Sherrill F. Norman, CPA Auditor General Report No. 2019-216 May 2019 DEPARTMENT OF REVENUE Selected Administrative Activities and Prior Audit Follow-Up Operational Audit

Sherrill F. Norman, CPA

Auditor General

Report No. 2019-216

May 2019

DEPARTMENT OF REVENUE

Selected Administrative Activities

and Prior Audit Follow-Up

Operational Audit 

Executive Director of the Department of Revenue

The Department of Revenue is established by Section 20.21, Florida Statutes. The head of the Department is the Governor and Cabinet. Pursuant to Section 20.05(1)(g), Florida Statutes, the Governor and Cabinet are responsible for appointing the Executive Director of the Department. Leon Biegalski served as Executive Director during the period of our audit.

The team leader was Robin Ralston, CPA, and the audit was supervised by Jacqueline M. Joyner, CPA.

Please address inquiries regarding this report to Kathryn Walker, CPA, Audit Manager, by e-mail at [email protected] or by telephone at (850) 412-2781.

This report and other reports prepared by the Auditor General are available at:

FLAuditor.gov

Printed copies of our reports may be requested by contacting us at:

State of Florida Auditor General

Claude Pepper Building, Suite G74 · 111 West Madison Street · Tallahassee, FL 32399-1450 · (850) 412-2722

DEPARTMENT OF REVENUE Selected Administrative Activities and Prior Audit Follow-Up

SUMMARY

This operational audit of the Department of Revenue (Department) focused on selected administrative activities and included a follow-up on applicable findings noted in our report No. 2015-194. Our audit disclosed the following:

Finding 1: The Department did not always appropriately redact confidential information from contract documents posted to the Florida Accountability Contract Tracking System or notify the Chief Financial Officer, as required by State law, upon becoming aware of contract documents posted without proper redaction.

Finding 2: Department procedures had not been established to ensure that text messages are retained in accordance with State law.

Finding 3: Some Department users had inappropriate access privileges to the Florida Accounting Information Resource Subsystem, increasing the risk that unauthorized modification, loss, or disclosure of Department data may occur.

Finding 4: As similarly noted in our report No. 2015-194, Department procedures for periodically reviewing Contract Accountability Tracking System (CATS) user access privileges need enhancement to ensure that access privileges assigned to CATS users are authorized and remain appropriate.

Finding 5: Department motor vehicle record keeping controls need improvement.

Finding 6: Department controls over administration of Florida Single Audit Act requirements continue to need improvement.

Finding 7: As similarly noted in our report No. 2015-194, Department procedures for recording Child Support Program customer complaint information need improvement.

Finding 8: In some instances, the Department did not timely deactivate user access privileges to the Child Support Enforcement Automated Management System upon an employee’s separation from Department employment. A similar finding was noted in our report No. 2015-194.

BACKGROUND

The three primary functions of the Department of Revenue (Department) are to collect and distribute various State taxes and fees, oversee the State’s property tax system, and provide child support enforcement services. To perform these functions, the Legislature appropriated over $572 million to the Department for the 2017-18 fiscal year and funded 5,058 positions.¹

¹ Chapter 2017-70, Laws of Florida.

FINDINGS AND RECOMMENDATIONS

Finding 1: Disclosure of Confidential Information

Pursuant to State law,² the Department of Financial Services (DFS) established the Florida Accountability Contract Tracking System (FACTS), an online tool that provides users and the public access to State contract and grant financial information. State law requires, within 30 calendar days of executing a contract,³ State agencies to post to FACTS for each contract specific information related to the contract and electronic copies of the contract and procurement documents redacted to exclude confidential and exempt information, such as social security numbers (SSNs), held by an agency.⁴

If a State agency that is a party to a contract becomes aware that an electronic copy of a contract or procurement document has been posted without proper redaction, the State agency is to immediately notify the Chief Financial Officer and immediately remove the contract or procurement document from FACTS. Within 7 business days, the State agency is to post a properly redacted copy of the contract or procurement document to FACTS. Additionally, Department policies and procedures⁵ required contract managers to redact confidential information from contracts and certify that the contract was suitable for public view prior to posting the contract to FACTS.

