Escolar Documentos
Profissional Documentos
Cultura Documentos
June 1, 2009
Report on Accountability
We appreciate the opportunity to work in cooperation with your Department to promote accountability, integrity and openness in government. The State Auditors Office takes seriously our role to advocate for government accountability and transparency and to promote positive change. Please find attached our report on the Department of Social and Health Services accountability and compliance with state laws and regulations and its own policies and procedures. Thank you for working with us to ensure the efficient and effective use of public resources. Sincerely,
Insurance Building, P.O. Box 40021 Olympia, Washington 98504-0021 (360) 902-0370 TDD Relay (800) 833-6388 FAX (360) 753-0646 http://www.sao.wa.gov
Table of Contents
State of Washington Department of Social and Health Services
Audit Summary.............................................................................................................................................. 1 Related Reports ............................................................................................................................................ 3 Description of the Department ...................................................................................................................... 4 Schedule of Audit Findings and Responses ................................................................................................. 5 Status of Prior Audit Findings...................................................................................................................... 36
Audit Summary
State of Washington Department of Social and Health Services ABOUT THE AUDIT
This report contains the results of our independent accountability audit of the Department of Social and Health Services for the period from July 1, 2007, through June 30, 2008. We evaluated internal controls and performed audit procedures on the activities of the Department. We also determined whether the Department complied with state laws and regulations and its own policies and procedures. In keeping with general auditing practices, we do not examine every transaction, activity or area. Instead, the areas examined were those representing the highest risk of noncompliance, misappropriation or misuse. The following areas were examined during this audit period: Department-wide Background checks Social Service Payment System (SSPS) duplicate payments Crisis Residential Center slot payments Cash receipt internal controls Division of Child Support Agency Financial Reporting System (AFRS) duties Local funds Green Hill School Overcapacity foster homes Payroll Internal controls child care payments Overpayment write-offs Citizen referrals System controls Agency Contract Database (ACD), Automated Client Eligibility System (ACES), Electronic Jobs Automated System (eJAS) and Support Enforcement Management System (SEMS) Loss/misappropriation Division of Developmental Disabilities Case management internal controls Individual Service Plans (ISPs) Social Service Payment System (SSPS) disbursements Contracts Cash receipts Fixed assets
RESULTS
In most areas, the Department complied with state laws and regulations and its own policies and procedures. However, we identified seven conditions significant enough to report as findings: The Department of Social and Health Services, Childrens Administration and Economic Services Administration, paid an adoptive parent, foster care providers and child care providers who had not cleared background checks. The Department of Social and Health Services did not have controls in place to prevent misappropriation and ensure payroll accuracy. The Department of Social and Health Services internal controls over provider payments are not adequate, resulting in misappropriations totaling approximately $230,000. The Department of Social and Health Services does not ensure all payments made through its Social Services Payment System are supported and approved. The Department of Social and Health Services Economic Services Administration systems are vulnerable to misappropriation and inappropriate data changes. The Department of Social and Health Services does not adequately monitor access to critical systems. The Department of Social and Health Services does not adequately monitor contracts with Crisis Residential Centers to ensure compliance with state law and contract requirements. We also noted certain matters that we communicated to Department management. appreciate the Departments commitment to resolving those matters. We
Related Reports
State of Washington Department of Social and Health Services FINANCIAL
We perform an annual audit of the statewide basic financial statements, as required by state law (RCW 43.09.310). Our opinion on these financial statements is included in the Comprehensive Annual Financial Report (CAFR) prepared by and available from the Office of Financial Management. The CAFR reflects the financial activities of all funds, organizations, institutions, agencies, departments and offices that are part of the state's reporting entity. That report is issued by the Office of Financial Management in December of each year and can be found at www.ofm.wa.gov.
FEDERAL PROGRAMS
In accordance with the Single Audit Act, we annually audit major federal programs administered by the state of Washington. Rather than perform a single audit of each agency, we audit the state as a whole. As a result of the federal audit work performed at the Department, including the Medicaid program, we identified 31 conditions significant enough to report as federal findings. The results of that audit are published in a report issued by the Office of Financial Management in March of each year. A link to that report can be found on our Web site.
PERFORMANCE AUDITS
Initiative 900, approved by voters in 2005, gives the State Auditor's Office the authority to conduct independent performance audits of state and local government entities. Performance audits include, but are not limited to, providing objective analysis to improve program performance and operations, reducing costs and identifying best practices. We did not issue any performance audit reports related to the Department since the last accountability report was issued.
OTHER REPORTS
In addition to these reports, we issued 11 reports pursuant to the State Employee Whistleblower Act (Chapter 42.40 RCW), which are available on our Web site.
AUDIT HISTORY
We audit the Department annually. During the past five audits, we reported several areas of concern as follows: Four findings in 2003, one finding in fiscal year 2004, three findings in fiscal year 2005, four findings in fiscal year 2006 and four findings in fiscal year 2007. In addition, we audit several federal programs, including Medicaid, at the Department annually. Audit findings related to those programs can be found in the annual single audit reports, which are issued by the Office of Financial Management. Links to those reports can be found on our Web site, www.sao.wa.gov.
The Department of Social and Health Services, Childrens Administration and Economic Services Administration paid an adoptive parent, foster care providers and child care providers who had not cleared background checks. Background
State law requires adoptive parents, foster care providers and child care providers to have a criminal background check completed prior to the placement of a child. The Childrens Administration administers the foster care and adoption placement programs. In fiscal year 2007, the Department paid approximately $96 million to foster care providers and approximately $72 million to adoptive parents and support service providers. The Economic Services Administration determines eligibility and processes payments for in-home and relative child care providers. The Department paid approximately $40 million to these child care providers during fiscal year 2008. Adoptive parents must undergo one background check. In-home and relative child care providers must be checked every two years and foster care providers every three years. Some providers are paid for foster care services even though no child is placed with them. These services include transportation and respite care. These providers also are required to undergo background checks. Background check requests have been submitted to the Departments Background Check Central Unit and tracked in a database since August 2000. In our audits of fiscal years 2003 through 2007, we reported the Department was not complying with criminal background check requirements. We are repeating the finding in this audit report.
