The URL can be used to link to this page

Backup Documents 01/27/2015 Item #13A oeR Co&A_ 'vlsk Internal Audit Department tt‘ •• .131-ox, 7.11E C kj Audit Report 2015-1 Library Department Library Cash Review Dwight E. Brock Clerk of the Circuit Court 3299 Tamiami Trail East Issued: January 21, 2015 Suite#402 Naples, FL 34112-5746 www.collicrelerk.com 13 A Prepared by: Megan Gaillard, Senior Internal Auditor Report Distribution: Board of County Commissioners(BCC) Leo Ochs,Jr., County Manager Mark Isackson, Director,Corporate Financial &Management Services Steve Carnell,Public Services Administrator Marilyn Matthes, Director, Library Jeff Klatzkow, County Attorney Cc: Dwight E. Brock,Clerk of the Circuit Court Crystal K. Kinzel,Director of Finance &Accounting James D. Molenaar, Internal Audit Manager TABLE OF CONTENTS SUMMARY 2 OBJECTIVES 2 SCOPE 3 BACKGROUND 3 OBSERVATIONS,RECOMMENDATIONS,&MANAGEMENT RESPONSES 4 OTHER OBSERVATIONS,RECOMMENDATIONS,&MANAGEMENT RESPONSES...11 CONCLUSION 14 ADDITIONAL MANAGEMENT COMMENTS 14 The files and draft versions of audit reports remain confidential and protected from ublic records requests during an active audit under Nicolai v. Baldwin (Aug. 28, 1998 DCA of FL, 5" District) and Florida Statute 119.0713. Work-papers supporting the observations noted within this report will become public record and will be made available upon request once the final audit report has been issued. 1 13 A The Draft Audit Report was initially reviewed with the Library Department on November 13, 2014 and was released to the Department for County Management Response on November 22,2014.The Public Services Division provided County Management Responses on December 22,2014. Summary The following audit observations were generated during the review: 1. Funds have not been properly secured or safeguarded. 2. Imprest funds did not balance to the authorized amounts and/or have been split without authorization. 3. Access to the Imprest Funds has not been limited. 4. Deposits have not been reconciled and sealed at the end of the shift and are combined at a different location. 5. Copier/printer revenue has not been properly controlled and recorded. 6. County Staff did not properly document information on the check as required by the Collier County Policy for Check Intake. 7. Library Staff indicated they were unfamiliar with Policies and Procedures. 8. Staff does not have the authority to waive fees,fines,or revenue. 9. Petty cash funds have not been replenished or balanced quarterly,in accordance with policy. The following other audit observations were generated during the review: 1. Confidential and/or personal items have not been properly secured and safeguarded. 2. All staff share the same computer system credentials,including user name and password. 3. Keys have not been properly secured. 4. All donations should be accepted by the BCC. Florida Statute and Policies and Procedures for imprest funds and cash handling(partial review) have not always been adhered to by Library Staff. The Department's cash controls were weak during the period of audit. The Department has been and should continue to work on enhancing policies and procedures and provide staff additional training to strengthen internal controls. Staff should be properly trained to ensure they understand policies and be held accountable for compliance by management. Imprest fund policies and procedures need to be followed to provide the Clerk's Finance Department with accurate information for year-end reporting and to safeguard the County's imprest funds. Objectives The Clerk of the Circuit Court's Internal Audit Department performed an audit of the Library change drawers,petty cash funds, and a partial review of related cash handling processes.The objectives of the audit were to determine: 1)whether the cash funds exist,2)whether internal controls over the cash funds are adequate and if the Department is properly implementing internal controls,3)whether imprest fund data is reliable,and 4)whether custodians,sub- custodians, and cashiers are in compliance with Florida Statute, County policies and procedures (CMA's), and Department policies and procedures,as applicable to the audited processes. 2 1 3 A Scope The review included,but was not limited to,the following tasks: • Review of Florida Statute Chapter 219 County Public Money,Handling by State and County; • Review of the Board of County Commissioner's(BCC)Insurance Policy Coverage; • Review of the Clerk's Finance Department's Accounting Procedures Manual (including policies and procedures); • Review of Library Policies and Procedures Manual; • • Review of the most recent Certificate and Request of Imprest Fund update forms; • Review of the annual confirmations submitted by Library staff; • Comparison of the most recent information provided by Clerk's Finance to the information gathered during field work; • Completion of unannounced cash counts of the change drawers for Library locations(Imprest Fund)between August 2014 and September 2014;and • Interviews of custodian, sub-custodians, and cashiers: inquiring about and observing the procedures used to account for and safeguard their respective funds. The cash count audit is limited to change drawers ($1,000.00 across 10 locations) and petty cash fund ($750.00 across eight locations) for Library locations; 19% of the County's total imprest funds. This does not include a full review of all cash handling operations for the Library Department. Background Imprest fund policies and procedures define the authorized uses of funds providing the structure for how departments establish,modify,spend,replenish,safeguard,and discontinue the use of the funds in accordance with Florida Statute. The Clerk has established authoritative guidelines for the safeguarding of County resources in the Clerk's Finance Accounting Procedures Manual effective October 1,2008. Change drawer funds are used to make change when money is collected for transactions of County business. There are ten Library locations throughout Collier County. Library cards are available at no charge to Collier County residents, Collier County property owners, and Collier County government employees. Library cards are available for a fee to seasonal residents and visitors.The Collier County Libraries provide a collection of print and other materials for the informational,educational,recreational,and cultural needs of the public. Unannounced cash counts serve as an initial risk review for overall department controls. 