As part of our audit, we examined FACTS records for 28 Department legal services contracts in effect during the period July 2016 through February 2018 that included SSNs. Our examination disclosed that:

- SSNs were not redacted or were legible despite redaction efforts in 16 of the legal services contracts. Although Department personnel indicated that the 16 contracts were immediately and appropriately redacted subsequent to our audit inquiry, we noted that 8 of the contracts still contained legible SSNs 7 business days after our inquiry. Subsequent to our additional inquiry, and 14 business days from initial notification, the other 8 contracts were appropriately redacted in FACTS.

- Contrary to State law,⁶ the Department did not notify the Chief Financial Officer upon becoming aware of the unredacted and improperly redacted contracts.

According to Department management, the legal services contracts were not appropriately redacted prior to uploading to FACTS due to transition issues from the Department’s internal contract management system and employee errors. Additionally, Department management was unaware of the statutory requirement to notify the Chief Financial Officer upon becoming aware of unredacted or improperly redacted contracts.

Appropriately redacting all confidential and exempt information from contracts and procurement documents posted to FACTS ensures that such information is adequately protected and demonstrates Department compliance with State law.

² Section 215.985(14), Florida Statutes.
³ Section 215.985(2)(b), Florida Statutes, defines a contract to include a written agreement or purchase order for the purchase of goods or services or a written agreement for the receipt of State or Federal financial assistance.
⁴ Section 119.071(5)5., Florida Statutes.
⁵ DOR Contract Accountability Tracking System Reference Guide for Contract Managers.
⁶ Section 215.985(14)(d)2., Florida Statutes.

Recommendation: We recommend that Department management strengthen controls to ensure that confidential and exempt information is appropriately redacted from contract documents before posting to FACTS. We also recommend that Department management ensure that the Chief Financial Officer is immediately notified should the Department become aware that confidential or exempt information has been posted to FACTS.

Finding 2: Retention of Text Messages

State law⁷ requires the Department to maintain public records in accordance with the records retention schedule⁸ established by the Department of State, Division of Library and Information Services. The schedule specifies that the retention periods for electronic communications, including text messages, are based on the content, nature, and purpose of the messages. Some of the purposes include administrative correspondence (3 fiscal years), program and policy development correspondence (5 fiscal years), and transitory messages, which are to be maintained until obsolete, superseded, or administrative value is lost.

As part of our audit, we evaluated the effectiveness of Department controls for the assignment and use of Department mobile devices,⁹ including cellular telephones. Our audit disclosed that Department controls for retaining text messages in accordance with the State records retention schedule need improvement. Specifically, according to Department management, the cellular provider only retained text messages for 5 days and we noted that the Department had not otherwise established procedures to retain text messages in accordance with the State records retention schedule. Our examination of Department records disclosed that, during the period January 19, 2018, through February 18, 2018, 1,829 text messages were sent from 25 Department-owned cellular telephones.

Absent the retention of text messages in accordance with State law, the Department’s ability to provide access to public records is diminished.

Recommendation: We recommend that Department management establish procedures to ensure that text messages are retained in accordance with State law.

Finding 3: FLAIR Access Controls

Effective access controls include measures that restrict user access privileges to data and IT resources to only those functions that promote an appropriate separation of duties and are necessary for the user’s assigned job duties. Additionally, Agency for State Technology (AST) rules¹⁰ require all users be granted access to agency IT resources based on the principles of least privilege and a need to know determination.

⁷ Section 119.021(2)(b), Florida Statutes.
⁸ State of Florida General Records Schedule GS1-SL for State and Local Government Agencies.
⁹ Mobile devices are portable devices, such as laptop computers, smartphones, and tablets, that allow storage and transmittal of entity data.
¹⁰ AST Rule 74-2.003(1)(d), Florida Administrative Code.

The Department utilizes the Florida Accounting Information Resource Subsystem (FLAIR) to authorize the payment of Department obligations and to record and report financial transactions. Controls over employee access to FLAIR are necessary to help prevent and detect any improper or unauthorized use of FLAIR access. Our examination of FLAIR access records for 37 FLAIR user accounts assigned to 32 Department employees and active during the period July 2016 through February 2018 disclosed that employees performing financial management functions had been granted update capabilities to incompatible functions in FLAIR and some employees had unnecessary user accounts. Specifically, we noted that:

- All 37 user accounts had update capabilities to both the disbursement and cash receipts functions.

