Background

The Office of Vocational and Educational Services for Individuals with Disabilities (VESID) is responsible for the overall coordination of services to individuals with disabilities (consumers). Vocational rehabilitational goods and services are provided to these consumers so they can be employed in integrated or supported work settings. VESID has over 300 counselors in 25 district and satellite offices serving over 106,000 consumers a year and spends in excess of $120 million a year on support services, maintenance and transportation, and case services. VESID reported that over 15,000 consumers were successfully placed in integrated work settings or supported employment in 2003, which is more than double the number of consumers placed in 1989.

Counselors determine a consumer's eligibility, establish goals with consumer input, determine the goods and services that will be purchased, and obtain the price VESID will pay. Counselors can authorize a wide variety of goods and services to assist the consumers. Goods include items such as clothing, home modifications, vehicle modifications, and equipment such as computers. Services can include counseling and guidance, vocational evaluation, physical restoration, on-the-job training, college training, or a vocationally orientated program. The VESID employees we interviewed are generally hard-working individuals interested in doing things the right way with a commitment to serving the disabled population of New York State.

VESID has developed computerized systems to facilitate processing transactions for its consumers as well as to monitor and report results. The systems establish a unique identification number for each consumer, provide for recording case notes in a computerized format, track the status of each case, and print authorizations and vouchers for payments.

The audit examined internal controls and reviewed practices, records, and documentation for the period January 1, 2000 through June 30, 2004. This was a performance audit and the objective of our audit was to assess the adequacy of internal controls established by VESID for the procurement and payment of vocational rehabilitational goods and services. This audit was requested by the Department’s executive management and VESID’s Deputy Commissioner as a follow-up to an audit of VESID’s Utica district office conducted by the Office of the State Comptroller (OSC). OSC’s audit, issued on September 22, 2003, identified the use of an unlicensed architect, potential conflict of interest transactions, non-compliance with State bidding requirements, and excessive costs for home modifications.

To accomplish the objective, we reviewed applicable laws, regulations, policies and procedures; interviewed VESID management and staff; examined records and supporting documentation; sampled a limited number of transactions on a non-statistical basis; interviewed consumers; obtained invoices from vendors; obtained an understanding of VESID’s computer systems; analyzed data available from the computer systems; and conducted field visits in four offices.

Our audit included examining, on a test basis, evidence supporting transactions recorded in the accounting and operational records, and applying other procedures considered necessary in the circumstances. The audit also included assessing the estimates, judgments, and decisions made by management and staff. We believe that the audit provides a reasonable basis for our findings, conclusions, and recommendations.

The audit was time consuming and difficult to complete for a variety of reasons. The following are some of the challenges we faced:

A lack of documentation hampered the audit. Documents, such as invoices and information showing that consumers received the goods and services, were not required by VESID and generally were not available to support transactions. As a result, the audit contacted vendors to obtain invoices and interviewed consumers to determine whether the goods and services were received.

It took several months for the audit to determine that certain reports generated from the computer systems were not reliable. For example, some of the standard reports are based on service dates and generally did not include back-dated authorizations. We also noted that case service codes, which define goods and services in broad categories, were inconsistently used and could not be relied upon.

The computer systems were difficult to use, to extract data from, and to generate reports. It took several months to gain the knowledge to independently generate and analyze the data. In addition, it took the audit hours to run relatively simple reports and, in many cases, the processing of the reports was terminated prior to completion.

District office managers stated that certain policies, procedures, and controls were in place. During the course of the audit, we found that some were, in fact, not implemented. These instances adversely affected the credibility of the information provided and made us skeptical. The audit looked to additional ways to verify the accuracy of the information.

Our audit concentrated on the internal controls over the procurement and payment of goods and services. We reviewed operations at four offices and analyzed Statewide data. While our findings on specific transactions relate to the operations at the four offices reviewed, our analysis of Statewide data shows the potential for questionable transactions at other offices as well. As part of this audit, we did not follow-up on the questionable transactions at other offices, but any plan to correct the deficiencies identified in this report must take into account all of the district offices.

