The URL can be used to link to this page

1. Audit of Customer Service Division ABSTRACT Controls over $268 Million resources were generally adequate, but improvements were needed. This audit helped ►' administration to make the needed improvements. Umesh Dalal, City Auditor AUDIT OF CUSTOMER SERVICE DIVISION DENTON The City of Denton Internal Audit Report Audit of Customer Service Division December 201S Table of Contents Description Page Executive Summary 2 What Works Well? 3 Opportunities for Improvement Safeguarding of cash 4 Access Control 5 Access to Employee's Accounts 6 Interest and Fees on Delinquent Accounts 7 Manual Check Processing 8 Policies and Procedures 9 Interdepartmental Cash Deposits 10 PCI Compliance 11 Timeliness of Referral of Delinquent Accounts 12 Large Receivable needs follow-up 13 Collection Agency's Contract Compliance 14 Time to Pay Delinquent Balance 15 v The City of Denton Internal Audit Report Audit of Customer Service Division December 201S Executive Summary Honorable Mayor and members of the City Council, The City auditor's office has completed an audit of the Customer Service Division. This operation collects approximately$268 million in City's revenues and bills customers for all City utilities. The objective of the audit was to verify internal controls over City resources and billing procedures, and evaluate efficiencies in the Division's processes. The following are the salient findings of the audit: • Overall, the Division had good operation to effectively process the revenues billed, accounted and collected. The staff was receptive and prompt in addressing discrepancies identified by this audit. The staff must be commended for their diligence. • Value contributed by the audit: o The controls over$32 million in cash and checks were improved due to implementation of better procedures for accessing cash and processing revenues. o The computer access controls were strengthened due to segregation of duties. This change improved controls over the entire $268 million annual collection by the Division. o Formal policies and procedures will be developed that will document processes already working well. This documentation is necessary for consistent and ongoing compliance with management direction. o Compliance with credit card industry requirements was achieved,which was in progress at the beginning of the audit. o Recommendations will improve efficiencies in collection of closed, delinquent accounts by timely referring them to the collection agency. This change will improve efficiency in collection function and free up staff time currently committed to collection. o The audit identified more than $1.4 million owed by five accounts that needed follow-up. Recommendation was made to pursue collection on these accounts, which may result in the City receiving large amount of revenue. The attached detailed report includes additional information. The City Auditor's Office appreciates cooperation of the Division and Technology Services staff. This audit made 14 recommendations. The Division has concurred with all of them. Implementation of 11 recommendations is already completed. Two of the remaining recommendations will be implemented upon the City Council's guidance and approval. The implementation of one recommendation was in progress at the time of issuance of this report. Management responses are included after each set of recommendations. If you have any questions or comments, please contact me at(940) 349-8158 or at umesh.dalal@cityofdenton.com. N v ao Umesh Dalal, City Auditor a The City of Denton Internal Audit Report Audit of Customer Service Division December 201S Introduction The City Auditor's Office has completed an audit of the Customer Service Division of the Finance Department. The objectives of the audit were to evaluate internal controls in the Division's procedures. The audit was conducted in accordance with the Generally Accepted Government Auditing Standards promulgated by the Comptroller General of the United States. Those Standards require that the auditors plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for their findings and conclusions based on the audit objectives. The auditors believe that the evidence obtained during this audit provides a reasonable basis for their findings and conclusions based on the audit objectives. Management Responsibility The City management is responsible for ensuring resources are managed properly and used in compliance with laws and regulations; programs are achieving their objectives; and services are being provided efficiently, effectively, and economically. What Works Well? Overall the controls over billing, recording, and collection of revenues are working well. The auditors found that Division's staff was knowledgeable and had good understanding of the processes they were responsible for handling. They were receptive and willing to make improvements in controls where needed.The auditors found the following: • Current Bank reconciliation process had sound controls. The available procedural guidance was complied with by the Division staff. Accordingly, the reconciliations were up to date and were independently reviewed by another employee for accuracy. All outstanding matters were followed-up in a timely manner. • Billing