CHATHAM COUNTY ATTORNEY
SAVANNAH, GEORGIA
ASSISTANT COUNTY ATTORNEY

June 30, 2017

Ms. Kelly Quimby, Reporter
Savannah Morning News

Re: Open Records Act dated June 27, 2017

Dear Ms. Quimby:

Please accept this as our response to your open records request dated June 27, 2017. I have attached copies of audits from various county departments. I have redacted information in regard to the ICS audit that relates to computer program malware protection and other information the knowledge of which may weaken the firewall against hackers.

County Attorney
RIH/so
Attach.

Chatham County Internal Audit
P.O. BOX 8161, 124 Bull Street Ste 340, Savannah, GA 31412
912-652-7942

Report Date: 5/16/2017
Prepared for: Stephen Proper, Recreation and Park Services Director
Audit of: Payroll - Parks & Recreation

Objective and Scope: Review the department payroll for July 2014 - July 2016 for compliance with FLSA and agreement of subsidiary timekeeping records.

Conclusion (4): In our opinion, many controls and operating procedures evaluated did not provide reasonable assurance that risks were being effectively mitigated within an acceptable tolerance level. Trends were not favorable for achieving objectives.

Prior Rating: NA

Background: Prior to our audit, Public Works and Park Services were consolidated as one department under the direction of the Public Works Director. In July 2016, the merged departments split and Recreation and Park Services was placed under a separate Director. For that reason, this audit report is issued as a separate report from Public Works. In 2015, discrepancies were reported to HR by some Public Works employees which existed between the compensatory time balances maintained by the Payroll system and the timekeeping system (TimeForce) used in Public Works.
Until late in 2015, Public Works had maintained a separate compensatory time leave record (off-book) from the official payroll system. The two records were not reconciled and over time the variance became significant. The off-book record was not compliant with the FLSA limitation on the maximum accrual of 240 hours of compensatory time and some employees had accrued significantly higher balances.

Summary of Control Deficiencies

Significant Deficiency(s)

Control Objective
Department performs a review (reconciliation) of employee leave (sick, vacation, compensatory time) earned, taken, and balances every six months.

Condition, Cause, and Impact
Compensatory time balances were incorrect. Human Resources carried leave balances which varied from departmental records. Employees accrued compensatory leave balances greater than 240 hours, in violation of FLSA. Recreation and Park Services used an off-book record of compensatory time balances to award the leave without being submitted to Payroll. This condition was a result of a control deficiency in monitoring of employee leave earned and taken in compliance with FLSA. Employee leave balances were transmitted to Human Resources incorrectly.

Management Corrective Action
Parks and Recreation is no longer using the accrual portion of TimeForce. Staff has received additional training from Human Resources / Payroll on correct procedures of recordkeeping, timekeeping and employee accruals. Accrual balances (sick, annual, and compensatory time) are automatically calculated in the new timekeeping payroll system (MUNIS). Parks and Recreation Supervisor(s) that compile the time sheets will be given a copy of the accrual report from Human Resources.

Control Objective
Human Resources has provided FLSA compliance training to departmental payroll liaisons regarding employment classifications, who can or cannot receive compensatory time and/or overtime, and the definition of what constitutes work time.
Condition, Cause, and Impact
Recreation and Park Services employees had been compensated for working overtime and/or awarded compensatory time when it had not been earned. Departmental practices were not in compliance with applicable sections of the Fair Labor Standards Act (FLSA). Human Resources had not provided training to departmental payroll liaisons regarding the application and interpretation of the Fair Labor Standards Act and the importance of compliance and possible consequences of non-compliance. This condition put the County at risk of non-compliance with federal labor laws which could result in fines and penalties.

Training was scheduled but interrupted due to Hurricane Matthew. As of the date of this report, Human Resources has not rescheduled FLSA training with departmental payroll liaisons and its application to departmental policies and procedures. All of management and administrative staff will attend the mandatory FLSA training class provided by Human Resources when Parks and Recreation are offered the opportunity.

Significant Deficiency(s)

Control Objective
The automated system captures all time worked for the purpose of calculating payroll overtime and leave. The administrative staff records employee time using an automated system and/or manual records. Once approved by supervisor(s), a departmental copy of each timesheet is placed into each employee's departmental payroll file.

