Audit Report

Department of Budget and Management Central Collection Unit

March 2006

OFFICE OF LEGISLATIVE AUDITS

DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND GENERAL ASSEMBLY

• This report and any related follow-up correspondence are available to the public through the Office of Legislative Audits at 301 West Preston Street, Room 1202, Baltimore, Maryland 21201. The Office may be contacted by telephone at 410-946-5900, 301-970-5900, or 1-877-486-9964.

• Electronic copies of our audit reports can be viewed or downloaded from our website at http://www.ola.state.md.us.

• Alternate formats may be requested through the Maryland Relay Service at 1-800-735-2258.

• The Department of Legislative Services – Office of the Executive Director, 90 State Circle, Annapolis, Maryland 21401 can also assist you in obtaining copies of our reports and related correspondence. The Department may be contacted by telephone at 410-946-5400 or 301-970-5400.

March 13, 2006

Senator Nathaniel J. McFadden, Co-Chair, Joint Audit Committee
Delegate Charles E. Barkley, Co-Chair, Joint Audit Committee
Members of Joint Audit Committee
Annapolis, Maryland

Ladies and Gentlemen:

We have audited the Department of Budget and Management – Central Collection Unit (CCU) for the period beginning April 9, 2002 and ending June 30, 2005.

Our audit disclosed that accountability and control over collections was not sufficient at the two CCU locations we examined which received $16.4 million of the $25.5 million cash collected by CCU during fiscal year 2005. Our audit also disclosed that CCU did not have a systematic policy or procedures for monitoring, investigating, and resolving collection discrepancies such as deposit shortages. In this regard, CCU experienced several collection and deposit discrepancies during our audit period.

Our audit also disclosed that certain collection procedures, such as wage garnishments were not always pursued in a timely manner, and that certain debtor accounts were excluded from the automated tax refund intercept program for extended periods without documented explanation or timely follow-up.

In addition, CCU needs to take steps to better monitor the private collection agency it uses to help collect particularly difficult accounts. For example, on-site reviews of the agency’s records (which are permitted by the contract) were not conducted periodically to ensure that the agency had initiated all required collection efforts on referred accounts.

Ensuring debt collection efforts are consistently applied and establishing adequate controls over collections is particularly important for CCU since its collections from all sources (for example, lockbox receipts) totaled over $100 million in fiscal year 2005. As of June 30, 2005, outstanding debts which have been referred to CCU are approximately $922 million.

Control deficiencies were also noted with regard to accounts receivable adjustments, information systems security, and disbursements.

Respectfully submitted,

Bruce A. Myers, CPA
Legislative Auditor

Table of Contents

Executive Summary

Background Information
  Agency Responsibilities
  Current Status of Findings From Preceding Audit Report

Findings and Recommendations

  Collections
  * Finding 1 – Accountability and Control Were Not Sufficient For Collections at Two Locations Reviewed
  Finding 2 – CCU Lacked a Policy and Procedures for Monitoring Adjustments Made by the Bank to Its Deposits
  Finding 3 – Certain Critical Reconciliations Were Not Performed

  Debt Collection Efforts
  * Finding 4 – Certain Debt Collection Tools, Such as Wage Garnishments, Were Not Pursued In a Timely Manner
  Finding 5 – Debtor Accounts Were Sometimes Excluded From Automated Collection Procedures Without Adequate Documentation or Follow-up

  Private Collection Agency
  Finding 6 – CCU Did Not Adequately Monitor the Private Collection Agency It Used

  Account Adjustments
  Finding 7 – Requests From State Agencies to Adjust Debtor Accounts Often Lacked Adequate Supporting Documentation

  Information Systems Security and Control
  Finding 8 – The Collections Server Was Subject to Improper Internal Network Access
  Finding 9 – CCU Did Not Adequately Address Backup of Critical Files

  Disbursements
  * Finding 10 – Proper Internal Controls Were Not Established Over Disbursement Transactions

Audit Scope, Objectives, and Methodology

Agency Response (Appendix)

* Denotes item repeated in full or part from preceding audit report

Executive Summary

Legislative Audit Report on the Department of Budget and Management Central Collection Unit (CCU)

March 2006

• Accountability and control over collections at CCU’s headquarters office and one satellite office we examined were not sufficient to deter or detect errors or other discrepancies in a timely manner. For example, adequate deposit verifications were not performed, and certain employees who handled collections could make critical adjustments to the accounts receivable system. According to CCU’s records, collections of cash and checks at these two locations totaled approximately $16.4 million during fiscal year 2005.

CCU should take steps to improve accountability and control over all collections, including adequate verification of collections to deposit, and ensuring that employees who have access to collections cannot alter critical data on the accounts receivable system.

