The URL can be used to link to this page

2. Follow-Up Review of Customer Service Division Audit (Jun. 2020) ABSTRACT + + Significant process improvements have been made following the recommendations made in the original audit published in December 2018. New processes and policies have been implemented that effectively improve controls MI I over about $268 million in utility revenues. I �1 Internal Audit Department AUDIT OF CUSTOMER SERVICE DIVISION Follow Up Report (I I'1' I DENTON The City of Denton Internal Audit Report June 2020 Audit Follow Up of Customer Service Division Audit (December 2018) Table of Contents FollowUp at a Glance ........................................................................................................................3 Introduction ......................................................................................................................................4 ManagementResponsibility.....................................................................................................................4 Audit Objectives, Scope, and Methodology..............................................................................................4 Recommendation Status Update........................................................................................................5 Safeguardingof Cash ................................................................................................................................5 AccessControl...........................................................................................................................................6 Access to Employees' Accounts................................................................................................................6 Interest and Fees on Delinquent Accounts...............................................................................................7 ManualCheck Processing.........................................................................................................................7 Policies and Procedures............................................................................................................................7 Interdepartmental Cash Deposits.............................................................................................................8 PCICompliance .........................................................................................................................................8 Timeliness of Referral of Delinquent Accounts ........................................................................................9 Collection Agency's Contract Compliance ................................................................................................9 Time to Pay Delinquent Balance...............................................................................................................9 More Efforts Needed to Collect Large Receivables ................................................................................10 N v The City of Denton Internal Audit Report June 2020 Audit Follow Up of Customer Service Division Audit (December 2018) Follow Up at a Glance Why we did this Follow Up: This report is intended to provide information on what changes have been made in response to the Customer Service Division audit report issued in December 2018. The original audit reviewed controls over about$268 million in utility revenues.This follow up was included on the City's fiscal year 2019-20 Audit Plan as approved by the City Council. What we Found: Through the establishment of numerous policies and standard operating procedures, the Customer Service Division has fully implemented all the recommendations of the Customer Service Division audit addressed to it. One outstanding recommendation was addressed to Finance and Legal and is currently in progress. The status of each recommendation is summarized below: Recommendation Mgmt. Response Status 1. Assign key custodian. Concur Implemented 2. Keep all safes and vault locked. Concur Implemented 3. Keep a record of cash dropped in the safe. Concur Implemented 4. Move access control for key systems to Tech. Services. Concur Implemented 5. Prohibit employees from accessing their own accounts. Concur Implemented 6. Comply with legal provisions related to delinquent Concur Implemented account fees and interest. 7. Require two employees to retrieve and process drop box and mail payments. Concur Implemented 8. Compile a formal policies and procedures manual. Concur Implemented 9. Independently forward acknowledgement of deposits Concur Implemented to the relevant department. 10. Require departments depositing cash to reconcile Concur Implemented receipted deposits. 