New Accounting System

Finding 2013-001: Complete implementation of a comprehensive fully-integrated Enterprise Resource Planning (ERP) system.

The Rhode Island Financial and Accounting Network System (RIFANS) was intended as a comprehensive, integrated ERP system for the State.  

The audit states "while RIFANS is largely effective and reliable for the functionalities that are operational, there is substantial opportunity for further efficiencies to be accomplished through completion of RIFANS."

Specific Areas Where Control Deficiencies Exist

• Federal Grants Management and Cost Allocation
• Segregation of Duties Between Treasury and Accounting Functions
• Accounting Controls over Capital Projects
• Achieving the Efficiencies and Control Benefits of a Fully-Integrated ERP System

Recommendations

• 2013-001a Develop a strategic plan to either continue the installation of Oracle modules necessary to complete and fully realize the benefits of RIFANS as a comprehensive fully-integrated ERP system or meet those ERP system objectives through other means.
• 2013-001b Ensure that the plan developed addresses the control deficiencies identified within the current RIFANS system.
• 2013-001c Ensure that the plan specifically identifies the amount of resources (both State and/or contracted personnel) needed to either a) support a fully-integrated State ERP system

Accounting Controls

Finding 2013-002: Accounting controls over federal revenue and expenditures

The report states Rhode Island "needs to improve controls over recording federal revenue to ensure (1) amounts are consistent with the limitations of grant awards from the federal government and (2) claimed expenditures on federal reports are consistent with amounts recorded in the State’s accounting system." 

Federal revenue within the governmental activities totaled $2.6 billion for fiscal 2013.

Recommendations

• 2013-002a Improve functionality with the RIFANS accounting system to facilitate federal grant administration (grants management, cash management, and cost allocation).
• 2013-002b Build statewide processes over federal grant administration within the newly formed Office of Management and Budget to supplement accounting controls within the RIFANS accounting system.

Lack of Medical Controls

Finding 2013-003: Medical Assistance Program – program oversight and monitoring

The Executive Office of Health and Human Services (EOHHS) is responsible for the administration and oversight of the State’s Medicaid program.

The report states that "The state does not have sufficient personnel dedicated to the consideration and documentation of internal controls, including related monitoring procedures performed to ensure the proper administration of significant program areas."

Significant control deficiencies caused by insufficient personnel resources

• Contracted Program Functions
• Program operations administered by other State departments and agencies
• Long-term Care Facility Audits
• Controls over Recipient and Provider Eligibility
• Surveillance Utilization Review Services (SURS)

Medicaid expenditures reached about $2.1 billion in fiscal year 2013.

Recommendations

• 2013-003a Address personnel resource deficiencies in critical program areas to ensure proper administration of and control over the Medicaid program.
• 2013-003b Consider dedicating additional personnel resources responsible for the consideration, documentation, and monitoring of significant program operations and related controls to ensure compliance with federal and program regulations.

Info Systems Security

Finding 2013-004: Comprehensive Information Systems security policies and procedures

The report states that "The State has still not ensured that all of its critical information systems are compliant with these formalized policies and procedures. Due to the number, type, and complexity of systems within state government, the task is challenging and has not been adequately staffed. Consequently, a risk-based approach should be implemented where those systems deemed most critical or most at risk are prioritized for assessment."

Recommendations

• 2013-004a Complete an initial assessment of compliance with systems security standards for the State’s mission critical systems.
• 2013-004b Consider contracting for the performance of IT security compliance reviews and accumulate and make use of available Service Organization Control reports, whenever available, to extend IT security monitoring of critical systems.
• 2013-004c Prepare a corrective action plan that prioritizes significant system security risks with the goal of achieving compliance of all significant State systems with DoIT’s formalized system security standards.
• 2013-004d Require systems security certification procedures to be performed by DoIT

Inefficient IT Systems

Finding 2013-005: Information Technology Systems - program change controls

Procedural Issues- "Strong change management controls are needed to ensure that standardized methods and procedures are used for efficient handling of all application specific changes and are a required component within formal departmental level IT policies and procedures."

Policy Directives- “programmer managers must ensure any request for application development be documented in writing, tracked, understood and approved prior to putting any new or changes to existing applications into production” and “programming teams must take care to ensure best practices regarding product quality have been utilized prior to putting any new (or changes to existing) systems into production”

Enterprise-Wide- "A proper change management process should be in place to ensure that authorized, tested and accepted changes be implemented in a timely and efficient manner. The process should be a standardized, repeatable process that documents all movement of code, changes made, testing, acceptance, and implementation and provides management with a tracking history."