• CCU lacked a systematic policy and procedures for properly monitoring deposit adjustments processed by the bank. These adjustments may occur, for example, when the bank discovers a deposit shortage.

Since deposit adjustments may be caused by errors, theft, or other discrepancies, CCU should establish a policy and adequate procedures for tracking, investigating, and resolving these occurrences.

• Certain available collection procedures were not always pursued in a timely manner. For example, CCU had not determined the appropriateness of initiating wage garnishments for all accounts.

CCU should pursue available collection procedures, including wage garnishments on a timely basis. CCU should also pursue on a timely basis employers who fail to remit payments for garnishments already in place.

• Debtor accounts were sometimes excluded from important automated collection procedures without adequate explanation or follow-up. Specifically, certain accounts were excluded from the automated tax refund intercept program.

CCU should adequately document the specific reasons for excluding accounts from automated collection procedures, and should periodically follow up on such accounts to ensure their proper disposition.

• CCU did not adequately monitor the private collection agency it hired to help collect outstanding debts. Between May 2004 and September 2005, approximately 69,000 accounts totaling approximately $67 million were referred to the agency.

CCU should take steps to adequately monitor the efforts of the private collection agency, including on-site reviews of applicable agency records, and ensuring the receipt of all required reports.

• CCU did not ensure that account adjustments requested by State agencies were always accompanied by supporting documentation, and that the adjustment forms contained proper authorizing signatures.

CCU should ensure that account adjustments forms from State agencies are accompanied by supporting documentation. In addition, procedures should be developed for ensuring that authorizing signatures on the forms are valid.

• We noted certain security and control deficiencies relating to CCU’s information systems. For example, CCU’s internal network was not adequately secured against unnecessary access.

CCU should take the recommended actions to improve security and control over its information system.

Background Information

Agency Responsibilities

The Central Collection Unit (CCU) is a program within the Department of Budget and Management’s Office of the Secretary. CCU’s primary responsibility is to collect all delinquent debts due the State, except those excluded by law (such as taxes and child support). Collections on debt, less CCU’s assessed collection fees, are generally paid to either the State Treasury or the unit of State government where the debt originated. CCU’s operations include its headquarters office and five satellite offices established at selected Motor Vehicle Administration locations to assist primarily in the collection of uninsured motorist penalty fees assessed by the Administration.

State law authorizes CCU to assess and collect for each debt a fee sufficient to cover all collection and administrative costs. The fee may not exceed 20% of the outstanding principal and interest. Currently, CCU’s collection fee is 17% which is added to the original debt amount, or 9% of the original debt amount for uninsured motorist penalty fees. Collection fees are deposited to the Central Collection Fund, a continuing, non-lapsing special fund used to pay CCU’s operating expenses.

According to CCU’s records, the excess of fees collected over expenses rose from approximately $1.1 million for fiscal year 2002 to $7.4 million for fiscal year 2005. In addition, the balance in the Fund has increased from approximately $3.1 million at June 30, 2002 to $14.4 million at June 30, 2005. These changes have resulted from significant increases in collections over the same period, especially at the satellite offices ($10.8 million to $25.2 million) and those from CCU’s tax refund intercept program ($16.9 million to $39.8 million).

The following chart presents certain other financial data as stated in CCU’s records for fiscal years 2002 to 2005:

| Fiscal Year | Outstanding Debts (at June 30): Accounts | Outstanding Debts (at June 30): Balance | Total Collections |
| 2002 | 596,000 | $434,212,000 | $51,808,000 |
| 2003 | 712,000 | $693,267,000 | $67,032,000 |
| 2004 | 865,000 | $818,083,000 | $85,138,000 |
| 2005 | 1,034,000 | $922,133,000 | $102,156,000 |

Source: CCU records

The increase in outstanding debts in the above chart was primarily due to CCU’s pursuit and collection of uninsured motorist penalty fees.

Current Status of Findings From Preceding Audit Report

Our audit included a review to determine the current status of the 7 fiscal/compliance findings contained in our preceding audit report dated December 13, 2002. We determined that CCU satisfactorily addressed 4 of these findings. The remaining 3 findings are repeated in this report.

Findings and Recommendations

Collections

Background

According to CCU’s records, during fiscal year 2005, CCU’s collections of checks and cash (currency) totaled approximately $25.5 million. Although CCU also received collections in a number of other ways, such as through a lockbox account, checks and cash received directly by any entity are particularly vulnerable to loss. CCU makes collections at its headquarters office and at five satellite offices established at certain Motor Vehicle Administration locations.

Finding 1

Accountability and control were not sufficient for collections received at CCU’s headquarters office and at the one satellite office we reviewed.