3 13 A Observations 1) hinds have not been )ro)erls secured or safeguarded. Florida Statute 219.02(2)states"It is the duty of each officer to keep safely all the public money collected by him or her.Each officer shall exercise all possible care for the protection of the public money in that officer's custody." The BCC Insurance Policy indicates loss of money(exceeding the deductible)from loss or theft from a locked safe, cash register, or cash drawer is a covered loss. This suggests if the cash register is unlocked or the safe is not properly locked, the insurance policy may not cover the loss. The deductible is paid from taxpayer funds. When employees do not properly secure funds, they may expose the County and/or taxpayers to additional costs and losses. Change Drawer Procedures Item 5 indicates the change drawer fund must be in a secure place (i.e. locked safe or cash register)only accessible to the authorized custodians. Nine of nine (100%) reviewed locations did not properly secure the change drawers when in use for operations. Change drawers were observed in unlocked drawers. All County funds should be properly secured in locked safes or cash registers to prevent pilferage and to comply with the BCC Insurance Policy to allow for indemnification of claims in the event theft occurs. Recommendation: • Employees should properly secure public funds and ensure safes are properly locked. County Management Response: "The Library concurs with the recommendation.All Library staff was retrained on keeping safes locked at all times during a staff meeting on September 10, 2014. Rarely does any single drawer contain over $500, which is the amount of the County insurance deductible. (As noted above, change funds are an aggregate of$1000, split among ten locations.) Risk Management has confirmed with the County's insurance agent that "there is no requirement under the policy that requires the box to be locked."However, all concur that locking drawers is a best practice. The Library's automated circulation system does not provide for integrated cash drawers that open upon completion of a transaction. The Library will replace the current cash drawers with locking drawers. Drawer keys will be kept physically on the person of the staff member manning the check-out station while the Library is open for business." 2) Imprest funds did not balance to the authorized amounts and/or have been split without authorization. Change Drawer Policy Item 6 indicates funds are not allowed to be combined or separated into multiple change drawers. In August 2014 and September 2014, Internal Audit completed unannounced cash counts for the Library Department change drawers and petty cash funds. Six of nine(approximately 67%) reviewed change drawers had been split.Nine unauthorized change drawers were created for a total of 15 change drawers at the six locations. Five of the nine (approximately 56%) reviewed change drawers did not balance to the authorized amount by a miniscule amount. One of eight(approximately 12.5%)petty cash funds did not balance to the authorized amount by a miniscule amount. The East Naples Library safe contained cash that was not recorded and had no supporting documentation.Upon inquiry,it was unclear how the location obtained the funds. 4 13 A Even small overages or shortages indicate a lack of control and attention to detail. Custodians and sub-custodians must exercise care for change drawer funds to prevent overages and shortages. Employees should be properly trained on how to balance a change drawer prior to being given the responsibility of managing cash funds. Recommendations: • If an overage or shortage occurs, the discrepant amount needs to be recorded at the time of deposit in the over/under general ledger account. There should be an explanation for what occurred causing the overage/shortage. • Staff must exercise more careful accounting of County funds to prevent overages/shortages. • Staff should be trained on how to balance change drawers at the beginning and/or end of each shift. • Overages and shortages should be routinely reviewed to determine cause and implement necessary corrective action. • Staff should not split change drawers. • When changes occur to an imprest fund,the appropriate documentation should be submitted to Clerk's Finance. County Management Response: "The Library concurs with the recommendations, with the exception of training staff to balance drawers at the end of each shift. Staff is required to provide documentation to library fiscal staff on shortages and overages. Staff members are counseled on error prevention when errors occur. Circulation staff is used throughout the library as business needs demand. As such, shifts on the circulation desk can last anywhere from minutes to hours. Meeting the demands of patrons and operations throughout