11. Become fully compliant with PCI standards. Concur Implemented 12. Refer delinquent accounts to the collection agency Concur Implemented after 60 days past due. 13. Require the collection agency to comply with contractual insurance requirements. Concur Implemented 14. Establish authority related to the time to pay delinquent account balances. Concur Implemented 15. Pursue collection of identified delinquent commercial Concur In Progress accounts. CITY DENTON The City of Denton Internal Audit Report June 2020 Audit Follow Up of Customer Service Division Audit (December 2018) Introduction The City Internal Auditor is responsible for providing: (a) an independent' appraisal of City operations to ensure policies and procedures are in place and complied with, inclusive of purchasing and contracting; (b) information that is accurate and reliable; (c) assurance that assets are properly recorded and safeguarded; (d) assurance that risks are identified and minimized; and (e) assurance that resources are used economically and efficiently and that the City's objectives are being achieved. The City Auditor's Office has completed an audit follow up of the Customer Service Division Audit issued in December 2018. We conducted this follow up review in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Management Responsibility City management is responsible for ensuring that resources are appropriately managed and used in compliance with laws and regulations; programs are achieving their objectives, and services are being provided efficiently, effectively, and economically. Audit Objectives, Scope, and Methodology This report is intended to provide a progress update on recommendations from the Customer Services Division Audit (December 2018), which verified internal controls over City resources and billing procedures and evaluate efficiencies in the Division's processes. Audit fieldwork was conducted during May 2020. The scope of review varied depending on the procedure being performed. The following list summarizes the major procedures performed: • Reviewed documentation from the issued audit to develop criteria including industry standards, best practices, policies, and procedures; • Reviewed standard operating procedures and policies implemented by the Customer Service Division in response to the recommendations provided in the audit conducted in December 2018; • Examined judgment-based samples of various relevant receipts and forms to determine the implementation status of recommended documentation and process improvements; and • Interviewed Customer Service Division staff and reviewed provided documentation. v 1 The City of Denton's Internal Audit Department is considered structurally independent as defined by generally accepted government auditing standard 3.56. The City of Denton Internal Audit Report June 2020 Audit Follow Up of Customer Service Division Audit (December 2018) Recommendation Status Update This report summarizes the Audit of Customer Service Division's recommendations, management responses, and the Internal Audit Department's follow up findings, which describe to what degree City Management has implemented the Internal Audit Department's recommendations since the publication of the original report (December 2018). Recommendations and their implementation results are grouped as they were in the original report. Safeguarding of Cash 1. Assign duties of accessing cash to one employee to be the primary custodian of keys. Assign an alternate or backup custodian for periods of the primary custodian's absence. Management Response: Concur The recommendation was addressed effective June 27, 2018. Audit Follow Up Finding: Implemented The Customer Services Division formally implemented a Standard Operating Procedure (SOP) ("Vault and Key Access Policies"), which provides guidance on proper use and security of the vault area, including the safes and keys found inside. The SOP was implemented in December 2018 and was further revised in May 2020. The SOP requires that: • A custodian to be assigned over the cash vault area and the safes and keys contained within it; and • Access to the vault and safes is limited to Team Leads, Cash Specialist, Customer Service Supervisors,Assistant Customer Service Manager, and Customer Service Manager by badge access only. 2. Keep all the safes and vault locked. Management Response: Concur The recommendation was addressed effective June 27, 2018. Audit Follow Up Finding: Implemented The SOP "Vault and Key Access Policies" requires that all safes should remain locked unless they are being accessed and the door to the Vault should remain closed when no one is inside. The Auditors could not perform the physical observation testing of this implementation due to the ongoing COVID- 19 Pandemic situation. 3. Require the cashiers to keep a record of cash dropped in the safe. Management Response: Concur The recommendation was addressed effective June 27, 2018. Audit Follow Up Finding: Implemented The SOP ("Vault and Key Access Policies") contains the procedures to be followed for a cash drop2 as well as the manner of keeping records of cash received and given. All thirteen sampled cash drop receipts were duly recorded and maintained, indicating that the procedure was implemented effectively. v 2 A cash drop is an amount of cash removed from the cash drawer and placed in the safe. The City of Denton Internal Audit Report June 2020 Audit Follow Up of Customer Service Division Audit (December 2018) Additionally, the following requirements were added to the SOP ("Vault and Key Access Policies") in May 2020 to make the cash drop procedure clearer and more effective: Each time a cash drawer is balanced, two activities need to be performed: 1) Any$20 bills over 5 should be removed and $50's and $100's should also be dropped; and 2) The bill balance in the drawer should be dropped to $1000 or less. Access Control 4. The Customer Service Manager, after consulting Technology Services Director, needs