process is well organized and timely. • Billing rates for electric and water utilities in NorthStar computer system comply with the City Council's approved rates. This means, these customers are billed appropriately using correct rates. In addition, penalties and other fees applicable for late payments were assessed and collected appropriately in accordance with the City policies and City ordinances. • End-of-the-day process was working well and had proper controls. • Duties of Cashiering and Collection personnel were properly segregated and well controlled to prevent the risk of misappropriation. • Cash was received and banked regularly. No errors or other discrepancies were found. • Access controls to the NorthStar system were properly configured. However, further C`n improvements were needed in this area as discussed subsequently in this report. The City of Denton Internal Audit Report Audit of Customer Service Division December 201S • The City has proper fidelity insurance to cover risk of losses that can result from: o Employee Dishonesty, o Forgery or Alteration, and o Computer Fraud. Opportunities for Improvement: Safeguarding of Cash The Division Manager took prompt action to enhance controls and improving security of cash. Annually,the Division receives over$8 million (3%of$268 million) in currency. Safeguarding of this cash is critical. Accepted best practices require limiting access to cash to one or two employees. This requirement helps identify responsible individual in the event cash is missing. What we found? Why does it matter? • At Customer Service, the cash is stored in Due to these conditions, in the event cash is safes kept in the vault.The keys to the vault missing from any of the three storage safes, were hung on the wall in front of the vault the employee responsible for the loss will not allowing easy access to anyone who had be identified easily. The City has a security access to the lobby area. Fidelity/Crime policy that will cover a loss • The vault door was kept open during resulting from theft or employee dishonesty. business hours. However, if it is demonstrated that the City did not follow reasonable security • The small safe was also kept open to procedures, the insurance company may facilitate change transactions for cashiers. dispute the claim. • The large safe contained a portable metal The audit did not find any incident where cash box in which cash is stored for other was missing. However, additional controls are departments waiting for transportation to necessary to prevent the possibility of a bank. Internal deposits received from other future incident of cash loss. departments were stored in a basket next to the metal box awaiting pick-up by the armored truck for transportation to the bank. The safe was kept open during business hours. • The vault had another drop safe in which the cashiers periodically dropped cash for safekeeping. A record is created with two v The City of Denton Internal Audit Report Audit of Customer Service Division December 201S cash tapes that are ran during the drop of the deposit. • The keys to the drop safe were hung on the wall within the vault, accessible by all Customer Service employees in lobby area who had access to the vault. • Clearly written policy and procedure for access to safes and keys were not available. Recommendations (High Priority): 1. Assign duties of accessing cash to one employee to be the primary custodian of keys. Assign an alternate or backup custodian for periods of the primary custodian's absence. 2. Keep all the safes and vault locked. 3. Require the cashiers to keep a record of cash dropped in the safe. City management Response: All aforementioned recommendations were addressed effective June 27, 2018. Access Controls System access controls need to be improved to avoid risk of abuses. The auditors reviewed security tables for the NorthStar computer system used by the Division for billing and collection purposes. The security appeared to be properly configured and access was properly controlled for the employee processing cash, having ability to update records and reconciling books. What we found? Why does it matter? The Systems and Operations Administrator had The Division is a very large cash operation. an "Administrator or super user" level access Having ability to change access levels in an and is responsible for allowing and managing operations where a relatively small number of Division employees' access to NorthStar employees work, could lead to a possibility of computer system. She had the ability to collusion. This could be a significant risk that perform all the functions in the system without can be easily avoided by segregating access other employee's involvement. This is an controls for certain key system functionalities acceptable practice provided the Administrator to Technology Services Department. did not have access to cash. However, due to relatively weak controls over safeguarding of It should be noted that the auditors did not observe any indication of actual collusion a The City of Denton Internal Audit Report Audit of Customer Service Division December 201S cash,this situation may represent a weakness in occurring. The control measures are internal controls. necessary for avoiding potential for