Internal Audit
About Internal Audit Program
This program provides independent strategic risk-based auditing services. The core function of this program is to improve internal controls and provide reasonable assurance of reliable financial reporting, effective and efficient operations, legal and regulatory compliance, fraud investigation and deterrence, and the safeguarding of County assets.
Below are the list of reports available since September 2009.
Search the reports by entering keyword, or sort the table by clicking the column heads.
Date | Title | Department | Description |
---|---|---|---|
09/22/2009 | DPS Commercial Building Permit Calculation Process Review | DPS | This report summarizes the work performed by MCIA in reviewing the Montgomery County Department of Permitting Services procedures for calculating Commercial Building Permit Fees. It sets out the individuals interviewed, documents reviewed, the results of CBH recalculation of permit fees, and recommendations to the Department of Permitting Services (DPS). |
04/20/2010 | Wage Requirements Law | PROC | Montgomery County's Office of Internal Audit (MCIA) conducted an agreed-upon procedures audit to aid the County in determining compliance with the Wage Requirement Law under several contacts. This report summarizes the results of that review. |
05/12/2010 | County-Wide Risk Assessment and Multi-Year Audit Plan | CAO | This document summarizes the work performed in conducting a County-wide risk assessment of the Montgomery County executive branch departments. The scope of this engagement included all departments of the executive branch and the Capital Improvements Program (CIP) as it relates to executive branch departments. This document sets out details of the approach, methodology and matters considered in assessing areas of risk within Montgomery County and the internal audits to be considered as part of the proposed three-year internal audit plan. |
06/03/2010 | OHR Tuition Assistance Program | OHR | This report summarizes the work performed by MCIA in reviewing the Montgomery County Tuition Assistance Program (TAP) policies and practices. TAP provides Montgomery County employees monetary assistance for various educational courses, seminars, training sessions, etc. The primary objective of the TAP review was to determine the effectiveness of the program's existing internal controls including necessary changes to assure compliance with applicable laws, regulations, policies and procedures; and prevent waste, fraud and abuse. We are making 16 recommendations to improve internal control over TAP and to strengthen needed monitoring and oversight. |
02/17/2011 | Police Overtime | POL | The Montgomery County Police Department (MCPD) is consistently one of the top overtime users within Montgomery County and overtime expense is a significant operating expense. Inherently, MCPD is subject toconsiderable overtime hours due to the department's need tooperate 24 hours a day, 7 days a week. Overtime makes up about 4% or almost $10 million of MCPD's total operating budget of$246.3 million. While the County and MCPD have instituted recent actions to better monitor overtime use, the average overtime expense per employee has remained consistent over the last five years. In a recent Countywide risk assessment, MCIA had designated overtime as a high-risk area. |
05/06/2011 | HHS Contract Monitoring | HHS | Montgomery County Department of Health and Human Services (HHS) manages over 660 contracts with total encumbrances of over $97 million in FY 2010. This represents about 13% of all County procurement funds. Since HHS relies on these contractors to provide a significant portion of the County's HHS Services, accountability over contracts is critical. This report assesses whether the internal control by HHS over the monitoring of cost reimbursement contracts is operating effectively and whether the Department has successfully implemented control changes it made between FY 2009 and FY 2010. We reviewed a sample of contracts from fiscal years 2009 and 2010 in each of the six main HHS Service Areas to determine whether contracts were monitored financially and operationally in accordance with HHS policies and whether such policies need further upgrading. MCIA makes 15 recommendations to improve internal controls at HHS, in such areas as the treatment of indirect cost rates, development of a comprehensive review policy, file documentation, and training. |
06/30/2011 | DLC Point of Sale System | DLC | At a cost of over $1.7 million, the Montgomery County Department of Liquor Control (DLC) implemented the Microsoft Retail Management System (RMS) in 2010 for the purpose of improving the accuracy, timeliness, control, and customer service aspects of Point-of-Sale (POS) processing of customer transactions. The new system is integrated at all 24 DLC stores, the Montgomery County Department of Technology Services (TEBS) and with two third party providers. This was a major implementation of hardware and software which replaced an antiquated, unsupported system that had been in place at the DLC since the 1990s. The DLC employs over 300 County employees and processes over $225 million in annual sales. MCIA is making 15 recommendations to improve the internal control environment at the DLC in such areas as project management, IT training, problem tracking, polices & procedures, security administration, inventory tracking, data restoration and disaster recovery. |
09/14/2011 | DOT & DGS CIP Invoice Controls | DOT DGS |
The Montgomery County FY11-16 Capital Improvements Program (CIP) includes over $4 billion in capital projects. County government departments are allocated $2.1 billion or 52.8% of the program The Department of Transportation (MCDOT) and Department of General Services (DGS) have oversight and administrative responsibilities for approximately $ 1.8 billion or 86% of the county government allocation. The majority of the expenditures under the program are incurred under contracts executed for project design and construction. Both the CIP and contracting were identified as areas of higher risk in the County-wide risk assessment completed by MCIA. We reviewed the policies and procedures for invoice review and approval for CIP projects undertaken by MCDOT and DGS. MCIA is making seven recommendations to improve the performance and enhance the existing internal controls pertaining to invoice approval and payment. |
10/16/2011 | DOT Revenue Processing and Imprest Reconciliation | DOT FIN |
In FY 2011 the Montgomery County Department of Transportation (MCDOT) Revenue Processing Center has processed and deposited approximately $23 million related to parking meter, parking machine and Ride On Bus revenue. This audit was performed in response to claims of possible weaknesses in controls over the storing and counting of cash collections at the Center. Parking district revenue services was identified as an area of moderate risk in the County-wide risk assessment completed by MCIA in FY2010. In addition the management letter associated with the external financial statement audit of Montgomery County for FY2010 indicated that controls over Imprest Funds could be strengthened. MCIA is making nine recommendations to MCDOT and the Department of Finance to improve the security, operation, and reconciliation policies and procedures for MCDOT activity at the Revenue Processing Center. |
02/27/2012 | Finance Purchase Card Program | FIN | The County Government's Purchase Card Program is designed to be a fast and flexible purchasing tool that provides an efficient and effective method for purchasing small dollar items. The cards are similar to personal credit cards except that the County pays the charges. The Purchase Card Program includes over 500 cardholders from 43 County departments. The County has procured over $9 million and $10 million of goods and services using purchase cards in FY 2010 and FY 2011, respectively. The Department of Finance is responsible for oversight and administration of this program. We reviewed policies and procedures related to Purchase Card Program activities. MCIA is making seven recommendations to improve internal controls for adequate support, proper approval, and effective oversight of transactions in the Purchase Card Program. |
06/01/2012 | Correctional Officer Salary Schedule | OHR DOCR |
In July 2007, The Montgomery County Department of Corrections and Rehabilitation (DOCR) transitioned to a new Correctional Officer Salary Schedule. Through subsequent review, it was determined that multiple Correctional Officers were incorrectly converted to the new salary schedule, which ultimately resulted in incorrect pay. In December 2008, the Office of Human Resources (OHR) performed a review of the Correctional Officers converted when DOCR management had concerns that some of the officers were incorrectly converted. OHR concluded, based upon its review, that 130 officers were incorrectly converted and proceeded to recoup overpayments from those employees or true-up underpayment to those employees. The Municipal and County Government Employees Organization (MCGEO) Labor Union expressed concern regarding the correction process. Both MCGEO and OHR agreed to have an independent third party (MCIA) review the conversion to determine if all officers were properly converted and/or corrected. This report is a reissuance of a report we issued in November 2011 MCIA recommends OHR correct the salaries of the 7 officers that we found to still be in error. We also offer several recommendations aimed at improving the planning for and implementation of any future complex County initiatives to avoid the types of problems the County experienced with the conversion of Correctional Officer's pay. |
07/30/2012 | Pension Benefit Payments (Employees' Retirement System) | OHR MCERP |
The County Government has three employee retirement plans: the Employees' Retirement System (ERS), the Retirement Savings Plan (RSP) and the Deferred Compensation Plan (DCP). This audit focused on the ERS plan, which is the largest of the three with 5,516 active participants and 5,712 retirees and beneficiaries receiving benefits as of June 30, 20111. ERS ended fiscal year 2011 with $2.8 billion in net assets and paid out $178.7 million in retirement benefits during the year2. The Office of Human Resources (OHR) was responsible for administering the retirement benefit plans from enrolling plan participants, counseling potential retirees, determining eligibility for retirement, calculating retiree benefit payments, and maintaining retiree records. As of July 1, 2012, the Montgomery County Employee Retirement Plans (MCERP) organization has oversight of the activities previously performed by OHR except for employee enrollment in retirement plans. MCIA is making five recommendations. One recommendation addresses the need to research and correct payment errors we found. The other four are aimed at to improving existing internal controls, including implementing of procedures to review Cost of Living Adjustments (COLA), reinforcing the use of checklist by benefit specialists, developing a documentation archival plan and formalizing procedures for notifying retirees of payment changes. |