- 9 user accounts had update capabilities to both the cash receipts and accounts payable functions.

- 4 user accounts had update capabilities to both the disbursement and vendor employee functions.

- 1 user account had update capabilities to both the accounts receivable and accounts payable functions.

- 1 user account had update capabilities to both the fixed assets accounting and fixed assets custodial functions.

- 3 of the employees had unnecessary second user accounts.

While the Department performed periodic FLAIR access privileges reviews, before June 2018, the reviews were not designed to assess the assignment of incompatible FLAIR access privileges. Subsequent to our audit inquiry, Department management indicated that 14 user accounts had some update capabilities removed and the unnecessary user accounts assigned to the 3 employees were deleted.

The existence of inappropriate and unnecessary user access privileges increases the risk that unauthorized modification, loss, or disclosure of FLAIR data may occur.

Recommendation: We recommend that Department management limit user access privileges to FLAIR to promote an appropriate separation of duties and ensure that all user accounts are necessary for the users’ assigned job duties.

Finding 4: Periodic Reviews of CATS Access Privileges

AST rules¹¹ require agency information owners to review access privileges periodically based on system categorization or assessed risk. Periodic reviews of user access privileges help ensure that only authorized users have access and that the access provided to each user remains appropriate.

The Department utilizes the Contract Accountability Tracking System (CATS) to manage Department contracts and upload information to FACTS. The Department, Office of Financial Management – Purchasing and Facilities (OFM), performed bi-annual CATS user access privilege reviews using the CATS Access Review and Approval Form (CATS Access Form). The OFM sent CATS Access Forms to Department supervisors prepopulated with each supervisor’s CATS users, their current access privileges, and whether the users were currently managing contracts. Supervisors were to complete the CATS Access Form indicating whether each user’s access privileges should be changed, justify update access privileges for CATS users that were not currently managing contracts, and sign and date the Form before returning it to the OFM.

¹¹ AST Rule 74-2.003(1)(a)6., Florida Administrative Code.

As part of our audit, we examined Department records for the January 2018 review of the 80 Department employees with CATS access privileges and noted that:

- The CATS Access Forms provided to 8 of the 9 supervisors responsible for conducting the review included the supervisors as CATS users. Consequently, the supervisors reviewed and verified the appropriateness of their own access privileges, including for 5 supervisors, update access privileges.

- The CATS Access Forms did not include justification for the update access privileges assigned to 4 of the 18 CATS users who did not manage contracts. Subsequent to our audit inquiry, Department management provided justification for the users’ update access privileges.

Absent the conduct of independent and complete periodic CATS user access privilege reviews, Department management’s assurance that the access privileges assigned to CATS users are authorized and remain appropriate is limited. A similar finding was noted in our report No. 2015-194 (finding No. 7).

Recommendation: We recommend that Department management ensure that CATS user access privileges are independently verified by supervisory personnel and that Department records evidence the appropriateness of all assigned user access privileges.

Finding 5: Motor Vehicle Logs

State law¹² and Department of Management Services (DMS) rules¹³ provide that State-owned motor vehicles are to be used effectively, efficiently, and for official purposes. As part of its oversight responsibilities, the DMS developed the Florida Equipment Electronic Tracking (FLEET) system to manage, report, and maintain information about the condition, utilization, cost, fuel consumption, maintenance, and assignment of motor vehicles and watercraft owned, leased, or operated by State agencies.

As of February 28, 2018, the Department maintained 17 State-owned motor vehicles that were available for assignment and use by Department personnel. To ensure the proper management and control of Department motor vehicles in accordance with State law and DMS rules, the Department established policies and procedures¹⁴ for the acquisition, assignment, use, and control of State-owned motor vehicles. According to Department policies and procedures, drivers were to record on a daily travel log vehicle usage information, including the beginning mileage, date, utilization, driver, and ending mileage, and record fuel and maintenance information on a Monthly Vehicle Log. Department policies and procedures specified that each month Program Coordinators were to review and approve all daily travel logs and the Fleet Manager was to input the approved data into the FLEET system.