such occurrence. The System and Operations Administrator indicated that when a Customer Service staff member approaches her to enhance their access, she questions them about the need. If she is satisfied, she uses her discretion to grant additional access. Occasionally, she would consult with the supervisor of the employee requesting additional access about the enhancement. The auditor observed that the Systems and Operations Administrator changed some of the employees'access privileges without consulting any superiors as the access was not necessary forthose employees to perform their respective job duties. This would indicate that the employee access levels are not reviewed periodically for appropriateness. Recommendation (High Priority): 4. The Customer Service Manager, after consulting Technology Services Director, needs to move access control for certain key system functionalities to Technology Services Department. City management response: The aforementioned recommendation was addressed effective July 31, 2018. Access to Employees' Accounts Some Customer Service employees have ability to access their own account. What we found? Why does it matter? The Customer Service employees living in The ability of an employee to access and make Denton have utility accounts with the City. changes to their own account represents a According to the Division personnel, 21 conflict. There is a potential for abuse of this Customer Service employees lived in Denton situation. and have ability to access and make changes to their own account. From the available records, v it appears that at least three employees The City of Denton Internal Audit Report Audit of Customer Service Division December 201S accessed their own account and made changes. However, these changes did not represent any act of misconduct. Recommendation: 5. Customer Service needs to have a formal, written policy for prohibiting employees to access and make changes to their own account. City management response: The aforementioned recommendation was addressed effective July 30, 2018, and Standard Operating Procedure are being created. Interest and Fees on Delinquent Account Interest and fees on delinquent accounts were waived without appropriate authority. According to the City Attorney's Office the Denton City Code Section 26-6 (k) addresses interest charges on past due accounts. It states, "Interest shall be assessed on any past due account balance (excluding late payment charges) that remains unpaid prior to the current month's billing calculation. Interest shall be assessed based on the customer's monthly billing schedule and the due date of the customer's past due bill. The interest charge shall be due and payable on the due date of the current month's billing. The interest charge will be established by the city council and on file in the office of the city secretary." Currently, Ordinance No. 18-332 sets the interest rate on past due account balances at 1%per month on all past due charges and account balances unpaid at the time of the current month's billing calculation. What we found? Why does it matter? • A customer owed $55,809.74 for unpaid According to the City Attorney, "Waiving fees utility bills, accrued interest and late or reducing fees owed constitutes an illegal payment fees. A municipal lien was filed gifting of public funds that violates the Texas against the property to which this account Constitution, specifically Article III, Section belonged for the balance due. The lien was 52. Unless the Legislature has adopted a law released after payment was made for the authorizing it, we cannot waive or reduce principal amount on the utility bills and the fees. In fact, Section 26-12(f) below prohibits Customer Service representative waived the City Manager from releasing a municipal interest in an amount of $26,038.56 and utility lien unless all delinquent charges, late fees of$2,610. penalties, interest and collection costs have been fully paid. If the City Manager is • Customer Service do not assess interest on prohibited from doing this at this stage, it delinquent accounts after they have issued stands to reason that he likewise cannot a final bill on an account. waive or reduce fees prior to imposing a municipal utility lien." v The City of Denton Internal Audit Report Audit of Customer Service Division December 2O1S Accordingly, the City employees do not have an authority to waive either interest or late fees on any account. In addition, the Customer Service does not appear to have authority to stop charging interest on delinquent account until the balance owed on the account is paid. Recommendation: 6. Customer Service needs to comply with the City Code and other legal provisions related to interest and late fees applicable for utility account delinquencies. City management response: Staff plans to discuss this matter with the City Council during the August 21, 2018 meeting in conjunction with the City's Council's review of the related rate ordinance and seek direction. Manual Check Processing: Controls over the processing of collection through mail and drop box need improvement. The auditor observed processing of checks received through mail and those deposited in the drop box located on the premises. The auditor's observations and inquires