Description of Condition
We obtained foster care, adoption and child care support payment data for fiscal year 2008 from the Social Service Payment System, which is used to authorize and issue payments to these providers. We cross-matched the names of individuals who received payments during fiscal year 2008 with the names in the Unit database to identify individuals who may not have had a background check prior to payment. The cross-match identified 5,902 providers whose names did not have an exact match in the database. Of those, we selected 250 child care providers receiving the highest payments and randomly selected 400 providers of foster and adoption services. We found: Ninety-seven payments were related to adoptions that took place prior to 2002. Records retention requirements permit destruction of background check records after six years, so we were unable to pursue a further review regarding the appropriateness of these payments.
Five hundred names were recorded in the database with slightly different spellings or other minor differences, such as Bob and Robert. Other identifying information, such as Social Security numbers, matched. We consider these resolved. Twenty-seven provided services that did not include having unsupervised access to children. No background check was required. Of the remaining 26, we found the Department paid: Twenty transportation or respite care providers who had not had background checks. One relative child care provider for transportation services whose background check was not completed until nine months after the payment. One provider whose background check was not conducted until more than two years after the adoption. Two child care providers who had not had background checks. One child care services provider who did not have a background check every two years. One provider whose background check was incorrectly cleared using a relatives name. We were not able to determine how the error was made.
Cause of Condition
The Department requires a supervisor to review the background check and sign off before a child is placed in a foster or adoptive home. However, the Department does not have a similar review process in place for child care providers or support service providers.
Effect of Condition
The Department paid adoption, foster care and child care providers who had not had background checks. The lack of background checks increases the risk of people with disqualifying criminal backgrounds having access to children served by the Department.
Recommendation
We recommend the Department do a secondary review of all providers, required to have cleared background checks, prior to being authorized to provide services and receive payment. We further recommend the Department ensure all rejected background check forms are corrected, resubmitted and cleared prior to authorizing payment. The Departments processes should be documented so they can be monitored and enforced.
Departments Response
This finding was directed at the Economic Services Administration and Childrens Administration. Both administrations concurred with the finding. Their individual responses follow. Economic Services Administration Economic Services concurs that four child care cases were missing a background check. The Community Service Division (CSD) did not have a supervisory review process in place for child care providers similar to that which Childrens Administration had for foster and adoptive homes. CSD was aware of the lack of adequate controls in this area and submitted a work request to BarCode April 28, 2008 that included adding an automated feature to BarCode that will prevent SSPS from making a payment to a provider who does not have a current background check. Because of competing priorities, BarCode was unable to complete the request last year. However, as a result of this finding, we will attempt to have the request elevated on the priority list for completion this year.
Washington State Auditors Office 6
CSD does have a front-end process that prevents the background check form from being submitted with incomplete information. The form must include specific data elements before it can be processed by BarCode. When a form is submitted without all required information, it is returned to the client to obtain the missing information from the child care provider. When the completed form is returned, the information is entered and the form is sent through the automated system to be processed. CSD does not track forms that are not returned from clients. CSD does not authorize payment for providers that do not have a completed and current background check on file. However, SSPS does not check with BarCode to see if there is a current background check, consequently some providers may unintentionally get paid. The work request change in BarCode described above will ensure providers that do not have a background check do not receive payments. The client is notified when the chosen provider does not respond to requests for additional information and informed they need to find a different child care provider. When a background check results in a finding that is not disqualifying, the client decides character and suitability of the provider. The client decides whether to use the provider and informs the department of their decision. Supervisory review is not required for this decision. BarCode automatically sends a tickle to the worker 45 days prior to expiration date of the providers background check. CSD is exploring the possibility of staff working the tickler as a mandatory part of their job to help assure background checks are completed every two years as required. Childrens Administration Childrens Administration concurs with this finding. Following the October 2006 enactment of federal Adam Walsh legislation, practices and procedures around background checks were significantly strengthened through implementation of the legislation, which addressed who was to be checked, how often, when providers could be compensated and what is to be covered in the check. Childrens Administration will work with field staff to assist them in complying with Department policy regarding obtaining background checks for providers. For those exceptions identified where a background check was not located, Childrens Administration will confirm whether or not one was completed. If it is determined that one was not done or if it cannot be confirmed, we will conduct background checks. The steps to be taken to address each of these will be outlined in our corrective action plan. Those identified as exceptions because payments were made prior to the completion of a background check cannot be addressed in a corrective action plan because the finding addresses the timeliness of completing the background check, versus not completing a background check. If the background check revealed disqualifying information action would have been taken to terminate the provider as a service provider. If it did not, those providers will continue to provide and be paid for their services. However, the issue of timely completion of checks will be addressed through additional emphasis on compliance with existing policy as referenced above.
Auditors Remarks
We thank the Department for its response and the steps it is taking to prevent future occurrences. We look forward to reviewing these improvements during our next audit.
