments. • During fiscal year 2006, a contractor billed and was paid $54,300 for telephone related charges even though the contract specifically stated that the Office would provide telephone related services. When questioned about these charges, Office management stated that the contractor had been provided certain space in a facility where telephone service was not available and that the Office had instructed the contractor to obtain telephone service and provided reimbursements to the contractor to meet its contractual obligation. However, the Office could not provide specifics regarding services provided to, and reimbursed by, the Office. Therefore, the propriety of this payment under the terms of the contract was questionable. It is preferable to verify the propriety of contractor invoices prior to payment to avoid overpayments and negate the need to recover such overpayments. In addition, the existence of overpayments is significant since the process of subsequently reviewing paid invoices, on which the Office was relying to identify overpayments, was not effective. In this regard, as of November 2006, such a review had only been initiated for certain expenditures related to the medical module for the month of November 2005. Furthermore, the review process had not been completed for this one month, no overpayments had been recovered and the process was not initiated timely. The preliminary results of this one-month review resulted in a potential cost recovery of $219,805 for work hours deemed not in compliance with the contract. As noted in the Background Information section of this report, the Office subsequently entered into settlement agreements with the contractors providing services under two of the inmate health services contracts (including the medical module). These agreements preclude the Office from pursuing any additional claims related to the period from July 1, 2005 through January 17, 2007. Recommendation 1 We recommend that the Office conduct a more thorough review of contractor invoices for inmate health services prior to payment. These reviews should include a verification of the propriety of rates and the reasonableness of the hours being billed. To the extent that the Office must rely on reviews of contractors’ invoices after payment as the mechanism to ensure invoice propriety, we recommend that the Office complete those reviews and recover any overpayments in a timely manner. 10 Finding 2 The Office reimbursed contractors for items purchased without ensuring that the items had been received. Analysis The Office reimbursed contractors for items purchased without ensuring that the items had been received. Our test of 14 invoices totaling $400,000 paid during fiscal year 2006 disclosed that, for 8 invoices totaling $314,000, there was no documentation that the related goods had been received. According to the Office’s records, supplies purchased under the terms of the inmate health services contracts totaled approximately $3.5 million during fiscal year 2006. Under the terms of the inmate health services contracts, the contractors are permitted to purchase supplies, pharmaceuticals and materials after approval by the Office and are reimbursed upon the submission of appropriate third party invoices. While the contractors submitted third party invoices to support their reimbursement requests, in many instances verification of receipt (such as a receiving report) was not obtained. Recommendation 2 We recommend that documentation supporting the receipt of items purchased be obtained prior to processing the invoices for payment. Finding 3 The Office had not ensured that contractors complied with contract provisions for identifying third party payments. Analysis The Office had not determined whether the contractors providing inmate health services had complied with contractual requirements for identifying third party payments. Specifically, the Office had not determined whether the contractors had established a system to identify and collect potential third party payments from insurance companies and government agencies for medical services rendered to inmates and did not obtain quarterly reports from contractors detailing all third party payments received, as required. Office management advised us that, in their opinion, such a system would cost more than any monies received. However, management could provide no documentation (a study or cost/benefit analysis) to substantiate its opinion. 11 Under the terms of the contracts, the contractors are required to establish a system to identify and collect third party payments from insurance companies or other entities for medical services provided inmates and submit quarterly reports detailing payments received. For example, third party payments may be available from insurance coverage obtained through inmates’ previous employment or through Medicaid. These payments are to be remitted to the Office. Recommendation 3 We recommend that the Office ensure that the contractors providing inmate health services comply with the contractual requirements for identifying and obtaining third party payments, unless these requirements are determined to not be cost effective based on a documented analysis performed by the Office. 