¹² Section 287.16, Florida Statutes.
¹³ DMS Rules, Chapter 60B-1, Florida Administrative Code.
¹⁴ Department Fleet Management Procedures.

As part of our audit, we examined selected Department records and noted that Department drivers utilized two different daily travel log templates and that neither template required all necessary vehicle usage information be recorded. Specifically, the log utilized by Property Tax Oversight (PTO) Program personnel did not require drivers to record beginning mileage for each trip and the log utilized by all other Department personnel did not require drivers to record the purpose of each trip or beginning mileage. Consequently, although according to FLEET records the 17 motor vehicles averaged 663 miles per month during the period July 2016 through February 2018, Department records did not consistently evidence the basis for the FLEET mileage information.

The maintenance of accurate and complete documentation enhances the Department’s ability to demonstrate that State-owned motor vehicles were used for authorized purposes and that information recorded in the FLEET system is accurate and properly supported. Also, accurate and complete motor vehicle information increases Department management’s assurance that State-owned motor vehicle usage and operations will be effectively monitored and managed.

Recommendation: We recommend that Department management revise the daily travel logs to ensure that all required information regarding motor vehicle usage is accurately recorded for entry into the FLEET system.

Finding 6: Florida Single Audit Act

State Financial Assistance (SFA) is financial assistance provided from State resources to non-State entities to carry out a State project and is to be administered in accordance with the requirements of the Florida Single Audit Act (FSAA),¹⁵ DFS rules,¹⁶ and Rules of the Auditor General.¹⁷ The purpose of the FSAA, among other things, is to establish uniform State audit requirements for non-State entities receiving SFA; promote sound management of SFA; and ensure State agency monitoring, use, and follow-up on audits of SFA.

The FSAA requires each non-State entity that expends $750,000¹⁸ or more of SFA in any fiscal year to obtain a State single audit or a project specific audit conducted by an independent auditor. Upon completion of the audit, an SFA recipient is to provide the State awarding agency and the Auditor General a copy of the entity’s Financial Reporting Package (FRP).¹⁹ Among other things, the FRP is to address the recipient’s compliance with State project requirements, any deficiencies in internal controls, and the amount of SFA expended by the recipient in conducting the State project. In addition, the FSAA specifies that State awarding agencies are to review each recipient’s FRP to determine whether timely and appropriate corrective action had been taken with respect to any audit findings and recommendations.

According to Department records, the Department provided SFA in excess of $23.2 million to 12 non-State entities subject to the FSAA audit requirement during the period July 2016 through November 2017. As shown in Chart 1, the SFA consisted of tax credits, tax refunds, and other distributions that were subject to the provisions of the FSAA.²⁰

¹⁵ Section 215.97, Florida Statutes.
¹⁶ DFS Rules, Chapter 69I-5, Florida Administrative Code.
¹⁷ Chapters 10.550 and 10.650, Rules of the Auditor General.
¹⁸ Effective July 1, 2016, Chapter 2016-132, Laws of Florida, increased the expenditure threshold from $500,000 to $750,000.
¹⁹ An FRP includes the recipient’s financial statements, Schedule of Expenditures of State Financial Assistance, auditor’s report, management letter, auditee’s written responses or corrective action plan, and correspondence on follow-up on prior corrective actions taken.
²⁰ DFS Rule 69I-5.004(1)(j) and (k), Florida Administrative Code, specifies that financial assistance provided in the form of credits or refunds of State taxes for a public purpose authorized by State law is SFA.

Chart 1: SFA by Type, July 2016 Through November 2017. Source: Department records.

In our report No. 2015-194 (finding No. 8), we noted that the Department did not always follow up on SFA recipients’ compliance with the FSAA. As part of our follow-up audit procedures, we reviewed Department FSAA policies and procedures, recipient-submitted FRPs, and other Department records and again noted that the Department did not always follow up on SFA recipients’ compliance with the requirements of the FSAA. Specifically, we found that 2 of the 12 non-State entities required to submit FRPs to the Department and the Auditor General had not submitted the FRPs for the entities’ 2017 fiscal year. These 2 non-State entities received SFA totaling $2.3 million in the form of tax credits and tax refunds during the period July 2016 through November 2017.