(2) A prospective or current employee for a licensed care provider or a person or entity contracting with us; (3) A volunteer or intern with regular or unsupervised access to children who is in a home or facility that offers licensed care to children; (4) A person who is at least sixteen years old, is residing in a foster home, relatives home, or child care home and is not a foster child; (5) A relative other than a parent who may be caring for a child or an individual with a developmental disability; (6) A person who regularly has unsupervised access to a child or an individual with a developmental disability; (7) A provider who has unsupervised access to a child or individual with a developmental disability in the home of the child or individual with a developmental disability; and (8) Prospective adoptive parents as defined in RCW 26.33.020. WAC 388-06-0130, Does the background check process apply to new and renewal licenses, certification, contracts, and authorizations to have unsupervised access to children or individuals with a developmental disability? These regulations apply to all applications for new and renewal licenses, contracts, certifications, and authorizations to have unsupervised access to children and individuals with a developmental disability that are processed by the department after the effective date of this chapter. WAC 388-06-0150, What does the background check cover? (1) The department must review the following records: (a) Criminal convictions and pending charges. (b) For children's administration, child protective service case file information (CAMIS) for founded reports of child abuse or neglect; and (c) For children's administration, administrative hearing decisions related to any DLR license that has been revoked, suspended or denied. (2) The department may also review any civil judgment, determination or disciplinary board final decisions of child abuse or neglect. (3) The department may review law enforcement records of convictions and pending charges in other states or locations if: (a) You have lived in another state; and (b) Reports from credible community sources indicate a need to investigate another state's records. (4) If you have lived in Washington state less than three years immediately prior to your application to have unsupervised access to children or to individuals with a developmental disability, the department requires that you be fingerprinted for a
Washington State Auditors Office 9
background check with the Washington state patrol (WSP) and the Federal Bureau of Investigation (FBI), as mandated by chapter 74.15 RCW. WAC 170-290-0140, When is my in-home/relative provider not eligible for WCCC payment? We do not pay for the cost of in-home/relative care if: (1) Your provider does not meet the requirements in WAC 388-290-0130, 388-290-0135, and 388-290-0138; (2) Your in-home/relative provider has been convicted of, or has charges pending for crimes posted on the DSHS secretary's crime and action list for background checks for ESA. You can find the complete list at http://www1.dshs.wa.gov/esa/dccel/policy.shtml; (3) We do not have background check results according to WAC 388290-0143; (4) The provider is: (a) The child's biological, adoptive or step-parent; (b) The child's non-needy or needy relative or relative's spouse or live-in partner; (c) The child's legal guardian or the guardian's spouse or live-in partner; or (d) Another adult acting in loco parentis or that adult's spouse or live-in partner. (5) We do not have the results of all applicable criminal background checks under WAC 388-290-0143(1) and 388-290-0150. An inhome/relative provider is not an eligible provider (per WAC 388-2900095 and 388-290-0100) prior to receiving these background results. Providers other than in-home/relative providers you can use are described in WAC 388-290-0125; or (6) We determine your provider is not of suitable character and competence or of sufficient physical or mental health to meet the needs of the child in care, or the household may be at risk of harm by this provider, as indicated by information other than conviction information. We will use criteria, such as the following, when reviewing information about incidents/issues/reports/findings: (a) Recency; (b) Seriousness; (c) Type; (d) Frequency; and (e) Relationship to the direct care of a child including health, mental health, learning, and safety.
WAC 170-290-0143, Who must have a background check for the WCCC program and how often is the check done? (1) A background check must be completed for: (a) All in-home/relative providers who apply to care for a WCCC consumer's child; and (b) Any individual sixteen years of age or older who is residing with a provider when care occurs outside of the child's home. (2) A background check must be completed for individuals listed in subsection (1)(a) and (b) of this section at least every two years. (3) Additional background checks must be completed for individuals listed in subsection (1)(a) and (b) of this section when: (a) Any individual sixteen years of age or older is newly residing with a provider when care occurs outside of the child's home; (b) We have a valid reason to do a check more frequently. (c) An in-home/relative provider applies to provide care for a family, such as when: (i) A break in service occurs to the current consumer; (ii) There is a break in consumer eligibility; or (iii) A provider is currently providing care and there are no prior background results for this provider. (4) We do not need to request a new background check for an individual in subsection (1)(a) or (b) if: (a) We have results that were received no more than ninety days prior to the current requested start date of care; and (b) The results indicate that there is no record.
Description of Condition
We found the Department is not using the available system controls and has not compensated for this through increased monitoring. Specifically: The payroll and personnel functions are segregated at Department headquarters. The human resource offices at the institutions perform both functions. HRMS provides separate roles for payroll and personnel processing so those who add employees to the system and enter their salaries are not able to enter and authorize pay. However, the Department granted both roles to 25 employees.
Washington State Auditors Office 12
No control is in place to prevent employees with the payroll processing or personnel administrator roles from changing payroll or personnel records, including their own, without approval. Reports are available to identify individuals who have changed their own records so such changes can be monitored and investigated; however, at headquarters and at one institution we reviewed, management was not running these reports.
Cause of Condition
The Department does not have a uniform payroll process. The 22 institutions fall under three Department administrations; each administration has its own guidelines. Headquarters provides guidance, but each administration can choose to follow that guidance or to have its own policies. Supervisors of employees who enter data directly into HRMS were not familiar with the lack of system controls. Headquarters employees stated they knew about the control issues, but did not have authority over the institutions. Institution personnel stated they could not prevent employees from changing their own records without a formal policy in place. They also stated they needed to key their own payroll in order to meet payroll deadlines. Management stated the report that identifies HRMS changes is too difficult to run and too cumbersome to use.
Effect of Condition
Although our audit work did not identify inappropriate payroll changes, the current process creates significant risks of misappropriation and errors that will not be detected in a timely manner if at all. If detected, the Department could have a difficult time determining who was responsible.
Recommendation
We recommend the Department: Establish and follow compensating controls to monitor transactions entered into HRMS without supervisory approval and changes to payroll records. Ensure individuals responsible for processing payroll do not have the access needed to add individuals to or delete them from the personnel system. Review reports and obtain additional training on how to interpret them in order to more effectively monitor changes made to HRMS data.