Operational Issues- "DoIT should implement a standardized formal enterprise program change control process for the application systems it supports. The program change process should provide a comprehensive, standard method and process-to-process application system changes throughout the enterprise. To assist this process, DoIT should evaluate enterprise software solutions to complement their program change process. The evaluation process should determine the appropriate combination of operational, procedural and/or technical adjustments required to use the package in a manner that results in adequate and repeatable program change control across the entire enterprise."

Recommendations

• 2013-005a Reassess the use of a standard software package to determine the appropriate combination of operational, procedural and/or technical adjustments required to use the package in a manner that results in adequate program change control for the entire enterprise.
• 2013-005b Design, develop, formalize and implement procedural guidance manuals detailing specific requirements for program change control and disseminate and train DoIT support staff in its proper execution.

RIFANS Access Privileges

Finding 2013-006: Monitoring RIFANS access privileges and agency approval hierarchies

3 distinct but interrelated areas where the State can improve its monitoring of RIFANS access privileges

• RIFANS “Super Users”
• Agency Hierarchies
• RIFANS Delegated Authority

Recommendations

• 2013-006a Review activities of privileged users (system administrators) on a scheduled basis to ensure that additions, modifications, and deletions initiated by them are appropriate.
• 2013-006b Improve controls over RIFANS access by developing the reporting functionality necessary to allow for periodic monitoring of user access for instances of unauthorized changes to user access and/or noncompliance with policies relating to delegated user access.

Unprotected Tax Payments

Finding 2013-007: Department of Revenue – controls over electronic transmission of tax payments and other information

About 92% of the State's tax revenue is received electronically.

The files reside in an unprotected network folder prior to and after upload.

These electronic files should be in a file format that is secure and configured to facilitate an efficient upload to Taxation’s systems without need for manual intervention.

"Electronic data received by Taxation should be encrypted and then be uploaded to Taxation’s systems through automated processes which do not require manual intervention or present an opportunity for manipulation. If changes are required to data files, tracking of the specific changes and the individual performing the changes should be controlled and documented."

Recommendations

• 2013-007a Perform a “data classification” review consistent with DoIT policy to ensure the proper level of data protection (e.g. encryption) is in place.
• 2013-007b Secure all electronic files containing taxpayer information residing on the Division of Taxation’s network to ensure data integrity.
• 2013-007c Control all electronic files that contain taxpayer information by requiring the file format to be secure and configured to the computer system in order to allow automatic transmission without any manual intervention.
• 2013-007d Develop monitoring and reporting procedures to ensure the proper upload of data files.

State Tax Forms Backlog

Finding 2013-008: Department of Revenue – personal income tax administration

There has been a significant backlog in posting/processing W-3 reconciliation returns.

Recommendation

• 2013-008a Process W-3 reconciliation returns timely to identify any underpayment of employer withholding taxes.

The lack of a "Management Refund Report" when a taxpayer elects to apply the refund to next year’s tax liability rather than request a refund could result in an unidentified overstatement of the refund/carry-forward amount.

Recommendation

• 2013-008b Include refund carry-forward returns within the management refund review control procedures.

Tax Receipts to RIFANS

Finding 2013-009: Department of Revenue – reconciliation of taxation receipts to RIFANS

"Controls would be improved if receipts reported within the mainframe system were reconciled to RIFANS."

Recommendation

• 2013-009 Develop the reporting capability to facilitate reconciliation of receipts reported by Taxation’s systems with RIFANS.

Income Tax- Confidential

Finding 2013-010: Department of Revenue – personal income tax - confidential communication

A finding concerning the administration of the personal income tax system was communicated confidentially due to the potential impact on taxpayer compliance.

IT- Confidential

Finding 2013-011: Department of Revenue – Information Technology governance and security - confidential communication

A finding concerning the IT governance and security of the Division of Taxation’s information systems was communicated confidentially due to the potential impact on taxpayer compliance.

DOT Doubles the Trouble

Finding 2013-012: Financial Reporting – intermodal surface transportation fund – use of RI Department of Transportation FMS and RIFANS accounting systems

"Recording transactions in two accounting systems is inherently duplicative, this would be less problematic if the configuration and accounting conventions were the same."

An analysis should be performed to determine whether continued use of the two accounting systems in the current configuration is the best way to accomplish financial reporting for the IST Fund.

Recommendations

• 2013-012a Reevaluate the continued operation of two separate accounting systems to support financial reporting for the IST Fund. Establish short and long-term goals to ensure reliable information is available to support timely financial reporting.
• 2013-012b Ensure the reconciliation process includes the reconciliation of fund balance. At a minimum, modify the reconciliation report or process so the department can accurately identify any variances that exist in the two accounting systems.