In response to our audit inquiry, Department management indicated that they continued to believe that tax credits and tax refunds should not be considered SFA and that, in fulfilling their statutory responsibilities to regulate, control, and administer all revenue laws and perform the duties assigned by the various tax statutes, adequate accountability for State tax credits and tax refunds is provided. Of the 19 State projects attributed to the Department for the 2016-17 fiscal year, Department management indicated that the State awarding agency designations should be changed for 11 projects in the Catalog of SFA.²¹ Notwithstanding Department management’s responses, under the FSAA,²² it is the DFS’ responsibility, in consultation with the State agencies, to determine the types of State resources that meet the definition of SFA and to attribute the projects to the appropriate State agency. While Department management provided documentation demonstrating their communications with the DFS regarding the Department’s position that they lack administrative authority over certain State projects, the DFS did not revise the State awarding agency designation in the Catalog of SFA.

Without the receipt and appropriate review of required FRPs, any recipient noncompliance or control deficiencies noted on audit may not be timely followed up on and resolved.

²¹ The Catalog of SFA lists State projects by assigned numbers and assists users (e.g., SFA recipients and auditors) in obtaining general information on State projects (e.g., State project title and legal authorization).
²² Section 215.97(2) and (4), Florida Statutes.

Chart 1 data (SFA by type): Tax Refunds, $1,776,779 (8%); Other Distributions, $20,986,282 (90%); Tax Credits, $532,789 (2%).

Recommendation: We continue to recommend that, for all State projects attributed to the Department in the Catalog of SFA, Department management ensure the required FRPs are timely received and properly reviewed and that any instances of recipient noncompliance or other noted deficiencies are timely followed up on and resolved. For those State projects the Department believes the State awarding agency designations should be changed, Department management should continue to consult with the DFS regarding the appropriateness of the designations.

Finding 7: CSP Complaint Data

State law²³ designates the Department as the State agency responsible for administration of the State’s Child Support Program (CSP) under Title IV-D of the Federal Social Security Act. The Department, in support of the CSP, operates a Child Support Program Customer Contact Center (CSP CCC) to receive and respond to requests for CSP information from various customers, including custodial and noncustodial parents, employers, and governmental agencies from other states and countries. As of February 2018, the CSP CCC had 174 full-time equivalent positions.

The CSP CCC provides assistance through agent-answered and self-help components and, according to Department records, the CSP CCC had over 22.3 million customer contacts and E-Service users during the period July 2016 through February 2018.

State law²⁴ specifies that principal administrative units within the executive branch of State government, including the Department, are to employ a system by which customer complaints and resolutions of those complaints are tracked. The CSP CCC received customer complaints²⁵ through a variety of means, including telephone calls, e-mails, Web chats, and in-person contacts at local CSP offices. Additionally, CSP-related complaints received by the Department’s Office of Inspector General (OIG) were to be recorded in the OIG’s Complaint Tracking System and forwarded to the CSP CCC for resolution. The CSP utilized the Child Support Enforcement Automated Management System (CAMS) to process child support payments, distribute child support funds, and track CSP complaint data.

In our report No. 2015-194 (finding No. 3), we noted that the Department did not track CSP CCC customer complaints or the resolutions of those complaints as required by State law. As part of our follow-up audit procedures, we interviewed CSP personnel, reviewed Department policies and procedures, observed complaint recording activities, analyzed CSP complaint data, and examined records for 9 of the 97 complaints with recorded start and end dates during the period July 2016 through March 2018. Our audit procedures found that CSP personnel did not consistently or accurately record in CAMS the dates complaints were received or resolved. For example, the recorded complaint resolution dates for the 9 complaints were 6 to 169 calendar days before the dates indicated in CAMS as the dates the customer interactions were determined by CSP personnel to be complaints requiring resolution.

²³ Section 409.2557(1), Florida Statutes.
²⁴ Section 23.30(4)(g), Florida Statutes.
²⁵ CSP procedures defined a complaint as an escalated concern from a customer or third-party about a team member handling of a case, including discourteous behavior and repeat customer contacts about the same concern that were not timely resolved.