911 Trust Fund Finding 4 The Office had not established procedures to verify that all 911 Trust Fund fees collected by the service carriers were remitted to the State. Analysis The Office had not established procedures to verify that all 911 Trust Fund fees collected by mobile telecommunication service carriers (wireless providers) and by telephone service carriers (wired providers) operating in the State were properly remitted. According to the Office’s records, receipts deposited in the 911 Trust Fund totaled approximately $58 million in fiscal year 2006, of which $27 million was remitted by the wireless providers and $31 million was remitted by wired providers. The Public Safety Article of the Annotated Code of Maryland requires that, effective October 1, 2003, the Office adopt procedures for auditing these fee collections and remittances from the wireless providers. In response to a request for information from the General Assembly regarding the 911 Trust Fund, the Office reported in December 2003 that it was their intention to design the process and format for independent audits of wireless providers that should provide verification from the carriers records of the accuracy of the fees collected and remitted. However, as of November 2006, the Office had not established the audit procedures required by law. The law does not specifically address auditing 12 the fee collections and remittances made by the wired providers; however, it is our opinion that, because of the significance of collections and remittances, procedures should also be established for auditing the wired providers. The Public Safety Article of the Annotated Code of Maryland requires all counties and Baltimore City to operate an enhanced 911 system for both wired and wireless services. The Office is responsible for administering the 911 Trust Fund, which finances the operation, maintenance, and enhancement of 911 systems. The Fund is financed by a monthly fee paid by subscribers to their service carriers. The monthly subscriber fee, which is included on customers’ bills, consists of a State fee of $.25 per subscriber and a local fee of up to $.75 per subscriber. Carriers are required to report activity and remit collections monthly to the Comptroller of the Treasury for deposit to the 911 Trust Fund. The Comptroller forwards these activity reports to the Office. Recommendation 4 We recommend that the Office establish procedures to verify that all fees collected by service carriers for the 911 Trust Fund, including those received since October 1, 2003 if practicable, were subsequently remitted. Criminal Justice Information System Cash Receipts Finding 5 Adequate controls were not established over the Criminal Justice Information System (CJIS) collections. Analysis Adequate controls were not established over collections, such as for criminal background and fingerprint checks, received at the CJIS office. According to the Office’s records, collections at this location totaled approximately $2.7 million during fiscal year 2006. Specifically, we noted the following conditions: • Independent verifications were not performed to ensure that amounts collected and recorded were subsequently deposited. • Employees who recorded collections on the automated system had the capability to void transactions without obtaining documented supervisory approval. 13 • The employee who initiated and recorded non-cash credit adjustments to the accounts receivable records also had access to the related cash receipts. As a result of these conditions, receipts could be misappropriated without detection. Recommendation 5 We recommend that an employee independent of the CJIS cash receipts function verify that all collections are subsequently deposited by agreeing the amounts recorded on the initial source documents to deposit documentation provided by the bank. In addition, we recommend that voided transactions be reviewed and approved by supervisory personnel and that this review be documented and retained for future verification. Finally, we recommend that the employee who initiates and records the non-cash credit adjustments to the accounts receivable records not have access to the related cash receipts. We advised the Office on accomplishing the necessary separation of duties using existing personnel. Accounts Receivable Finding 6 Non-cash credit transactions were not always properly supported. Analysis The Office did not always maintain adequate documentation to support non-cash credit transactions. Our test of 10 non-cash credit transactions totaling $119,084 disclosed that, for 6 transactions totaling $76,597, the Office was not able to locate any documentation to support the propriety of the related transaction. These accounts receivable were primarily related to billings for services provided by the Office’s data center to various State and local law enforcement and criminal justice agencies. According to the State’s accounting records, during the period from May 2003 through April 2006, non-cash credits processed by the Office for these accounts receivable totaled approximately $1.4 million. Recommendation 6 We recommend that the Office maintain adequate documentation to support the non-cash credit transactions. 14 Fingerprint Database Security Finding 7 Controls over the deletion of fingerprint images in the Maryland Automated Fingerprint System (MAFIS) need improvement. Analysis Five accounts assigned to current users had authority to delete fingerprint images in the MAFIS Database Management System and did not require this capability. Furthermore, reports of fingerprint deletions were not generated for subsequent review by supervisory personnel. Consequently, there was a lack of assurance that the fingerprint images deleted were authorized for deletion by management. DBM’s Information Technology Security Policy and Standards states that State agencies must establish adequate access controls. The Policy and Standards further requires that agencies ensure that all systems have the ability to log and report specific actions (such as deletions) to data produced by information technology systems, and this capability must be enabled at all times. The