WIXLIB

Performance Audit:Accounts Receivable(Atlanta Fire Rescue Departmentand Department of Parks and Recreation)December 2017City Auditor’s OfficeCity of AtlantaFile #15.05

December 2017CITY OF ATLANTACity Auditor’s OfficeLeslie Ward, City Auditor404.330.6452Why We Did This AuditWe undertook this audit because reconcilingaccounting records to receivables is a key control todetect errors, irregularities, and potential fraud. Webecame aware of revenue systems outside of the city’sOracle Financial system. We focused on systems in useby the departments of Parks and Recreation andAtlanta Fire Rescue because the departments areresponsible for both billing and collecting and weidentified risks during preliminary assessments.What We RecommendedWe recommend the Atlanta Fire Rescue Department: enter transactions into Oracle or work with AIM todevelop a report to provide to finance transfer collection of permit fees finance separate job functions so that no single individualcan issue a permit and adjust an invoiceWe recommend the Department of Finance: manage collection of fire safety permit revenueWe recommend the Department of Parks andRecreation: reconcile attendance with enrollment track attendance manually when systemsoutages occur and enter attendance into thesystem strengthen access controls in ActiveNetWe recommend Atlanta Information Management: change password settings in the Fire SafetyPermit System to comply with citywidepassword policy review user access periodically, confirming withmanagement that access privileges areappropriate establish a process to remove terminated usersfrom the Fire Safety Permit System as theyleave city employmentFor more information regarding this report, please use thecontact link on our website at www.atlaudit.org.Performance Audit:Accounts ReceivableAtlanta Fire Rescue Departmentand Department of Parks andRecreationWhat We FoundThe Atlanta Fire Rescue department didnot report all bills issued for collections tothe chief financial officer, as required bycity code. Consequently, not allreceivables were recorded on the city’sbooks, increasing the potential for error orfraud. As of September 2015, receivablesin the Atlanta Fire & Rescue Departmenttotaled 137,000, with most more than 90days past due.Control weaknesses in the departmentcould affect data accuracy. Twoemployees were jointly responsible forcreating and mailing permits and invoices,collecting payments, and recordingpayments. Fraud risk was increasedbecause the department accepted cashpayments and failed to transfercollections promptly.While the Department of Parks andRecreation reported bills issued forcollections to the chief financial officer,as required by city code, controlweaknesses could affect data accuracy.Participants were allowed to attendprograms for which they were notenrolled. Because enrollment triggers thebilling process, these participants may nothave been billed. As of September 2015,receivables in the Department of Parksand Recreation totaled 334,000, withmost more than 90 days past due.Neither of the billing and collectionsystems used in the parks and firedepartments fully complied with citypassword policy nor had the departmentssystematically reviewed user access.Controlling access to records is a keypreventive control for ensuring dataintegrity.

Management Responses to Audit RecommendationsSummary of Management ResponsesRecommendation #1:Response & ProposedAction:Timeframe:Recommendation #2:Response & ProposedAction:Timeframe:Recommendation #3:Response & ProposedAction:Timeframe:Atlanta Fire Rescue should enter transactions into Oracle or work with AIMto develop a report for Finance.AFR is working with AIM and a consultant to addressautomation, records management, and fiscal reporting.March 31, 2018Atlanta Fire Rescue should stop accepting payments for permits andtransfer this function to Finance.AFR is working with AIM and a consultant to implementaccounts receivable processes based on those used byFinance.Atlanta Fire Rescue should separate the functions of issuing a permit andadjusting the invoice.AFR has discontinued inspectors’ collection of revenue,requires more timely submission and posting of revenue, andis working with AIM to improve software security and controlsover user access.Response & ProposedAction:A Recreation Program Supervisor (RPS) will conduct a monthlyreview of a sample of weekly Rosters against attendancerecords in an effort to ensure all children that are participatingin a program are correctly recorded and billed. In addition, thedepartment’s Management Services Office (MSO) will conductan independent review on a quarterly basis of a sample ofweekly rosters.End of February 2016.Response & ProposedAction:Timeframe:Recommendation #6:Response & ProposedAction:Timeframe:Recommendation #7:AgreeMarch 31, 2018Parks and Recreation should reconcile attendance with rosters.Recommendation #5:AgreeMarch 31, 2018Recommendation #4:Timeframe:AgreeAgreeParks and Recreation should track attendance manually when systemoutages occur.AgreeThe department will track attendance manually when thesystem outages occur using a physical sign-in sheet, and enterany attendance information if the system is restored the sameday.End of January 2016.Parks and Recreation should strengthen password settings to compensatefor system limitations.AgreeSystem Administrators have decreased password failed triesfrom 5 to 3. System Users will also be required to changepasswords every 60 days as opposed to 90 days.Completed.Parks and Recreation should remove known terminated users and developa process to continue doing so going forward.