Departments Response
The Department does not agree that the payroll and personnel functions at the institutions are not segregated. Payroll responsibilities and staff are and have been under the direct supervision of the institution, while the personnel data processes are under the supervision of the Human Resources Division within Management Services. The Department concurs with the finding that the Department granted both payroll and personnel processing roles to headquarters and institution employees. When HRMS was initially implemented, the functions within those roles were not clear and neither was the impact of the implementation to the personnel and payroll processes. In order to allow the most flexibility with the resources available, Personnel and Payroll processing roles were given to approximately 30
Washington State Auditors Office 13
employees within the Personnel and Payroll processes to allow for manual intervention if necessary. Even with dual access we maintained a segregation of duties by clearly defined work roles and responsibilities for personnel and payroll staff. In March of 2009 and in response to the SAO audit the department reviewed all HRMS users and removed all conflicting roles. The Department concurs with the finding that we did not have compensation controls in place to prevent employees with payroll processing or personnel administrator roles from changing payroll or personnel records without approval. The HRMS system does not have any controls to prevent an individual from entering or changing data on their own personnel/payroll account. The request for this control to be provided through the system was made on September 17, 2008 to the Department of Personnel (DOP) under Help Ticket # 109793. Completion of this Help Ticket is dependent on DOPs schedule. The Department concurs with the finding that reports are available to identify individuals who have changed their own records. As indicated in the statewide audit report, the HRMS does provide a Logged Changes in the Info type Data Report to monitor data changes. This report is reviewed by Headquarters Payroll Office staff, however as the SAO auditor verbally noted when reviewing this report on site, it is a post-transaction report and not a control that prevents payroll processing staff or personnel administrators from changing payroll or personnel records, including their own, without approval. The Department will continue to examine possible solutions to effectively and efficiently monitor data changes in the system until HRMS system changes providing pre-transaction controls are implemented by DOP.
Description of Condition
Preventive Controls Child care case workers who have the system access needed to set up clients and providers also have the ability to authorize payments. Developmental disability client case managers cannot establish providers. Payments can be authorized only if a provider already is in the Departments Agency Contract Database. However, we found Division case managers can authorize payments to providers even if the provider contract has expired. Detective Controls For the child care program, the Department does not have detective controls in place to verify payments to providers are for services rendered. In addition, no system is in place to prevent child care payments in excess of the maximums established by state law without prior approval from a supervisor or proper supporting documentation on file. A number of Department supervisors stated they relied on a process called Audit 99 to determine if payments are valid.
We learned this process was developed to monitor client eligibility, not as a way to identify invalid payments. We reviewed the process and determined it would not be effective in detecting inappropriate provider payments. The Developmental Disabilities Division has a detective control in place that requires supervisors to select three cases each month, contact the client or client representative and verify that services paid for were rendered. Division supervisors also receive reports of high-risk transactions, such as one-time payments and payments in excess of the maximums allowed by policy. However, supervisors do not consistently do either of these. Similar to the child care program, the Division also lacks controls to prevent developmental disability provider payments in excess of the maximums established by policy without prior approval from a supervisor or proper supporting documentation on file. We also noted for both programs, supervisors perform the audit and verification procedures. In most instances, these supervisors also establish and authorize payments to service providers. No mechanism is in place to ensure transactions initiated by supervisors are independently reviewed.
Cause of Condition
SSPS is a 30-year old system that lacks software to track transactions created or updated within the mainframe. This condition is compounded by a lack of supervisory review of transactions. We also found no process is in place to eliminate providers whose contracts have expired from the Agency Contracts Database. Economic Services Administration management stated they were putting a payment review process in place, but that had not occurred by the end of our audit. Regional offices relied on an audit process designed to evaluate case worker performance. It would not detect inappropriate payments because it does not include verification with anyone associated with the case to ensure services were rendered. The Department stated that adding preventative controls in SSPS is not reasonable because the Department is creating a new social service payment system designed in part to correct these weaknesses. However, the new payment system has been delayed with no new target date set.
Effect of Condition
Two misappropriations continued for several months at the Department. The Department notified our Office of both as required. In May 2007 through January 2008, three child care workers established false providers in the system and authorized and paid them $130,000. In August of 2006, a case resource manager paid $100,000 for services not rendered to clients. A Washington State Patrol investigation found $8,289.92 was misappropriated when the case resource manager issued payments to a relative who was a former contracted client service provider still registered in the system. The remaining payments of $91,000 were issued to a home health agency for services not rendered. We were unable to determine the nature of the relationship, if any, between the case resource manager and the home health agency. We reported these misappropriations as part of our State of Washington Single Audit. That report is available on the Office of Financial Managements web site, www.ofm.wa.gov. Without controls designed to detect and prevent misappropriation, the Department is at risk of these occurring in the future.
Recommendation
The Department stated SSPS cannot segregate the duties of setting up providers and issuing payments. Therefore, we recommend the Department: Develop a process to identify inappropriate child care payments. Increase the number of developmental disability client case files reviewed by supervisors and enforce policies and procedures regarding this review. Establish and follow a process of reviewing child care and Developmental Disability payments issued by supervisors. Develop an approval process for payments in excess of maximums set by state law and Department policy. Establish and follow controls to prevent payments to providers without current contracts.
Departments Response
This finding was directed at the Aging and Disability Services Administration (ADSA) and the Economic Services Administration (ESA). ADSA concurred with the finding and ESA partially concurred. The response from each administration follows. Aging and Disability Services Administration ADSA concurs with these findings. We will increase compliance with the Division of Developmental Disabilities policy requiring supervisory review of client case files and CASIS output reports to at least fifty percent. We will continue supervisor monthly review of all authorization for payments in excess of maximums. Controls currently in place to prevent payments to providers without current contracts will be continued, including worker verification of provider contracts and supervisor verification during client case review. Economic Services Administration ESA concurs with the finding that there are no preventive controls in place to limit child care authorizing workers from having system access needed to set up client cases and authorize payments. In our current automated work environment, the same person who sets up the case can also authorize payments, and the current 1% supervisory audits are designed to check for improper authorization of transactions and adequate documentation. ESA partially concurs that there are no detective controls in place designed to provide evidence that an error or loss has occurred. Current policy requires supervisory review and approval for authorizations in excess of the standard amount; however, that process is not consistently followed. To minimize child care payment errors for authorizations over the standard, on June 1, 2009 ESA will implement a 9-code pre-authorization process. The new process will include system controls that prevent the worker from submitting over the standard authorizations for payments that do not have appropriate supervisory approval. This change will create a separation of duties and enforce tighter controls for this type of authorizations. The change will apply to supervisors who can also authorize over the standard payments as allowed in policy. A non-authorizing supervisor will have to review and approve authorizations created by a child care supervisor. The system will not accept authorizations over the standard if the person submitting the authorization is the same person authorizing the payment. Audit 99 (a multi-level audit tool
used by ESA to complete performance audits on workers and programs) will continue to be used by ESA to ensure eligibility and authorizations are made correctly. Audit 99 was not designed nor expected to detect inappropriate provider payments. To address provider payments, ESA relies on the Quality Assurance (QA) Attendance Reconciliation effort. QA pulls a random sample of Working Connections Child Care cases to compare child care authorizations to attendance records and the payments issued. ESA staff correct errors when identified and establish an overpayment when warranted. Report training for supervisors, stressing payment accuracy, has been developed to assist the field in minimizing payment errors. The training will begin May 1, 2009 and be completed no later than June 30, 2009.