Office, through its Information Technology and Communication Division (ITCD), receives automated management information services and criminal history record information which is used by the Department of Public Safety and Correctional Services (DPSCS) and other criminal justice agencies in the State. The ITCD supports several critical applications, such as MAFIS. Recommendation 7 We recommend that the Office comply with DBM’s Information Technology Security Policy and Standards and restrict the capability to delete fingerprint images to only those users who require such access to perform their job duties. We also recommend that reports of deleted fingerprint images be regularly generated and that these reports be subject to a documented supervisory review to ensure that all fingerprint image deletions are appropriate and authorized by management. 15 Corporate Purchasing Cards Finding 8 Sufficient controls were not established over corporate purchasing cards. Analysis The Office, which is responsible for coordinating the corporate purchasing card program for all units of DPSCS, did not exercise sufficient control over the assignment and use of DPSCS corporate purchasing cards. According to the records of the State’s credit card bank, as of April 2006, there were 229 active corporate purchasing cards throughout DPSCS. In addition, the corporate purchasing card expenditures for all DPSCS units, according to the State’s accounting records, totaled $9.7 million for the period from July 2005 to April 2006. Specifically, we noted the following conditions: • Our test of the corporate cardholder agreements for eight Office employees disclosed that four were not approved by the Office’s procurement card program administrator (PCPA), as required. • The Office did not maintain a current list of cards issued to DPSCS employees, as required. Consequently, there was no assurance that active purchasing cards were only held by current employees. During two recentlycompleted audits of DPCSC units, we reported that 8 employees’ cards remained active for periods ranging from 2 to 12 months after their employment was terminated. • Two units of the Office did not use the required monthly activity logs, which are to be used to record and approve purchases made. Consequently, there were no documented approvals for purchases made by unit personnel. During the period from July 2005 through April 2006, the corporate purchasing card expenditures for these two units, according to the State’s accounting records, totaled approximately $700,000. The Comptroller of the Treasury’s Corporate Purchasing Card Program Policy and Procedures Manual requires that the PCPA complete and sign the applicable cardholder agreement form. Furthermore, the Manual requires each agency to maintain a current list of cards issued and to promptly cancel cards upon the termination of the employee. Finally, the Manual requires cardholders to 16 maintain an activity log and the cardholder’s immediate supervisor must certify the accuracy and completeness of the log by signing and dating the log. Recommendation 8 We recommend that the Office comply with the provisions of the aforementioned Manual. Specifically, we recommend that the Office ensure that cardholder agreements are approved by the PCPA. We also recommend that the Office maintain a current list of cards issued and ensure that cards are only held by current employees. Finally, we recommend that activity logs be maintained by all units to ensure that purchases have been reviewed and approved by supervisory personnel. Equipment Finding 9 Proper controls were not established over the Office’s capital equipment. Analysis Record keeping and physical inventory procedures at the Office’s ITCD were not in compliance with certain provisions of the Department of General Services’ (DGS) Inventory Control Manual. According to the Office’s records, as of June 30, 2006, the book value of ITCD’s equipment totaled approximately $45 million, and consisted of computer-related equipment for all units of DPSCS. Our review disclosed the following conditions: • The control account for the computer-related equipment was posted from the same source data used to post the detail records. However, because the control account was based on the same source data as the detail records and was not reconciled to independent records, it did not provide for control over amounts recorded in the detail records. • Although the Office conducted physical inventories of ITCD’s equipment items during the audit period, the results of such inventories were not reconciled to the related detail records. For example, the inventory of ITCD’s computer-related equipment conducted in April 2006 had not been reconciled to the related detail records as of October 2006. A similar condition was commented upon in our preceding audit report. DGS’ Inventory Control Manual requires the maintenance of a control account independent of the detail records, and a periodic reconciliation of the control 17 account to the detail records, which should be approved. The Manual also requires that a complete physical inventory of sensitive capital equipment (such as computer equipment) be conducted at least annually, that the results of the physical inventories be reconciled to the related detail records, and that the related differences be investigated and resolved. Recommendation 9 We again recommend that the Office comply with the aforementioned requirements of the Inventory Control Manual. 