11/16/2012 | DPS Receipts and Financial Instruments Process Controls | DPS | We conducted a limited scope, independent review of the Department of Permitting Services (DPS) with the objective of reviewing the adequacy of controls over receipts associated with the permitting process and the safeguarding of various bonds and letters of credit that are received in connection with permits. The review was initiated because of concerns expressed by the Director, DPS upon assuming responsibility for the Department, including weaknesses in control and safeguarding of assets. MCIA is making five recommendations. One addresses the need to establish a Cashiering Function to serve as a focal point for intake, receipting and securing all receipts. The remaining recommendations address strengthening the reconciliation process, increasing efficiency through the implementation of a check scanning process, and enhancing the safeguarding of financial instruments stored in the Department. |
11/28/2012 | DEP Contract and Grant Monitoring | DEP | The contract and grant monitoring audit of the Department of Environmental Protection (DEP) is the first in a series of five department audits to focus on the $470 million of grant and contract spending unrelated to CIP and HHS. DEP FY12 purchase order spending under contracts was $91 million or 19% of the $470 million, which is the second highest department in Montgomery County overall. MCIA is making three recommendations to DEP in order to improve the performance and enhance the existing internal controls pertaining to contract monitoring. |
04/11/2013 | Radios, Laptops, & Consulting Contracts Purchased Under the PSSM Capital Project | TEBS MCPD |
The Public Safety System Modernization Capital Project (PSSM), which has a current cost estimate of $108 million, has procured $22.7 million in radios and laptops for Police and Fire and Rescue departments. Currently the project team is in the process of issuing procurement solicitations for the design and installation of the public safety first response systems such as Computer Aided Dispatch (CAD), Law Enforcement Records Management (LE RMS) and Voice Radio System are being issued. The Department of Technology Services created the PSSM Program Office to manage the implementation of the capital project. We performed this review of the PSSM Program Office contract administration and monitoring and assets safeguarding procedures for radios and other items as part of our continuous review of contracting by County Departments. MCIA is making two recommendations; one to the Department of Technology Services (TEBS) and the second, a joint recommendation, to the Police Department (MCPD) and TEBS to improve the safeguarding of radios purchased as part of the PSSM project. |
06/05/2013 | Contract and Grant Monitoring by MCFRS | FRS | The contract and grant monitoring audit of the Montgomery County Fire and Rescue Services (MCFRS) is part of a series of five department audits to focus on the $470 million of grant and contract spending unrelated to CIP and HHS. MCFRS FY12 purchase order spending under contracts was $5.6 million or 1.19% of the $470 million, which is the eighth highest department in Montgomery County overall. MCIA is making four recommendations to MCFRS in order to improve the performance and enhance the existing internal controls pertaining to contract monitoring. |
06/20/2013 | Post-Implementation Audit of Montgomery County's ERP | ERP, CEX | We conducted the audit as the County's Enterprise Resource Planning System (ERP) implementation project was identified as a high-risk area during our County-wide risk assessment. The ERP is an integrated system heavily relied upon by all County departments for their financial and operational processes. It is budgeted to cost over $65 million. The objectives of the audit were to review the effectiveness of the implementation effort, assess the adequacy of the key controls implemented for a select number of financial modules, and identify remaining challenges or problems in the implementation and potential solutions. We also reviewed the adequacy of controls to ensure payments to ERP contractors were correct. The audit focused on the design of controls and included limited sampling for testing. The audit sought to verify and confirm if appropriate internal controls are implemented within the system to identify, detect, and prevent errors and/or fraud. This report contains 14 recommendations including, defining adequate roles and responsibilities for business units, core departments, and the ERP Enterprise Service Center team; conducting business process reengineering of its operations including considering centralizing certain financial functions; hiring more skilled and technical full time resources; making reports available through ERP; developing strong user access administration process and conducting thorough segregation of duties analysis; and applying required configurations within the system. |
06/25/2013 | Contract and Grant Monitoring by DGS | DGS | The contract and grant monitoring audit of the Department of General Services (DGS) is one in a series of five department audits to focus on the $470 million of grant and contract spending unrelated to CIP and HHS. DGS FY12 purchase order spending under contracts was $70.5 million or 15% of the $470 million, which is the second highest department in Montgomery County overall. MCIA is making four recommendations to DGS in order to improve the performance and enhance the existing internal controls pertaining to contract monitoring and invoice review. |
07/08/2013 | Contract and Grant Monitoring by MCPD | MCPD | The contract and grant monitoring audit of the Montgomery County Police Department (MCPD) is one in a series of five departmental audits to focus on the $470 million of grant and contract spending unrelated to CIP and HHS. MCPD FY12 purchase order spending under contracts was $18.46 million or 3.93% of the $470 million, which is the sixth highest department in Montgomery County overall. MCIA is making four recommendations to MCPD in order to improve the performance and enhance the existing internal controls pertaining to contract monitoring. |
07/16/2013 | Contract and Grant Monitoring by DOT | DOT | The contract and grant monitoring audit of the Department of Transportation (MCDOT) is the third in a series of five department audits to focus on the $470 million of grant and contract spending unrelated to CIP and HHS. MCDOT FY12 purchase order spending under contracts was $37.6 million or 8% of the $470 million, which is the fourth highest department in Montgomery County overall. Reports regarding the other four departments being audited will be issued separately. MCIA is making three recommendations to MCDOT in order to improve the performance and enhance the existing internal controls pertaining to contract monitoring. |
10/4/2013 | Audit of Wage Requirement Law Compliance | DOT, PROC |
Contractors who provide services to the County are subject to the Montgomery County Code provisions regarding compliance with certain wage requirements payable to the Contractor's employees. The Office of Business Relations and Compliance (OBRC), Department of General Services (DGS) received notice of allegations that a County contractor, CAMCO, LLC, (CAMCO) was not paying employees in accordance with the County's Wage Requirement Law. CAMCO performs cleaning services for the Montgomery County Department of Transportation (MCDOT). County Code Section 11B-33A (h)(2) directs the County to enforce the law and perform random and other audits necessary to do so, and investigate any complaint of a violation. As a result of the allegations received, the Director of DGS requested the Office of Internal Audit (MCIA) to audit CAMCO's compliance with the law. Our audit also included reviewing aspects of the County's monitoring of its contract with CAMCO. MCIA is making two recommendations to DGS dealing with the its determination of the remedy or remedies to seek against the contractor for statutory or contract violations arising from noncompliance with the Wage Law and two recommendations to MCDOT to improve its contract monitoring procedures related to invoice payment. |
10/07/2013 | DGS Implementation of Prior Recommendations on the Wage Law | PROC | This review was a follow-up assessment of management's progress in addressing a prior report's recommendations through direct inquiry with OBRC and Office of Procurement staff and management. Additional validation was performed through review of documents and information on the DGS section of the County's website and correspondence with OBRC and Office of Procurement employees. We found the Office of Procurement and OBRC have made adequate progress in implementing seven of the 10 report recommendations. At the time of this review DGS and OBRC are in the process of implementing two of the three remaining recommendations and the actions taken to date were not reviewed for adequacy. |
10/23/2013 | Disability Benefit Payments | OHR | This audit focused on the disability benefits paid to members of the Employees' Retirement System (ERS), Retirement Savings Plan (RSP) and the Guaranteed Retirement Income Plan (GRIP). As of July 1, 2012 the ERS, RSP and GRIP had 1,077 and 58 individuals receiving benefits, respectively. The Montgomery County Office of Human Resources (OHR) was responsible for administering the retirement benefit plans from enrolling plan participants, counseling potential retirees, determining eligibility for retirement, calculating retiree benefit payments, and maintaining retiree records. As of July 1, 2012 the Montgomery County Employee Retirement Plans (MCERP) organization has oversight of the activities previously performed by OHR except for employee enrollment in retirement plans and health insurance. MCIA is making no recommendations. |
03/05/2014 | Contract and Grant Monitoring by DED | DED | This audit of the Department of Economic Development (DED) is part of a continuing review of contract and grant monitoring; DED is the seventh department we are reporting on. DED FY13 contractual purchase orders totaled approximately $3.4 million or 0.4% of the total $871 million. MCIA is making three recommendations to DED—two to improve the performance and enhance the existing internal controls pertaining to contract and grant monitoring and one to formalize invoice review and approval procedures. |
04/28/2014 | Non-Competitive Procurements | PROC | Under carefully prescribed circumstances, Montgomery County Code allows County departments to procure goods and services without prior public notice or competition ("non-competitive"). In FY13, the County's total value of purchase orders issued under contracts totaled approximately $871 million, of which $68 million or approximately 8% was issued under non-competitive contracts. The mix of non-competitive awards includes approximately $15.6 million of sole source contracts and $52.5 million through Federal and State grants and County Council designations. The Montgomery County Department of General Services (DGS) Office of Procurement has oversight over the County's procurement process. The Contract Review Committee (CRC) or DGS Director reviews and approves non-competitive procurements. In addition to evaluating compliance with contract submission and approval requirement, our audit also included reviewing aspects of County departments' review and approval of invoices for non-competitive contracts. MCIA is making two recommendations to the DGS Director to enhance the existing procedures for non-competitive procurements. |
05/06/2014 | Carryout Bag Tax | FIN, DEP |