to move access control for certain key system functionalities to Technology Services Department. Management Response: Concur The recommendation was addressed effective July 31, 2018. Audit Follow Up Finding: Implemented According to Customer Services Division staff, security access controls for key system functionalities were transitioned to Technology Services. However, during this transition, the Customer Service Division discovered that the low frequency of change requests did not provide Technology Services staff the opportunity to fully understand this process. Instead, change requests would go to Technology Services, but Customer Service Division staff had to be involved to show them how to process the request in a test environment. Therefore, the Customer Service Division implemented an SOP "NS (NorthStar) User Security Management" in May 2020, which provides the process of setting up a new user or group and updating or removing an existing user's access to the NorthStar billing system by the Customer Service Division. As per the requirement set in the SOP, change logs, and a system audit report will be submitted to Technology Services for review every quarter. As no real data is available, the auditors reviewed the SOP along with a demo-based sample of validation requests and audit results. Though the recommendation was not implemented in the suggested manner, adequate compensatory controls have been put in place by the Customer Services Division in partnership with Technology Services. Access to Employees' Accounts 5. Customer Service needs to have a formal, written policy for prohibiting employees to access and make changes to their own account. Management Response: Concur The recommendation was addressed effective July 30, 2018, and Standard Operating Procedures are being created. Audit Follow Up Finding: Implemented An Account Access Policy was formally implemented in April 2020,which prohibited employees from modifying their own accounts or access records for personal use. The policy has been signed and acknowledged by the Customer Service Division staff. "Employee NS (NorthStar) Account Audit Lp Setup" and "Employee NS (North Star) Account Audit" SOPS have also been implemented by the The City of Denton Internal Audit Report June 2020 Audit Follow Up of Customer Service Division Audit (December 2018) Customer Service Division to have control over access rights of employees and their families in the billing systems. Based on a review of the audit results available for April 2020, Customer Service staff identified two exceptions which were appropriately recorded and addressed. Interest and Fees on Delinquent Accounts 6. Customer Service needs to comply with the City Code and other legal provisions related to interest and late fees applicable for utility account delinquencies. Management Response: Concur Staff plans to discuss this matter with the City Council during the August 21, 2018 meeting in conjunction with the City's Council's review of the related rate ordinance and seek direction. Audit Follow Up Finding: Implemented The "Utility Billing Adjustment Policy" was implemented to give the Customer Service Division the authority to make adjustments on interest and penalties for delinquent accounts before a lien has been filed. After a lien has been filed, the Customer Service Division can only reduce or waive off the interest. Utility Billing Adjustment Policy was approved by City Council's via ordinance number 18- 1520 in December 2018. Manual Check Processing 7. Customer Service needs to require two employees' presence to retrieve payments from drop box and process payments received in mail as well as drop box. Management Response: Concur The recommendation was addressed effective July 2, 2018. Audit Follow Up Finding: Implemented An SOP ("Profit Star Process") was implemented in November 2018, which requires that drop box payments are collected and counted under dual control and a Drop Box Payment Count Sheet is signed by both employees. Of the twelve Drop Box Payment Count Sheets reviewed, all but two were dully filled and signed. Customer Service Division staff clarified that the two Count Sheets were not signed because no mail was received those days. In the future, staff will record "No Drop Box Item Received" or "No Mail Received" on the Drop Payment Count Sheet to ensure appropriate records are maintained. Policies and Procedures 8. The Customer Service Manager needs to compile a formal policies and procedures manual and make it available to all employees. The policies and procedures should contain: • The authority such as legal requirements, City policy, etc. • Effective and revision dates; • A clear and consistent guide for employees to understand the purpose and method to perform (detailed steps) the assigned tasks, if possible, with examples; • Expectations and performance measurement criteria; • Language that is understandable and accessible by employees; and • Evidence of management's review and approval. The City of Denton Internal Audit Report June 2020 Audit Follow Up of Customer Service Division Audit (December 2018) Management Response: Concur The recommendation was addressed, and a Standard Operating Procedures manual will be in place effective December 1, 2018. Audit Follow Up Finding: Implemented The Customer Service Division has implemented various