Auditors Remarks
We thank the Department for its response and the steps it is taking to improve internal controls. We will review the status of the Departments corrective action during our next audit.
Department of Social and Health Services Information Technology Security Policy Manual, 2.2.5 SEPARATION OF DUTIES AND SUPERVISION, Policy Statement 2.2.5, states: Take reasonable precautions to minimize the risk of financial fraud or theft, or of the mishandling of confidential or sensitive information (i.e. categories 2, 3, or 4as defined at Section 3.2.1), through separation of duties and supervision. Standards S1. Design program area workflow to provide as much separation of sensitive functions as possible. S2. Actively supervise and review employee efforts where confidential data or the potential for committing fraud exists.
Description of Condition
The Department pays providers on an invoiced or non-invoiced basis. For invoiced payments, providers approve or change the invoices and return the information to the Department. Non-invoiced payments are paid monthly to the provider over a specified period of time. The Departments Payment Review Program (PRP) contracts with a private company to develop and run algorithms on system data to help identify inappropriate payments. The programs that use the system to pay providers work with PRP and the contractor to develop the algorithms designed to enhance each programs existing provider and payment reviews. The contractor runs the algorithms from once a quarter to once a year, depending upon each programs request. The algorithm logic and data are reviewed and approved by Department staff before the Department determines if an overpayment has occurred. PRP reviews and approves all overpayment data before submitting it to the Office of Financial Recovery, which collects the money back from providers. To follow up on the weaknesses previously identified, we selected 1,234 potentially inappropriate payments for 399 clients based on: Multiple payments to the same provider for the same client for the same time period and amount. Multiple manual override payments to the same provider for the same client for the same time period and amount. Multiple State Supplemental Payments to the same client for the same month.
We reviewed documentation supporting transactions for the Childrens, Aging and Disability Services and Economic Services administrations. We found: Administration Number of Clients 83 155 161 399 Number of Payments 281 523 430 1234 Number of Clients with inappropriate payments 62 124 68 254 Number of inappropriate payments 116 201 93 410 Dollar amount of overpayment identified $40,155.35 $106,587.78 $7,117.54 $153,860.67
We found 33 percent of the payments tested were inappropriate. The Department made 410 inappropriate payments to clients and providers, totaling $153,860.67. The Department identified 49 of these through its review process and our audit identified the remaining 361. The overpayments were a combination of state and federal dollars.
Cause of Condition
The Department relies on internal controls that do not identify all potentially inappropriate payments. The different methods of paying providers coupled with controls designed only to detect overpayments increases the risk of inappropriate payments that will not be identified in a timely manner.
Effect of Condition
The Department overpaid $153,860 for client support and services and risks making future overpayments.
Recommendation
We recommend the Department: Establish and follow controls to prevent duplicate payments from occurring. Strengthen reviews of SSPS payments to identify overpayments. Continue collecting on overpayments identified during the audit. Consult with grantors to determine if funds used for inappropriate payments should be repaid to the federal government.
Departments Response
This finding is directed at the Aging and Disability Services Administration (ADSA), the Childrens Administration (CA) and the Economic Services Administration (ESA). Each administration concurred with the finding. The response for each administration follows.
Aging and Disability Services Administration ADSA concurs with this finding. We agree that the errors identified by the auditor were made and will continue to use and enhance the tools in place to prevent duplicate payments from occurring. ADSA will take steps to ensure quality assurance reviews are being completed as required. Also, ADSA will review established procedures to determine if additional controls can be implemented to reduce duplicate payments. Finally, we will continue to train staff on overpayments, and ensure supervisors are conducting adequate reviews of SSPS payments to identify overpayments. We reviewed all the exceptions identified in the audit. We established overpayments on all duplicate payments and will take action to recover those overpayments. Finally, we will work with the U.S. Department of Health and Human Services to determine if any costs are unallowable. Childrens Administrations CA concurs with this finding. There were a total of 116 exceptions identified during this audit, 17 of which were overpayments that had already been identified by the Department and reported to the Office of Financial Recovery, (OFR) for collection. For the other 99 exceptions the Department will compile the relevant information needed to submit them also to OFR for collection. This activity will be outlined in our corrective action plan for this finding. In response to a similar finding in the 2007 SAO audit, we indicated that Famlink, the new case management system includes many additional edits and controls to prevent such duplicate payments. Familink was implemented in February 2009 and we anticipate the new controls will significantly reduce future duplicate payments. Those not prevented by FamLink controls will be identified and corrected through algorithms run by the Payment Review Program. Economic Services Administration ESA concurs with the auditors finding that we do not have adequate internal controls to identify duplicate authorizations before issuing payments. Staff currently use a pre-authorization process for exception payments. This process requires the supervisor to review and approve payments over the standard prior to authorizing payment; however, the process is not consistently followed. ESA has some controls in place to review authorized payments issued through supervisory audits. Supervisors review and work the Duplicate Payment Report (40N51) monthly to identify duplicate payments, and when warranted, staff corrects the case and completes an overpayment. ESA utilizes two additional safeguards: (1) running algorithms to identify duplicate payments; and (2) Quality Assurance (QA) attendance reconciliation effort. QA pulls a random sample of Working Connections Child Care (WCCC) cases to compare child care authorizations to attendance records and the payments issued. Overpayments are written on duplicate payments found in both of these reviews. ESA has developed report training for supervisors, stressing payment accuracy. The training is scheduled to begin May 1, 2009 and be completed no later than June 30, 2009. Beginning in June 2009 ESA will also implement a 9-code pre-authorization process that will require supervisors to approve authorizations over the standard amount prior to payment. Code 9 is the authorization code a worker uses to authorize exception payments above the standard. ESA does not agree that there were 56 payments that were inappropriate. We reviewed the payments and determined that four payments for two cases were issued for the wrong child. In each case an overpayment will be established and a new authorization issued for the correct child. We determined cases identified as a duplicate payment were not in error. What appeared to be multiple payments to the same provider for the same client were actually appropriate payments based on a Department of Early Learning (DEL) policy that requires staff to pay additional childcare units needed above the maximum rate for travel and work hours that exceed the maximum rate. "Unit of Care" refers to the type of care authorized. For example, if a school age child needs less than 22 half-days per month, the worker authorizes one extra half-day per
week, or up to five additional half-days per month, to allow for school closures/holidays. The authorization for the extra half-days are put on a separate line with a "9" code so the provider will bill the extra half-days only for days when the child is in care five or more hours. The multiple manual override payments often appear as additional half or full day authorizations when in fact they were appropriate authorizations for child care.