In January 2012, the Montgomery County Carryout Bag Tax went into effect under Bill 8-11. This tax was put into place in response to the increasing amount of litter in the streams and rivers of Montgomery County, specifically plastic bag litter. As a result, retailers charge customers $0.05 on each plastic bag they provide and remit $.04 to the County and retain a penny. The Department of Finance collects the remitted tax from retailers. For calendar year 2012 retailers remitted $2.2 million in taxes. Funds remitted under the tax are deposited into the Water Quality Protection Charge (WQPC) fund. The WQPC funds projects for storm water management, litter control, and water quality improvement. The Department of Environmental Protection (DEP) manages the WQPC fund and monitors established metrics that measure the amount of plastic bags found in County trash and water ways. This audit reviews the internal controls over the tax remittance collection and the monitoring of the tax impact on resident use of plastic bags. MCIA is making four (4) recommendations to the Department of Finance to improve performance and enhance the existing internal controls related to the bag tax collection and monitoring. |
07/09/2014 | DLC Inventory Management | DLC | The Montgomery County Department of Liquor Control (DLC) controls the wholesale distribution of all beverage alcohol in Montgomery County and operates 25 retail outlet stores located throughout Montgomery County. DLC operates from a newly relocated centralized warehouse in Gaithersburg and provides wholesale distribution to licensed retailers including DLC operated retail outlets. The overall objective of this audit was to assess the internal controls related to inventory management for DLC and provide recommendations to facilitate process improvement and enhance internal controls, where necessary. The recommendations in this report cover a range of areas. Overarching recommendations include additions or changes to DLC's organization structure and reporting lines to provide increased segregation of duties and independent oversight, implementation of succession planning activities to ensure the ongoing sustainability of the organization. Additional recommendations include enhancements to physical inventory count procedures, and improvement opportunities for warehouse operations, and retail store operations. |
07/30/2014 | Continuity of Operation Planning | OEMHS | The objective of this audit was to determine how effectively the County government is planning for continuity of operations in the event of a disaster. IT business continuity and disaster recovery was considered a high risk area in the Office of Internal Audit (MCIA) May 2010 Countywide Risk Assessment. A continuity of operation plan (COOP) is a type of documented plan used by the County to facilitate and define their COOP efforts. Each department has developed their own continuity program to detail their business continuity procedures. The County's Office of Emergency Management Homeland Security (OEMHS) provides guidance for, and oversight of, the department's planning efforts so that they may be resilient and better prepared to respond to disruptions. MCIA is offering four recommendations to OEMHS to enhance its planning and oversight of departmental COOP activities. |
08/01/2014 | United Healthcare Claims | OHR | Montgomery County Government (the County) provides healthcare benefits to its employees and retirees primarily using a self-funded, self-insured model. Under this model, the County, through its Office of Human resources (OHR), uses two third party claims administrators (TPAs), Blue Cross Blue Shield and United Healthcare (UHC) to pay claims on behalf of the County. This report covers UHC only. As part of the County-wide risk assessment completed by MCIA, performance of the health care claims administration process was considered high risk due to the nature of outsourcing claims processing and the annual amounts exposed to potential overpayment errors. The claims administration function has not previously been subject to an audit. MCIA is making three (3) recommendations to the OHR regarding reducing exposure to certain costs subject to contract interpretation and in cases where the County's Summary Plan Description and Contact with UHC is silent or vague. |
08/04/2014 | DOCR Escrow Account Funds | DOCR | The Department of Corrections and Rehabilitation (DOCR) operates facilities in which approximately 2,000 individuals are incarcerated in the Montgomery County Detention Center (MCDC), the Montgomery County Correctional Facility (MCCF) or housed in the County's Pre-Release and Re-entry center (PRRC). The PRRC houses and serves individuals that are within 12 months of release from correctional custody. DOCR holds in an escrow account funds from individuals that are of those incarcerated or housed. The individuals have the funds in their possession, earn or received by outside parties. For year ended June 30, 2013 the escrow account balance for MCDC was approximately $132,000 and the escrow account balance for the PRRC was $75,500.This audit was conducted at the request of DOCR management. The overall objective was to assess the adequacy of the design and operational effectiveness of internal controls surrounding escrow cash balances, facility escrow account systems and the debit card program, and management of DOCR's contract with Keefe Commissary Network, LLC (Keefe). The contract with Keefe is for the use of a commissary system, commissary services and the escrow accounting system used for inmate trust fund accounting. The last audit of the accounts for MCDC and MCCF was in 2002 and for PRRC was 2005. MCIA is making six recommendations to improve MCDC and PRRC's review of transactions including associated corrections, enhance documentation supporting PRRC recording of earnings and fee calculations, and reinforce documentation retention procedures. |
09/12/2014 | Contract and Grant Monitoring by Recreation | REC | As part of the County Wide risk assessment completed by MCIA, contract and grant monitoring by departments was identified as a high risk area. In FY13, the County's total value of purchase orders issued under contracts totaled approximately $871 million. This audit of the Department of Recreation (Recreation) is part of a continuing review of contract and grant monitoring; Recreation is the eighth department we are reporting on. Recreation FY13 contractual purchase orders totaled approximately $19.3 million, or 2% of the total $871 million. MCIA is making two recommendations to Recreation to improve the performance and enhance the existing internal controls pertaining to contract monitoring and invoice review and approval. |
10/02/2014 | Wage Requirements Law Compliance: Potomac Disposal, Inc. | PROC | Contractors who provide services to the County are subject to the Montgomery County Code provisions regarding compliance with certain wage requirements payable to the Contractor's employees under the County's Wage Requirements Law ("Wage Law"). The Montgomery County Department of General Services (DGS) Office of Business Relations and Compliance (OBRC) is responsible for monitoring compliance with the Wage Law. The County's Department of Environmental Protection (DEP) has contracts with Potomac Disposal, Inc. ("Potomac Disposal"), to provide residential refuse and recycling collection services. In September 2013, Potomac Disposal workers went on strike, for reasons that included employees claiming that they were not paid the wage amount required by the law. DGS conducted an abbreviated audit in October 2013 and found some violations in the firm's payroll records examined. As a result, DGS requested the Office of Internal Audit (MCIA) to perform a full Wage Law audit of Potomac Disposal covering all of its employees, for all pay periods between May 2011 and November 2013. MCIA is making two recommendations to DGS dealing with the determination of the remedy or remedies to seek against Potomac Disposal for statutory or contract violations arising from noncompliance with the Wage Law. DGS said it will take action to require Potomac Disposal to compensate its employees for underpayments as identified in the report, Potomac Disposal told us it would not comment on the report. |
11/18/2014 | Contract and Grant Monitoring by DHCA | DHCA | As part of the County Wide risk assessment completed by Montgomery County's Office of Internal Audit (MCIA), contract and grant monitoring by departments was identified as a high risk area. In FY13, the County's total value of purchase orders issued under contracts totaled approximately $733 million. This audit of the Department of Housing and Community Affairs (DHCA) is part of a continuing review of contract and grant monitoring; DHCA is the ninth department we are reporting on. DHCA FY13 contractual purchase orders totaled approximately $5.9 million, or roughly 2% of the total $733 million. MCIA is making 2 recommendations to DHCA to improve the performance and enhance the existing internal controls pertaining to contract monitoring and invoice review and approval. |
03/02/2015 | Follow-up Audit of the 2009 Treasury Risk Assessment | FIN | The County's Office of Internal Audit (MCIA) performed a follow-up review of an April 2009 risk assessment that was conducted by MCIA on the Treasury Division of the Department of Finance. The 2009 risk assessment identified weaknesses within 17 process areas with high risk and one process area with medium risk. Based on the procedures performed during the 2009 risk assessment, 18 recommendations were provided to Finance to address these identified risks. The recommendations included the formalization of documented policies and procedures, the cross-training of Treasury employees, the standardization of financial reports, and the implementation of internal controls within several key processes. MCIA is making 17 recommendations to the Department of Finance to strengthen its internal controls and improve overall performance. |
03/12/2015 | Cash Receipts Informational Questionnaire | FIN | As a result of the implementation of the Oracle Enterprise Business System in July 2010, the County has been transitioning from a de-centralized cash receipt processing environment to one with a centralized accounts receivable oversight program, and is in the process of developing enterprise wide policies and procedures. Therefore, the Montgomery County Department of Finance sought to compile certain information about the County's cash receipts processing and identify opportunities to improve and strengthen the process and internal controls. Watkins Meegan was engaged by the Montgomery County Office of Internal Audit (MCIA) to assist in the collection of information about cash receipts through the use of a cash receipts questionnaire. At a high level, MCIA recommends Finance utilize the information gathered to develop a long-term plan, with clear milestones, to continue its efforts to strengthen and enhance the cash receipts process and internal controls across Montgomery County. The plan should include development of County-wide policies to ensure all departments, offices, and programs are implementing and adopting applicable internal controls consistently. |