the facility requires a flexibility in staff duties that prevents the possibility of balancing a cash drawer each time a different person works at a circulation station. It should also be noted that daily revenue reports represent monies taken in for a branch location in aggregate without respect to work station or worker, making single-station or single-employee reconciliation unattainable. The Library assumes the minimal liability caused by this practice. The splitting of change funds among the multiple work stations at a single service counter is a practice that has been in place in the Library for many years and previously has drawn no comment. Staff has processed paperwork to create these as individual change funds, thereby eliminating the splitting of cash drawers. Imprest funds forms are completed immediately upon new hire, termination, or other change in employee status for each employee who handles cash. Forms are promptly sent to Finance, with Library retaining a copy. Staff regularly reviews forms to ensure they are accurate." Internal Audit Response to County Management Response: Internal Audit Management Advisory 2004-6 reported the above issues. After the FY 2011 year-end cash counts, Internal Audit provided Library staff with copies of the policies and procedures which state each change drawer must represent one approved request form and each request is one change drawer.Funds are not to be combined or separated. 3) Access to the Imprest funds has not been limited. Best practices limit access to cash to the fewest people necessary. The Library Department allows all employees to access the change drawers at the same time. Employees rotate between change drawers throughout the day and share change drawers.Access has not been limited. In August 2014 and September 2014,Internal Audit completed interviews with cashiers;the cashiers indicated there was no single person responsible for discrepancies because all employees have access to the change drawers at the same time, share change drawers, and share user credentials. Proper controls should be in place to ensure accountability. Access to petty cash funds was not limited to authorized employees. Four of nine (approximately 44%) petty cash funds were accessible by non-authorized employees. By having weak controls for petty cash funds security and access,the County is at risk for theft and/or loss. 5 13A Petty Cash Policy Item 8 requires a new Certificate and Request of Imprest Fund form to be completed and submitted each time there is a change to the custodian, sub-custodian, director, or physical location. Petty cash forms for authorized employees were not accurate at the time of review. Access to County funds and/or change drawers should be limited to the minimum number of employees necessary to establish control over County funds.By allowing all employees to share the same change drawer, it exposes the County to unnecessary risk. If a discrepancy occurs, it may be challenging or impossible to identify the employee responsible for the discrepancy. Weak control of change funds and/or deposits may subject the County to risk of loss through cashiering errors or intentional dishonest acts. Recommendations: • Access should be limited to the fewest people necessary. • Employees should not share change drawers. Each employee should be assigned their own change drawer for their shift. • Certificate and Request of Imprest Fund forms should be updated for each location to comply with policy. • The Department should review all authorized employees and verify that all forms,for all Library locations,are current and accurate. County Management Response: "The Library acknowledges that these recommendations represent a general best practice, but they are not feasible for implementation in the library system. All circulation staff needs access to change drawers when they are working at circulation. As noted above, circulation staff is used throughout the library as business needs demand, and the need for flexibility in staff duties prevents the possibility of balancing a cash drawer each time a different person works at a circulation station.Again, the Library assumes the minimal liability caused by this practice. Imprest funds forms are completed immediately upon new hire, termination, or other change in employee status for each employee who handles cash. Forms are promptly sent to Finance, with Library retaining a copy. Staff regularly reviews forms to ensure they are accurate. The Library has eliminated all of its petty cash funds." Internal Audit Response to County Management Response: By not limiting access to the change drawers, the employees are exposed to accusations of theft,false or otherwise, with lack of recourse and no ability to disprove the allegation. In addition, management may not have the ability to hold employees accountable if an error occurs. 4) Deposits have not been reconciled and sealed at the end of the shift and are combined at a different location. In August 2014 and September 2014, Internal Audit completed unannounced cash counts for the Library Department's change drawers. Staff interviews identified that Library employees do not count and reconcile the deposits at the end of the shift or end of the day. Funds are placed in the safe until the next day where a different employee reconciles the deposit. When deposits are not reconciled by the responsible cashier, accountability is diminished and deposits are delayed. When uncounted cash is left in the safe in unsealed bags and/or transported, revenues are at greater risk of loss and/or theft. All Library locations' collected revenues are not typically deposited daily. The collected revenues are typically maintained in the safe until deposited; however, at Headquarters, revenues collected during the weekend are maintained in the main operating drawer and continue to be used for operations until Monday without proper controls in place. Each location's collected revenues are then sent to Headquarters to be recounted and one cumulative deposit is completed for all locations. Deposit bags are sequentially numbered and should be monitored and tracked by each location.By tracking deposits through the sequential serial numbers, the tracking system could be used to identify the deposit bag through the serial number if a deposit is not completed or a deposit bag is missing. Proper tracking provides a stronger check and balance for controlling deposits. 