Auditors Remarks
We thank the Department for its response and the steps it is taking to improve internal controls. We will review the status of the Departments corrective action during our next audit.
Description of Condition
We interviewed Department staff, reviewed policies and procedures, identified and assessed the adequacy of general and application controls and examined how the controls were used. As part of our review of SEMS, we also evaluated controls over two related systems that interface with SEMS: the Financial Management Imaging System, which is used to create an electronic image of all incoming support payment checks, and the Automated Clearing House (ACH) Manager, which processes electronic transfers of support payments, both to and from the Department. We noted the following weaknesses related to system access: SEMS users can make changes to system records, such as amounts of child support owed, addresses and names without approval. The Department reviews only changes that result in a refund being issued. The ACH Manager processes payments with financial institutions. Twelve ACH Manager users share a system logon and password.
Supervisors do not review changes to payment data in the ACH Manager. Program changes to SEMS and ACH Manager are not always authorized and adequately tested. No system is in place to track the most recent versions of SEMS, ACH Manager or ejAS programs or to identify prior versions, should one be needed. Programmers have the access needed to work on separate versions of the same program at the same time and make different changes. One version could overwrite the other and eliminate valid modifications. The system does not maintain an audit trail of program changes, which prevents changes from being traced to the individual who made the changes. Changes made to the ejAS program code are documented either in notes written by the programmer or not at all. Changes to programs cannot be traced to the individual who made them. Independent approval is not required before changes are made to ejAS. Emergency program changes to ejAS are not monitored or approved
Cause of Condition
The systems were not designed to require approvals prior to data changes. The Department has no formal procedures requiring a review of logs or reports sufficient to detect potential unauthorized changes to data. Management did not enforce a policy on shared logins and passwords. The Department did not focus on controls over change management as an area of potential high risk.
Effect of Condition
The risk of error or misappropriation is increased. Failure to review all adjustments to payments increases the risk money could be shifted between accounts and/or refunded inappropriately. Also, the conditions increase the risk that changes could be made to programs in error or unauthorized programs could be run with no record of who made the changes.
Recommendation
We recommend the Department: Put in place SEMS system edits to ensure staff does not make changes without supervisory approval. Regularly review changes to provide reasonable assurance that inappropriate or unauthorized changes are detected. Use a system for eJAS, SEMS and ACH Manager to ensure program changes are properly authorized, reviewed and accurate.
Require all staff, who process payments through the ACH Manager, to use a unique logon and password. Review and maintain logged changes to ACH Manager data to ensure changes were appropriate.
Departments Response
SEMS The Department does not concur with the finding regarding the need for supervisory approval of changes made in SEMS with an additional audit to detect inappropriate changes. With approximately 2 million changes made each month, requiring supervisory approval for system changes as well as an after-the-fact audit are cost and resource prohibitive. Similarly, reprogramming SEMS to add a supervisory review function prior to a change would not only involve significant programming time but additional FTEs. Adding additional layers of approval would have detrimental impact on DCS ability to complete our mission of improving the lives of children, families and communities and could impact federal performance measures. There are currently controls in place to ensure accountability for changes made in the system. DCS staff that processes payments does not have the ability to make changes to customer address data. Conversely, staff that has the ability to change addresses, cannot process payments. This prevents staff from intercepting a payment and/or redirecting it. Changes to addresses, legal names, bank accounts and other individual level records are automatically recorded in SEMS on the Individual Comment (IC) screen along with the Employee ID of the person making the change and the date and time of the action. All changes are logged and reports are generated that allow auditing and ensure compliance with laws and regulations. In addition, DCS customers have the ability to view the information 24-hours a day, seven days a week online. Finally, if a debt is reduced on a support case, a letter is automatically generated to the custodial parent advising them of the reduction. DCS will make changes to Access Control to ensure appropriate update and view rights for SEMS. Users should only have update and view rights to the level of their supervisor. Additionally, the supervisor may limit the rights for their direct reports based on the needs of the position. DCS staff are hired and trained specifically to perform sensitive functions that carry with them great responsibility. Systems Access and Changes The Department concurs with the findings related to the review of payment changes in ACH Manager and a system in eJAS, SEMS, and ACH to ensure program changes are authorized and accurate. DCS is developing a new ACH Manager that uses SEMS Access and Control for logging into the program. Each SEMS user has a unique ID and password. Only authorized staff will be able to log into the ACH Manager. The new program is scheduled for implementation by fall 2009. Changes to payment data will be logged in with the ID of the person making the change as well as the date and time. Only a limited number of staff will be authorized to make changes. Supervisors will be able to audit the changes made. Since the FY05 audit, ESA has been looking for change control software that will work for our specific and unusual needs in eJAS. Because of the need to control/package both natural and asp programs into a single change, the search has been difficult. Recently, however, new change
Washington State Auditors Office 26
control software has demonstrated promise. When the budget permits, we will look more closely at this product. While we will continue to pursue automated solutions, we believe current processes and standards provide reasonable controls. Changes to the ACH Manager will use the same signoff/approval process currently used for SEMS. Program code will be checked in and out by the developer and signed off by the developer and tester. Changes to the codes will be logged. We will also put a two-step process in place to prevent changes to SEMS program code between the time it is approved until release. This will assure that the approved changes match the implemented changes. We will look for an off-the-shelf product that allows source version control in order to track changes to code and allow code rollback as needed. The versions are dated and should be able to be tied to the CMR. This will provide a means to limit the risk of overwrites and provide an audit trail for program changes. We will use the same two-step process identified above to mitigate risk while automated options are evaluated.