SOPS under its area of operations under different categories viz. Call Center, Billing, Cash & Lobby, Collection, Reconciliation, Reporting, Administration, and General. The SOPS have a standard format and are clearly understandable. SOPS are in effect and have been posted on the employees' shared network and are accessible to respective division teams for their reference and use. Interdepartmental Cash Deposits 9. Require the Division to forward acknowledgment of the deposit to the relevant department independently of the courier of the deposit. Management Response: Concur The recommendation was addressed effective June 27, 2018. Audit Follow Up Finding: Implemented Customer Service Division implemented an SOP ("Process Interdepartmental Deposits") in September 2018, which prescribes the process for logging and forwarding the acknowledgment of deposits to the relevant department. Of a sample of twelve interdepartmental logs,all were recorded and correctly maintained. 10. Require the departments depositing cash through Customer Service to reconcile the receipted deposits with their records Management Response: Concur The recommendation was addressed effective June 27, 2018. Audit Follow Up Finding: Implemented Customer Service Division issued a memorandum in June 2018, directing other departments to provide a receipt for interdepartmental deposit. This requirement was formally implemented through the adoption of an SOP ("Process Interdepartmental Deposits") in September 2018. Additionally, Customer Service Division staff stated that these receipts are provided in the same manner as payment receipts are provided to public customers. Copies of customer receipts are not kept by Customer Service as it keeps all the logs. Instead, each department is responsible for reconciling and maintaining records of its receipts. PCI Compliance 11. The Division needs to continue working with Technology Services to become fully compliant with Credit Card Data Security Standards. Management Response: Concur The recommendation was addressed, and PCI compliance was achieved on July 26, 2018. Audit Follow Up Finding: Implemented The Customer Service Division, in collaboration with Technology Services, has become Payment Card on 00 Industry(PCI) compliant through a valid PCI Certification which expires on July 19, 2021. The City of Denton Internal Audit Report June 2020 Audit Follow Up of Customer Service Division Audit (December 2018) Timeliness of Referral of Delinquent Accounts 12. Refer delinquent accounts to the collection agency after they have become at least 60 days past due (90 days from the date of invoice). Management Response: Concur Current direction from the City Council is to send delinquent accounts to collection after 120 days from disconnection. Staff will implement whatever change, if any, that the City Council will direct in this process. Audit Follow Up Finding: Implemented The Customer Services Division implemented an SOP("CSII Account Placement") in August 2018.This requires accounts aged 90 days or more with a balance over $25 to be placed with the City's collection agency monthly. (CSII). All accounts placed with the collection agency between February and April 2020 meet the applicable requirements. Collection Agency's Contract Compliance 13. The Customer Service needs to require the collection agency to fully comply with the contract requirements related to insurance. Management Response: Concur City Management worked with Risk Management and the Collection Agency provided the required documents to achieve compliance on August 7, 2018. Audit Follow Up Finding: Implemented The recommendation was implemented and reported to the Internal Audit Department in August 2018. As of April 2020, the terms and conditions of the City's new collection agency contract do not stipulate any insurance requirements for the collection agency.According to the Purchasing Division, the City no longer contractually requires its collection agency to have insurance since they do not perform work on-site. Time to Pay Delinquent Balance 14. Customer Service needs to have a formal policy including establishing necessary authority related to time to pay delinquent balance. Management Response: Concur The recommendation was addressed, and a Standard Operating Procedures manual will be in place effective December 1, 2018. Audit Follow Up Finding: Implemented Customer Service Division implemented an SOP "Setting Up Balance Payment" in November 2018. The SOP provides for authority and guidance for setting up a monthly payment arrangement for customers with a large balance. Ol v The City of Denton Internal Audit Report June 2020 Audit Follow Up of Customer Service Division Audit (December 2018) More Efforts Needed to Collect Large Receivables 15. The City Attorney and Finance Director need to collaborate to pursue collection on the above four accounts and the Verizon account. Management Response: Concur The Finance Director will continue to consult with the City Attorney's Office regarding collection options for these large receivables and follow-up with the Internal Auditor once a collection option is identified. Audit Follow Up Finding: In Progress The City has begun pursuing collection on these accounts. A more detailed progress update on this recommendation will be presented to the City Council at a later date. O v U0