Condition, Cause, and Impact
Timekeeping documentation (TimeForce reports and/or manual timesheets) did not agree with the online payroll time record (FMIS). Although Recreation and Park Services management signed off on the individual employee timesheets, management was not approving / reviewing the Payroll Summaries. The administrative staff inconsistently interpreted hours worked when transferring those hours to the payroll summaries submitted to Payroll.
This practice created the following deficiencies:
1) Overpayments totaled $5,270.20 for 21 % (19 of 90);
2) Underpayments totaled $6,975.82 for 12 % (11 of 90) of employees;
3) 33 % (30 of 90) of employees had compensatory time and/or overtime calculated incorrectly;
4) 60 % (3 of 5) of exempt employees were granted / received overtime or compensatory time.

Management Corrective Action
The MUNIS departmental summary reports are reviewed by staff before they are submitted to payroll. Staff will continue to attend County offered training classes as they are provided.

Follow-up on corrective actions for significant deficiency(s) will occur on or around: 9/13/2017

Audit Methodology: Our internal audit activities are conducted in conformance with the International Standards for the Professional Practice of Internal Auditing. These activities are designed to provide an independent, objective assurance of the reliability and integrity of financial reporting; effectiveness and efficiency of operations to achieve objectives; safeguarding of assets; and compliance with laws, regulations, contracts, policies and procedures.

Jeannie Alday, CIA, CISA, CFE, CPCU, CRMA, CFSA
Director of Internal Audit

cc: Lee Smith, County Manager
Linda Cramer, Assistant County Manager
Michael Kaigler, Assistant County Manager
Carolyn Smalls, Human Resources Director
Ruth Crawford, Adm. IV (Payroll Clerk)

Chatham County Internal Audit
P.O. BOX 8161, 124 Bull Street Ste 240, Savannah, GA 31412
912.652.7942

Report Date: 6/13/2017
Prepared for: Judge Thomas Bordeaux
Audit of: Probate Court

Objective and Scope: The Chatham County Probate Court (Court) requested a review by internal audit to provide assurance the Court has been identifying and managing the risks to Chatham County resources. We utilized information maintained by the Court and policies and procedures followed by the Court to evaluate the control environment adopted by the Court for the 2017 Fiscal Year through March 2017.
Conclusion (3+): In our opinion, controls and operating procedures evaluated were generally adequate, appropriate, and effective to provide reasonable assurance that risks were being managed within an acceptable tolerance level and objectives should be met. Trends were favorable for achieving objectives.

Prior Rating: N/A

Background: The Court serves as the original, exclusive, and general court with jurisdiction over the probate of wills, sale and disposition of property, the appointment and removal of guardianship, licenses and permits, and various other matters concerning mental illness. To enhance financial accountability and establish and maintain appropriate internal controls over court administration, the court adopted an integrated justice software suite from Tyler Technologies called Odyssey.

Summary of Control Deficiencies

Significant Deficiency(s)

1. Control Objective
Court records are maintained electronically and backed up daily. Paper documentation is limited and not used as the official record of the court.

Condition, Cause, and Impact
Duplicate reconciliations, payment requests, printed reports, and physical backups of scanned documents are maintained in both electronic and physical forms. There is not full confidence in the system yet to completely eliminate the paper documentation. This reliance on paper creates inefficiencies with duplication of efforts and the possibility of version control risks.

Management Corrective Action
Probate Court is in the process of adopting a paperless documentation system using the Odyssey Case Manager module.
The Court has completed this process for the following:
1) Marriage Licenses;
2) Weapons Carry Licenses / Judge's IDs;
3) Orders to Apprehend Persons alleged to be mentally ill persons in need of involuntary treatment;
4) Notices from the Coroner to Dispose of Unclaimed Corpses;
5) Various permits such as Fireworks permits, certificates of residency, permits for carnivals and roadshows etc.;
6) Condemnation proceedings; and attorney requests for leaves of absence.
Further electronic file reliance will be considered for petitions not requiring physical support under Georgia law.

Control Objective
Departmental policies and procedures require quarterly reconciliation of Odyssey Court controlled custodial bank accounts per the Cash Handling policy.

Condition, Cause, and Impact
Quarterly bank reconciliations are not performed on the four existing custodial accounts. Management is only receiving the bank statements and scanning them. No reconciliation is being performed to the Odyssey Financial module. Reconciliation of Odyssey was not assigned and monitored for compliance with the County Cash Handling policy. The Court had an increased risk of unauthorized bank account usage, and timely discovery and correction.

