FOR IMMEDIATE RELEASE
RubinBrown Certified Public Accountants & Business Consultants presented audits of Springfield Art Museum’s operations, loan programs and grant processing internal controls and the Springfield-Greene County Health Department’s internal controls for protected health information at the Aug. 21 Finance and Administration Committee meeting. In addition to the audits, RubinBrown provided a document detailing the status of recommendation completion from audits performed from 2015 through February 2018.
All City of Springfield audits can be viewed at springfieldmo.gov/opendata.
Springfield Art Museum Operations
The audit was completed in December 2018 and includes transactions from Jan. 1, 2018 through Aug. 31, 2018.
- The museum has a multi-layered security system that is alarmed. The museum also contracts with a third-party security service provider to perform random security checks of the building outside business hours.
- The vaults that store collections at the museum building have object IDs that separate loaned items from permanent collections, and also include the years and order number of the items received. Collection items also have specific locations, such as a vault number, shelf number, and shelf level that allow items to be located more quickly by the registrar.
Observations and Recommendations
- RubinBrown tested 20 daily cash receipts and found that we were unable to trace 15 receipts to daily deposits on bank statements at the City Finance due to the way the receipts were reconciled.
- An examination of refund and void transaction receipts found the following:
- No evidence of management review and approval as required by the financial control procedures for three of 10 sampled refunds/voids;
- No supporting documentation was retained regarding the reason for three of seven online refunds.
- RubinBrown sampled 20 permanent and loaned artwork inventory items. They found a discrepancy between the location of one piece of art as recorded in the system and the actual location of the piece.
Loan Programs and Grants Processing Internal Audit
The audit was completed in March 2019 and includes transactions from Jan. 1, 2018 through Dec. 31, 2018.
- The Planning & Development department performs a monthly reconciliation for all loans provided by the department. We noted that reconciliations are performed timely and variances are investigated and resolved.
- Each grant is entered into Oracle and allocated an identifiable program and grant code and the allocations of general costs are tracked in Oracle in accordance with the cost allocation plan.
Observations and Recommendations
- The Planning and Development department performs loan aging manually via an Excel spreadsheet. The City’s loan portfolio averaged approximately $40M during FY18.
- The Health department does not maintain formal policies and procedures for grant processing.
Process Improvement Opportunities
RubinBrown noted the following process improvement opportunities during its review. The observations are not considered an internal control weakness; however, the firm recommends City management consider the observations and take action where appropriate.
- Document the steps completed for each part of Planning and Development three-way reconciliation so that a back-up staff member can perform the reconciliation without one-on-one guidance from a current reconciler.
- Ensure that participants in the Missouri Work Assistance program at the Missouri Job Center check the box on the TRE form acknowledging that the gas card will be deducted from their next TRE benefit.
“We are appreciative of the auditor’s thorough review of our loan program and have already begun drafting the process improvements to assist in staff succession,” said Planning and Development Assistant Director Brendan Griesemer.
Health Department Health Insurance Portability and Accountability Act (HIPAA) Internal Controls Assessment
The audit was completed in March 2019.
- The department obtains accreditation from the Public Heath Accreditation Board every five years. The most recent accreditation date was October, 2018. This accreditation requires that the department demonstrate and evidence commitment to quality improvement, performance management, accountability, transparency, and the capacity to deliver the 10 Essential Public Health Services.
Observations and Recommendations
- There are five policy documents that refer to or require HIPAA compliance, including Administrative Memo #5, which is the department’s HIPAA policy. The department does not maintain a single comprehensive HIPAA compliance policy.
- RubinBrown performed a user access review of Patagonia and found three former employees with active accounts, 26 accounts with passwords that don’t expire, three generic accounts, and seven accounts with six or more roles.
- The administrator for Patagonia does not have personnel that could act as a true back-up to perform the required responsibilities.
- RubinBrown reviewed HIPAA training records for five employees who have access to Patagonia and found that two of five did not have a record of training within the last year.
- Although the HIPAA compliance officer is performing internal audits of user access to Patagonia, the audits are not documented as required by Administrative Memo #5. Additionally, internal audits of observations of clinical procedures were not documented or retained.
- The divisions within the department maintain separate confidentiality release forms. These forms do not have uniform legal language for the release and use of protected health information (PHI).
Process Improvement Opportunity
RubinBrown noted the following process improvement opportunity during its review. The observation is not considered an internal control weakness; however, the firm recommends City management consider the observation and take action where appropriate.
- Obtain the System and Organization Controls (SOC) report from Patagonia Health Services.
“The Springfield-Greene County Health Department takes our responsibility to ensure patient privacy and confidentiality very seriously, which is why we asked for this audit to ensure we are following current best practices. Our staff have already begun to implement these recommendations,” said Director of Health Clay Goddard.
Zone 3 Councilman Mike Schilling is the chair of City Council’s Finance and Administration Committee, which reviewed the audits.
“Internal audits provide important information to the City’s leadership team, as well as accountability to the taxpayers,” Schilling said.
The other members of the committee are general councilmen Craig Hosmer and Richard Ollis and Zone 4 Councilman Matthew Simpson.
For more information contact: Melissa Haase, Assistant Director of Public Information & Civic Engagement, 417-864-1003 (office) | 417-536-7648 (cell), [email protected].