Based on information that came to our attention, we also identified concerns with maintenance and transportation (M&T) expenses, consumer eligibility, economic need determination, vendor approval, and specialized vocational training schools. These areas were not within the scope of our audit; however, they represent a significant risk that VESID needs to consider in preparing a plan to address the findings in this audit.

Internal controls are the policies, procedures, and practices designed and implemented to provide management with reasonable assurance that resources are safeguarded against waste, loss, and misuse; that operations are efficient and effective; that specific management objectives are achieved; that financial reports are reliable; and that the entity complies with applicable laws and regulations. The internal control systems must be built into the business processes to ensure core activities are accomplished effectively, efficiently, and economically.

An effective internal control system should facilitate stewardship and accountability of resources as well as the accomplishment of goals and objectives. The system should not be looked upon as a separate system within an agency, but rather as an integral part of the daily responsibilities of management and employees. OSC issued guidance on internal controls in a document Standards for Internal Controls in New York State Government (Standards). The Standards specify that there are five interrelated components that form the basis for a good system of internal control and provide detailed information on each of the components. The Standards were used to assess VESID's internal control system.

The interrelated components are control environment, risk assessment, control activities, information and communication, and monitoring. The audit determined that VESID has not established and maintained an effective internal control system. Significant weaknesses were found in each of the five components. The audit found that the lack of controls resulted in some alarming practices related to purchasing goods and services for consumers. Our findings and recommendations are addressed in more detail in the sections that follow. VESID management must give careful consideration to the findings and recommendations to improve their internal control system.

VESID officials agree with the recommendations. Most of these findings were communicated to VESID management throughout the audit. In response to the findings, a cabinet of various Department employees was established to develop a plan to address the weaknesses and begin making the necessary improvements. Several steps have been taken including providing training to district office and business managers, issuing additional fiscal procedures, preparing a request for proposal for a new computerized system, and others. While these are important elements of the changes that are needed, VESID must change its organizational culture so that all employees recognize the need for and importance of internal control systems. While the change will not be easy, it is necessary to ensure the effective stewardship and accountability over the resources entrusted to VESID.

The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control; providing discipline and structure. Control environment factors include integrity and ethical values, commitment to competence, management participation, management philosophy and operating style, organization structure, assignment of authority, and human resource policies and practices.

In a decentralized organization, such as VESID with over 300 counselors in 25 district and satellite offices serving over 106,000 consumers a year, management’s actions help define the organizational culture affecting the design, administration, and monitoring of the other internal control components. Organizational culture determines what actually happens and which rules are obeyed, bent, or ignored. Management must instill a control environment that fosters integrity and ethical values, and a commitment to excellence. This requires clearly communicating expectations to staff, assigning responsibilities and authority to make decisions to the appropriate level, and routinely monitoring performance.

District office managers are responsible for implementing the policies and procedures established by central office and for monitoring the daily activities of their staff. Counselors have the authority to make most fiscal and programmatic decisions but do so with little or no supervisory oversight. Policies and procedures are not complete and the periodic monitoring of counselor activities is not comprehensive. This has created an environment in which inappropriate behavior can occur and not be easily detected.

In the late 1980s, VESID established a goal to "increase the percentage of individuals with disabilities placed in integrated job settings in a cost-effective manner." In an effort to increase the number of placements and reduce the time it takes for those placements to occur, a number of controls were eliminated including the supervisory review of case files and the approval of vendors by central office. In addition, management adopted a hands-off operating style putting the decision-making processes for purchasing, receiving, and payments in the district offices. This created a situation where each of the counselors acted as independent purchasing agents with inadequate guidance and oversight from central office. Not only is VESID not in compliance with State procurement requirements, this situation has contributed to a weak control environment where less emphasis was placed on the finances.