18 Audit Scope, Objectives, and Methodology We have audited the following units of the Department of Public Safety and Correctional Services (DPSCS) for the period beginning May 28, 2003 and ending June 30, 2006: Office of the Secretary (including the 911 Trust Fund) Maryland Parole Commission Inmate Grievance Office Police and Correctional Training Commission Maryland Commission on Correctional Standards Division of Correction - Headquarters Our audit was conducted in accordance with generally accepted government auditing standards. As prescribed by State Government Article, Section 2-1221 of the Annotated Code of Maryland, the objectives of this audit were to examine the Office’s financial transactions, records and internal controls, and to evaluate its compliance with applicable State laws, rules and regulations. We also determined the current status of the findings included in our preceding audit report. In planning and conducting our audit, we focused on the major financial-related areas of operations based on assessments of materiality and risk. Our audit procedures included inquiries of appropriate personnel, inspections of documents and records, and observations of the Office’s operations. We also tested transactions and performed other auditing procedures that we considered necessary to achieve our objectives. Data provided in this report for background or informational purposes were deemed reasonable, but were not independently verified. Our audit included various support services (such as payroll, purchasing, maintenance of accounting records and related fiscal functions) provided by the Office on a centralized basis for two other DPSCS units, the Division of Parole and Probation and the Criminal Injuries Compensation Board, which are audited separately. Our audit did not include the computer operations of DPSCS’s Information Technology and Communications Division, which will be the subject of a separate audit and result in the issuance of a separate audit report of the data center. 19 Our audit scope was limited with respect to the Office’s cash transactions because the Office of the State Treasurer was unable to reconcile the State’s main bank accounts during the audit period. Due to this condition, we were unable to determine, with reasonable assurance, that all Office cash transactions were accounted for and properly recorded on the related State accounting records as well as the banks’ records. The Office’s management is responsible for establishing and maintaining effective internal control. Internal control is a process designed to provide reasonable assurance that objectives pertaining to the reliability of financial records, effectiveness and efficiency of operations including safeguarding of assets, and compliance with applicable laws, rules and regulations are achieved. Because of inherent limitations in internal control, errors or fraud may nevertheless occur and not be detected. Also, projections of any evaluation of internal control to future periods are subject to the risk that conditions may change or compliance with policies and procedures may deteriorate. Our reports are designed to assist the Maryland General Assembly in exercising its legislative oversight function and to provide constructive recommendations for improving State operations. As a result, our reports generally do not address activities we reviewed that are functioning properly. This report includes findings relating to conditions that we consider to be significant deficiencies in the design or operation of internal control that could adversely affect the Office’s ability to maintain reliable financial records, operate effectively and efficiently, and/or comply with applicable laws, rules and regulations. Our report also includes findings regarding significant instances of noncompliance with applicable laws, rules or regulations. Other less significant findings were communicated to the Office that did not warrant inclusion in this report. The Office’s response to our findings and recommendations is included as an appendix to this report. As prescribed in the State Government Article, Section 21224 of the annotated Code of Maryland, we will advise the Office regarding the results of our review of its response. 20 APPENDIX Department of Public Safety and Correctional Services Office of the Secretary 300 E. JOPPA ROAD • SUITE 1000 • TOWSON, MARYLAND 21286-3020 (410) 339-5000 • FAX (410) 339-4240 • TOLL FREE (877) 379-8636 • V/TTY (800) 735-2258 • www.dpscs.state.md.us February 14, 2007 STATE OF MARYLAND MARTIN O’MALLEY GOVERNOR ANTHONY G. BROWN LT. GOVERNOR GARY D. MAYNARD ACTING SECRETARY G. LAWRENCE FRANKLIN DEPUTY SECRETARY MARY L. LIVERS, PH.D. DEPUTY SECRETARY DIVISION OF CORRECTION DIVISION OF PAROLE AND PROBATION DIVISION OF PRETRIAL DETENTION AND SERVICES PATUXENT INSTITUTION MARYLAND COMMISSION ON CORRECTIONAL STANDARDS CORRECTIONAL TRAINING COMMISSION POLICE TRAINING COMMISSION MARYLAND PAROLE COMMISSION CRIMINAL INJURIES COMPENSATION BOARD EMERGENCY NUMBER SYSTEMS BOARD SUNDRY CLAIMS BOARD INMATE GRIEVANCE OFFICE Mr. Bruce A. Myers, CPA Legislative Auditor Office of Legislative Audits Room 1202 301 West Preston Street Baltimore, Maryland 21201 Dear Mr. Myers: The Department of Public Safety and Correctional Services has reviewed the draft audit report dated February 2007 for the Office of the Secretary and Other Units for the period beginning May 28, 2003, and ending June 30, 2006. The Department appreciates the constructive recommendations that were made as the result of this audit. Be assured that appropriate corrective actions have been or will be implemented to ensure full compliance with each agreed upon recommendation. The Department will continue to strive for excellence, and I am pleased that our commitment to the elimination of repeat audit findings is demonstrated in this report. For example, your review of the seven audit findings