6 13A At the end of each shift, the cashier should reconcile revenues and seal their deposit bag. Deposits should be transported to the bank daily. When deposits are left unsealed to complete a single deposit for the location the next day,cash controls are circumvented and the County is exposed to potential losses and higher risk. Recommendations: • All deposits should be reconciled and deposit bags should be sealed at the end of the shift and deposited daily. • Deposit bags should be tracked by the sequential serial numbers. County Management Response: "The Library acknowledges that these recommendations represent a general best practice, but they are not feasible for implementation in this multi-branch library system. Staffing levels and areas of expertise, as well as facility schedules, do not allow for end-of-shift reconciliation or deposit,particularly in locations with only one shift per day. (In these instances, end-of-day reconciliation would require staff members to work overtime daily, counting monies after patrons had left the building.) The Library consulted with other multi-branch systems. Martin and Manatee counties confirm that they also transport monies for centralized review and processing for deposit. Lee County libraries make individual deposits. Charlotte and Sarasota County did not respond. As compensating controls, the Library will implement the following: 1) wherever feasible, two staff members will complete a cash control log, attesting to monies on hand, before securing funds at the end of the day;and 2)a log form will be completed by the branches and the driver attesting to the pick-up and delivery of deposits. The Library assumes the residual risk." Internal Audit Response to County Management Response: When daily deposits are not completed by the department, the County is exposed to unnecessary and increased risk of loss and/or theft.Additionally, delayed deposits delay County interest earnings. With the recent bank conversion, additional options for more frequent deposits are available. 1• 1Misilu iti anasill[mFSf.`11UftiI:Pail1 f aszsuguminumuumnIsiliMOM In August 2014 and September 2014, Internal Audit completed unannounced cash counts for the Library Department's change drawers. Copier/printer revenues for FY 2014 were approximately$44,000 (approximately 8% of revenue). Staff interviews identified that Library employees are inconsistent in methods for controlling, recording,and safeguarding copier/printer revenues. Collected revenues are not typically recorded daily. Most locations collect and record copier/printer revenues a few times per week. When there is a collection machine, revenue has been collected from the copier / printer collection machine and recorded through a manual entry in the Library computer system. When revenue(i.e. cash) is collected from the machine, one person has collected the funds and the funds are not reconciled to machine reports or totals. This process does not provide the County assurance that all revenues have been collected or recorded. If a machine does not have a report option or total to reconcile revenues collected, then two employees should collect money and count money together in order to protect County revenue and reduce risk. The Vanderbilt Beach Library Branch and the Immokalee Library Branch have no machines (i.e. coin boxes) for collecting copier/printer funds. These locations rely on the"honor system."Patrons copy their documents and are responsible for self-reporting the amount due based on number of copies printed and paying at the front counter. There is no process in place to ensure that revenues are being provided by patrons as copies are completed.Controls should be implemented to control operations and prevent loss exposure. Florida Statute Chapter 219.02(1)requires"It shall be the duty of each officer to issue a receipt for each collection of public money made by him or her, a copy of which receipt shall be retained by the officer and shall be made a public record...he or she may use also any other form or method which will record collections of public money in a manner adequate for a proper post audit."Machines with coin boxes do not have the capability to print receipts.The Vanderbilt Beach Library does not issue receipts for copier / printer transactions when funds are collected by a 7 13 A cashier. The Vanderbilt Beach Library accepts funds from patrons for copier/printer transactions and places the revenue in a separate bag which is kept separate of the change drawer. The revenue is not recorded at the time of receipt.This practice is a control deficiency and exposes the County to potential loss and theft. Florida Statute Chapter 219.04 indicates "Each officer as defined in this act, shall keep a cash book, or books, wherein shall be entered daily all receipts and disbursements of public money, either by items or summaries of itemized