Analysis

Accountability and control over collections received at CCU’s headquarters office and the one satellite office we examined were not sufficient. According to CCU’s records, checks and cash received at these two locations during fiscal year 2005 totaled approximately $16.4 million. We noted the following conditions which could result in the failure to deter or detect errors or other discrepancies on a timely basis:

• An independent verification was not performed at either location reviewed to ensure that all collections recorded on initial source documents, such as prenumbered receipt forms and adding machine tapes, were subsequently deposited (agreed to on-line deposit documentation provided by the bank). In addition, prenumbered receipt forms were not accounted for as to issued, voided, or on-hand.

• Employees who received and processed collections at both locations also prepared daily spreadsheets of debtor payments which were subsequently used to post the payments to the automated accounts receivable system. Although the spreadsheets were agreed by an independent employee to corresponding deposit data on the State’s accounting records, they were not verified to on-line deposit documentation provided by the bank.

• Employees at both locations who initially received and recorded collections also had the capability to change the debtor’s billing/mailing address on the automated accounts receivable system. Consequently, receipts could be removed and subsequent notices to the debtor could be diverted. In addition, an employee who handled certain collections also had the capability to post payments directly to the accounts receivable records.

• At the headquarters location, collections were not counted and agreed to deposit documents simultaneously by two employees before sealing the deposit bag. Doing so would help ensure that funds are better safeguarded and that amounts submitted to the bank agree with the corresponding deposit documents.

The aforementioned conditions could result in the loss of accountability and control over collections. For example, in October 2005, we were advised by management that a theft of receipts occurring over a period of 19 months and totaling approximately $22,000 had been detected at a satellite office, and was under investigation by law enforcement.

Similar conditions relating to the verification of deposits and accounting for prenumbered cash receipt forms were commented upon in our preceding audit report.

Recommendation 1

We again recommend that an employee independent of CCU’s cash receipts functions verify that all collections are subsequently deposited by agreeing amounts recorded on initial source documents to on-line deposit documentation provided by the bank. We also again recommend that this employee periodically account for prenumbered receipt forms as to issued, voided, or on-hand. In addition, we recommend that daily spreadsheets used to post debtor payments to the accounts receivable records also be independently agreed to on-line deposit documentation. Furthermore, we recommend that employees who have access to collections not have the capability to post payments, or otherwise adjust critical data on the automated accounts receivable system. Finally, we recommend that collections be counted and agreed to the related deposit documents simultaneously by two employees before sealing the deposit bag.

We advised CCU on accomplishing the necessary separation of duties using existing personnel.

Finding 2

CCU lacked a systematic policy or procedures for tracking, investigating, and resolving deposit adjustments.

Analysis

Deposit adjustments processed by CCU’s bank were not monitored and investigated in a systematic and timely manner. Such adjustments may be necessary when actual receipts submitted to the bank are less than those indicated on the corresponding deposit documents, or when a particular debtor’s payment is rejected by the bank due to insufficient funds. In these instances, CCU is notified by the State Treasurer’s Office or through on-line deposit documentation posted by the bank that a deposit had to be adjusted.

We noted however, that CCU had no systematic policy or procedures for tracking and investigating deposit shortages. In particular, CCU did not maintain complete, formal records of shortages and related follow-up efforts, if any. Since deposit shortages can be caused by error, theft or other discrepancies, CCU should adequately monitor and evaluate such occurrences on an ongoing basis, and investigate as necessary.

In this regard, CCU experienced several collection and deposit discrepancies during our audit period. For example, in April and May of 2005, CCU was advised, on three separate occasions, that the actual cash submitted to the bank was less than the corresponding deposit documents by a total of $6,300. Similarly, in June and August of 2005, CCU was notified of 14 such discrepancies totaling approximately $4,400.

In addition, we noted that deposit adjustments resulting from rejected debtor payments were not always properly reflected in CCU’s accounts receivable records. Our review of notifications from the bank for 147 adjustments processed in June and August of calendar year 2005 disclosed 13 instances in which debtor payments totaling approximately $15,000 were rejected by the bank, but no corresponding adjustments had been made to the debtors’ accounts as of September 30, 2005. If the necessary account adjustments are not made to add back the amount of the rejected payments, CCU collectors will be unable to take action to collect all amounts due.

Recommendation 2

We recommend that CCU develop and implement a systematic policy and procedures for tracking, investigating and resolving deposit adjustments. Specifically, we recommend that such procedures include formally recording and evaluating deposit shortages and further investigating shortages when warranted. We also recommend that CCU adjust debtor accounts for rejected payments on a timely basis.

Finding 3

Critical cash receipt reconciliations were not performed.

Analysis

CCU did not routinely reconcile collections recorded on its accounts receivable system with the State’s accounting records (FMIS). While the difference in these records for the month we tested was not significant, the potential differences that could accumulate if this procedure is not performed could be very significant since collections for fiscal year 2005 exceeded $100 million. Accordingly, it is imperative that these reconciliations be routinely performed to help ensure the propriety of transactions posted to the accounts receivable system.