03/30/2015 | Audit of Montgomery County Conference Center | DED | The Montgomery County Conference Center (the "Center"), which is owned by the County and operates in conjunction with the Bethesda North Marriott Hotel, owned by JBG. The Center began operations in 2004. In 2013, the combined facility had $33 million in sales and the Center alone had $16.2 million. The revenue and cost for the facilities are split in accordance with the agreement terms. The County and JBG engaged Marriott Hotel Services to manage and operate the properties. Marriott has responsibility for ensuring the revenue and cost are allocated to the respective owners in accordance with the agreement terms. Under the agreement the County has the right to audit the financial records of the property. The Department of Economic Development (DED), which has responsibility for overseeing the County's relationship with Marriott, requested MCIA conduct an audit. DED is designated as the Asset Manager for the management agreement with Marriott and it is the primary recipient of all financial reporting and other information on the Center. MCIA is making four recommendations to the DED to improve internal control weaknesses noted. DED concurred with the recommendations. |
06/05/2015 | Montgomery County Police Department Cash Receipts Internal Controls | MCPD | The Office of Internal Audit (MCIA) performed an independent assessment (audit) of new procedures and controls instituted by the Montgomery County Police Department (MCPD) for its processing of cash receipts and payments. Overall, MCIA and MCPD identified 19 suggested actions to enhance the internal control structure over cash receipts to include payment collection, processing, and recording. The second phase of the audit focused on evaluating (1) MCPD's remediation of the suggestions identified in Phase I, and (2) how successfully MCPD implemented them. MCIA is making four recommendations to MCPD including completing the remaining Phase I action items, testing implemented controls, and coordinating with Finance and other appropriate departments on the controls and functions around cash receipts. |
07/14/2015 | Audit of Wage Requirements Law Compliance – Unity Disposal & Recycling, LLC | PROC | Contractors who provide services to the County are subject to the Montgomery County Code provisions regarding compliance with certain wage requirements payable to the contractor's employees under the County's Wage Requirements Law ("Wage Law"). The Montgomery County Office of Procurement's (Procurement) Office of Business Relations and Compliance (OBRC) is responsible for monitoring compliance with the Wage Law. The County's Department of Environmental Protection (DEP) has contracts with Unity Disposal & Recycling, LLC ("Unity Disposal"), to provide residential refuse and recycling collection services. In May 2014, Procurement requested that the Office of Internal Audit (MCIA) perform a Wage Law audit of Unity Disposal covering all of its employees who perform work in Montgomery County, for a sample of 25% of all pay periods from May 1, 2010 through the start of the audit on May 28, 2014. The audit was conducted by the accounting firm SC&H, under a contract with MCIA. MCIA is making two recommendations to Procurement dealing with the determination of the remedy or remedies to seek against Unity Disposal for statutory or contract violations arising from noncompliance with the Wage Law. MCIA is making one recommendation to Procurement to take action to assure that Unity Disposal complies with all Wage Law requirements. |
10/21/2015 | Audit of Wage Requirements Law Compliance – Securitas USA | PROC | Contractors who provide services to the County are subject to the Montgomery County Code provisions regarding compliance with certain wage requirements payable to the contractor's employees under the County's Wage Requirements Law (Wage Law). The Montgomery County Office of Procurement's (Procurement) Division of Business Relations and Compliance (DBRC) is responsible for monitoring compliance with the Wage Law. The County's Sheriff's Office has a contract with Securitas USA, Inc. (Securitas), to provide security guard services. In February 2015, Procurement requested that the Office of Internal Audit (MCIA) perform a Wage Law audit of Securitas covering all of its employees who perform work in Montgomery County, to include the months of June 2014, July 2014, December 2014, and January 2015. The audit was conducted by the accounting firm SC&H, under a contract with MCIA. MCIA is making three recommendations to Procurement dealing with the determination of the relief to seek against Securitas for statutory or contract violations arising from noncompliance with the Wage Law. |
11/16/2015 | Audit of Wage Requirements Law Compliance – CAMCO, LLC | PROC | Contractors who provide services to the County are subject to the Montgomery County Code provisions regarding compliance with certain wage requirements payable to the contractor's employees under the County's Wage Requirements Law ("Wage Law"). The Montgomery County Office of Procurement's (Procurement) Division of Business Relations and Compliance (DBRC) is responsible for monitoring compliance with the Wage Law. The County's Department of Transportation (MCDOT) has a contract with CAMCO, LLC ("CAMCO"), to provide parking garage cleaning services. In December 2014, Procurement requested that the Office of Internal Audit (MCIA) perform a Wage Law audit of CAMCO. MCIA is making two recommendations to Procurement dealing with the determination of the remedy or remedies to seek against CAMCO for statutory or contract violations arising from noncompliance with the Wage Law. |
01/05/2016 | Program Assessment of the Water Quality Protection Charge (WQPC) Program | DEP | Property owners in the County are subject to the Montgomery County Code provisions regarding the Water Quality Protection Charge (WQPC) under the County's program to design and implement a watershed protection and restoration program. The Montgomery County Department of Environmental Protection (DEP) is responsible for implementation and administration of the WQPC program. In April 2015, DEP requested that the Office of Internal Audit (MCIA) perform a WQPC program assessment of the WQPC program to identify potential improvements needed in the program, using the tax levy year of 2015 as the basis of the assessment. MCIA is making nine recommendations to the DEP to strengthen its internal controls and improve overall performance related to the calculation and assessment of the County's WQPC. |
04/18/2016 | Transfer Station Cashier Operations | DEP | The County's Office of Internal Audit (MCIA), performed an Internal Control Review of the Department of Environmental Protection's (DEP) Transfer Station Cashier operations. Due to the magnitude of the financial transactions processed at the Transfer Station, DEP requested that this review be conducted to assess the adequacy of the enhanced financial management controls and business process changes DEP is implementing to strengthen the control environment at the Transfer Station and mitigate the future potential for fraud or abuse in the Cashier operations. This review included an evaluation and limited testing of the control environment of the Transfer Station Cashier operations, a review of the planned control enhancements to assess the adequacy of controls (in-place and planned) in addressing the inherent risks associated with the Cashier operations, and a determination if additional controls or business operation changes are required to address residual risks. MCIA is making 26 recommendations to the Department of Environmental Protection to further strengthen the internal control environment of the Transfer Station Cashier operations. |
05/02/2016 | County-Wide Risk Assessment and Multi-Year Internal Audit Plan (FY 2017 – 2020) | CAO | This report summarizes work performed by the Montgomery County (County) Office of Internal Audit (MCIA) in support of the County's overall risk management effort. MCIA conducted an assessment of the current risk environment within the County's Executive Branch offices , and used the results to establish a multi-year (Fiscal Years 2017 – 2020) internal audit plan focused on the County's highest risk areas. |
09/02/2016 | Program Assessment of CUPF: Before and After School Childcare Programs in Public Schools | CUPF | In addition to other responsibilities, the County's Community Use of Public Facilities (CUPF) provides community users and public agencies with access to public facilities (including schools and other public facilities) for services, programs, and events; and administers this process while managing the placement of Before and After School Childcare Programs in Montgomery County Public Schools (MCPS) facilities, as defined by Montgomery County Executive Regulation 15-14 AMIII (the Regulation; subsequently revised and approved as 15-14AMV, December 8, 2015). The current report focuses on findings and recommendations related to CUPF's administration of the Before and After School Childcare Programs, consistent with the Regulation. MCIA is making 10 recommendations to CUPF to further improve internal processes, as well as enhancing client service delivery and transparency with stakeholders. |
08/05/2016 | Program Assessment of CUPF – Reservation of Public Facilities Process | CUPF | In addition to other responsibilities, the County's Community Use of Public Facilities (CUPF) provides community users and public agencies with access to public facilities (including schools and other public facilities) for services, programs, and events; and administers this process while managing the placement of Before and After School Childcare Programs in Montgomery County Public Schools (MCPS) facilities, as defined by Montgomery County Executive Regulation 15-14 AMIII (the Regulation; subsequently revised and approved as 15-14 AMV, December 8, 2015). The current report focuses on findings and recommendations related to CUPF's responsibilities for the scheduling of community use in public schools, regional centers, libraries, and other public spaces. MCIA is making 12 recommendations to CUPF to further improve internal processes, enhance customer service and community outreach, and improve transparency. |
11/15/2016 | 9-1-1 Service Interruption: Investigative Services | FRS, DGS, CAO |
In the wake of a 9-1-1 service interruption (July 10, 2016) at the County's Emergency Communications Center (ECC), Montgomery County Executive Isiah Leggett directed the conduct of an investigation into the incident to understand what happened and to identify steps that need to be taken to ensure that 9-1-1 services are not interrupted in the future. The review was conducted by the County's Office of Internal Audit (MCIA) with assistance from the National Emergency Number Association (NENA). MCIA is making 19 recommendations to the County and the five departments that played a role in either the events leading up to the incident, the County's efforts to restore 9-1-1 service; or for actions designed to enhance the County's management of its programs or similar situations in the future. |
12/09/2016 | Silver Spring Apartment Fire: County Response/Recovery Effort and Lessons Learned | OEMHS, HHS, REC, PIO |