Management must set the appropriate tone at the top and provide leadership by setting and maintaining the organization’s ethical tone and providing guidance for proper behavior. One way to set the tone is to review the fiscal decisions being made by the counselors. The review should be completed using a risk-based system and should be cost-effective. Management developed a case file review system to monitor counselor performance, but it does not include a component to assess the appropriateness of fiscal decisions. Counselors do not routinely receive feedback on fiscal decisions they make in managing consumers’ cases. This could lead a counselor to conclude that the fiscal decisions are not reviewed and are less important than programmatic decisions.

Also contributing to a weak control environment was management permitting staff to inappropriately charge the weekly cost for a consultant to one consumer’s case even though several consumers benefited from the expenditure. This created an impression that the strict accountability for funds is not important. Some consultants worked on numerous cases and performed various services. They were directed by VESID staff to accumulate their hours on a weekly basis. A senior counselor would sign the record of service and authorize the cost to be charged to a different consumer’s case each week. This was a way to "facilitate" payments to the vendors. For example, one consumer’s case was charged $401 for 37.5 hours for job coaching, but the consumer did not receive the services. VESID management indicated that the consultants worked on several cases and performed various services for this fee. We were able to confirm this payment practice occurs in at least four offices but believe it is, in all likelihood, more widespread.

The audit also noted some other questionable practices related to consultants. VESID paid some consultants an hourly rate plus a $20 or $50 bonus for every case they closed successfully. This practice accentuates the emphasis on placements. VESID also hired an agency to provide consultants to assist with the screening of consumers’ eligibility. There is some concern whether the consultants are independent contractors or employees since they meet several of the criteria for classification as an employee.

Also of concern was the practice of a district office to hire an agency to provide on-the-job training and have the training take place in that same district office. The consumers did routine office work that was previously done by VESID employees. The placement of consumers and consultants in district offices raises concerns about the appropriateness of the use of program funds for administrative functions.

Risk assessment is the identification and analysis of factors or conditions that may threaten the achievement of management’s objectives. It involves identifying significant internal and external risks that may impact the effectiveness and efficiency of operations, the reliability of fiscal and programmatic reporting, and compliance with applicable laws and regulations.

Once the risks have been identified, they should be analyzed for their possible effect. Risk assessment generally includes estimating the significance of the risk, assessing the likelihood of its occurrence, and deciding how to manage the risk and what steps should be taken. Risk assessment should be conducted on a periodic basis to ensure any new or changing risks are adequately managed. Such a process can provide management with the opportunity to enhance accountability; improve performance; ensure compliance; detect wrongdoing; and preclude or mitigate injury, damage, or loss. VESID has not routinely assessed risk in each of its district offices.

In 2000, a graduate intern working for the Department assisted the district offices in conducting a risk assessment. The risk assessment identified key functions performed in each district office and the risks associated with each function. For each risk, an assessment was made of its significance, the likelihood that it would occur, and the controls that were in place to reduce or minimize the risks.

If it was determined that district office controls were not adequate, staff prepared a corrective action plan identifying the cause of the risk, the types of control activities that could prevent or reduce it, who would be affected by the new control, and how the information should be communicated to staff. This process identified a number of significant risks that are common to the district offices.

This information was submitted to central office, but management did not take any action nor did it complete any other comprehensive risk assessments. We also noted that, as part of the Department’s annual certification on internal controls to the Division of the Budget, VESID provided information to the Commissioner indicating the existence of controls and a review process; however, this process did not adequately identify the control weaknesses. In response to our audit, VESID has reviewed the risk assessments previously completed by the district offices and has also met with its managers to discuss the risks facing the district offices.

Control activities are the policies, procedures, and processes implemented by management to help ensure its directives are carried out. The control activities include written policies and procedures, separation of duties, supervisory review, and others. Management must establish the necessary control activities to effectively and efficiently accomplish the organization's objectives and mission. The audit determined that VESID has not implemented some key control activities for the procurement and payment of goods and services. This has led to serious weaknesses in the purchasing process. Improvements are needed related to written policies and procedures, separation of duties, supervision, documentation, safeguarding assets, verification, and computer controls. Information on each of these areas follows.

