By S.E. Williams
Each fiscal year, municipalities around the state are subjected to rigorous external financial audits in alignment with California Government Code Section 25253.
The Government Code (Code) requires each Board of Supervisors to facilitate the preparation and publication of a statistical report that is a ‘full and concise assessment’ of all the financial transactions of the county for the last fiscal year.
Code requires an auditor to review the receipts and expenditures of all courts, offices, boards, commission, institutions and departments. The auditor is also required to classify the principal items of income and expenditure of each in order to show a complete picture of the municipality’s financial transactions and ultimately, the financial condition of the county.
On January 13, Riverside County Auditor- Controller Paul Angulo, submitted the 2015- 16 Comprehensive Annual Financial Report to the Riverside County Board of Supervisors for review and file.
This year’s audit was conducted and submitted by the Certified Public Accounting firm of Brown Armstrong.
In its written communication to the Board of Supervisors, Brown Armstrong affirmed its role was limited to consideration of the county’s internal controls over financial reporting; and designed its audit accordingly. As a result, the auditor expressed opinions on the effectiveness of adherence to the county’s internal controls; however, it did not express an opinion on the effectiveness of those controls. In alignment with these principles, Brown Armstrong did not express any opinions on how effective the county’s internal controls actually are.
The auditor could categorize findings according to one of three categories. Firstly, when the design or operation of a county control does not allow management or employees to identify and correct misstatements in an expeditious manner during the normal course of business, it is identified as a deficiency.
Next, a deficiency or combination of deficiencies that can result in the inability to prevent, detect and correct a material misstatement of the county’s financial statements as quickly as possible is considered a material weakness.
The final assessment category is a significant deficiency. This rating occurs when there is a deficiency or combination of deficiencies in the established county control. Items that fall into this category are less severe than a material weakness but still significant enough to require enhanced attention by those in charge.
After a thorough examination of a myriad of financial records across a range of Riverside County departments, the auditor made two key findings. One finding was identified as a material weakness, while the other was categorized as a significant deficiency.
The auditor identified a material weakness for the county Waste Resources Department’s failure to record post-closure and remediation liabilities for a total of 26 inactive landfill sites in both the previous and the current year. According to the Government Accounting Standards Board, most pollution remediation outlays do not qualify for capitalization and should be accrued as a liability. A failure to do so can result in a misstatement of financials records. Policy calls for post closure liabilities and remediation liabilities be recorded in the year they are identified. Also, according to the Government Accounting Standards Board, the account should be recorded at the current value of the costs the government expects to incur to perform the work.
According to the audit, although county officials were aware there was liability associated with the 26 sites, it was not until recently that a third party consultant and staff engineers quantified the amount of liability. In the future, the county will make the necessary liability adjustments based on the Consumer Price Index.
In an exclusive interview with The Voice, Riverside County Public Information Officer Raymond Smith was asked whether all 26 of the landfills became inactive in the previous two to three years. “No,” he replied and continued, “All of them stopped accepting waste prior to July 1, 1991, before current regulations were established.”
According to Smith, “Liabilities for these sites were not reported in the past.” He further explained. “The department has set aside funds to cover approximately half of the potential liability costs despite the fact that Title 27 regulations do not require that the department set aside any such funds.” Title 27 of the California Integrated Waste Management Board was enacted to establish regulatory standards designed to protect public health and safety and the environment. It was last updated in October 2012.
Smith also provided clarity regarding what might fall into the categories of post-closure and remediation liabilities. “Post-closure work typically consists of activities such as landfill cover repair, drainage maintenance/ improvements, mowing and site security.” Also according to Smith, “Remediation typically includes the operation of a gas collection system or soil-vapor extraction system.”
The next area of concern in the audit was identified by Brown Armstrong as a significant deficiency. According to the auditor, the county does not currently have a process in place to periodically review user access accounts and permissions within its PeopleSoft systems.
PeopleSoft applications are designed to meet complex business requirements. Riverside County’s PeopleSoft team supports both the personnel and fiscal system of record for the county. It provides the means to effectively manage all 22,000 county employees, its budget and accounts for $4.4 billion in annual spending. It also provides transaction logging for auditing purposes.
The auditor also noted the county does not consistently follow procedures for requesting the documented completion of all termination actions for non PeopleSoft systems such as database and operating system accounts. In addition, during an examination of the password requirement settings within several of the county’s information systems, the auditor found they are not in alignment with the Password Policy as stated in the county’s Information Security Standard policy.
The auditor attributed the weakness to the county’s failure to have a process in place to periodically review user access accounts and permissions with the PeopleSoft systems. However, the county does have a procedure to conduct a bi-annual user security audit— however, it was not being followed. As a result, the county stated it would, “Re-engage the process”.
The auditor also noted the county’s failure to consistently follow its own documented procedures for requesting and documenting the completion of all termination actions for non PeopleSoft systems—including both database and operating system accounts. The county does have a policy in this area as well; however, it does not require that the completion of termination related actions be documented. The county has agreed to update and implement changes to its policy to incorporate a documentation procedure when a termination is requested and completed.
The auditor believed the failures in this area are the result of a lack of periodic user access reviews. This can also result in some employees having access to system functions not required under their current job responsibilities. In addition, unauthorized user accounts are not identified and removed or disabled in a timely matter. This vulnerability is especially concerning in light of recent and ongoing cyber attacks that continue to plague the country, especially since terminated employees could have unauthorized access.
The audit noted certain passwords were not up to policy standards and as a result, unauthorized users may be able to access the programs. The combination of all of these concerns can certainly not only impact the fiscal effectiveness but its security as well.