According to Department management, CSP personnel fielding customer inquiries and possible complaints prepare summary notes based on the customer interaction and forward the notes to a second-level reviewer who reviews the information and either resolves the inquiry or forwards the notes to the Service Center Manager for a final review. However, Department policies and procedures did not require CSP personnel to include in the summary notes the date of the customer interaction or actual resolution of the matter and the CSP personnel did not record complaints in CAMS until the Service Center Manager reviewed the summary notes and determined the interaction to be a complaint. Consequently, the complaint date entered in CAMS was the date the Service Center Manager entered the interaction information in CAMS and Department records did not always otherwise evidence the actual complaint receipt or resolution dates.

Absent a process to record the actual dates customer complaints are received and resolved, Department management cannot demonstrate the extent of compliance with statutory provisions related to the tracking and resolution of customer complaints.

Recommendation: We recommend that Department management enhance the CSP CCC complaint handling process to track the dates customer complaints are received and resolved.

Finding 8: Timely Deactivation of CAMS Access Privileges

AST rules²⁶ require agency control measures that ensure IT access is removed when access to an IT resource is no longer required. Accordingly, Department information security procedures required access authorization to be promptly removed upon a user’s separation from Department employment or when the access privileges were no longer required. Prompt action to deactivate access privileges when a user separates from employment or no longer requires access to an IT resource is necessary to help prevent the misuse of the access privileges.

As part of our audit, we evaluated whether CAMS access privileges were timely deactivated upon a user’s separation from Department employment. Our examination of Department records disclosed that CAMS access privileges for 11 of the 736 Department employees with CAMS access privileges who separated from Department employment during the period July 2016 through February 2018 remained active 2 to 17 business days (an average of 5 business days) after the employees’ separation dates. In response to our audit inquiry, CSP management indicated that the delays in deactivating CAMS access privileges were due to supervisors not timely notifying CAMS security personnel of employment separations and miscommunication between CAMS security personnel and Department IT personnel.

The prompt deactivation of CAMS access privileges upon an employee’s separation from Department employment reduces the risk that the access privileges may be misused by the former employee or others. A similar finding was noted in our report No. 2015-194 (finding No. 7).

Recommendation: We again recommend that Department management ensure that CAMS user access privileges are deactivated immediately upon an employee’s separation from Department employment.

²⁶ AST Rule 74-2.003(1)(a)8., Florida Administrative Code.

PRIOR AUDIT FOLLOW-UP

Except as discussed in the preceding paragraphs, the Department had taken corrective actions for the applicable findings included in our report No. 2015-194.

OBJECTIVES, SCOPE, AND METHODOLOGY

The Auditor General conducts operational audits of governmental entities to provide the Legislature, Florida’s citizens, public entity management, and other stakeholders unbiased, timely, and relevant information for use in promoting government accountability and stewardship and improving government operations.

We conducted this operational audit from February 2018 through September 2018 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

This operational audit of the Department of Revenue (Department) focused on selected administrative activities. The overall objectives of the audit were:

To evaluate management’s performance in establishing and maintaining internal controls, including controls designed to prevent and detect fraud, waste, and abuse, and in administering assigned responsibilities in accordance with applicable laws, administrative rules, contracts, grant agreements, and other guidelines.

To examine internal controls designed and placed in operation to promote and encourage the achievement of management’s control objectives in the categories of compliance, economic and efficient operations, the reliability of records and reports, and the safeguarding of assets, and identify weaknesses in those internal controls.

To identify statutory and fiscal changes that may be recommended to the Legislature pursuant to Section 11.45(7)(h), Florida Statutes.

Our audit also included steps to determine whether management had corrected, or was in the process of correcting, all applicable deficiencies noted in our report No. 2015-194 (finding Nos. 3 through 8).

This audit was designed to identify, for those programs, activities, or functions included within the scope of the audit, deficiencies in management’s internal controls, instances of noncompliance with applicable governing laws, rules, or contracts, and instances of inefficient or ineffective operational policies, procedures, or practices. The focus of this audit was to identify problems so that they may be corrected in such a way as to improve government accountability and efficiency and the stewardship of management. Professional judgment has been used in determining significance and audit risk and in selecting the particular transactions, legal compliance matters, records, and controls considered.

