STATE OF WYOMING
Matthew H. Mead
DEPARTMENT OF AUDIT
Jeffrey C. Vogel
PUBLIC FUNDS DIVISION
Pamela Robinson
(307) 777-7798 Fax (307) 777-5341 Email:
[email protected]
Governor
Director
Administrator
September 9, 2014 Diane Lozano, State Public Defender Office of the State Public Defender 316 West 22nd street Cheyenne, WY 82002
Dear Ms. Lozano: We are issuing this audit report pursuant to the requirements of Wyoming Statutes 28-1-115 and 9-21014. Wyoming Statute 28-1-115(a) (ii) (A) requires every state agency to develop performance measures that provide methods and criteria to measure the agency’s performance in conducting its activities and in achieving its goals and objectives. Wyoming Statute 9-2-1014(a) requires the annual performance report, compiled by the Department of Administration and Information, contain a means of evaluating the outcomes included in the agency’s strategic plan. These measures, as developed by the agency, are to be examined by the Department of Audit. Objective: The audit performed was to determine if the Office of the State Public Defender (OSPD) reported its performance measures accurately and reliably in its 2013 Annual Report. In addition, it was to determine if any potential weaknesses existed in the agency’s processes regarding the performance measures, financial management and the general information technology controls. The objective of the audit did not extend to an evaluation of the appropriateness of performance measures and indicators. Scope and Methodology: We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The scope of the audit included the period from July 1, 2012 to June 30, 2013. This also included the period’s corresponding annual report. The State Public Defender, Deputy Public Defender, Deputy Director of the Guardians Ad Litem (GAL) program, Fiscal Officer, and the Accountant for GAL were interviewed. Additional tests were performed and are as follows: • • •
Vouched sampled expenditures from the States accounting systems to internal records kept by the Public Defender Vouched revenue receipts to supporting documentation Interviewed key personnel to identify the policies and procedures in place surrounding the general information technology controls HERSCHLER BUILDING, 3rd FLOOR EAST | 122 WEST 25th STREET | CHEYENNE, WY 82002 | WEB SITE http://audit.state.wy.us
Page 1
Office of the State Public Defender September 9, 2014
• • • •
Recalculated key performance measures related to the annual report Obtained information about contractors and their contribution to key performance measures Obtained sufficient, appropriate, relevant, and available supporting documentation for all performance measures Evaluated the Public Defender’s internal controls against the Committee of Sponsoring Organizations internal control framework
Based on the procedures identified above, three possible violations of State Statute were identified. These violations and additional findings are presented in the accompanying summary of findings and recommendations. This report is intended solely for the use of the State Public Defender and the specified users listed below; however, this report is a matter of public record and its distribution is not limited.
©ª Public Funds
cc:
Governor’s Office Secretary of State
Page 2
Office of the State Public Defender September 9, 2014
EXECUTIVE SUMMARY The audit focused on determining the accuracy of the performance measures reported in the 2013 Annual Report and the internal controls in place to help prevent or detect material misstatements in the annual report. In addition to testing the accuracy of the reported measures in the annual report, the audit included a review of management’s financial controls and a review of the policies and procedures in place surrounding general information technology (IT) controls. Accuracy One performance measure had been certified accurate with qualifications. Three performance measures had factors that prevented a certified opinion. Auditors were unable to recalculate the reported figures for the three measures as there was not sufficient supporting documentation. Controls The agency's financial controls appear to be well designed; however, early in the audit period the operation of the controls was intermittent. It was noted, once the new Fiscal Officer was hired, compliance with financial internal controls increased. Weaknesses in the internal controls regarding reporting and performance measures were identified during the audit. The 2013 Annual Report was not submitted to the Wyoming State Library as prescribed by Wyoming Statute 9-2-1014. There were also no written procedures on how to compile the data for the measure, document, calculate, or review the performance measures. Further, there were no written procedures regarding Information Technology or a disaster recovery plan. These weaknesses and others are discussed in the following summary of Audit Findings and Recommendations.
Title
Reported Figures
Certification
Associated Finding
Information Technology Financial Controls Performance Measure #1- The percentage of all represented criminal defendants who were appointed a public defender from FY09 to FY13
N/A N/A 90%
N/A N/A CQ
1 2&3 4
Performance Measure #2a - The percentage of increase in total caseload from FY09 to FY13 Performance Measure #2b - The average caseload per full time equivalent (FTE) attorney Performance Measure #3 - The caseload trends of the GAL since FY09
5.8%
FPC
4
10%
FPC
4
2%
FPC
4
CQ = Certified with Qualifications; FPC = Factors Preventing Certification; N/A = Not Applicable
Page 3
Office of the State Public Defender September 9, 2014
Audit Findings and Recommendations The following recommendations are suggested to assist in enhancing controls over deriving and reporting of all performance measures. Implementing these recommendations should result in increased reliability and validity of the information used to calculate and report on performance measures. Additional recommendations are also included in order to further develop the handling of the financial controls and IT functions. 1. No Written Policies and Procedure The agency did not have written policies and procedures manuals for functions such as fiscal management, Information Technology, disaster recovery, or performance measure reporting. In regards to fiscal management, the agency did not have an accounting policy except for a petty cash policy. Concerning Information Technology, there were no policies or procedures for the agency security contact for how to direct Enterprise Technology Services (ETS) in regards to password requirements, firewall monitoring, security levels, updates, backups, or hardware and software maintenance schedules. ETS acts as a support function to agencies - it is the responsibility of the OSPD to determine the level of security it requires to protect their data and communicate that information to ETS, working together to form adequate control measures. Regarding performance measures, there were no written procedures or policies to document the calculation process to ensure consistency from year to year, or a review of the report prior to publishing to ensure the intended results were conveyed accurately. For example, the use of the term Full Time Equivalent (FTE) without further adjustments disclosed in the Annual Report is misleading. For instance, appellate attorneys, the State Public Defender, and the Deputy State Public Defender were not included in the FTE calculation. In addition, contract attorneys who were not employees were included in the calculation, as they managed caseloads. As these adjustments were not disclosed in the Annual Report, the use of FTE is misleading and could be inconsistent from year to year. Recommendations – It is recommended the OSPD create policy and procedure manuals for each critical function the agency partakes. The manuals should include procedures to address all of the required information needed for each type of expenditure and expenditure transaction, as well as budget monitoring and revenue transaction. They should also include procedures to address annual reporting of performance measures and review. It is also important to include the agencies IT expectations and how to direct ETS in meeting them.