Response & ProposedAction:Timeframe:Recommendation #8:Response & ProposedAction:Timeframe:Recommendation #9:Response & ProposedAction:Timeframe:Recommendation #10:Response & ProposedAction:Timeframe:Recommendation #11:Response & ProposedAction:Timeframe:AgreeTerminated users who were identified have already beenremoved. The System Administrator will periodically reconcilebetween list of current employees and active system users toremove any individuals that may have been missed by thecurrent control method (See Comments).End of January 2016.Parks and Recreation should periodically review user access and roles toensure that system permissions are appropriate.The department will conduct reviews of user access and roleson a periodic basis to ensure appropriate users have properaccess and roles.End of February 2016.AgreeFinance should take over the collection of fire safety permit revenue.Atlanta Fire & Rescue and DOF-Revenue have been workingcollaboratively since the 1st quarter of 2016 to implement acashiering module through Infor (Hansen) to grant access tothe Department of Finance to accept and post permit paymentsdirectly to the new Hansen cashiering module, which willinterface with Oracle.End of December 2017AgreeAIM should ensure that password settings in the Fire Safety Permit Systemcomply with the citywide password policy.AgreePassword parameters for the Fire Safety Permit System weremodified to satisfy complexity and password reuse prior toDecember 11th, 2015. The same is reviewed biannually toverify compliance.December 2015AIM should periodically review the Fire Safety Permit System to ensureappropriate access privileges and to remove terminated users.As of Q3 2016, application administrator reviews currentaccounts against the biweekly termination list originated fromOracle. Starting Q2 FY17 biannual and quarterly reviews will beconducted for the Fire Safety Permit System to confirmassigned users are currently employed and are assignedaccess commensurate with their duties. Passwordconfiguration will also be checked for compliance.Q3 2016Agree

CITY OF ATLANTALESLIE WARDCity Auditorlward1@atlantaga.govAMANDA NOBLEDeputy City Auditoranoble@atlantaga.govCITY AUDITOR’S OFFICE68 MITCHELL STREET SW, SUITE 12100ATLANTA, GEORGIA 30303-0312http://www.atlaudit.org(404) 330-6452FAX: (404) 658-6077AUDIT COMMITTEEMarion Cameron, CPA, ChairCheryl Allen, PhD, CPADaniel EbersoleDecember 7, 2017Honorable Mayor and Members of the City Council:We undertook this audit of receivables in the departments of Atlanta Fire Rescue andParks and Recreation because the departments were both billing and collecting fees usingrevenue systems that are not interfaced with the city’s Oracle financial system.Reconciling accounting records to receivables is a key control to detect errors,irregularities, and potential fraud. We completed fieldwork on this audit in late 2015, butfailed to release the report due to staff turnover and lack of coordination in solicitingdepartment responses to recommendations. We are releasing it now to facilitate trackingrecommendations. The Department of Parks and Recreation and AIM have implemented allrecommendations addressed to them; Atlanta Fire Rescue and the Department of Financeare on track to complete implementation of recommendations in early 2018.The Audit Committee has reviewed this report and is releasing it in accordance withArticle 2, Chapter 6 of the City Charter. We appreciate the courtesy and cooperation ofcity staff throughout the audit. The team for this project was Michael Schroth andChristopher Armstead.forLeslie WardCity AuditorMarion Cameron, CPAAudit Committee Chair

Accounts ReceivableTable of ContentsIntroduction . 1Background . 1Audit Objectives . 2Scope and Methodology . 3Findings and Analysis . 5Departments Should Strengthen Controls Over Accounts Receivable . 5The Atlanta Fire Rescue Department Should Comply with City Code ReportingRequirements and Strengthen Controls over Billings and Collections . 5Parks and Recreation Should Strengthen Controls over Accounts Receivable . 7Recommendations . 11Appendix: Management Review and Response to Audit Recommendations . 13List of ExhibitsExhibit 1 Selected Invoice Billing Systems for Review . 2Exhibit 2 Age of Outstanding Fiscal Year 2015 Fire Permit Invoices . 6Exhibit 3 ActiveNet Accounts Receivable Aging . 9

IntroductionWe undertook this audit to examine accounts receivable as part ofour 2015 audit plan. Based on our initial review, we decided to focuson billings and collections in the Department of Parks andRecreation and the Atlanta Fire & Rescue Department. Thesedepartments have billing and collection processes and systemsoutside of Oracle, the city’s main financial system. The manualprocesses associated with these outside systems create a potentialfor inaccuracies in account receivables reporting and revenuecollection. The financial statement auditor conducts limited testingaround accounts receivable in these systems.BackgroundAccounts receivable represent money owed by entities or individualsto the city for the sale of products or services on credit. Accountsreceivable are usually due within a relatively short period. At theclose of fiscal year 2015, the city’s general fund had an accountsreceivable balance of 26.3 million.Under city code, all bills for the collection of the city's revenue shallbe made out by the head of the department in which they originate.Money submitted to the Department of Finance by variousdepartments shall be accompanied by a cash report. For citydepartments that collect their own revenue, city code requires that“[t]he head of the department issuing a bill for collections shall onthe same day report the fact to the chief financial officer with thenumber, name and amount of the bill.”We identified 12 systems that city departments use to generateinvoices and process payments, including Oracle, the city’s financialmanagement system. While Oracle interfaces with large applicationssuch as PropWorks and EnQuesta, four of the revenue systems arenot interfaced with Oracle and have not previously been audited(see Exhibit 1). These systems are used by the followingdepartments: The Mayor’s Office of Entertainment/Film uses Film App toprocess permits and track requirements for film productionswithin the city.Accounts Receivable1