As described in more detail below, for those programs, activities, and functions included within the scope of our audit, our audit work included, but was not limited to, communicating to management and those charged with governance the scope, objectives, timing, overall methodology, and reporting of our audit; obtaining an understanding of the program, activity, or function; exercising professional judgment in considering significance and audit risk in the design and execution of the research, interviews, tests, analyses, and other procedures included in the audit methodology; obtaining reasonable assurance of the overall sufficiency and appropriateness of the evidence gathered in support of our audit’s findings and conclusions; and reporting on the results of the audit as required by governing laws and auditing standards.

Our audit included the selection and examination of transactions and records. Unless otherwise indicated in this report, these transactions and records were not selected with the intent of statistically projecting the results, although we have presented for perspective, where practicable, information concerning relevant population value or size and quantifications relative to the items selected for examination.

An audit, by its nature, does not include a review of all records and actions of agency management, staff, and vendors, and as a consequence, cannot be relied upon to identify all instances of noncompliance, fraud, abuse, or inefficiency.

In conducting our audit, we:

Reviewed applicable laws, rules, Department policies and procedures, and other guidelines, and interviewed Department personnel to obtain an understanding of Department financial management and selected administrative activities controls.

Performed inquiries of Department personnel, examined selected documents and records, and reviewed applicable Office of Financial Management policies and procedures to determine whether the policies and procedures provided adequate guidance to staff.

Performed inquiries of Department personnel, examined selected documents and records, and reviewed applicable Department policies and procedures to determine whether the Department had developed and implemented an effective purchasing process.

From the population of 7,274 contract payments, totaling $77,422,416, made during the period July 2016 through February 2018, examined Department records for 26 selected contract payments, totaling $5,215,922, related to 26 contracts to determine whether the payments were for goods that had been received or services that had been provided, were properly paid and authorized, supported by sufficient documentation, correctly recorded in Department accounting records, and made in accordance with applicable contract terms.

Examined Department records to identify payments made during the period July 2016 through February 2018 to vendors who were also State employees and to determine whether the payments were appropriate, reasonable, and properly documented.

Examined 28 Child Support Program (CSP) legal services contracts available on the Department of Financial Services (DFS) Florida Accountability Contract Tracking System (FACTS) as of April 23 and 24, 2018, to determine whether social security numbers were redacted in accordance with governing laws, Department policies and procedures, and other guidelines.

From the population of 43,718 Department noncontract payments for goods or services, totaling $25,546,109, made during the period July 2016 through February 2018, examined Department records for 25 selected payments, totaling $309,114, to determine whether the Department obtained and documented the appropriate approvals, documented receipt of goods or services, and whether the payments were properly supported, correctly recorded in Department accounting records, and made in accordance with applicable laws, rules, Department policies and procedures, and other guidelines.

Examined Department records for the two expenditures, totaling $1,857, related to a Governor-declared hurricane emergency during the period July 2016 through February 2018 to determine whether the expenditures were properly authorized, approved, supported, and made in accordance with governing laws, rules, Department policies and procedures, and other guidelines.

Observed, documented, and evaluated the effectiveness of selected Department processes and procedures for the acquisition and management of real property leases in accordance with State law, Department of Management Services (DMS) rules, and other applicable guidelines. Specifically, we:

o Examined Department records for the nine real property leases executed by the Department during the period July 2016 through February 2018 to determine whether the leases were properly procured in accordance with governing laws and rules.

o Compared Department real property lease expenditure information for the period July 2016 through February 2018 to DMS leasing reports to determine whether Department lease information materially agreed with DMS records. As of February 2018, the Department was responsible for 55 real property leases.