entries in other records, including machine tapes, kept in such office. The book shall be balanced..." Libraries do not record copier / printer revenue on a daily basis and do not record copier/printer revenues as itemized entries. Without a proper audit trail and/or records for cash on hand and transactions,the location is susceptible to theft and potentially uninsured for loss of revenue. The lack of a proper audit trail exposes the County to higher risk, theft, fraud,and/or loss of revenue. Recommendations: • All revenue should be immediately collected and recorded. • The Department should properly issue receipts and retain machine count logs(page count records for machines) for transactions. • A minimal control that could be implemented,as easily as,each location should post a sign encouraging patrons who do not receive a receipt to contact a central phone number. County Management Response: "The Library concurs with these recommendations. A new photocopier with a coin-box attachment has been ordered for the Immokalee branch library.As funds become available, the Library will purchase coin boxes for any other libraries that do not have one. Two staff members at all libraries will empty and count copier and printer money on a daily basis, before opening for the day. The Vanderbilt Beach branch library will key in copier money as received until they get a copier with a coin box. Staff reports page counts to the vendor who is paid for maintenance.However,copiers are also used by staff for internal business purposes, so the count logs are not an accurate reflection of the amount of money that should be in the coin box at any given time. The Library will post signs noting patrons to ask for a receipt if one is not given." 6) County Staff did not Properly document information on the check as required by the Collier County Policy for Check Intake. County Policy for check intake requires cashiers to ensure the following criteria have been met: checks received in person are to have the payor's name, address, driver's license number and state on the check to verify accuracy. Once the criteria are met,the cashier is required to initial the check,endorse the check,and complete a transaction in the point of sale system. In August 2014 and September 2014,when completing unannounced cash counts,checks in the cash registers were not endorsed. Library Management indicated the reason checks are not endorsed at the locations was because the locations do not have endorsement stamps. Checks are endorsed once they are received by Headquarters for the combined deposit. A check should be restrictively endorsed as soon as it is received to prevent manipulation or theft. Without proper information obtained when accepting a check for payment,the County may not be able to submit the check to the State Attorney's Office for prosecution in the event there are insufficient funds in the payor's bank account. This exposes the County to potential lost revenue. Recommendations: • Staff should be trained on the proper methods for accepting checks as payment. 8 1 3 A • Endorsement stamps should be obtained and utilized by all locations or"for deposit only"should be written on the back of the check until the check is endorsed. County Management Response: "The Library concurs with these recommendations. The County Process for Check Intake and Preventing NSFs, issued May 26, 2010, requires that a "receiver" ensures that the necessary information is provided on the check and initials it and that a "cashier" endorses the check and deposits it in a timely manner. Staff has previously interpreted this to mean that the check should be endorsed when the deposit is prepared. Staff now understands that the check should be endorsed at the time of receipt. The Library has ordered endorsement stamps and will implement their use upon receipt of checks at each location as soon as they are received." 7) Library Staff indicated the were unfamiliar with Policies and Procedures. Formal written policies and procedures provide management a tool for measuring and controlling the fiscal environment and afford some assurance of fiscal accountability; however,this is only successful when policies and procedures are uniformly followed.Written procedures promote consistency of cash handling in all County Library locations and provide an authoritative standard and reference when questions arise. Despite the fact that the Library Department has written policies and procedures for cash handling, personnel at multiple locations were unaware of the processes and protocol. In August 2014 and September 2014, three of nine (approximately 33%)cashiers interviewed were unaware of deposit processes.An employee with access to the petty cash fund was unaware of how to complete a petty cash transaction. Cashiers were unaware of processes to complete a"Money Report"for the day's transactions to reconcile the change drawer and deposit at the end of the shift. The East Naples Library has recorded overages as transactions(i.e.manual revenue entry)rather than recording the discrepancy as an overage. When discrepancies occur, they should be properly recorded as an overage or shortage including an explanation. Management has made efforts to have written policies and procedures for cash handling. Procedures should be uniformly and consistently followed at all Library locations. If all employees do not consistently and uniformly acknowledge and maintain accountability prescribed by written standards, the County could lose an unknown amount of revenue through cashiering errors or manipulations. Employees should be provided training when policies and procedures are revised or