Written policies and procedures help ensure employees know what is expected of them and also provide for standardization among district offices. The policies and procedures are particularly important when there are offices in many locations and there is high staff turnover. Policies and procedures are an important internal control that establish responsibilities and accountability, and help ensure consistency among staff.

VESID has policies and procedures online covering areas such as consumer and counselor relationships, key processes in serving consumers, and types of services. However, some of the counselors we interviewed did not appear to be aware of the policies and procedures or did not always follow them. For example, some counselors authorized services in excess of the maximum amount established by policy. Other counselors did not use a required ownership form. VESID policies require that the consumer and counselor complete an ownership form for equipment purchases such as computers. The form acknowledges that the equipment is the property of VESID and must be returned under certain circumstances. However, most files we reviewed did not include a copy of the signed form.

The audit found that the established policies and procedures were not complete. For example, VESID did not have procedures outlining the specific steps staff should follow in purchasing goods and services. Procedures were not available to address vendor approval, vendor selection, the delivery and receipt of goods, the use of quotes and formal bids, counselor authorizations, verification of the delivery of goods and services, reconciliation of the receipt of goods and services with the billings, compliance with State purchasing laws and regulations, and supervisory approvals.

The audit reviewed the process for the delivery and receipt of goods authorized for consumers and found there are no procedures to instruct staff in the appropriate process to follow. Instances were found where goods were delivered to the consumer's home, another location, and district offices. In other cases, consumers picked up the goods directly from vendors. With variations in practice and the lack of documentation, it is very difficult to determine if the consumer received the goods. In fact, eight consumers told us they did not receive over $43,000 in computers and other equipment that were purchased by VESID and charged to the consumer cases.

VESID updated its policy in October 2003 to address conflict of interest transactions. However, the policy does not address conflict of interest transactions between vendors and consumers. In the absence of such a policy to address this situation, a purchase was made from a related party without any justification to show the price was competitive. For example, VESID paid a cousin of a consumer $7,000 for a one month trial employment of the consumer. The cousin was reimbursed without the benefit of a contract or justification for the costs. The services of the consumer were terminated at the end of the month.

Key duties and responsibilities should be divided or separated among different individuals to reduce the risk of errors and misappropriation. No one individual should control all key aspects of a transaction or event and the work of one employee should serve as a check on others. Ideally, for the purchasing process, the initiation, authorization, approval, ordering, receipt, payment, and record keeping should be performed by different employees. Where the duties cannot be adequately separated, there should be increased supervisory review and oversight. The audit determined that VESID has not implemented adequate separation of duties for the purchasing process. As a result, there is less assurance that all purchases are appropriate.

VESID counselors have the authority to initiate, authorize, order, and direct delivery of goods to various locations. This process lacks adequate separation of duties and creates an environment where goods and services could be misappropriated with little or no risk of detection. For example, counselors could order goods and have them delivered to their home or another address. When the vouchers come in, they would in all likelihood be paid.

The finance clerks in four offices had access to issue authorizations to purchase and to also process vouchers to pay for the goods and services. This process lacks adequate separation of duties.

Supervisory review of transactions can help ensure only appropriate activities occur and objectives are achieved. Supervisors should monitor, review, and approve the work of their unit; provide necessary guidance and training; and clearly communicate duties and responsibilities. Given the lack of separation of duties, the need for supervisory review and oversight is heightened. However, the audit determined that VESID did not generally require supervisory review of transactions including purchases.

Many of the counselors interviewed indicated certain issues are discussed with their supervisor and purchases over a specified threshold would require supervisory approval. However, we did not find any evidence of those discussions or approvals by supervisors. In fact, we found a case where a counselor authorized $60,271 for a van modification and there was no evidence of supervisory review or approval even though the expenditure exceeded the $25,000 limit set in VESID’s policy.