Montgomery County's Office of Internal Audit (MCIA) conducted this review to identify lessons learned from the County's response and recovery effort in addressing the human and social service needs following the fire that occurred at the Flower Branch Apartment complex in Silver Spring on August 10, 2016. These lessons learned are designed to assist and strengthen the County's response to future similar incidents. The explosion and fire directly impacted 63 families (168 individuals). Beyond the immediate response by Montgomery County Fire and Rescue Service and Police Department personnel to the incident, the human and social service response and recovery effort by the County, in coordination with non-profits and other organizations who assisted, was unprecedented for the County. This was the largest such incident Montgomery County ever had dealt with and posed unique challenges in meeting the immediate and longer-term needs of the impacted residents. One related challenge was managing expectations from among various community organizations and public officials regarding the scope of services to be provided during the response/recovery effort. MCIA is making fourteen recommendations to the County for actions designed to enhance the County's management of similar (i.e., involving large numbers of impacted residents and extended sheltering operations) emergencies in the future. |
03/20/2017 | Assessment of 9-1-1 Consolidated Emergency Communications Center Transition Plan | FRS | Based on a recent a recent 9-1-1 incident review that recommended that the County conduct additional focused assessments of 9-1-1 Operations, the accounting firm of SC&H, under contract with the County's Office of Internal Audit (MCIA) and with assistance from Winbourne Consulting, LLC (Winbourne), performed an assessment of the implementation of the County's plan to transition the Emergency Communication Center (ECC) to a consolidated operations model – creating a singular point of contact for public safety and the community. The ECC is the primary link between a citizen, who reports an emergency via 9-1-1, and the police, fire and rescue personnel and equipment, who respond to an incident scene. The plan will achieve an organizational model that will transition from an ECC separately staffed and managed by Fire & Rescue Service (MCFRS) personnel and Police Department (MCPD) personnel, to an ECC that is staffed by certified MCPD ECC personnel cross-trained in MCFRS and emergency medical services call-taking and dispatching. MCIA is making eight recommendations to the County, MCFRS and MCPD related to the following areas: Staffing and Training, the ECC Consolidation Project Charter, ECC Governance and Structure, and the ECC Facilities. The recommendations are intended to ensure successful and timely transition to consolidated 9-1-1 operations. |
5/30/2017 | Assessment of County's Implementation Plan for Minimum Wage Law for Tipped Employees (Bill 24-15) | HumRights | Following enactment of the County's Minimum Wage Law for Tipped Employees (Bill 24-15; enacted June 23, 2015, effective July 1, 2015), the accounting firm of SC&H, under contract with the County's Office of Internal Audit (MCIA), performed a program assessment of the County's implementation plan for this program. The County's Office of Human Rights (OHR) has responsibility for implementation and administration of the provisions in Bill 24-15. MCIA has identified four barriers that OHR faces in successfully implementing Bill 24-15, and identifies improvement actions that MCIA believes would assist OHR's implementation plan. |
05/30/2017 | HIPAA Compliance – Phase 1 Risk Assessment | ACAO | Montgomery County sought to assess current compliance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations and to identify risks that the department(s) and the County should address to safeguard personal health information (PHI) and improve its HIPAA compliance level. CohnReznick was engaged by the Montgomery County Office of Internal Audit (MCIA) to conduct the initial phase of the work. MCIA recommends that the County finalize County-wide HIPAA Policies that are currently in draft form, and ensure that Procedures are comprehensively developed by the Departments that are Covered Components, where required. Additionally, the County should perform a comprehensive assessment of the status of Business Associate Agreements across all Covered Components to ensure that all Business Associates within the County are properly identified and have an agreement in place. |
11/08/2017 | Internal Control Review of DLC Retail Store Operations | DLC | The Department of Liquor Control (DLC) was established by Montgomery County to regulate the distribution and sale of alcoholic beverages to consumers Countywide. The DLC currently manages and operates 27 retail store locations. Each location is responsible for managing its inventory, sales, cash operations, and store personnel, with support from the DLC Management and the Department of Finance. MCIA is making 26 recommendations to the DLC to strengthen its internal controls, reduce risk, and improve overall performance related to the oversight, management, and performance of the retail stores. |
11/17/2017 | Internal Control Review of Fleet Asset Management Operations | DGS | The Department of General Services (DGS) was established by the Montgomery County Government (County) to consolidate functions that provide essential services in support of other County departments. Within the DGS, the Division of Fleet Management Services (Fleet) is responsible for a comprehensive fleet management program for County vehicles. Fleet Management operates five shops in four main facilities throughout the County. MCIA is making 23 recommendations to the DGS to strengthen its internal controls, reduce risk, and improve overall performance related to management of inventory operations. |
05/09/2018 | Internal Control Review: Procure to Pay – Specific Functions | PROC, FIN |
The Office of Procurement (Procurement) and the Department of Finance (Finance) are responsible for the oversight of activities within the Procure to Pay function that are performed by each department within Montgomery County (the County). As such, their role is critical to ensuring that the departments adhere to the policies and requirements related to the use of public funds. MCIA is making five recommendations to the County to strengthen internal controls, reduce risk, and improve overall oversight and performance. The recommendations are related to specific aspects of the County's Procure to Pay operations, and agreements for purchases or programs deemed to be exempt from, or not subject to, procurement regulations. |
01/15/2019 | Review of Procurement Exempt County Programs | FIN, DHCA, DOT, REC, DEP | As a follow-on to the "Procure to Pay - Specific Functions" review, MCIA conducted a review related to six (6) additional County programs where the County had outsourced to a vendor responsibility for the disbursement of County funds during calendar years 2013 through 2017. The review did not identify instances in which a lack of segregation of duties and/or oversight by County personnel resulted in inappropriate payments of County funds to vendors. MCIA made one recommendation to the Department of Finance to ensure adherence to recently-updated (2018) Accounts Payable policies/procedures. |
02/25/2019 | Program Assessment of the Access ID Card Program | MCPD | The Security Services Division (SSD) of the Montgomery County Police Department (MCPD) is responsible for granting and monitoring physical access to County facilities through its administration of Access ID cards, which are issued to employees, contractors, sworn police officers, and non-employees including board/committee members, volunteers, and interns. The County’s Office of Internal Audit (MCIA) initiated a program assessment of the Access ID card program. The review found an absence of standardized operating procedures, proper oversight, and training of the Access ID card program. It was noted that SSD is currently in the process of updating the formal policy for the Access ID card program and revising related procedures. MCIA identified 10 control deficiencies that indicate the need for improved Access ID card program management related to: policies, processes, and procedures; data quality; record retention; access oversight and segregation of duties; and SSD personnel training. |
05/07/2019 | Performance Audit of the Department of Finance Cashiering Operations | FIN | The County’s Office of Internal Audit (MCIA) conducted a performance audit of the Department of Finance Cashiering Operations (Cashiering). The performance audit was a result of a countywide risk assessment completed in 2016; and a follow-up audit of the 2009 Treasury Risk Assessment conducted in 2015 that identified prior unresolved Cashiering findings and new findings. The performance audit, which focused on Cashiering transactions processed between July 1, 2017 and June 30, 2018, reviewed the following Cashiering functions: cash handling/ cash receipts, credit card transactions, lockbox payment processing, and ACH payment processing. MCIA determined that overall the Cashiering processes are operating as intended. MCIA identified the following opportunities to further strengthen internal controls to mitigate the risk of a process deficiency: completeness of information documented in the Cashiering Section Operations Manual, segregation of duties in the processing of rejected lockbox payments, and data security controls over fully outsourced vendors. |
05/20/2019 | Program Assessment of the Department of General Services’ Use of Change Orders and Field Orders in Facility Construction Projects | DGS, PROC | The County’s Office of Internal Audit (MCIA) conducted a a program assessment of the current practices and procedures followed by the Department of General Services (DGS) in the use of field orders and change orders. The focus was to determine if the field order and change order practices comply with the County Procurement Regulations and support effective management practices for facility construction/renovation projects. The assessment identified what appears to be a large disparity between the number of field orders used to facilitate additional project work, and the number of change orders used, which may result in decreased County oversight outside of DGS. MCIA identified opportunities for the County to improve the oversight of construction project spending, specifically with respect to the use of change orders and field orders to modify construction requirements and costs. |
06/19/2019 | Performance Audit of the Department of Health and Human Services' Grant Operations | HHS, FIN | The County’s Office of Internal Audit (MCIA) conducted a performance audit of the Department of Health and Human Services’ (DHHS) grant operations. In fiscal year 2018, DHHS service areas and offices managed over 120 grant programs totaling more than $80 million in federal and state funding. The focus of the audit was to determine the existence of consistent grant management practices within DHHS service areas, and to evaluate whether current practices comply with DHHS and County requirements. The audit found that DHHS offices and service areas appear to be competently monitoring their programs as there were no material findings noted during testing. MCIA identified opportunities for DHHS to improve the oversight of grants management related to: Development of standardized grant management guidelines; Coordination and communication between DHHS and the Department of Finance; and Centralized audit finding and remediation tracking, and improved management oversight process. |