contained in the Department's preceding audit report reveals that the Department has satisfactorily addressed six of those findings. Below please find the Office of the Secretary's itemized responses that address the report’s audit findings and recommendations: INMATE HEALTH SERVICES CONTRACTS Finding # 1 - The Office did not adequately review contractor invoices to ensure that only appropriate payments were made. We agree in part, disagree in part. The Office will verify the propriety of contractor invoices for inmate health services to ensure that the payments are accurate and within the terms of the applicable contract. These reviews will include a verification of the propriety of rates and the reasonableness of the hours being billed. In addition, the Office will complete those reviews and recover any overpayments identified in a timely manner. -2- However, Section 15-103 of the State Finance and Procurement Article of the Annotated Code of Maryland requires all invoices to be paid within 30 days, and the Comptroller’s Accounting Procedures Manual requires that invoices be submitted to the General Accounting Division for payment within 25 days of receipt of the invoice. Due to the size and complexity of contractor invoices for inmate health services, the Office would be unable to conduct a thorough review of these invoices within the available time frame prior to payment. Finding # 2 - The Office reimbursed contractors for items purchased without ensuring that the items had been received. We agree. The Office will ensure that documentation supporting the receipt of goods will be obtained to support the validity of payment and retained for audit purposes. Finding # 3 - The Office had not ensured that contractors complied with contract provisions for identifying third party payments. We agree. The Office will contact the contractors providing inmate health services and determine whether the contractors have established a system to identify and collect potential third-party payments for medical services rendered to inmates as required by the contract. In addition, the Office will require the contractors to submit the required quarterly reports detailing all third-party payments. That said, and as reflected in the JCR submitted by the Department on October 1, 2006, institutionalized persons do not qualify for federal financial participation in Medicaid. 911 TRUST FUND Finding # 4 - The Office had not established procedures to verify that all 911 Trust Fund fees collected by the service carriers were remitted to the State. We agree. The Office will establish procedures to ensure that all fees collected by the providers on behalf of the 911 Trust Fund were subsequently remitted. To this end, the Office has contracted with a consultant for assistance in determining the feasibility of auditing surcharge collections and remittances received since October 1, 2003. CRIMINAL JUSTICE INFORMATION SYSTEM CASH RECEIPTS Finding # 5 - Adequate controls were not established over the Criminal Justice Information System (CJIS) collections. We agree. An employee independent of the CJIS cash receipt function will verify that all collections are subsequently deposited by agreeing the amounts recorded on -3the initial source documents to deposit documentation provided by the bank. In addition, voided transactions will be reviewed and approved by supervisory personnel, and this review will be documented and retained for future verification. Furthermore, the employee who initiates and records the non-cash credit adjustments to the accounts receivable records will not have access to the related cash receipts. Accounts Receivable Finding # 6 - Non-cash credit transactions were not always properly supported. We agree. The Office will establish procedures to ensure that non-cash credit transactions are reviewed and approved by supervisory personnel and the related documentation is retained for verification purposes. Fingerprint Database Security Finding # 7 - Controls over the deletion of fingerprint images in the Maryland Automated Fingerprint System (MAFIS) need improvement. We agree. The Office will comply with DBM’s Information Technology Security Policy and Standards and restrict the capability to delete fingerprint records to only those users that require such access to perform their jobs. Additionally, the Office will work with their MAFIS vendor (Sagem Morpho) to generate reports of deleted fingerprint records and subject these reports to a supervisory review to ensure that all fingerprint record deletions are appropriate and authorized by management. Finally, the deletion report reviews by management will be documented and retained for subsequent audit verification. Corporate Purchasing Cards Finding # 8 - Sufficient controls were not established over corporate purchasing cards. We agree. The Office will comply with the provisions of the Comptroller of the Treasury’s Corporate Purchasing Card Program Policy and Procedures Manual. Specifically, the Office will ensure that cardholder agreements are approved by the procurement card program administrator. The Office will also maintain a current list of cards issued and ensure that cards are only held by current employees. Finally, activity logs will be maintained by all units to ensure that purchases have been reviewed and approved by supervisory personnel. AUDIT TEAM James P. Shevock, CPA Audit Manager A. Jerome Sokol, CPA Information Systems Audit Manager William R. Smith, CPA Senior Auditor Richard L. Carter, CISA Information Systems Senior Auditor R. Frank Abel, CPA, CFE Susanne M. Bramowski Ken H. Johanning Elaine D. Kagan Tracey D. Mayet Staff Auditors David J. Burger Information Systems Staff Auditor