The audit noted some changes to dates, quantity, and totals were being made to vouchers after they had been certified and submitted to the district offices by the vendors. Some of the changes included increases to the total. Documentation was not available to show a supervisor approved the changes or the reason for the changes.

The audit also determined that supervisory review and approval are not required to add an individual or company to the approved vendor list. District office staff can add vendors to the system without the review or approval of a supervisor. As a result, there is an increased risk that vendors on the approved list may not be qualified.

All transactions, purchased goods and services, and significant events should be clearly documented in each consumer’s case file. The documentation should be complete, accurate, organized in a standard format, and recorded promptly. The audit found that the consumer files did not contain adequate documentation to support transactions and purchases made on behalf of the consumers.

Documentation was often not available to support certain purchases. In a few cases, the district office could not find the files we requested. In other cases, the files were provided, but did not contain the necessary documentation to support certain expenditures. For example, eight laptop computers were purchased for one consumer over a 17-month period, but documentation, such as the authorizations and invoices, were not available in the case file to support the expenditures.

Documentation is generally not required or maintained to show that the consumer received the goods VESID purchased for them. For example, a counselor authorized the purchases of three camcorders for a consumer in a four-month period, but there was nothing in the file to indicate the consumer received the goods. In fact, the consumer indicated only one camcorder was received. The counselor could not explain the reason for authorizing three camcorders.

Similarly, many files did not contain documentation to show schools provided records of attendance or grade reports for consumers. Nevertheless, VESID authorized payments for these services. In one case, a payment was made for a consumer to attend a driving school, but the consumer withdrew from the school and entered another school. However, VESID paid the second school and did not request a refund from the first school, even though it was entitled to one.

Each authorization includes one or more case service codes in broad categories that describe the goods and services being provided. However, the audit found that the case service codes are assigned by the counselors and, in some cases, have no relationship to the goods being purchased. For example, in one of the cases reviewed, we found that the purchase of electronic equipment was coded 420B which is "books and related materials."

Documentation is generally not available to show the specific items purchased. VESID does not require vendors to submit an invoice or a detailed description of the good purchased. The finance clerks in two district offices indicated that payment is made based upon receipt of the signed voucher. For example, a voucher was paid for $1,414 for "equipment/tools" without any information or documentation to indicate what was actually purchased.

The audit found inconsistencies in the documentation maintained in the consumers’ case files. In some instances, copies of authorizations were in the files while others had multiple copies (yellow and white originals), and still others had "reprints" of the authorization. Most files did not include invoices. It does not appear there is a standard as to what documentation should be maintained in the files.

Safeguarding of assets is defined as restricting access to resources and information to help reduce the risk of unauthorized use or loss. Management must secure the organization’s assets, files, documents, and other resources to protect them against loss and misuse. The audit found that VESID did not adequately safeguard some of the assets it purchased for consumers.

Accountability over assets must be established upon receipt and maintained throughout the life of the asset. Adequate records must be maintained to show the receipt, use, and disposition. The audit determined that goods such as computers are delivered to district offices, but there is no procedure to record the receipt or disposition. A list of the items received is not prepared to establish accountability over the assets nor is documentation maintained to show the disposition or transfer of the item to a consumer. This creates a significant risk that the goods could be lost or stolen. Using information obtained from vendors, the audit determined that a VESID employee signed for 33 laptop computers delivered to one of the district offices. The district office did not maintain a record of the receipt or disposition of the computers. In fact, the whereabouts of the computers are unknown.

Verification is determining on a periodic basis the completeness, accuracy, authenticity, and validity of transactions, events, or information. It is management’s responsibility to ensure activities are being conducted in accordance with directives. Management should identify key areas and implement procedures to periodically ensure the transactions or events are processed in accordance with expectations. While VESID has a process to review case service activity, it may not be adequate given the exceptions noted throughout this report.