indicated the following: What we found? Why does it matter? Customer service receives about 6% or about Checks retrieved from drop box by an $16 million revenue through mail and drop box employee is vulnerable to abuse. Processing a located at the Customer Service.The collection, significant amount of checks by an mainly in the form of checks or cashier's checks, unsupervised, single employee also presents are retrieved from drop box by a single the same threat. The actual processing of employee. In addition, checks received in mail checks by this employee is recorded using a and drop box are delivered to an employee, camera. However, unless someone is who processes the checks without any witness. watching the tapes periodically, it does not represent a good control. If a customer This employee is also responsible for complains about not getting credit for supervising other cashiers and making payment made, the employee processing correcting entries if a payment posting error is these payments has the ability to make found on a customer's account. A complete adjustments to the customer's account. In record of all complaints received from this situation, any misuse of city resources customers is not easily retrievable. may not be detected in a timely manner. 00 v UO The City of Denton Internal Audit Report Audit of Customer Service Division December 2O1S Recommendation: 7. Customer Service needs to require two employees' presence to retrieve payments from drop box and process payments received in mail as well as drop box. City management response: The aforementioned recommendation was addressed effective July 2, 2018. Policies and Procedures An opportunity for improving the Customer Service Division's policies and procedures exists. What we found? Why does it matter? The auditors found the available guidance to be Without properly understanding the purpose desk procedures that provided detailed steps and importance of conducting a task, for performing tasks assigned. However, not all employees'work could become monotonous. procedures provided explanation of purpose of This may also deter meaningful employee performing the relevant tasks. contribution in improving City processes. Also, it is important for employees to have Also, the available procedures did not provide knowledge of management expectations on employees with a clear guidance about the which their work is going to be evaluated. relevant policies and did not have date of issuance or revisions. In this event, employees Currently, it may be difficult to detect if the may not know if the procedures available to current procedures adhere to the relevant them are outdated. City policies. Lack of knowledge of performance expectations may impact The procedures did not have any evidence of employee performance. management review or approval. In addition, the available desk procedures did not have performance expectations. The Customer Service Manager stated that the Division has had plans to compile a formal policies and procedures manual, which she shared with the auditors. However, the Division has yet to compile the manual. Recommendation (High Priority): 8. The Customer Service Manager needs to compile a formal policies and procedures manual and make it available to all employees. The policies and procedures should contain: • The authority such as legal requirements, City policy, etc. C) U The City of Denton Internal Audit Report Audit of Customer Service Division December 201S • Effective and revision dates; • A clear and consistent guide for employees to understand the purpose and method to perform (detailed steps) the assigned tasks, if possible, with examples; • Expectations and performance measurement criteria; • Language that is understandable and accessible by employees; and • Evidence of management's review and approval. City management response: The aforementioned recommendation was addressed and a Standard Operating Procedures manual will be in place effective December 1, 2018. Interdepartmental Cash Deposits Better assurance of delivery of cash deposits to Division is needed. Customer Service has a contract with an armored car company for delivering cash to bank. In order to minimize charges, several departments deliver cash collected by them to Customer Service in sealed envelopes. What we found? Why does it matter? Currently, 41 business units are utilizing the There is a potential for abuse in this interdepartmental deposit service. In FY 17-18, situation. In the event the cash is not the Division received approximately $18 million deposited in the banks account, it will be in deposits from these departments. Therefore, difficult to assign the responsibility for a loss having better controls on these deposits is to a single individual. essential. The Division's procedures require the Cash Operations Specialist to inspect the bag for proper seal and acknowledge the receipt on a specific form. However,this acknowledgement is not given to the department. Therefore, the department delivering the deposit does not have assurance of Division's receiving the deposit until after about three days if they verify the bank statement for deposit. The errors in deposits will be detected only if the departments have good reconciliation processes. Recommendations: 