Recommendation 3

We recommend that CCU perform monthly reconciliations of collections recorded in the accounts receivable system to the corresponding amounts recorded in FMIS.

Debt Collection Efforts

Finding 4

CCU did not always pursue potential wage garnishments and property liens in a timely manner, and unpaid garnishment payments due from debtors’ employers were not always investigated promptly.

Analysis

Potential wage garnishments and property liens were not always pursued in a timely manner, and CCU did not always promptly investigate delinquent garnishment payments due from debtors’ employers. Specifically, we noted the following conditions:

• Our test of 10 accounts totaling approximately $229,000 disclosed that, as of August 29, 2005, CCU had not determined the appropriateness of initiating wage garnishments for 8 of the debtors tested owing approximately $141,000 that were identified as wage earners in April 2005, and had not made voluntary payments for over 10 months. A similar condition has been commented upon in several of our preceding audit reports dating back to January 1997.

Debtors with wages are identified through computer matches of CCU’s records with wage data from the Department of Labor, Licensing and Regulation. CCU’s April 2005 match identified 48,000 debtors with wages as of December 31, 2004 that could possibly be subject to garnishment. These individuals had aggregate debt totaling approximately $121 million.

• Our test of 7 garnishments (on accounts totaling $182,000) for which payments had not been received from the applicable employers for over 7 months, disclosed 3 accounts totaling $22,742, for which no documented action (for example, contact with the employer) had been taken by CCU. A similar condition was commented upon in our preceding audit report. According to CCU’s records, as of October 2005, there were 289 garnished accounts totaling approximately $966,000 for which no payment had been received from the applicable employer for over 5 months.

• Property data matches intended to identify debtors owning property that might be subject to a lien were not generated or analyzed on a timely basis. These matches are performed using data from the Department of Assessments and Taxation’s property ownership database. Although we were advised by CCU that it was intended that such matches be performed annually, we noted that as of October 2005 the last match performed was in August 2004, while the match before that was in March 2003. Furthermore, our review of 15 debtors owing approximately $48,000 identified in the August 2004 match disclosed that for 8 debtors owing approximately $29,000, obtaining a property lien was no longer an option because the statute of limitations for such action had expired. Timely performance and analysis of the matches is critical since, for some types of debt, judgments for property liens will not be granted after a specified statute of limitations.

Recommendation 4

We again recommend that CCU ensure that timely follow-up collection efforts are made and documented with regard to wage garnishments (for example, initiate wage garnishments, pursue delinquent wage garnishment payments). Similarly, we recommend that property lien matches be performed on a regular basis (at least semiannually) and that the results be pursued on a timely basis. We also again recommend that all debt collection efforts be documented.

Finding 5

Certain accounts were excluded from the tax refund intercept program without adequate documentation or follow-up.

Analysis

Debtor accounts were sometimes excluded from the automated tax refund intercept program (TRIP) without adequate documentation or timely follow-up. TRIP is an automated collection tool which can be used to intercept a debtor’s tax refund and apply it to their account. Our review of five accounts totaling $27,773 that were placed in the “Excluded from TRIP” account status disclosed that for four accounts totaling $21,533 there was no documented explanation as to why the account was placed in that status. In addition, at the time of our review, all five of the accounts had been in that status for over 10 months and there was no documentation of what, if any, action had been taken to follow up on the accounts, such as determining if that status was still appropriate for the account.

There may be legitimate reasons why an account should be excluded from a particular collection process, such as a current payment plan. However, CCU should ensure that such reasons are adequately documented, and that the accounts are reviewed on a timely basis for proper disposition. According to CCU’s records, as of November 7, 2005, there were 2,585 accounts totaling approximately $7.3 million that were in the “Excluded from TRIP” status.

Recommendation 5

We recommend that adequate documentation be maintained as to why an account is placed in a status which excludes it from automated collection procedures. We also recommend that CCU periodically follow up on such accounts to ensure their proper disposition.

Private Collection Agency

Finding 6

CCU did not adequately monitor the private collection agency used to help collect delinquent debts.

Analysis

CCU did not adequately monitor the private collection agency used to help collect delinquent debts. Historically, CCU has contracted with a private agency to help collect debts which it has been unsuccessful in collecting. Generally, debts are referred to the agency after six months of unsuccessful collection efforts. According to CCU’s records, during the period May 2004 (when the current contract was issued) to September 2005, approximately 69,000 debts totaling $67 million were referred to the private agency. Collections received by the agency are deposited directly into a State account. CCU pays the agency a commission of 7.9 percent of amounts collected on referred debts. According to CCU’s records, during fiscal year 2005, CCU paid the agency commissions totaling approximately $186,000.