Computerized information systems are an integral part of most organizations’ operations. The systems are used to facilitate processing transactions as well as to monitor and report results. Controls must be in place to limit access to authorized users; ensure data on the system are complete, accurate, and timely; maintain an audit trail for each transaction; verify the validity of data; and generate reports that effectively monitor performance.

VESID has developed a Case Management System (CAMS) to track services provided to consumers. CAMS establishes a unique identification number for each consumer, requires the use of standardized case service codes to identify goods and services, provides for the recording of case notes in a computerized format, and provides statistical and financial information. Information from CAMS is transferred to another computerized system, the Financial Management (FM) system, to transact with the State Accounting System. The FM system is used to generate authorizations for services and vouchers for payment. While these computer systems facilitate the processing of transactions, adequate controls for these systems have not been established. The lack of controls may have facilitated the processing of some of the questionable transactions identified. While we did not complete a full review of the computer systems’ controls, a number of weaknesses were identified that related to access, data validity, processing, and output controls.

The computer systems were not programmed to restrict individuals’ access to transactions within the scope of their responsibilities. For example, eight individuals in one district office had the ability to authorize a service and to also process the payment for that service on the computer systems. During the course of the audit, VESID restricted the access. It was also noted that most of the staff in the office (counselors, keyboard specialists, finance clerks, and business managers) could issue authorizations to purchase goods and services. Another example identified with access controls was that a counselor could access all consumer records even if the cases were assigned to other counselors.

The computer systems have certain edit and reasonableness checks, but additional checks are needed to ensure the validity of the data. For example, there is no check to ensure the price and quantities entered on the computer systems are within acceptable ranges and comply with established policies. The computer systems allowed counselors to inflate the cost of a training program in order to avoid VESID’s cost containment policy (80 percent limit).

The computer systems allowed authorizations to be back-dated. Statewide, over 11,000 transactions were back-dated over a three-year period and a review of a sample of these transactions showed the files did not have an adequate explanation or documentation to justify the actions. Further, there were cases where multiple authorizations for one consumer were issued to the same company and back-dated for several years without adequate explanations. For example, in a 10-month period, 11 authorizations for one consumer were back-dated by as much as 2.5 years. These authorizations were issued to the same computer vendor for purchases totaling $8,241. In another case, the FM system permitted a counselor to back-date a transaction by over 19,000 days. While the entry was inadvertent, it shows there was no reasonableness edit built into the computer systems’ programming.

The computer systems permitted counselors to issue authorizations against closed cases by simply dating the authorization and date of service to a time when the case was active. For example, nine authorizations for $17,987 were issued on a closed case. Vouchers for eight of those authorizations were subsequently submitted for payments totaling $16,982 for purchases from a computer and camera/photo vendor. In addition, documentation was not available in the case folder to support the purchases.

The computer systems do not establish an adequate audit trail that would permit a review of the history of all transactions for each case. For example, if a consumer’s name and address were changed on CAMS, it does not maintain a record of the prior name and address. This could make it difficult to identify consumers with name changes and also raises other security concerns.

The audit also found that the information maintained for the consumers on CAMS may not include all transactions for a consumer’s case. Certain transactions, such as authorization for services that are entered on the FM system, are excluded from CAMS. In addition, the FM system does not identify the individual who actually entered an authorization on a consumer’s case. Rather, it has been programmed to default to the counselor of record.

As stated in a prior section, authorizations do not include a specific or detailed description of the goods or services authorized or purchased. Counselors select a code and standard text, such as "equipment/tools," is recorded on the computer system. The counselor has the option, but is not required, to enter additional information describing purchased goods or services. If additional information is added, it will appear on the original copy of the printed document, but it is not retained by the computer systems. Monitoring is difficult when the items purchased are not specifically identified on the computer systems.

Information should be recorded and communicated to management and others in a form and within timeframes to allow them to carry out their responsibilities effectively. Reports containing operational, financial, and compliance-related data should be prepared and used to manage and control operations. The reports must contain information that is timely, accurate, complete, and useful. In addition, requirements and expectations must be clearly communicated to staff, consumers, and vendors. Information and communication are critical to the effectiveness of an internal control system. The audit determined that VESID has deficiencies in these areas.