11/15/2019 | Internal Control Review of Alcohol Beverage Services’ Warehouse Inventory Management | ABS | The Montgomery County Office of Internal Audit (MCIA) conducted an internal control review of Alcohol Beverage Services’ (ABS; previously named the Department of Liquor Control) warehouse inventory management operations. ABS services customers at 25 retail locations and 1,074 licensees across the County. Total sales for fiscal year 2018 totaled $294.86 million dollars. The focus of the review was to evaluate the current internal control environment of the warehouse, and ensure that the recommended enhancements to controls and processes have been implemented and are working as intended. MCIA makes 12 recommendations to strengthen ABS’ internal controls over the management of inventory. The review identified that ABS has implemented improvements to its warehouse inventory management operations. The review identified additional opportunities to mitigate risks related to the following: 1. Accurately reflecting the quantities and locations of all items in the inventory records; 2. Ensuring that periodic inventory counts performed are independent and blind, and that variances are investigated; 3. Safeguarding all inventory items against misappropriation. |
12/9/2019 | Procure-to-Pay (P2P) Fraud Risk Assessment | FIN, PROC, OCA | The County’s Office of Internal Audit (MCIA) conducted a fraud risk assessment of the County’s P2P operation. The assessment focused on identifying inherent fraud risks and the presence of internal controls to mitigate those risks in the P2P operation; it did not include detailed testing of internal controls. Detailed testing of internal controls and processes will be conducted by MCIA (Step Two) using the results of this assessment. The report provides an overview of the assessment methodology followed in identifying and assessing these fraud risks. Given the sensitive and confidential nature of residual fraud risks identified as a result of this assessment, the details of the specific residual high-risk fraud scenarios are not provided as part of this report. The assessment concluded that while the County has a complex P2P operation, there does appear to be an established control environment with preventive and detective control activities designed to mitigate fraud risks, with multiple controls identified that are designed to mitigate inherent fraud risks within the P2P operation. In addition, the County is working to further enhance its P2P control environment through the implementation of numerous policies and enhanced processes, and has personnel in the core business groups that are focused on and committed to addressing inherent and residual risks. |
12/20/2019 | Financial Compliance Review of BusPatrol America, LLC | MCPS | Montgomery County Public Schools (MCPS) operates a School Bus Safety Camera Program (Program) with the assistance of a contractor, BusPatrol America, LLC (BusPatrol), with an overall goal to reduce the incidence of possible injuries to MCPS students. The Program is designed to implement a system including the installation, maintenance, and operation of cameras on school buses that record images of vehicles overtaking or passing stopped school buses. When the images of a vehicle overtaking or passing a stopped school bus are adjudicated, the violator is issued a citation. The County and MCPS entered into a memorandum of understanding (MOU) regarding the Program; the MOU detailed the respective roles and responsibilities of the two parties. Montgomery County Internal Audit (MCIA) conducted a financial compliance review of BusPatrol for transactions occurring from July 1, 2016 through August 31, 2019, with the following objectives: 1. Obtain supporting documentation and verify the validity of charges billed to the County; 2. Calculate the total amount of payments made to BusPatrol and compare to the “Cost of Investment” reconciliation prepared by BusPatrol defined in the Agreement; 3. Confirm if (or when anticipated) the break-even point would be reached; 4. Perform analysis of any payments owed by the County to BusPatrol. This report summarizes the review performed. Portions of this report have been redacted because they contain confidential commercial information that is not subject to disclosure under the Maryland Public Information Act (MPIA). |
12/30/2019 | Contractor Compliance Monitoring -- Compliance Reviewe | PROC | The Montgomery County Office of Internal Audit (MCIA) conducted a review of selected County departments’ contractor compliance monitoring processes applicable to procurement-exempt Agreements, or Agreements that are not subject to Chapter 11B of the County Code (Agreements). In FY2018, these types of Agreements accounted for approximately $113 million in County spending. The overall focus of this review was to assess County-wide performance and compliance monitoring processes applicable to procurement-exempt Agreements to ensure terms and conditions set forth in Agreements such as MOUs/MOAs, are compliant with expected deliverables from the vendor and fees the County incurs. While no improper or non-compliant payments were identified during the course of this review, we found an overall lack of formally documented procedures, and the specific activities performed varied by department and by Agreement. Opportunities for the County to strengthen its management and oversight of procurement-exempt Agreements were identified in the following areas: 1. County-level oversight of procurement-exempt Agreement monitoring; 2. Standardized guidance for monitoring of Agreements; and 3. Defined training requirements and qualifications for contract administrators |
02/19/2020 | Information Technology Risk Assessment | TEBS | The County’s Office of Internal Audit (MCIA) conducted a risk assessment of the County’s information technology (IT) environment, both within the Department of Technology Services (TEBS) and operating departments. TEBS provides certain information technology services and communication services necessary supporting the daily operation of Montgomery County departments. Further, each individual department functions as a complete information technology entity providing evaluation and implementation of advanced data, applications, teleprocessing, and radio systems. Department Information Technology teams are responsible for identifying and managing these advanced approaches for the ongoing operation and growth of Montgomery County departments. This assessment was not conducted as an assurance audit, therefore it did not include detailed testing of internal controls. Rather, the intent of this assessment is to inform senior management of high-level risks within the County's IT environment, and to assess the perceived maturity of the current control environment designed to address and mitigate associated risks. The assessment leveraged a tailored methodology, combining National Institute of Standards and Technology (“NIST”) 800-53 and the Federal Information Security Modernization Act of 2014 (FISMA) security frameworks as a benchmark to determine areas of risk and best practice objectives. |
11/5/2020 | Purchasing Card Program Review - Internal Controls | FIN | The County’s Office of Internal Audit (MCIA) conducted a a review of the Montgomery County Government’s (County) Purchasing Card (P-Card) Program. The County’s Department of Finance (Finance) is responsible for administering the Program as well as providing training, policies, guidance, and periodic monitoring of transactions to County departments using the P-Card to purchase and/or pay for small dollar goods and/or services. As of June 2020, the County has 655 cardholders in 41 departments. In fiscal year 2020, there were approximately 37,881 transactions totaling $17,605,831 in spending. This review included conducting a fraud risk assessment followed by an internal control review based on the results of the risk assessment. The review was conducted by the accounting firm SC&H Group, Inc., under contract with MCIA, and identified four recommendations to strengthen controls and mitigate risks within the P-Card Program: (1)Establishing automated monitoring processes for P-Card transactions to prevent/detect fraud, waste, and abuse; (2) Implementing periodic monitoring and oversight of the P-Card Administrator function; (3)Improving the transactional audit trail, and data and reporting availability for certain P-Card related activities; (4) Updating the P-Card Manual to document current and updated P-Card processes. |
12/11/2020 | Information Technology Audit: Change Management | TEBS | The Montgomery County Office of Internal Audit (MCIA) conducted an Information Technology (IT) audit of change management processes within selected departments of Montgomery County. The County’s IT functions are both centralized and de-centralized. Therefore, each department reviewed has unique change management responsibilities with varying amounts of assistance from the Department of Technology Services (TEBS). The audit assessed departmental policies and procedures surrounding the change management process, documented baseline configurations, maturity of the change management process, security impact analysis, and access restrictions for executing changes to critical systems. The audit, conducted by the accounting firm SC&H Group, Inc., under contract with MCIA, identified identified four findings and recommendations to strengthen controls and mitigate risks within the enterprise and selected departments’ change management processes, including: (1) Developing and/or enhancing detailed procedural documents; (2) Implementing a quality assurance process to ensure change management requirements are being achieved; (3) Developing configuration baseline and checklist documents; and (4) Implementing periodic user access reviews of administrative access. |
01/31/2021 | Information Technology Audit: Patch Management | TEBS | The Montgomery County Office of Internal Audit (MCIA) conducted an Information Technology (IT) audit of patch management processes within the County's Department of Technology Services (TEBS). Established patch management processes and controls reduce the likelihood of critical systems and applications being vulnerable to bugs, malware, and functionality issues. Failure to follow sufficient processes and controls could result in successful attacks from threat actors and other internal or outside forces, increased downtime in critical information systems, and the breach of sensitive information. The audit, conducted by the accounting firm SC&H Group, Inc., under contract with MCIA, identified identified six findings and recommendations to strengthen controls and mitigate risks within the County's patch management processes, including: (1) Developing and/or enhancing detailed procedural documents; (2) Implementing periodic user access reviews of administrative and service accounts; (3) Enhancing the monitoring of exemption tickets; (4) Developing and implementing a defined frequency of security reviews on devices; (5) Developing and implementing a defined frequency of patching for exempt devices; (6) Developing and implementing a device monitoring program. |