Our review of CCU’s monitoring efforts disclosed the following conditions:

• Although the contract states that CCU shall have the right to inspect the contractor’s records relating to all referred accounts, as of September 20, 2005, CCU had not conducted any such examinations of the current contractor. In this regard, the contract specifies that the contractor will implement thorough collection procedures including a reasonable number of telephone calls, direct mailing efforts, and skip tracing procedures (data base searches) when necessary. However, without examining specific records relating to the agency’s collection efforts for referred accounts, CCU was unable to ensure that these procedures were being performed.

• Certain documentation required by the contract was not received. The contract required the agency to submit a detailed monthly inventory of referred accounts indicating debtor names, account numbers, original and current balances, any payments received during the period, and the current status of all accounts. However, the report was not received.

• CCU did not periodically reconcile its records of the current status of referred accounts, to those of the agency. Consequently, there was a loss of accountability over referred accounts and a lack of assurance that the contractor’s records accurately reflected the current status of accounts submitted.

Recommendation 6

We recommend that CCU ensure, through periodic on-site visits and an examination of a sample of relevant contractor records, that referred accounts are subject to all appropriate and required collection practices. In addition, we recommend that CCU ensure that all required documents and reports are received from the contractor and used to help monitor contractor activity. Specifically, we recommend that CCU periodically reconcile its records of referred accounts to those provided by the contractor.

Account Adjustments

Finding 7

Account adjustment requests received from State agencies did not always include adequate documentation, and there was a lack of assurance that authorizing signatures were valid.

Analysis

Adequate documentation did not always accompany account adjustment forms received from State agencies, and there was a lack of assurance that authorizing signatures were valid. Our test of 20 such adjustments requested by agencies totaling approximately $423,000, disclosed 6 adjustments totaling $47,000 that did not have any accompanying documentation, such as a check copy or validated register receipt. Furthermore, although adjustment forms are signed by at least one agency employee, CCU had no means for determining whether the individual was authorized to submit the adjustment form, or if the signature was valid. For example, CCU did not maintain a listing of authorized signatures.

Periodically, agencies that have referred debts to CCU will subsequently advise CCU that an account needs to be credited (reduced) on the CCU’s records. This may occur, for example, when the debtor pays the agency directly (rather than paying CCU), or the agency determines that some or all of the debt was not actually owed. When this occurs, the agency submits an adjustment form to CCU specifying all applicable account information, and the amount and reason for the adjustment.

Since the adjustment forms can be used to reduce account balances on CCU’s records, CCU should ensure that such forms are properly authorized and adequately supported. According to CCU’s records, approximately 37,000 adjustment forms totaling approximately $36 million were received in fiscal year 2005.

Recommendation 7

We recommend that CCU require agencies to submit adequate documentation, such as check copies and validated receipts with debt adjustment forms. We also recommend that CCU develop procedures for ensuring that adjustment forms received have been properly authorized.

Information Systems Security and Control

Background

CCU operated an automated application system to support its collection operation. Functions performed on the system included the maintenance of critical data including delinquent account details, account balances, account collection status and details of collection actions. The application was operated on a server that was maintained by the Department of Budget and Management (DBM) – Office of the Secretary. As of June 30, 2005, the balance of outstanding debts on this system totaled over $922 million.

Finding 8

The collections server was subject to improper internal network access.

Analysis

The collections server was subject to improper internal network access. Specifically, certain other network segments within DBM’s Baltimore network, which did not require access to the collection server, were permitted access to the server using all services. Such segments include, but are not limited to, the Office of Personal Services and Benefits, the Office of Capital Budgeting and contractors working for DBM. Strong network security relies upon a layered approach to prevent, detect, and respond to network security breaches and attacks and employs a “least privilege” security strategy to protect the server from untrusted portions of the internal DBM network.

Recommendation 8

We recommend that network access to the collections server be restricted to only those hosts and services as deemed necessary.

Finding 9

CCU did not adequately address backup of critical files.

Analysis

CCU did not adequately address backup of critical files. CCU stored daily backup tapes of critical data at a location in close proximity to the facility that houses the original data. Furthermore, CCU backup procedures provide for monthly backups of this data to be stored at an offsite location in Annapolis. However, our review of Annapolis backup files disclosed that the most recent backup was 73 days old. Accordingly, if the facilities which house both the original data and the daily backup copies were destroyed by the same disaster, it is uncertain if all critical information not retained at the Annapolis location could be recreated.

Recommendation 9

We recommend that the CCU back up its critical data at the Annapolis location at least weekly.

Disbursements

Finding 10

Proper internal controls were not established over the processing of disbursement transactions.