Auditors Remarks
We thank the Department for its response and the steps it is taking to improve internal controls. We will review the status of the Departments corrective action during our next audit.
1300 Yes X X
While the EACD does not generate payments, it plays a critical role in payment processing. Inappropriate access to this system could lead to the processing of inappropriate payments through linked systems.
Description of Condition
During our audit, we found the Department does not have adequate internal controls to prevent unauthorized access or misuse. Specifically: The Department did not have accurate information on user access levels in SEMS.
At least 60 individuals have access to directly modify critical data files and programs in both eJAS and SEMS. The Department does not have a uniform policy or guidance on limiting access to the EACD. We found excessive access by outside agencies without adequate justification. The Department failed to remove access to EACD for 34 individuals after they left the outside agencies. Ten of these individuals had the authority to approve contracts. The Department failed to remove ACES access for five individuals after they left the Department and took more than a month to remove it for 27 others after they left the Department. The Department does not have a formal process to ensure user access in eJAS and ACES is updated when employees jobs change. The Department does not have a process to ensure eJAS access is removed when employees leave the Department. More than 1,140 eJAS users have incompatible functions. They can create and pay vouchers in eJAS.
Cause of Condition
The Department stated employees have the access levels needed to carry out their responsibilities. The Department did not identify the ability to change data outside the application as a risk. The mainframe on which SEMS resides does not provide reports with sufficient detail to identify users and their access privileges. Management did not enforce a policy related to sharing logon IDs and passwords. The Department has no process for determining what access privileges are needed for each employee or a policy that requires an individual in each field office to periodically reconcile access levels to job duties. The Department relies on external users to determine which employees are granted access to the EACD and to notify the Department regarding changes in employment status. The Department does not regularly monitor to ensure access is limited.
Effect of Condition
Excessive or incompatible access levels increase the risk of misuse. Critical systems are at risk of unauthorized access, leaving sensitive data vulnerable to inappropriate use or disclosure. Payment systems are at risk of abuse.
Recommendation
We recommend that the Department: Perform on-going assessment to determine the appropriate level of system access for staff and outside users. Develop an accurate report detailing access to systems.
Washington State Auditors Office 29
Limit access to modify critical data files through the use of a temporary emergency ID. Periodically reconcile user access and current job duties to ensure each user has only the access needed for their job duties. Revoke system access from employees who leave the agency in accordance with the Departments Information Technology Security Policy Manual.
Departments Response
This finding was directed at the Economic Services Administration (ESA) and Aging and Disability Services Administration (ADSA). ESA partially concurred and ADSA concurred with the areas of the finding for which it was responsible. The response for each administration follows. Economic Services Administration ESA concurs with the findings for ACES, eJAS, and SEMS regarding systems access and reconciliation, and with the finding regarding the number of users with eJAS and SEMS access to modify critical data files. We will develop and implement internal controls to ensure we address the issues identified in the audit conditions regarding regular review and reconciliation for system access. The new process will be shared with appropriate managers and staff, with training provided as needed, to ensure monitoring and reconciliation of system access. We will also review the list of individuals who have access to modify critical files in eJAS and SEMS and, where appropriate, remove access. ESA does not concur with the finding that eJAS users have incompatible functions or inadequate separation of duties. The voucher payment process in eJAS is a three (3) step process that consists of (1) Create, (2) Pay, and (3) Release. Although more than 1,140 eJAS users have Create and Pay abilities, they do not have authorization to Release payments; therefore there is not a risk of unauthorized payment. The Department believes the current separation of duties and authorizations within the system are adequate to ensure unauthorized payments cannot be made. However, DSHS will continue to monitor system access and ensure that there is a separation of duties between the create and pay functions and the release function to ensure payments are authorized. Aging and Disability Services Administration ADSA concurs with this finding. A quarterly report has been developed and is sent to the Area Agencies on Aging (AAA), Home and Community Services Offices, and Division of Developmental Disabilities Offices each quarter to ensure that ACD access rights are appropriate. Rights are revoked by the headquarters contracts unit if an employees job duties have changed or the individual is no longer employed by the AAA or ADSA.
Auditors Remarks
We thank the Department for its response and the steps it is taking to improve internal controls. We will review the status of the Departments corrective action during our next audit.
Develop and maintain a system of internal controls and internal audits comprising methods and procedures to be adopted by each agency that will safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies for accounting and financial controls. The system developed by the director shall include criteria for determining the scope and comprehensiveness of internal controls required by the classes of agencies, depending on the level of resources at risk. Each agency head or authorized designee shall be assigned the responsibility and authority for establishing and maintaining internal audits following the standards of internal auditing of the Institute of Internal Auditors State Administrative and Accounting Manual (SAAM), Section 20.15.40.e, Monitoring, states in part: An agencys internal control is most effective when there is a proper monitoring control environment, results are prioritized and communicated, and weaknesses are corrected and followed up on as necessary.
Description of Condition
During our 2008 audit, we reviewed the monthly client lists for all Centers to determine if clients were exceeding the maximum allowable stay and reviewed contracts between the Department and the providers.