Management Corrective Action
Policies and procedures have been established by the Probate Court Judge to assign, complete, and review bank reconciliations on a quarterly basis by the Chief Clerk. The reconciliation will compare the bank balances to the Odyssey Financial balance sheet for all Court controlled custodial accounts. All variances will be investigated and adjusted accordingly on a timely basis. Supervisory review will be documented as part of the reconciliation and all documentation maintained according to the record retention guidelines.

Control Objective
Various reconciliations are performed throughout the cash handling process from cash drawer balancing, daily deposit balancing to Odyssey and Excel Log to the Odyssey's transaction database.
Condition, Cause, and Impact
The Court did not follow the County Cash Handling Policy for reporting cashier outages to Finance. Overages were being held in the safe. Shortages were required to be covered by the clerks from their own funds. The court believed the outages to be an immaterial amount and not necessary to report. Requiring employees to make up shortages may lead to a violation of Wage and Hour Laws. Outages not being reported violates proper cash handling procedures and creates incorrect financial reporting.

Management Corrective Action
Probate Court changed the policy concerning cashier outages to include: all outages (over and short) will be reported to the Finance department; the practice of requiring employees to cover shortages will be immediately discontinued; all overages will either be refunded to the customer or adjusted into the deposit; and, chronic out of balance issues by an employee will be handled through the performance discipline process.

Control Deficiency(s)

Control Objective
Court invoice and agency payment requests are forwarded to Finance through Munis established workflows.

Condition, Cause, and Impact
The Deputy Clerk III manually enters into Munis the daily transactional summaries created by Odyssey. At this time, the Court does not desire to establish the electronic interface between Munis and Odyssey to allow for the electronic transfer of financial data. Manual entry of automated data creates an inefficient use of resources and increases the opportunity for errors/irregularities to occur and a greater reliance on reconciling controls is required.

Management Corrective Action
The Court will set up a meeting with Finance and the Project Manager, Kelvin Lewis, to discuss the process necessary to establish an electronic interface between Odyssey and Munis.

Control Objective
Odyssey tracked payment status is used to control the completion of petitions.
Condition, Cause, and Impact
We identified identical database records on most petition events. Odyssey was populating a large number of events with the duplicate information. The cause of these duplicates could not be determined and will require assistance from Tyler to correct. This duplication may create incorrect or duplicate events causing variance in agency payments and customer charges. We also identified a small number of incorrect payment collections between the Case Management and the Financial Module in Odyssey due to incorrect coding of the event and the amounts being below the outage threshold of $5 per transaction when the modules were reconciled.

Management Corrective Action
The Clerk of Probate Courts has initiated a Tyler help ticket requesting information and possible correction of Odyssey events.

Control Deficiency(s)

Control Objective
Public is made aware by signage of the system receipting they should receive which ensures all applications are processed/controlled through the system.

Condition, Cause, and Impact
The Probate Court did not have public facing signage for additional public awareness of petition and receipt requirements. Including the public in controls through awareness had not been previously considered by the Court. The lack of awareness may allow the use of unauthorized receipts and the subsequent misappropriation of funds to occur.

Management Corrective Action
Initial signs have been created and deployed to ensure public awareness for receipt requirements.
Court document examples and additional strategic information is being created.

Follow-up on corrective actions for significant deficiency(s) will occur on or around: 10/11/2017

Audit Methodology: Our internal audit activities are conducted in conformance with the International Standards for the Professional Practice of Internal Auditing. These activities are designed to provide an independent, objective assurance of the reliability and integrity of financial reporting; effectiveness and efficiency of operations to achieve objectives; safeguarding of assets; and compliance with laws, regulations, contracts, policies and procedures.

Jeannie Alday, CIA, CISA, CFE, CPCU, CRMA, CFSA
Director of Internal Audit

cc: Lee Smith, County Manager
Roland Racket, Clerk of Probate Court
Jennifer Fogle, Deputy Clerk III

Chatham County Internal Audit
P.O. BOX 8161, 124 Bull Street Ste 340, Savannah, GA 31432
912-652-7982

Report Date: 4/20/2017
Prepared for: Nick Batey, Director of ICS
Audit of: ICS - Identity and Access Management

Objective and Scope: To provide an assessment of the effectiveness of the Identity and Access Management (IdM) practices and procedures for protecting the data held on the County Network. Our review focused on standards, guidelines, and procedures as well as on the implementation and governance over network access. Application-specific user access management was not in the scope of this review.