Analysis

CCU did not fully use the security features of the State’s Financial Management Information System (FMIS) to establish proper internal control over disbursements. As a result, unauthorized transactions could be processed which may not be readily detected. Specifically, two employees had the capability to initiate and record disbursement transactions, which were not subject to independent approval, and release the transactions to the Comptroller of the Treasury’s General Accounting Division for payment. A similar condition has been commented upon in several of our preceding audit reports dating back to January 1997.

During fiscal years 2003 through 2005, one of the aforementioned employees used FMIS to process disbursements totaling approximately $2.3 million. According to the State’s accounting records, during fiscal year 2005, CCU used FMIS to process disbursement transmittals totaling approximately $16 million.

18

Recommendation 10 We again recommend that CCU fully use the available FMIS security features by establishing independent on-line approval requirements for all critical disbursement transactions. We advised CCU on accomplishing the necessary separation of duties using existing personnel.


Audit Scope, Objectives, and Methodology

We have audited the Department of Budget and Management – Central Collection Unit (CCU) for the period beginning April 9, 2002 and ending June 30, 2005. The audit was conducted in accordance with generally accepted government auditing standards.

As prescribed by the State Government Article, Section 2-1221 of the Annotated Code of Maryland, the objectives of this audit were to examine CCU’s financial transactions, records and internal control, and to evaluate its compliance with applicable State laws, rules, and regulations. We also determined the current status of the findings contained in our preceding audit report.

In planning and conducting our audit, we focused on the major financial-related areas of operations based on assessments of materiality and risk. Our audit procedures included inquiries of appropriate personnel, inspections of documents and records, and observations of CCU’s operations. We also tested transactions and performed other auditing procedures that we considered necessary to achieve our objectives. Data provided in this report for background or informational purposes were deemed reasonable, but were not independently verified.

Our audit did not include certain support services provided to CCU by the Department of Budget and Management – Office of the Secretary. These support services (such as payroll) are included within the scope of our audit of the Office of the Secretary.

Our audit scope was limited with respect to CCU’s cash transactions because the Office of the State Treasurer was unable to reconcile the State’s main bank accounts during the audit period. Due to this condition, we were unable to determine, with reasonable assurance, that all CCU cash transactions were accounted for and properly recorded on the related State accounting records as well as the banks’ records.

CCU’s management is responsible for establishing and maintaining effective internal control. Internal control is a process designed to provide reasonable assurance that objectives pertaining to the reliability of financial records, effectiveness and efficiency of operations including safeguarding of assets, and compliance with applicable laws, rules, and regulations are achieved.


Because of inherent limitations in internal control, errors or fraud may nevertheless occur and not be detected. Also, projections of any evaluation of internal control to future periods are subject to the risk that conditions may change or compliance with policies and procedures may deteriorate.

Our reports are designed to assist the Maryland General Assembly in exercising its legislative oversight function and to provide constructive recommendations for improving State operations. As a result, our reports generally do not address activities we reviewed that are functioning properly.

This report includes findings that we consider to be significant deficiencies in the design or operation of internal control that could adversely affect CCU’s ability to maintain reliable financial records, operate effectively and efficiently, and/or comply with applicable laws, rules, and regulations. Our report also includes conditions regarding significant instances of noncompliance with applicable laws, rules, or regulations. Other less significant findings were communicated to CCU that did not warrant inclusion in this report.

The Department of Budget and Management’s response, on behalf of CCU, to our findings and recommendations is included as an appendix to this report. As prescribed in the State Government Article, Section 2-1224 of the Annotated Code of Maryland, we will advise the Department regarding the results of our review of its response.


Department of Budget and Management Central Collection Unit

Response to Legislative Audit Findings and Recommendations Audit Period: April 9, 2002 to June 30, 2005

Collections

Finding 1
Accountability and control were not sufficient for collections received at CCU’s headquarters office and at the one satellite office we reviewed.

Recommendation 1
We again recommend that an employee independent of CCU’s cash receipts functions verify that all collections are subsequently deposited by agreeing amounts recorded on initial source documentation to on-line deposit documentation provided by the bank. We also again recommend that this employee periodically account for prenumbered receipt forms as to issued, voided, or on-hand. In addition, we recommend that daily spreadsheets used to post debtor payments to the accounts receivable records also be independently agreed to on-line deposit documentation. Furthermore, we recommend that employees who have access to collections not have the capability to post payments, or otherwise adjust critical data on the automated accounts receivable system. Finally, we recommend that collections be counted and agreed to the related deposit documents simultaneously by two employees before sealing the deposit bag. We advised CCU on accomplishing the necessary separation of duties using existing personnel.

Department Response
The Department agrees with the audit finding.