9. Require the Division to forward acknowledgement of the deposit to the relevant department 0 independently of the courier of the deposit. v The City of Denton Internal Audit Report Audit of Customer Service Division December 2O1S 10. Require the departments depositing cash through Customer Service to reconcile the receipted deposits with their records. City management response: The aforementioned recommendations were addressed effective June 27, 2018. PCI Compliance: The City has been diligent but needs to make additional efforts to become fully compliant with data security standards related to credit card payments. Every entity storing, processing, or transmitting credit cardholders' information are required to follow Payment Card Industry Data Security Standards, more commonly known as PCI compliance requirements. These requirements are established to protect the cardholders' information from abuse. Based on the level of credit card transactions activity, the City is required to conduct self- assessment to verify existence of information security infrastructure and procedures. What we found? Why does it matter? The Division accepts credit cards payments The penalties for noncompliance are for utility charges and is a merchant for the significant.The bank processing transaction purposes of the above requirements. can be fined up to $5,000 to $100,000 per The Division and Technology Services are month, which the bank will pass through to aware of the risks and have been working to the merchant. In addition, a merchant can become PCI compliant. Technology Services lose the privilege of accepting card personnel have rectified all of the payment. This is an intolerable risk. discrepancies identified during their assessment, except one. Technology Services is working on rectifying this discrepancy. Based on the information obtained, it appears that the Technology Services has processes in place to address the above risk. Recommendation (High Priority): 11. The Division needs to continue working with Technology Services to become fully compliant with Credit Card Data Security Standards. City management response: The aforementioned recommendation was addressed and PCI compliance was achieved on July 26, 2018. rl v The City of Denton Internal Audit Report Audit of Customer Service Division December 2O1S Timeliness of Referral of Delinquent Accounts to Collection Agency Timely referral of delinquencies for collection may improve collection efficiencies. The City uses a collection agency to collect its delinquent accounts. Generally, the Customer Service procedures require referral of delinquencies to the collection agency after the account is turned off soon after 44"day of it first becoming delinquent. Therefore,the accounts referred to the collection agency most likely belong to former residents of the City. The collection agencies charge 15% and 18% of the amount collected depending on whether the delinquent accounts were under or over 120 days past due. The auditors observed: What we found? Why does it matter? • The Division performs debt collection in- An analysis of the collection agency efforts house averaging for 160 days of an account revealed that they are successful in becoming past due. Subsequently, collecting more recent delinquencies. delinquencies are turned over to the Therefore, referring past due accounts to collection agency. them sooner may result in additional • The delinquent accounts included about collection. In this situation, the City will pay $83,000 belonging to drainage accounts. lower fees only on the amount collected. These accounts are incurring recurring charges but the City is not receiving payment. The City does not have any leverage to compel these accountholders to pay. In this event, efforts made in collecting these accounts could be wasting City resources. • An analysis of all payments received on closed accounts during the first nine months in FY 18 indicated that 70% of the payments were received within 30 to 60 days after the accounts becoming delinquent. The collection effectiveness significantly drops subsequently as depicted below: N v a The City of Denton Internal Audit Report Audit of Customer Service Division December 2O1S Collection on Closed Accounts Delinquency 150000 1 70% Amount 100000 0.5 50000 L129%1. 7% 11% 0 0 30-60 days 60-90 days 90-120 days 120+days Dedicating internal staff resources does not appear to be cost effective for this purpose. Referring these accounts to the collection agency sooner may free up staff time to focus on other Customer Service functions. Please note that the recommendation mostly impacts former City residents. Recommendation: 12. Refer delinquent accounts to the collection agency after they have become at least 60 days past due (90 days from the date of invoice). City management response: Current direction from the City Council is to send delinquent accounts to collection after 120 days from disconnection. Staff will implement whatever change, if any, that the City Council will direct in this process. More Efforts Needed to Collect Large Receivables The auditors noticed that four accounts totaling$452,120 were not being pursued by the Customer Service. The auditors were informed that they have sought the City Attorney's help