implemented to ensure a proper understanding of requirements. Recommendations: • Employees handling cash should be provided training for the cash policies and procedures. • When policies and procedures are revised or implemented, County staff should be provided training at the time of implementation. • If an overage or shortage occurs, the amount needs to be recorded at the time of deposit in the over/under account.There should be an explanation for what occurred causing the overage/shortage. • Staff should be trained on how to balance change drawers at the beginning and/or end of each shift. County Management Response: "The Library concurs that staff should be provided training on applicable aspects of cash policies and procedures. It should be noted that several of employees who indicated that they were not familiar with the department's cash handling are not in fact handling cash in their current duties or have limited cash handling responsibilities.Library Staff will be re-trained in the aspects of money handling for which they are responsible. Corrective action has been taken to assure that non-custodial employees do not have access to funds for which they are not responsible. The Library has eliminated all of its petty cash funds. The recommendations regarding overages and shortages and the balancing of change drawers are also listed under Observation No. 2 and have been addressed under the management response there." 9 13 4 , 8) Staff does not have the authority to waive fees,fines, or revenue. Florida Statute 125.74(2) states "It is the intent of the Legislature to grant to the county administrator only those powers and duties which are administrative or ministerial in nature and not to delegate any governmental power imbued in the board of county commissioners as the governing body of the county...." . BCC Resolution 2012-181 for Library Fines and Fees does not address the waiver of fees, fines, or revenues and does not provide County staff discretionary authority to waive fees,fines,or revenue. If the BCC provides ministerial authority for waiving fees, fines, and revenue, the County must maintain a proper audit trail. Libraries have been waiving fees, fines, and revenue without proper authority. Libraries have not maintained supporting documentation for waived revenue.In addition,each Library location has a different process and/or threshold for waiving fines. If fees are waived, there should be a proper audit trail including a copy of the receipt,employee's initials,and the reason for the waiver of revenue.Waivers result in lost revenue. Recommendations: • The Department should properly issue and retain records for waived revenue. • The Department should have a written policy to provide guidance to employees for waiving fees, fines, or revenue that is approved by the BCC. County Management Response: "The Library concurs with the recommendations. The Library has surveyed several other Library systems within the state and has found that it is common practice for library staff to exercise discretion in the name of customer service, usually waiving fines without codifying criteria from which to work.Nonetheless, the Library has developed a Fines and Fees Policy that includes specific guidelines for when waiving fines is permissible and the documentation doing so requires. This policy has been approved by the Library Advisory Board and will be placed on an upcoming Board of County Commissioners agenda." 9) Petty cash funds have not been replenished or balanced quarterly, in accordance with olicv. Petty Cash Policy Item 11 states that"Petty Cash accounts should be replenished and balanced quarterly." Eight of nine(approximately 89%)petty cash funds have not been balanced on a quarterly basis and/or supporting documentation of reconciling the fund was unavailable for review. There does not appear to be a schedule for balancing the petty cash funds quarterly. Two of four(50%) petty cash funds have not been replenished on a quarterly basis. Petty cash funds that are no longer necessary should be returned to Clerk's Finance. Submission of petty cash transactions must be timely to ensure costs are reported in the appropriate period. It is important to balance the funds on a quarterly basis to detect and correct any discrepancies in a timely manner. Recommendations: • Custodians should submit Petty Cash Reimbursement Forms, at a minimum, on a quarterly basis for replenishment. • Custodians should reconcile and balance petty cash funds, at a minimum, quarterly. Documentation should be available for review. • Petty cash funds no longer necessary should be returned to Clerk's Finance. County Management Response: "The Library has eliminated all of its petty cash funds." 10 13 A Other Observations 1) Confidential and/or rersonal items have not been rro rerk secured and safe_uarded. Patrons have left personal confidential items and belongings at Library locations.When patrons'items are left at the location,Library staff has the responsibility to safeguard protected/confidential information to ensure the patron is not exposed to identity theft,until the patron is contacted and picks up their belongings. On August 18, 2014, passport information was not properly secured at the East Naples Library. The confidential information was maintained in an unlocked cash drawer. All confidential information should only be maintained and safeguarded in a secure area, such as a safe. Subsequent to Internal Audit's observation,Library staff indicated they have properly disposed of the confidential information and trained staff on how to properly secure confidential information. On August 23, 2014, the Naples Central