IST Fund Reporting

Finding 2013-013: Intermodal Surface Transportation Fund - Financial Reporting

"Controls can be improved over the preparation of financial statements to ensure consistent and accurate reporting of fund activity in accordance with generally accepted accounting principles"

Recommendations

• 2013-013a Strengthen control procedures over financial reporting to ensure accurate identification of accounts payable, amounts due from the federal government, and classification of fund balance categories.
• 2013-013b Improve controls over the Accounts Payable journal entry process by documenting the policies and procedures for estimating and recording the pollution remediation liability at year-end and maintaining documentation supporting the liability.
• 2013-013c Improve controls over financial reporting by updating the RIFANS hierarchy to include RIDOT in all journals posted to the IST Fund and lower the dollar threshold requiring journal entries to be reviewed and approved to an amount that could not materially misstate the financial statements. Ensure RIFANS is requiring review and approval of journal entries in accordance with established hierarchies.
• 2013-013d Improve controls over operating transfers by modifying the Oracle financial statement generator to net the operating transfers between the RIFANS funds reported in the IST fund for financial statement purposes.
• 2013-013e Improve controls over financial reporting by documenting the department’s policies, procedures and controls over the Mission 360 loan program.
• 2013-013f Analyze each activity and/or funding source within the IST Fund to ensure activity is accurately recorded and to improve controls over the categorization and reporting of fund balance components. Perform the analysis periodically throughout the fiscal year.

Infrastructure Errors

Finding 2013-014: Transportation Infrastructure Reporting

"Controls should be improved over the process used to accumulate reported transportation infrastructure amounts to ensure accurate reporting of such investments."

"We noted misstatements relating to the infrastructure balances initially reported for fiscal 2013."

"We also determined that RIDOT had not included internal payroll costs related to construction projects as infrastructure costs since fiscal year 2006."

Recommendations

• 2013-014a Develop controls over the identification of project expenditures (to include construction costs, design costs, internal payroll, subtotaling of project expenditures, categorization of projects and reconciling between RIDOT FMS and RIFANS) to be recorded as infrastructure investment in the State’s financial statements.
• 2013-014b Improve controls and the methodology for determining when infrastructure assets are placed in service.
• 2013-014c Explore ways that capitalized infrastructure outlays could be accumulated through an automated systems approach rather than the inefficient and error-prone spreadsheet approach currently used.
• 2013-014d Develop and document controls, policies and procedures to ensure inclusion of internal construction payroll costs in infrastructure investment in the State’s financial statements.
• 2013-014e Evaluate and document the consideration of whether any of the State’s transportation infrastructure has been impaired consistent with the criteria outlined in generally accepted accounting principles applicable to governmental entities.

Data Integrity Issues

Finding 2013-015: Intermodal Surface Transportation – controls over key data files

"Controls should be enhanced to ensure that data integrity is maintained over key data files used to process vendor payments and to draw federal funds for the IST Fund."

"RIDOT should improve its controls and processes over the FMS and the drawdown file to ensure accuracy and completeness of data transmitted to the FMIS."

Recommendations

• 2013-015a Review the progress payment file transfer process to identify critical points where automated controls could be implemented to eliminate the need for manual intervention.
• 2013-015b Create and implement appropriate approval hierarchies. Automatically identify RIFANS/FMS payment discrepancies for review.
• 2013-015c Improve controls over the RIDOT federal billing process to include transferring files without modification.
• 2013-015d Modify the Financial Management System to allow for multiple funding source award numbers (FSAN) to be linked to one Federal Aid Project.

Employment Security Fund

Finding 2013-016: Employment Security Fund - program change control process within the Department of Labor and Training

There is no automated control system that can be queried to report pertinent information regarding changes made to the various DLT applications.

"An automated system could improve controls over the change management process by providing:
• Change request initiation, documentation, authorization, and acceptance status;
• Tracking of change request status and authorizations;
• Approvals required for change package;
• Program check-in/check-out information;
• Release management information;
• Program documentation;
• Program change history;
• Audit trails/standard audit reports;
• Emergency change process; and
• Review and acceptance of test results."

"DLT’s lack of an automated system to control, track, and report on all application program changes made by the DLT programming staff is a control weakness in financial reporting for the Employment Security Fund."

Recommendation

• 2013-016 Implement an automated program change management process over DLT computer applications. Coordinate with DoIT to implement the approved and supported State Enterprise Change Management solution.

Investment Accounting

Finding 2013-017: Employees’ Retirement System - investment accounting

The Employees’ Retirement System’s (System’s) investments are held by an independent custodian who also maintains all the accounting records related to those investments including the reporting of investment income and expenses.

"We observed that the review and reconciliation of such information to the custodian’s records could be improved with the goal, among others, of providing enhanced documentation for financial reporting purposes."

Recommendations

• 2013-017a Enhance the understanding and monitoring of the accounting and reporting activities performed by the System’s investment custodian.
• 2013-017b Enhance controls over financial reporting by better integrating responsibility for the investment cycle with all other System activities.