We found 155 clients exceeded the five-day maximum allowable stay at regional and secure Centers by at least 24 hours:
A 24 - 72 73 - 100 101 - 200 201 - 300 301 - 400 401 - 500 501 - 600 Total Cumulative total 51 32 14 5
B 22 2 1 1
C 4 1 3
D 1
E 20 11 14 14 3 1 2 24 - 72 73 - 100 101 - 200 201 - 300 301 - 400 401 - 500 501 - 600 Total
B 2
C 1
26
65 151
1 4
Cumulative total
We also were unable to determine the length of stay for clients in two regional Centers and three secure Centers: The client list for August was missing for one regional Center. Client lists for July through December and March were from another regional Center. Client lists for July and November through January were missing for a secure Center. The client list for March was missing from another secure Center. The client list for November was missing for another secure Center. When the Department asked the providers to send in the lists, they did not have any data to send to the Department.
Cause of Condition
The Department had not fully implemented its Corrective Action Plan at the time of our fiscal year 2008 audit. The Department did not adequately monitor the Centers compliance with state law and contract requirements by reviewing client lists prior to authorizing payment. Contract language required client lists to be submitted to Childrens Administration headquarters and invoices to be submitted to and paid by regional offices.
Effect of Condition
The Department is not receiving the services agreed to in the contract. Allowing stays beyond contractual deadlines poses a risk that services may not be available for all who need them.
Recommendation
We recommend the Department: Improve contract and payment monitoring to ensure the maximum allowable stay is not exceeded. Pay only for services specified in the contract. Require adequate support for payment from Centers and consider disallowing payment if contract conditions are not met.
Departments Response
The Department concurs we did not adequately monitor crisis centers attendance records and how we paid the centers. This finding is a repeat finding of A07-02 in the FY 2007 Accountability Audit. As the department proceeded to implement its corrective action plan inquiries from legislative staff indicated that legislation impacting the current requirements for regional and secure Crisis Residential Centers would be proposed during the 2008 legislative session. The corrective action plan was then suspended pending the outcome of legislative action. The Department anticipates the passing of legislation SHB2346 that will provide revised direction to the department on maximum stays and payment requirements. When the bill passes the Department will develop a corrective action plan that incorporates the requirements of the new legislation, establishes a payment methodology that allows the Department to only pay the crisis centers for periods that fall within the timeframes outlined by law, and provides improved monitoring of contract and payment provisions. We will detail the approach to these modifications in our corrective action plan for this finding.
Auditors Remarks
We thank the Department for its response, and the steps it is taking to improve monitoring of these contracts. We will review the status of the Departments corrective action during our next audit.
expense to another crisis residential center, the nearest regional secure crisis residential center, or a secure facility with which it is collocated under RCW 74.13.032. Placement in both locations shall not exceed five consecutive days from the point of intake as provided in RCW 13.32A.130. RCW 74.13.0321, Crisis Residential Centers Limit on reimbursement or compensation, states: No contract may provide reimbursement or compensation to a crisis residential center's secure facility for any service delivered or provided to a resident child after five consecutive days of residence. Regional and Secure Crisis Residential Centers Boilerplate Contract, General Terms and Conditions, Compliance with Applicable Law, states in part: At all times during the term of this Contract, the Contractor shall comply with all applicable federal, state, and local laws and regulations . . . . Regional and Secure Crisis Residential Centers Boilerplate Contract, Special Terms and Conditions, Payment Only for Authorized Services, states: DSHS shall pay the Contractor only for authorized services provided in accordance with this Contract. Regional Crisis Residential Centers Boilerplate Contract: Exhibit A: Statement of Work: Length of Stay: Youth may stay in any Crisis Residential Centers (CRC) for up to five (5) days, including Saturdays and Sundays and holidays. If a youth has been transferred between CRCs, the cumulative total number of days spent in both CRCs may not exceed five (5) days. Secure Crisis Residential Centers Boilerplate Contract, Exhibit A, Statement of Work, Length of Service, states: Youth admitted to a Secure Crisis Residential Centers (CRC) must remain in the Secure CRC for, at a minimum, 24 hours, unless the youths parent(s) removes the youth from the Secure CRC. RCW 74.13.034(3) limits a youths stay in any CRC for up to a maximum of five (5) days, including Saturday and Sunday and holidays. If a youth has been transferred between CRCs, the cumulative total number of days spent in both CRCs may not exceed five days.
3.
The Department of Social and Health Services, Childrens Administration did not perform adequate monitoring for background checks of foster care providers. Audit Report 6663, dated July 13, 2007 Background State law requires foster care providers and adoptive parents to undergo criminal background checks prior to placing a child in the home. One respite care provider had no record of a criminal background check. Two foster care providers had no record of a criminal background check. Both providers were relatives of the child; however, the background check requirement still applies. Controls at the Department are inadequate to ensure background checks are performed on all foster care providers upon licensing and every three years thereafter. Status The finding is not resolved. Refer to the current 2008 audit, Finding 1.
4.
Public funds were misappropriated at the Department of Social and Health Services Division of Child Support. Audit Report 6663, dated July 13, 2007 Background We reviewed the investigation performed by the Washington State Patrol and agreed with its conclusion that at least $25,571.58 in public funds was misappropriated by a former employee who took 68 money orders that were mailed to the Division and deposited them into her personal bank account instead of posting them to the appropriate client accounts. The former employee circumvented the Departments internal controls over cash receipting. The cash receipting activities performed by the former employee were inadequately monitored by the Department. Status The finding is partially resolved. management. Remaining issues were relayed informally to Department
Brian Sonntag, CGFM Ted Rutt Doug Cochran Jerry Pugnetti Chuck Pfeil, CPA Jim Brittain, CPA Jan Jutte, CPA, CGFM Ivan Dansereau Mike Murphy Mindy Chambers Mary Leider (360) 902-0370 (866) 902-3900
www.sao.wa.gov https://www.sao.wa.gov/applications/subscriptionservices/