Page 4
Office of the State Public Defender September 9, 2014
2. Potential Compliance Issues When comparing the OSPDs 2013 Annual Report to the 2013-2017 Strategic Plan it was found there was not a one-to-one correlation in regards to performance measures which is required by W.S. 9-2-1014. The 2011-2012 Strategic Plan appeared to be the plan that had a one-to-one correlation to the 2013 Annual Report. However, the 2011-2012 Strategic Plan did not have data for 2013. Due to the aforementioned conditions auditors tested the four measures presented in the 2013 Annual Report and issued a finding in regards to the 2013-2017 Strategic Plan stating the 2013-2017 Strategic Plan contains performance measures that are not presented in the related 2013 Annual Report. The OSPD also did not present in the Annual Report the amount of monies expended and the amounts of reimbursements from participating counties, as it related to the GAL program, as required by W.S. 7-6-106(d)(iii). Finally, the OSPD did not submit their 2013 Annual Report to the Wyoming State Library as required by statute. Recommendations – It is recommended an annual reporting checklist is created to help ensure all requirements are met. Further, an employee who is not involved in the annual reporting process should review the checklist to ensure the steps have been completed.
3. Lack of Supporting Documentation / Internal Controls Issues During financial controls testing it was noted of 50 tested expenditures, • four did not have signed perjury statements, as required by W.S. 9-1-403(b)(iii). • three were not recorded in a timely manner. • two did not have the agency required Expense Authorization Form. • one did not have an invoice attached as supporting documentation. • one had no support of the approval from an authorized approver in the GAL office available for review. • two had the same creator and approver in the WOLFS system. These transactions occurred during April and May of 2013. As discussed with agency officials, this was the period when the Fiscal Officer had access to create and approve as the agency was limited on fiscal staff. Further, of 40 tested checks made to the OSPD, • five were not entered into the Executive Administrator's log as required by the agency. • two deposits did not have a signature on the WOLFS 101 document to show the approval of the agency. • one transaction regarding GAL did not have proper supporting documentation, as they were unable to provide the log, cash Receipt, or WOLFS 101. • five checks were not deposited in a timely manner. Recommendation – OSPD should ensure the proper supporting documentation is maintained for each transaction. A review process would assist in increasing the accuracy of these issues. Page 5
Office of the State Public Defender September 9, 2014
4. Certification of Performance Measures Performance Measure 1 - OSPD manually summed county cases and subcases to reach the total cases represented by a public defender as the database was not capable of this function. This process lent itself to significant risk of unintentional human error. It was noted human errors were made when totaling the subcase numbers for seven counties. Further, OSPD receives the total number of cases represented by counsel statewide from the Supreme Court via email. Auditors noted the OSPD did not verify the figures received. OSPD is responsible for the data reported in the Annual Report. The calculation for performance measure one included an unverified third party number but was recalculated by auditors with an immaterial difference, therefore found to be certified with qualification. Performance Measure 2a – Data for the calculations of the first two performance measures were retrieved via the OSPD’s Client Database. The auditors tested this database for FY09 and FY13 and determined the database was accurate for FY13 but could not be relied upon for FY09. It was noted there were 31 of 224 or 14% of cases in which the supporting documentation was either missing or insufficient. As performance measure 2a included data from the FY09 database these factors prevented a certified opinion. Performance Measure 2b – There was no supporting documentation that could support the FTE attorney determination, other than the State Public Defender writing down personal knowledge of the agency. As such, the auditors could not recalculate the performance measure. Performance Measure 3 - Performance measure three depicted the number of children represented during FY13, as compared to the number of children represented during FY09. The auditors were unable to verify the accuracy of the database as the auditors could not have access to the childrens' files, due to confidentiality reasons, without a court order. Recommendations – If OSPD used unverified data in the calculation of the measure it is recommended the OSPD explain that unverified data was used and explain why the risk of error is acceptable. Further, OSPD should ensure the proper supporting documentation can be maintained so the measure can be recreated at a later date. Finally, in regards to the GAL measure, it is recommended OSPD reconsider using a measure that requires a court order to obtain the necessary supporting documentation. Without supporting documentation it would not be possible to recalculate the measure.
Page 6