04/14/2021 | Targeted Internal Control Review - Procure to Pay: Receiving, Invoicing, and Payments | FIN | The Montgomery County Office of Internal Audit (MCIA) conducted a targeted internal control review (review) of the Montgomery County Government’s (County) receiving, invoicing, and payment processes (collectively, the “payment process” review). The County has established an internal control environment for the receiving, invoicing, and payment sub-processes; executing internal controls related to vendor payments; and communicating related policies, procedures, and guidance to County departments. Each County department is responsible for the execution of internal controls related to receiving and reviewing/approving invoices. The overall focus of this review was to test the operational effectiveness of payment process internal controls identified during the Procure-to-Pay fraud risk assessment. We identified four recommendations to strengthen the County’s control environment and mitigate risks within the receiving and invoicing sub-processes of the P2P operation, including: 1. Enhance the invoice summary sheet to document evidence of internal controls performed by the County departments. 2. Reinforce documentation requirements and update policies to provide additional guidance for exempt transactions. 3. Require County departments to store receiving documentation in a centralized file location. 4. Evaluate departmental segregation of duties requirements and procedures to strengthen the internal controls. |
06/25/2021 | Targeted Internal Control Review - Procure to Pay: Needs Assessment, Solicitation, and Contracting | PROC OCA | The Montgomery County Office of Internal Audit (MCIA) conducted an internal control review of the County Government’s (County) needs assessment, solicitation, and contracting processes (collectively, the “contracting process”). The review determined that there is an established control environment with preventive and detective control activities designed to mitigate fraud risks associated with these. The review also identified opportunities to improve the effectiveness and oversight of these processes. Specifically, for the Office of Procurement to improve efficiency and transparency associated with processes for Procurement Contracts, including: updating procurement guidance to reflect the current systems, practices, and requirements; and automating and integrating procurement processes to reduce manual processes. Additionally, the review identified two recommendations for the Office of the County Attorney (OCA) to improve controls and processes for Agreements, including: ensuring the OCA Agreements Database contains required data for the County to effectively manage these Agreements; and ensuring documentation required from departments to demonstrate due-diligence requirements have been met is obtained and maintained by OCA. |
06/28/2021 | Information Technology Audit: Vendor and Contractor Management | TEBS | The Montgomery County Office of Internal Audit (MCIA) conducted an information technology (IT) audit of vendor and contractor management processes within the Montgomery County Department of Technology and Enterprise Business Services (TEBS). The audit assessed the applicable TEBS policies and procedures surrounding the County’s IT vendor and contractor management processes and identified several opportunities to better manage processes, strengthen internal controls, and mitigate risks, specifically in four areas: 1. Ensuring all vendor documentation including, but not limited to solicitation documents, contracts and amendments, and contract notifications are retained. 2. Implementing periodic reviews of user access to County systems to ensure only authorized vendors have access. 3. Requiring formal documentation to support the need for contractor assistance and the decision to address the need through a contractor versus a County employee. 4. Establishing requirements for formally documenting the basis for selecting a contractor, particularly when a lower scoring contractor is recommended for selection over a higher scoring contractor. |
08/31/2021 | Review of Compliance with County Policies on COVID Front Facing Onsite Differential Pay | MCG | The Montgomery County Office of Internal Audit (MCIA) conducted a County-wide government review of compliance with County policies associated with payment to employees of COVID Front Facing Onsite differential pay. The review found widespread compliance with County policies concerning eligibility for and payment of COVID Front Facing Onsite differential pay, with no issues being identified in 16 of the 27 departments/offices. Instances were identified in the remaining 11 departments of timecard entries that resulted in payments to employees in excess of what they were entitled to under County policy, totaling 0.6% of the total Front Facing Onsite differential payments made by the County. These entries were the result of either (1) individual employees’ apparent errors in entering data on their timecard, or misunderstanding/ misinterpretation of County policies regarding eligibility for Front Facing Onsite differential pay; or (2) initial guidance issued by a department’s management that may have caused employees to report time in the County’s timekeeping system as Front Facing Onsite in excess of what they were entitled to under County policy. Although not a specific focus of this review, no instances of apparent employee fraud or abuse were identified. September 3, 2021 Memorandum from the Chief Administrative Officer to County Council. |
01/21/2022 | Information Technology Audit: IT Asset Management | TEBS | The Montgomery County Office of Internal Audit (MCIA) conducted an information technology (IT) audit of certain asset management functions within the Department of Technology and Enterprise Business Solutions (TEBS). The audit included a review of policies and procedures applicable to the County’s asset management processes and assessed effectiveness of the County’s IT asset management function within TEBS, specifically the Device Client Management (DCM) program. Within TEBS, DCM is responsible for full lifecycle management of all approved endpoint devices, such as laptops, desktops, tablets, workstations, and hardware, authorized for use by County employees, contractors, and business associates. This report includes results specific to IT assets managed by DCM and TEBS. Findings with respect to mobile devices are discussed in a separate MCIA report. The audit identified several opportunities to better manage processes, strengthen internal controls, and mitigate risks, including the following: 1. Improved enforcement countywide of IT asset purchase policies and procedures; 2. Strengthened asset inventory internal processes and procedures, including asset inventory sweeps appropriate for a remote working environment; and 3. Enhanced document retention. |
01/25/2022 | Information Technology Audit: IT Asset Management - Mobile Devices | TEBS | The Montgomery County Office of Internal Audit (MCIA) conducted an information technology (IT) audit of asset management functions applicable to mobile device within the Department of Technology and Enterprise Business Solutions (TEBS) and select departments. The audit included a review of policies and procedures applicable to the County’s mobile device acquisition and disposal processes, and found that County departments are managing mobile devices (tablets and smartphones) in an informal and decentralized manner and that departments included in the review have insufficient formalized policies, procedures, inventories, and documentation related to mobile devices. The report notes that TEBS does not currently play a direct role in the management, procurement, and maintenance of other departments' county-issued mobile devices. The audit identified several recommendations for enhanced cross-department collaboration under TEBS leadership to strengthen controls and enhance efficiencies: 1. Develop and implement a formal County-wide mobile device management policy; 2. Establish a mobile device working group of the various departmental Verizon Wireless contract managers to discuss current practices and identify best practices related to mobile device acquisition, approval, management, and disposal; 3. Develop and communicate formal County-wide mobile device procedures based on the working group’s identified best practices; and 4. Establish an internal standard for managing mobile device inventory across all departments with mobile devices. |
02/09/2022 | Information Technology Audit: IT Access Management | TEBS | The Montgomery County Office of Internal Audit (MCIA) conducted an information technology (IT) audit of access management processes within selected departments of Montgomery County and divisions within the Department of Technology and Enterprise Business Solutions (TEBS). The County’s IT functions are both centralized and de-centralized. Therefore, each department reviewed has unique access management responsibilities with varying amounts of assistance from TEBS. The audit determined that established IT access management processes and controls reduce the risk of inappropriate access to systems, applications, and data; minimize segregation of duties conflicts; and secure access to critical and sensitive data. Seven sets of recommendations were identified to strengthen controls and mitigate risks within the County’s IT access management processes, including the following: more timely processing of access removal and transfer requests, enhanced background check processes for sensitive positions, and compliance with County authentication guidelines, |
08/01/2022 | Cash Management Targeted Internal Control Review - Department of Transportation | DOT | The Montgomery County Office of Internal Audit (MCIA) conducted a targeted internal control review of the Montgomery County Government’s Department of Transportation’s Division of Parking Management (MCDOT Parking) cash management function. MCDOT Parking is responsible for receiving, processing, and depositing parking related transactions. It helps the County achieve its economic development and transportation management goals by creating and managing public parking in commercial areas, with fiscal year 2020 cash receipts of approximately $8 million. While MCDOT Parking's cash management program includes functions and internal controls to mitigate fraud risks, opportunities exist to further strengthen controls, specifically in the following five areas: 1. Segregation of duties related to cash management responsibilities; 2. Formalized review procedures and improved documentation retention; 3. Documentation for manual permit transactions; 4. Retention of access management review documentation; 5. Alignment with County cash management policies and procedures. |
08/31/2022 | Internal Control Review - Vendor Administration | FIN | The Montgomery County Office of Internal Audit (MCIA) conducted a targeted internal control review of the Montgomery County Government’s vendor administration process. The County’s Accounts Payable Section within the Department of Finance (Finance) is responsible for the vendor administration process which includes creating, maintaining, and inactivating the County’s current and future vendors. As of December 2021, the County had 49,684 active vendors. The County’s vendor administration process includes functions and internal controls, while operating with limited resources. The review identified five areas of improvement to strengthen internal controls, including: 1. Increasing segregation of duties related to access rights and reviews. 2. Enhancing system functionality within the County's ERP and vendor registration systems. 3. Increasing Dun & Bradstreet reporting usage. 4. Enhancing maintenance of documentation and ensuring consistent performance of vendor maintenance procedures. 5. Performing consistent periodic ethics review procedures. |