Conclusion (2+): In our opinion, most controls and operating procedures evaluated were adequate, appropriate, and effective to provide reasonable assurance that risks were being managed within an acceptable tolerance level and objectives should be met. Trends were favorable for achieving objectives.
Prior Rating: N/A

Background: The Center for Internet Security published twenty Critical Security Controls (CSC) for Effective Cyber Defense as an industry standard for the protection of confidentiality, integrity, availability, authentication, and non-repudiation of data. We evaluated ICS's adoption of the CSC controls within the Identity and Access Management (IdM) process.

Control Deficiency(s)

1. Control Objective
Access changes are monitored by security staff, information owners, and department managers.

Condition, Cause, and Impact
Current policies and procedures directed the Human Resources department to contact ICS when employees were terminated. Department liaisons submitted requests for new user access. ICS was not notified of personnel changes/transfers. These types of transfers without re-evaluation of the access necessary may allow an accumulation of authority not required in the new position. Access to files or other sensitive information from a previous position and not part of the current job requirement could be a risk.

Management Corrective Action
ICS is usually notified when an employee's status changes via a User Account Creation or Termination Work Order. ICS will request Human Resources promptly notify us if an employee's status changes. ICS will request Liaisons to notify us if an employee's status changes inside their department. ICS will investigate inclusion in Personal Action workflows for notification on any necessary actions.

Control Objective
Network users are required to have strong passwords that must be routinely changed.

Condition, Cause, and Impact
Strong password selection, verification, and complexity requirements were inconsistently deployed within the County network. Automated resources and priority had not been directed to develop and implement password policies and procedures.

Management Corrective Action
ICS is currently implementing a Password Policy.
It has been implemented in 27 of 47 departments as of 4/13/2017. We expect the Password Policy implementation to be completed by 6/1/2017. Information about password requirements are available on

3. Control Objective
User access permissions are requested by user management, approved by information owners, implemented by designated access control specialists and are the minimum permissions needed by the users to do their jobs.

Condition, Cause, and Impact
Separate administrative network user accounts were identified for 4 of the 10 administrators. Network administrators utilized a single account for both routine and elevated access activities. Desktop administrative access accounts and administrator permissions were not periodically reviewed. The County computer network had an increased risk of administrative use of network privileges that are not adequately monitored.

Management Corrective Action
ICS is in the process of reviewing network administrative access, and the feasibility of system administrators using elevated accounts only when the task they are performing requires elevated privileges. ICS is currently working on removing Desktop Admin rights for users who do not require that level of access. Our technicians will use elevated privileges to perform tasks that require administrative rights. New software is anticipated to be acquired in FY18 to improve monitoring of administrative users.

Audit Methodology: Our internal audit activities are conducted in conformance with the International Standards for the Professional Practice of Internal Auditing. These activities are designed to provide an independent, objective assurance of the reliability and integrity of financial reporting; effectiveness and efficiency of operations to achieve objectives; safeguarding of assets; and compliance with laws, regulations, contracts, policies and procedures.
Jeannie Alday, CIA, CISA, CFE, CPCU, CRMA, CFSA
Director of Internal Audit

cc: Lee Smith, County Manager
Linda Cramer, Assistant County Manager
Michael Kaigler, Assistant County Manager
Andrew Cree, Assistant Director of ICS
Carolyn Smalls, Director of Human Resources

Chatham County Internal Audit
P.O. BOX 8161, 124 Bull Street Ste 340, Savannah, GA 31412
912-652-7942

Report Date: 4/14/2017
Prepared for: Tammie Mosley, Clerk of Superior Court
Audit of: Clerk of Superior Court 2016 Year End Review

Objective and Scope: A limited scope audit restricted to the review of controls over collection, distribution, and reconciliation existing as of December 2016. Included was a review of the rate tables for 2016 and 2017 to ensure they were correctly identified and maintained within the automated accounting system.

Conclusion (3+): In our opinion, controls and operating procedures evaluated were generally adequate, appropriate, and effective to provide reasonable assurance that risks were being managed within an acceptable tolerance level and objectives should be met. Trends were favorable for achieving objectives.

Prior Rating: NA

Background: The Clerk of Superior Court (Clerk) is a constitutional office mandated by law to meet the requirements set forth in the Official Code of Georgia. Those requirements include accepting, maintaining, and preserving all records pertaining to the Court. As of December 31, 2016, the Clerk maintained control over 16 bank accounts for a total of over $5 million. On January 1, 2017, Tammie Mosley was elected as the new Clerk of Superior Court. As she assumed the office in January 2017, the Clerk requested an internal audit be conducted as of December 31, 2016 to ensure the accuracy of the transition of funds from the former Clerk, Daniel W Massey.