Evaluated Department actions to correct finding Nos. 3 through 8 noted in our report No. 2015-194. Specifically, we:

o Interviewed Child Support Program (CSP) personnel, reviewed Department policies and procedures, observed customer complaint recording activities, analyzed CSP complaint data, and selected and examined CSP records for 9 of the 97 complaints with recorded start and end dates during the period July 2016 through March 2018 to determine whether the CSP Customer Contact Center (CCC) tracked and resolved customer complaints in accordance with State law.

o Performed inquiries of Department personnel, examined statistical data from the Interactive Voice Response (IVR) system satisfaction survey for the period January 2017 through February 2018, and reviewed Department strategic planning documents to determine whether the deployed survey and IVR reporting capabilities ensured that statistical data on CSP CCC customer complaints could be provided to Department management in accordance with Section 23.30, Florida Statutes, and whether the statistical data was used to conduct management and budget planning activities.

o Analyzed CSP CCC monitoring data for all CSP CCC Revenue Specialist IIs and Revenue Specialist IIIs (RS IIs and RS IIIs) to determine whether monitoring data demonstrated that the RS IIs and RS IIIs each received five monitorings per month of active employment.

o From the population of 200 RS IIs and RS IIIs actively employed at least 3 months during the period July 2016 through February 2018, examined 2 months of CSP monitoring records for 5 selected employees to determine whether the monitoring records were accurate, CSP CCC management documented that RS IIs and RS IIIs were monitored five times a month in accordance with CSP procedures, and whether monitoring records were appropriately prepared and maintained.

o Examined Department, DMS, and Project Management Professional records for the 31 Department contract managers during the period July 2016 through February 2018 to determine whether the contract managers completed required Department and DMS training in contracts and grants management.

o Selected and examined Department training records for 10 of the 116 full-time CSP CCC employees employed during the period from July 2016 through February 2018 to determine whether the employees had completed required training.


o Examined Department policies and procedures to determine whether the policies and procedures included provisions for the conduct of periodic comprehensive reviews of information technology access privileges.

o From the population of 42 Contract Accountability Tracking System (CATS) users with “update” or “super” access privileges as of May 16, 2018, examined Department records for 5 selected CATS users to determine whether the level of CATS access was appropriate for each employee and whether the access records appropriately documented the access privileges requested, approved, and granted.

o Examined Department records related to the CATS access privileges assigned to 80 Department employees and included in the Department’s January 2018 CATS user access privilege review to determine whether CATS access privileges were appropriate and properly authorized.

o Examined Department records for the 736 Child Support Enforcement Automated Management System (CAMS) users who separated from Department employment during the period July 2016 through February 2018 to determine whether CAMS access privileges were timely deactivated upon a user’s separation from Department employment.

o Observed, documented, and evaluated the effectiveness of selected Department processes and procedures for administration of Florida Single Audit Act (FSAA) requirements. During the period July 2016 through November 2017, the Department provided State Financial Assistance in excess of $23.2 million to 12 non-State entities subject to the FSAA audit requirement.

Reviewed applicable laws, rules, and other State guidelines to obtain an understanding of the legal framework governing Department operations.

Interviewed Department management, examined Department forms, and evaluated Department compliance with applicable statutory requirements for collecting and utilizing individuals’ social security numbers.

Observed, documented, and evaluated the effectiveness of selected Department processes and procedures for:

o Managing FLAIR access privileges, settlement agreements, fixed capital outlay, and financial reconciliations.

o The administration of tangible personal property in accordance with applicable guidelines. As of January 2018, the Department was responsible for tangible personal property with acquisition costs totaling $33,519,881.

o The assignment and use of motor vehicles. As of February 2018, the Department was responsible for 17 motor vehicles with acquisition costs totaling $431,740.

o The assignment and use of mobile devices with related costs totaling $141,055 during the period July 2016 through February 2018.

Communicated on an interim basis with applicable officials to ensure the timely resolution of issues involving controls and noncompliance.

Performed various other auditing procedures, including analytical procedures, as necessary, to accomplish the objectives of the audit.

Prepared and submitted for management response the findings and recommendations that are included in this report and which describe the matters requiring corrective actions. Management’s response is included in this report under the heading MANAGEMENT’S RESPONSE.


AUTHORITY

Section 11.45, Florida Statutes, requires that the Auditor General conduct an operational audit of each State agency on a periodic basis. Pursuant to the provisions of Section 11.45, Florida Statutes, I have directed that this report be prepared to present the results of our operational audit.

Sherrill F. Norman, CPA

Auditor General


MANAGEMENT’S RESPONSE