10/14/2022 | Cash Management Targeted Internal Control Review - Department of Recreation | REC | The Montgomery County Office of Internal Audit (MCIA) conducted an internal control review of the County’s Department of Recreation’s cash management functions. Recreation helps the County by providing high quality, diverse, and accessible programs, services, and facilities that enhance the quality of life for all ages, cultures, and abilities. Recreation’s cash management function includes receiving, processing, and depositing recreation-related cash receipts, from such transactions as pool passes and daily admissions, program classes, clinics, workshops, and facility rentals. In calendar year 2021, Recreation recorded approximately $545,000 of cash receipts. While Recreation's cash management program includes functions and internal controls to mitigate fraud risks, opportunities exist to further strengthen controls, specifically in the following five areas: 1. Enhanced segregation of duties related to cash management responsibilities; 2. Enhanced formalized review procedures; 3. Improved access management review documentation; 4. Enhanced County cash management policies and procedures; and 5. Improved physical cash security measures. |
08/28/2023 | Marriott Conference Center Management Agreement Cost and Revenue Sharing Audit | CEX | The Office of Internal Audit conducted an audit of the Cost and Revenue Sharing Agreement and related terms specified in Exhibit F of the Management Agreement (Agreement) between Montgomery County and Marriott Hotel Services, Inc., effective January 29, 2003, as amended. Montgomery County Government (the County) is the leasehold owner of land where the Montgomery County Conference Center (Conference Center) and Bethesda North Marriott Hotel (Hotel) are located. Both the Hotel and Conference Center are intricately adjoined. The County maintains ownership of the Conference Center while Brookfield Properties (Brookfield), a Real Estate Investment Trust, is the designated owner of the Hotel. Brookfield is also responsible for paying a monthly land lease fee to the County as owner of the Hotel. Marriott International is responsible for managing both the Hotel and Conference Center operations. Marriott’s management and oversight of the Agreement includes tasks focused on adhering to contractual terms. Opportunities exist to improve Marriott’s internal processes to mitigate risks and improve compliance in the following areas: (1) Enhanced garage revenue reporting; (2) Enhanced event revenue reporting; and (3) Enhanced cost allocation reporting. |
08/30/2023 | Cash Management – Targeted Internal Control Review, Alcohol Beverage Services | ABS | The Office of Internal Audit conducted a targeted internal control review (review) of the Montgomery County Alcohol Beverage Services’ (ABS) cash management function. ABS is the alcohol wholesaler of beer, wine, and spirits for Montgomery County and operates 26 retail stores throughout the County and one warehouse. ABS’ cash management function includes receiving, processing, and depositing related receipts, from such transactions as retail sales and vendor bulk purchases. Alcohol Beverage Services’ cash management operations includes processes and internal controls to mitigate fraud risks. Opportunities exist to enhance internal control design and operational effectiveness to more effectively mitigate those risks, specifically in the following areas: (1) Established and enhanced cash management policies and procedures; (2)Improved segregation of duties related to cash management responsibilities; (3) Enhanced formalized review procedures and document retention; (4) Improved physical cash security measures; (5) Improved access management review documentation. |
08/28/2023 | Cash Management – Targeted Internal Control Review, Montgomery County Police Department, Vehicle Recovery Section | MCPD | The Office of Internal Audit conducted a targeted internal control review (review) of the Montgomery County Police Department (MCPD), Vehicle Recovery Section (VRS) cash management function. MCPD VRS stores and maintains vehicles that have been towed at the direction of MCPD and cash receipts include fees from towing, storage, and administrative costs as well as the proceeds from vehicles sold at auction. VRS’ cash management function includes receiving, processing, and depositing cash receipts from fees paid by customers picking up their vehicles or by customers buying vehicles at auction. MCPD’s VRS cash management operations include processes and internal controls to mitigate fraud risks. Opportunities exist to enhance internal control design and operational effectiveness to more effectively mitigate those risks, specifically in the following areas: (1) Enhanced cash management policies and procedures; (2) Enhanced formalized review procedures; (3) Improved access management review procedures. |
09/29/2023 | Information Technology Governance Evaluation | TEBS | The Office of Internal Audit conducted an evaluation of the County's IT governance program. The County’s IT functions are both centralized and de-centralized. Therefore, each department reviewed has unique IT governance responsibilities with varying amounts of assistance and oversight from the Department of Technology and Enterprise Business Solutions (TEBS). This evaluation assessed the policies and procedures surrounding the County's IT governance program, its alignment with organizational objectives, the identification and management of risks, the optimization of IT investments, the identification of IT performance metrics, and the effective management of IT resources. Opportunities exist to further enhance the existing IT governance process and structure, by enhancing or implementing processes within the IT governance program in coordination with TEBS and departmental IT functions, specifically in the following areas: (1) Implementation of risk assessment framework to evaluate the adequacy of internal controls across departmental IT functions; (2) Enhanced communication between TEBS and departmental IT functions regarding major changes to the IT management framework and IT-related systems; (3) Enhanced focus on IT-related positions and hiring process within IT functions; (4) Enhanced management of responsibility matrix between TEBS and departmental IT functions; (5) Implementation of a formalized IT strategic planning template and process; (6) Strengthening the management of innovation, quality, and technology within departmental IT functions; (7) Integration of business continuity and continuity of operations planning across departmental IT functions; (8) Enhanced tracking and review processes for assets managed by departmental IT functions; and (9) Enhanced standards for IT project intake and management processes. |
05/31/2024 | Procurement Card Targeted Internal Control Review - Department of General Services | FIN, DGS | The Office of Internal Audit conducted a targeted internal control review of the Department of General Services (DGS) purchasing card (PCard) and employee expense functions. The County’s PCard and employee expense programs are administered through Accounts Payable within the Controller Division of the Department of Finance. Each County department is responsible for administration of these programs within their department. DGS’s PCard functions include processes and internal controls to mitigate fraud risks. Opportunities exist to improve control design and operational effectiveness to mitigate those risks more effectively in the following areas: (1) PCard management and operations; (2) PaymentNet information retention; (3) Departmental PCard and employee expense policies and procedures; (4) PCard and employee transactional analyses. |
05/31/2024 | Contract Management Audit | DGS, DOT, FRS | The Office of Internal Audit conducted an audit of the County's contract management processes related to three contracts between the County and a Contractor. The Contractor has three active contracts with the County, each managed and administered by a contracting department: Department of General Services, Division of Facilities Management; Montgomery County Department of Transportation, Division of Parking Management; and Montgomery County Fire and Rescue Service, Support Services Division. Each contracting department is responsible for contract management duties including ensuring goods, services, or construction are received, and the contractor adheres to the specifications, terms, conditions, and price documented in the contract. The contracting departments contract administration operations include processes and internal controls to mitigate risks, and procedures aimed to comply with contractual terms, scopes of service, and County requirements. Opportunities were identified for the contracting departments to improve internal controls and compliance efforts in the following areas: (1) Alignment with contractual scope of services; (2) Adherence to contract terms and administration requirements; (3) Adherence to County Accounts Payable policy requirements; (4) Enhanced work order and invoice documentation procedures; and (5) Formalized contract management procedures. |
07/31/2024 | Procurement Card Targeted Internal Control Review - Community Engagement Cluster | CEC, FIN | The Office of Internal Audit conducted a targeted internal control review of the Community Engagement Cluster's (CEC) purchasing card (PCard) and employee expense functions. The County’s PCard and employee expense programs are administered through Accounts Payable within the Controller Division of the Department of Finance. Each County department is responsible for administration of these programs within their department. CEC’s PCard functions include processes and internal controls to mitigate fraud risks. Opportunities exist to improve control design and operational effectiveness to mitigate those risks more effectively in the following areas: (1) PCard management and operations; (2) Employee expense management and operations; (3) PaymentNet information retention; (4) Departmental PCard and employee expense policies and procedures; (5) PCard and employee transactional analyses. |
09/30/2024 | Data Security and Governance Audit | TEBS | The Office of Internal Audit conducted a data security and governance audit across selected departments of Montgomery County (the County). The County’s IT functions are both centralized and de-centralized. Therefore, each department reviewed has unique Data Security and Governance responsibilities with varying amounts of assistance from Technology and Enterprise Business Solutions (TEBS). The audit assessed data governance policies, procedures, training, awareness, privacy impact assessment, business management of data, data use and retention, electronic and physical record management, transfer of data, data at rest, third-party interaction with data, and applicable incident response considerations. Opportunities exist to improve control design and operational effectiveness to mitigate those risks more effectively in the following areas: (1) Data classification policy and procedure management; (2) Security awareness training; (3) Data privacy policy and procedure management; (4) Third-party contract management respective to expectations for management and treatment of PII; and (5) Third-party system periodic review. |