Library's safe was unlocked during Internal Audit's unannounced cash count. The safe contained the following items: wallets, coin purses, cash, identification cards, Florida driver's licenses,credit cards,social security cards,copier/printer machine keys,beach stickers,an iPad,a Lely high school identification card, checkbooks, etc. All items that have been left in Lost and Found by patrons should be properly secured and attempts to return items documented. Safes should always be locked to ensure proper safeguarding of County and non-County items. Confidential information and items should be properly secured and safeguarded to minimize the County's risk of exposure and loss. Forms and/or documentation containing confidential information should be properly secured to protect the information and/or patron's exposure to identity theft. Recommendation: • Personal identification information should be properly safeguarded. • The Department should implement a policy and procedure to provide guidance for how to secure confidential information and sensitive items including how to return"Lost and Found"items to patrons. • The Department should provide staff training on how to secure patron belongings and how to protect confidential information. County Management Response: "The Library concurs with the recommendations. Currently staff maintains a lost and found collection site at each location. The preponderance of items left include eye glasses, clothing, umbrellas, and notebooks, many of which have no identifying marks. Such items are kept for people who return, request, and idents the lost items. Valuable items such as wallets, credit cards, iPads, documents, etc. are kept in a secure area, usually a locked drawer or the safe. If identification is available, staff will attempt to call patrons. No policy has existed for what to do should no one claim left items. A "Lost and Found"policy will be developed in accordance with the recommendations and statute.Staff will be trained on the policy when it is complete." 2) All staff share the same com uter system credentials, including user name and )asswword. User names and passwords act as employee identification and provide a computer audit trail.When employees share user names and passwords, it exposes the employee to potential allegations in the event of an issue and potential misuse. By sharing user names and passwords, it provides an opportunity to commit theft and violates County policies and procedures. The likelihood of errors and omissions increases when credentials are shared with other employees and/or untrained co-workers. Errors and omissions reduce the accuracy of the audit trail and financial records. While sharing credentials may make operations easier, it undermines the internal controls in place and places the employee and County at risk. There is no legitimate reason to share passwords. Sharing credentials severely weakens the security of the system. 11 134 CMA 5405 Computer / Technology Use applies to the Library's system when the system interfaces with the County's internal business network. CMA 5405 Computer/Technology Use states staff are issued credentials(user name and password) for accessing network and network resources. Users are responsible for all transactions made using their credentials, protecting confidentiality of their credentials, and are prohibited from sharing their credentials.No user may access the network or network resources with another user's credentials. Recommendations: • Employees should never share user names and passwords. • The Department should train employees on computer practices and provide each employee with their own credentials. • The Department should monitor and observe employee operations to ensure user names and passwords are properly safeguarded. • The Department should verify the software licensing agreement pertaining to users and shared access. County Management Response: "The Library concurs with and is in compliance with the recommendations for all non-circulation computers. The recommendations are not applicable to the Library circulation computers, which are the only computers that use a shared log-on. The pricing structure of the library's automation system incentivizes the use of shared log-ons, and its reporting system does not report actions or revenues based on station-specific or employee-specific activity. This is an industry-standard practice and the Library assumes any associated risk. Circulation employees do not conduct other library or County business on the circulation computers. The Library circulation computers are not part of the County network." Internal Audit Response to County Management Response: The audit comment and recommendations are specific to computers at the front service counters used for cash intake. Recommendations are best practices for any environment with computers and should be applied to Library computers. The fact that the Library cash intake computers are not part of the County network is an added risk for process,procedure,and control compliance. 