CCU currently verifies deposits to on-line deposit documentation by a person independent of the cash receipts process. The process will be modified to include a verification to the source document (i.e., prenumbered cash receipts and daily spreadsheets that are used to post debtor payments to the accounts receivable records).

CCU’s present practice secures prenumbered receipt form books prior to distribution to collection office staff. A formal log is maintained in the Accounting Unit that shows by date when prenumbered receipt form books are distributed to an office by the beginning and ending receipt number of each book. Procedures will be implemented at each office location to maintain a log for prenumbered receipt forms as to issued, voided and on-hand. During the internal auditor’s periodic visits to each office, the auditor will review the logs and actual prenumbered receipt form books to account for prenumbered receipt forms as to issued, voided or on-hand.

When assigning employee duties (including back-up functions), CCU will assure that employees who have access to collections will not have the ability to post payments or adjust critical data on the automated accounts receivable system.


To implement the audit recommendation, the two employees that prepare the cash deposit will simultaneously count the collections placed into the deposit bag and ensure that it agrees to the deposit slip.

Finding 2
CCU lacked a systematic policy or procedures for tracking, investigating, and resolving deposit adjustments.

Recommendation 2
We recommend that CCU develop and implement a systematic policy and procedures for tracking, investigating and resolving deposit adjustments. Specifically, we recommend that such procedures include formally recording and evaluating deposit shortages and further investigating shortages when warranted. We also recommend that CCU adjust debtor accounts for rejected payments on a timely basis.

Department Response
The Department agrees with the audit recommendation.

CCU has always utilized an informal process for researching shortages. Shortages of more than $100 have always been referred to and reviewed by the CCU Director. In the future, deposit shortages will be noted when verifying the deposit slips to the on-line banking documentation. All shortages will be investigated. These shortages, and the efforts to investigate and follow up, will be documented and recorded for tracking purposes.

For returned checks, CCU must rely on information received from the State Treasurer’s Office in order to properly adjust accounts. The Department typically receives adequate information from the Treasurer’s Office several days to several weeks after deposit. The Department will work with the State Treasurer’s Office to obtain the necessary information in a more timely fashion and will adjust debtor accounts for rejected payments to ensure that there is appropriate follow-up action to collect all amounts due.

Finding 3
Critical cash receipt reconciliations were not performed.

Recommendation 3
We recommend that CCU perform monthly reconciliations of collections recorded in the accounts receivable system to the corresponding amounts recorded in FMIS.


Department Response
The Department agrees with the audit recommendation.

The monthly reconciliations performed by CCU to ensure cash receipts in CUBS, the accounts receivable system, agreed to FMIS did not meet certain requirements noted by the auditors. CCU discussed with the auditors the additional work and documentation needed to resolve the finding. To resolve the audit finding, CCU has implemented these additional procedures during their preparation of the monthly reconciliations.

Debt Collection Efforts

Finding 4
CCU did not always pursue potential wage garnishments and property liens in a timely manner, and unpaid wage garnishment payments due from debtors’ employers were not always investigated promptly.

Recommendation 4
We again recommend that CCU ensure that timely follow-up collection efforts are made and documented with regard to wage garnishments (for example, initiate wage garnishments, pursue delinquent wage garnishment payments). Similarly, we recommend that property lien matches be performed on a regular basis (at least semiannually) and that the results be pursued on a timely basis. We also again recommend that all debt collection efforts be documented.

Department Response
The Department agrees with the audit recommendation.

CCU uses all available collection tools, such as wage match reports, wage garnishments, and property data matches when possible. The number of outstanding debt accounts grew by 438,000 or 73% from fiscal year 2002 through fiscal year 2005. CCU recognizes that timely follow-up results in an increase in collections. As a result of increased wage garnishments implemented and an increase in follow-up efforts on delinquent wage garnishments, the number of wage garnishments that have been collected in full has increased from 335 in fiscal year 2004 to 716 in fiscal year 2005 and was 431 in the first six months of fiscal year 2006.

CCU will continue its efforts to use wage garnishments and property data matches to positively impact overall collection results. On a quarterly basis, CCU will review wage match reports to ensure wage garnishments are initiated timely and will review delinquent wage garnishments to determine if follow-up collection efforts are needed. CCU will review property data match reports semi-annually to pursue property liens on a timely basis. All collection efforts will be documented.

Finding 5
Certain accounts were excluded from the tax refund intercept program without adequate documentation or follow-up.

Recommendation 5
We recommend that adequate documentation be maintained as to why an account is placed in a status which excludes it from automated collection procedures. We also recommend that CCU periodically follow up on such accounts to ensure their proper disposition.

Department Response
The Department agrees with the audit recommendations.