in pursuing these accounts. These accounts are depicted in the following table: Name Total Company 1 $ 206,299 Company 2 $ 187,639 Company $ 34,132 Company 4 $ 24,050 Total $ 452,120 Company 1 acquired the City of Denton Account from an additional Company 5. The Auditors M noticed that Company 5 owed $977,446 to the City. This amount is written off in the City's financial records. The two companies owed this amount for the charges related to The City of Denton Internal Audit Report Audit of Customer Service Division December 201S attachment of their cables to the poles belonging to the City. Federal regulations determine a minimum charge payable to the City for providing this service. However, the City has not been paid for a total receivable of approximately$1.2 million on this account. During a meeting with Finance and City Attorney's personnel, it was determined that there may have been a dispute related to the amount owed by this company to the City. The first Assistant City Attorney agreed to follow upon this issue. Similar issues exist on the remaining accounts. Recommendation: 15.The City Attorney and Finance Director need to collaborate to pursue collection on the above four accounts and the Company 5 account. City management response: The Finance Director will continue to consult with the City Attorney's Office regarding collection options for these large receivables and follow-up with the Internal Auditor once a collection option is identified. Collection Agency's Contract Compliance Collection agency did not fully comply with their contractual obligation related to insurance requirement. What we found? Why does it matter? The contract with the collection agency required This observation indicates that the vendor performance and insurance requirements. has not fully complied with contractual Evaluating the collection agency's performance requirements. The City's risk may not be was beyond the scope of this audit. covered adequately due to lack of adequate The contract required the following insurance insurance coverage. coverage: • General liability insurance with combined single limit of not less than $1 million. • Commercial automobile liability insurance with combined single limit of not less than$5 million. • Workers compensation insurance which, in addition to meeting the minimum statutory requirements for issuance of such insurance, has Employer's Liability limits of at least $100,000 for each accident, $100,000 per a The City of Denton Internal Audit Report Audit of Customer Service Division December 2O1S each employee, and a $500,000 policy limit for occupational disease. • Professional liability insurance with limits not less than $2,000,000 annual aggregate with respect to negligent acts, errors or omissions in connection with professional services is required under this Agreement. • Coverage for the theft or disappearance of cash or checks, robbery inside/outside the premises, burglary of the premises, and employee fidelity. The employee fidelity portion of this coverage should be written on a "blanket" basis to cover all employees, including new hires. The City Auditor sought the City's Risk Manager's expertise for evaluating the insurance certificate submitted by the collection agency. The Risk Manager opined as follows: • No evidence of workers' compensation was provided; and • No evidence of Commercial Crime/Employee Dishonesty was provided. Recommendation: 13. The Customer Service needs to require the collection agency to fully comply with the contract requirements related to insurance. City management response: City Management worked with Risk Management and the Collection Agency provided the required documents to achieve compliance on August 7, 2018. Time to Pay Delinquent Balance: Customer service staff allows customers more time to pay exceeding the Division's policy. The auditor was informed by the Revenue Assurance Supervisor that the Division has a policy to allow up to six months for customers to pay their delinquent balance. L11 rl v The City of Denton Internal Audit Report Audit of Customer Service Division December 201S What we found? Why does it matter? The auditor found that call center Granting additional time to pay may be representatives and the Internal Credit and beneficial for collection activity. However, Collections Specialist routinely allowed time such action must be reviewed and exceeding six months to pay past due accounts. authorized by appropriate supervisory Nine of the 21 selected payment arrangements personnel prior to granting it. Allowing (43%) confirmed this information. The Customer employees to exceed established policies Service Manager informed the auditors that a could be abused. total of 77 accounts for FY 2016-17 were allowed time to pay exceeding three months for the reasons that include assisting customers going through challenging situations. The records did not indicate authorization of this action by superiors of the employees. Recommendation: 14. Customer Service needs to have a formal policy including establishing necessary authority related to time to pay delinquent balance. City management response: The aforementioned recommendation was addressed and a Standard Operating Procedures manual will be in place effective December 1, 2018. lD v