3) Keys bane not been pro erly secured. In August 2014 and September 2014, during unannounced cash counts, Internal Audit observed three of nine (approximately 33%) locations with unsecured keys that accessed cash intake points. The Naples Central Library had a box of keys displayed on the reference counter in an unlocked box containing keys for the printer by-pass (cash access), meeting rooms, desk drawers, cash drawer, display cases, microfilm coin box, and metal cabinets. The Golden Gate Estates Library had keys for Library machines and rooms hanging at the main counter accessible by anyone who walked up to the counter. The Golden Gate Branch Library had the copier/printer machine (cash access)keys at the main counter where all cashiers have access to the keys. On August 24, 2014, Internal Audit observed front door key in the main door at the Library Headquarters during operations. By having keys accessible for machine securing cash collections and Library rooms, it exposes the County to theft, loss of revenue,and access by unauthorized people. Recommendation: • Keys should be properly secured and access limited. County Management Response: "The Library concurs with the recommendation. Keys will be removed from public areas and secured for appropriate staff access only." 12 • 13A 4) Ml donations should be acce)ted by the BCC. In August 2014 and September 2014, during unannounced cash counts, it came to Internal Audit's attention that several donations had been made to the Libraries without proper recognition,recording,or BCC approval. A policy should be developed to consistently address all donations including, but not limited to, cash, books, etc. Donations should be recorded and transparent with BCC acceptance. Recommendation: • A policy and procedure should be developed and implemented to address donations. • Donations should be recognized by the BCC. County Management Response: "The Library concurs with the recommendations. A donation acceptance policy will be developed and presented to the Board of County Commissioners. Staff will be trained on the policy when it is approved by the Board." 13 13A Conclusion The Library Department's internal controls for cash handling and imprest funds were weak during the period of review. The Department has been working to enhance policies and procedures and provide additional training to staff to ensure compliance. The Department should continue to work on enhancing controls to safeguard County revenue and limit unnecessary risk. The Department has improved on providing timely information and properly completed annual confirmations on a yearly basis. The Department's effort to improve controls over operations has begun to correct some of the Internal Audit concerns and findings. Florida Statute and Policies and Procedures for imprest funds and cash handling (partial review) have not always been adhered to by Library staff. Staff should be properly trained to ensure they understand policies and be held accountable for compliance by management. The Department should ensure the proper controls, policies, and procedures are in place to limit risk and error. Imprest fund policies and procedures need to be followed to provide the Clerk's Finance Department with accurate information for year-end reporting and to safeguard the County's imprest funds. Audits do not relieve management of their responsibilities. It is the responsibility of County Management to understand and implement the proper procedural controls in order to reduce and limit the risk of fraud, error, and misappropriation of County assets. Internal Audit may recommend improvements in audit reports,but ultimately it is the duty and decision of County Management to formulate processes and controls that ensure compliance with Federal Regulations,Florida Statutes,County Ordinance,and County Policies. Additional Recommendations: • The Director or an independent employee (not a custodian, sub-custodian, or cashier of the fund) should perform periodic cash counts of the Department's imprest funds on a non-routine basis to ensure that the custodian, sub-custodians, and/or cashiers are complying with the County's policies and procedures and adequate documentation exists for audit purposes. • Additionally,Internal Audit will continue to perform unannounced cash counts. • Training should be provided to all custodians, sub-custodians, and cashiers to ensure they understand the policies,procedures,and forms governing the imprest funds. • Management should review all revenue related policies and procedures to ensure there are proper internal controls and protection of County revenue. Additional County Management Comments: "The Library concurs with the recommendations. The Library will implement a periodic cash count on a non- routine basis. Training will be reinforced at least annually with appropriate staff Fiscal policy reviews will be added to annual training." Library Staff Audit Comment: The Library recognizes the value of an unannounced cash counts, but requests future visits are not made on weekends or late in the day when libraries are busiest and/or operating with reduced staff. During the Sunday audit, in particular, it was difficult for staff to attend to audit personnel due to minimal staffing on that day.Audits also need to be completed prior to scheduled end-of-shift times, so that staff does not need to stay more than their scheduled workday. Despite these inconveniences, the Library welcomes the Internal Audit evaluation and comments. We appreciate the outside look at our unique processes and responsibilities and look forward to making appropriate changes to improve our procedures. 14 13A Internal Audit Comments: Internal Audit would like to acknowledge the cooperation and assistance from County staff for addressing and implementing additional controls based on Internal Audit recommendations. The assistance and responses provided by the Library Department greatly assisted in the audit process. Internal Audit attempts to minimize inconvenience to County employees when completing unannounced cash counts. Internal Audit will continue to attempt to minimize inconvenience, but cannot limit or sped the times not to be audited.Limiting times of audit would decrease the effectiveness of the audit process. 15