Summary of Control Deficiencies

Significant Deficiency(s)

1.
Control Objective
Bank accounts are reconciled to source documents to verify collections and disbursements are accurate and authorized.

Condition, Cause, and Impact
The bank account reconciliations were not reviewed against source documentation (i.e. check register in Excel). The Daily Cash receipts transactions were recorded in the check register by the Assistant Chief Deputy Clerk. The check register was then reconciled to the bank statement by the Assistant Chief Deputy Clerk. The Deputy Clerk Accounting Technician was not verifying the accuracy of the check register to the Daily Cash receipts reports as part of the reconciliation review. Bank deposits and disbursement errors were allowed to go undetected and not corrected.

Management Corrective Action
As of April 5, 2017, the Clerk contacted ICS to arrange for Quickbooks training for staff. Quickbooks was purchased in March 2017 and installed soon thereafter. The Clerk, Chief Deputy Clerk, and Assistant Chief Deputy Clerk have also met and reassigned duties to existing staff persons to facilitate the review and reconciliation of the statements against the Source Documents as recommended, specifically to give the Deputy Clerk Accounting Technician employee adequate time and resources to complete proper reconciliations as recommended in Audit. In the 2017-2018 Budget Process, the Clerk submitted an Office Reclassification of job positions and titles to include additional staff. This request includes an additional employee who will support the separation of duties in the financial division. The Clerk is awaiting approval of this request from the Chatham County Board.

Control Deficiency(s)

2. Control Objective
Separation of duties exists between collection of funds, depositing and disbursement of funds, maintenance of the accounting records, preparation of reconciliations, and reviews for accuracy and authority.
Condition, Cause, and Impact
The Assistant Chief Deputy performs the collection of larger deposits mailed into the court and distribution of all collections to the various funds controlled by the Clerk of Superior Court. The Assistant Chief Deputy also records all collections into the check register. Duties have not been separated to provide a proper level of control between receipt and recording of transactions. Errors/irregularities could go undetected and not corrected.

Management Corrective Action
The pending Reorganization and Reclassification of job duties and responsibilities removes the receipt and handling of large deposits mailed and brought in to the Clerk's Office from the Assistant Chief Deputy. Furthermore, the Assistant Chief Deputy will immediately begin to utilize Quickbooks as a check register. In the re-organization, the Assistant Chief's collection duties will be divided among three (3) employees with a fourth employee with no daily financial duties to reconcile monthly statements.

Follow-up on corrective actions for significant deficiency(s) will occur on or around:

Audit Methodology: Our internal audit activities are conducted in conformance with the International Standards for the Professional Practice of Internal Auditing. These activities are designed to provide an independent, objective assurance of the reliability and integrity of financial reporting; effectiveness and efficiency of operations to achieve objectives; safeguarding of assets; and compliance with laws, regulations, contracts, policies and procedures.
Jeannie Alday, CIA, CISA, CFE, CPCU, CRMA, CFSA
Director of Internal Audit

cc: Lee Smith, County Manager
Linda Cramer, Assistant County Manager
Michael Kaigler, Assistant County Manager
Cheri Phillips, Assistant Chief Deputy

Chatham County Internal Audit
P.O. BOX 8161, 124 Bull Street Ste 240, Savannah, GA 31412
912.652.7982

Report Date: 4/19/2017
Prepared for: John T Wilcher, Sheriff
Audit of: ICS - Identity and Access Management

Objective and Scope: To provide an assessment of the effectiveness of the Identity and Access Management (IdM) practices and procedures for protecting the data held on the County Network. Our review focused on standards, guidelines, and procedures as well as on the implementation and governance over network access. Application-specific user access management was not in the scope of this review.

Conclusion (1+): In our opinion, all controls and operating procedures evaluated were adequate, appropriate, and effective to provide reasonable assurance that risks were being well managed and objectives should be met.

Audit Methodology: Our internal audit activities are conducted in conformance with the International Standards for the Professional Practice of Internal Auditing. These activities are designed to provide an independent, objective assurance of the reliability and integrity of financial reporting; effectiveness and efficiency of operations to achieve objectives; safeguarding of assets; and compliance with laws, regulations, contracts, policies and procedures.

Jeannie Alday, CIA, CISA, CFE, CPCU, CRMA, CFSA
Director of Internal Audit

cc: Lee Smith, County Manager
Linda Cramer, Assistant County Manager
Michael Kaigler, Assistant County Manager
Nick Batey, Director of ICS
William Freeman, Chief Deputy