CCU will ensure that adequate documentation will be maintained as to why an account is placed in a status that excludes it from the automated collection procedures (e.g., TRIP). The accounts excluded from TRIP will be included in the pre-certification review for the calendar year 2006. Confirmation of exclusion from TRIP will occur annually.

Private Collection Agency

Finding 6
CCU did not adequately monitor the private collection agency used to help collect delinquent debts.

Recommendation 6
We recommend that CCU ensure, through periodic on-site visits and an examination of a sample of relevant contractor records, that referred accounts are subject to all appropriate and required collection practices. In addition, we recommend that CCU ensure that all required documents and reports are received from the contractor and used to help monitor contractor activity. Specifically, we recommend that CCU periodically reconcile its records of referred accounts to those provided by the contractor.

Department Response
The Department agrees with the audit recommendations.


CCU has actively been engaged with the contractor since the inception of the contract. CCU staff communicates with the contractor’s staff at least weekly. The CCU Director communicates with the contractor’s project manager when required to address operational issues.

CCU staff performed an on-site visit and inspection of contractor records on September 26, 2005 to review collection practices and operations. Periodic on-site visits and inspection of contractor records will be performed at least quarterly.

CCU is working with the contractor to receive all required documents and reports. CCU will use applicable information provided in the reports to assist their effort in monitoring contractor activity.

CCU has implemented procedures to reconcile its records of referred accounts to those provided by the contractor. This reconciliation will be performed on a monthly basis, beginning with the first reconciliation to be performed by March 31, 2006.

Account Adjustments

Finding 7
Account adjustment requests received from State agencies did not always include adequate documentation, and there was a lack of assurance that authorizing signatures were valid.

Recommendation 7
We recommend that CCU require agencies to submit adequate documentation, such as check copies and validated receipts with debt adjustment forms. We also recommend that CCU develop procedures for ensuring that adjustment forms received have been properly authorized.

Department Response
The Department agrees with the audit finding.

CCU’s present and long-term practice requires each agency to submit an adjustment request form containing the signatures of two agency contact persons certifying the appropriateness of the adjustments to the accounts. CCU will request a list of authorized signatures from each agency’s Chief Financial Officer. The agency will be responsible for updating this as needed. At a minimum, CCU will request annual confirmation from each agency’s Chief Financial Officer of authorized individuals. CCU will verify that each submitted adjustment request form agrees to the agency’s authorized signatures on file.

CCU currently sends out a monthly payment report to agencies. CCU is in the process of developing a similar monthly report that will list all adjustments made to agency accounts held by CCU. These reports will be sent to each agency’s Chief Financial Officer for confirmation of all adjustments.

Information Systems Security and Control

Finding 8
The collections server was subject to improper internal network access.

Recommendation 8
We recommend that network access to the collections server be restricted to only those hosts and services as deemed necessary.

Department Response
The Department agrees that implementing the audit recommendation will improve security.

The Department has implemented changes that address this finding. It should be noted that no users on the Department’s internal network from these “other network segments” as identified in the audit Analysis (i.e., OPSB, Office of Capital Budgeting, contractors) could actually access or login to the collection server without a valid username and password.

Finding 9
CCU did not adequately address backup of critical files.

Recommendation 9
We recommend that the CCU back up its critical data at the Annapolis location at least weekly.

Department Response
The Department disagrees with the audit finding; however, the Department agrees to implement the audit recommendation.

Daily and monthly backups are performed on critical data files and programs for the CUBS server. These tapes are stored at the Preston Street location. Quarterly backups are maintained at the Annapolis facility. There is no policy or procedure that mandates a minimum distance from the system or frequency of backup related to off-site storage. The Department believes that current CCU backup procedures are sufficient. However, since the audit recommendation can be implemented without a significant financial or resource burden, the Department agrees to maintain weekly backups at the Annapolis facility.


Disbursements

Finding 10
Proper internal controls were not established over the processing of disbursement transactions.

Recommendation 10
We again recommend that CCU fully use the available FMIS security features by establishing independent on-line approval requirements for all critical disbursement transactions. We advised CCU on accomplishing the necessary separation of duties using existing personnel.

Department Response
The Department agrees with the audit recommendation.

The Department agrees that there should be independent on-line approval required for all critical disbursement transactions. The Department will establish a separate approval path for such transactions. The Department identified to the auditors individuals who will serve as the independent on-line approvers for such transactions. In addition, the payment authorization release function will be removed from the two employees noted in the finding.


AUDIT TEAM

Paul R. Denz, CPA
Audit Manager

A. Jerome Sokol, CPA
Information Systems Audit Manager

Nicholas L. Marrocco, CPA, CFE
Senior Auditor

Richard L. Carter, CISA
Information Systems Senior Auditor

Kari S. Harrison, CPA, CFE
Jennifer L. Thompson
Staff Auditors