Information should be routinely used to facilitate monitoring performance, support fiscal and programmatic decision-making, and monitor the integrity of the data on the system. Computer systems should provide for standard and ad hoc reports as well as have the capability for online inquiries and data extracts.

VESID has developed computer systems to track and report statistical and financial information. A number of standard reports are generated periodically showing vendor usage; information on the length of time in the various status codes; and activity by counselor, district office, and Statewide. However, some of these reports are not being used effectively, and additional reports and capabilities are needed.

Monthly reports of counselor activities are generated, but these reports are not routinely reviewed to monitor performance. Such a review could identify unusual or questionable transactions. For example, counselors’ codes were used to process transactions after the effective date of the counselors’ retirement. While a report was prepared showing this activity, there was no indication that any manager was aware of it or determined the appropriateness of the transactions.

The reports generated by the system do not include detailed descriptions of the goods or services, transactions that were back-dated, or activities on closed or recently reopened cases.

Reports are not generated in a manner that would facilitate the identification of cases that have high-dollar value transactions or unusual activity. For example, our review identified almost $10,000 in multiple computer purchases for one consumer.

VESID’s computer systems have the capability for online inquiry and ad hoc reports. These features can be used to identify unusual patterns or trends with authorizations and purchases. However, it does not appear these features were routinely used.

Management must inform employees of their duties and responsibilities, provide the information necessary for employees to carry out their responsibilities, and convey the message to employees that internal controls are important. The communication can be via policy manuals, accounting and reporting manuals, and memos. Management must also establish an environment that encourages employees to suggest improvements and report any sensitive matters to management. VESID has developed certain forms, policies, and procedures and has made some of them available online. However, the policies and procedures are not complete and VESID has not effectively communicated its policies to employees, consumers, and vendors. Some examples of the exceptions follow.

VESID issued policies in January 2003 stating that computers can be purchased for consumers as part of a self-employment plan or for students when the consumer is unable to use a college computer center. The policy goes on to state that a senior counselor’s review and approval is required for all computer purchases. We interviewed several counselors and asked about their practices related to computer purchases.

One counselor indicated she would never authorize the purchase of a computer for a consumer since computers are available in public places such as colleges and libraries. Another counselor said she would authorize a computer if the consumer was attending an educational program and provided a letter from the school indicating a computer was necessary. Finally, a third counselor indicated she would authorize a computer if she thought a consumer needed it and that no supervisory approval is required.

A regional coordinator told us that the business manager’s approval is required for any case where the authorizations are expected to exceed $3,000 and central office approval is required where the authorizations are expected to exceed $10,000. The audit did not find any documentation showing supervisory approval of authorizations. For example, authorizations for one consumer totaling $10,500 were issued in a single day without any indication of supervisory approval.

District offices establish certain policies and terms with its vendors such as training schools. However, it does not appear this information is adequately communicated to staff. The audit noted various prices were authorized and paid for the same service. For example, there were three instances of individual consumers attending the same educational program at approximately the same time with VESID paying three different rates.

These examples clearly raise the question of whether requirements and expectations were effectively communicated to counselors, consumers, and vendors.

Monitoring is a process that assesses the quality of an organization's performance over time and, in so doing, determines whether controls are effective. An important part of monitoring is implementation of corrective actions in cases where monitoring identifies a problem area. Monitoring should take place at all levels of an organization. District office managers should monitor the procurement process within their offices, including the performance of staff and vendors. Central office should monitor the performance of the district offices.

VESID does not have a process to monitor the purchasing process. The absence of monitoring precludes managers from identifying problems and taking corrective actions. VESID has a case review process which involves sending a team of reviewers to the district offices. The reviewers examine a sample of each counselor's cases, but counselor purchasing decisions are not part of the review. In addition, there is no formal process to monitor vendor performance.

As shown in the information and communication section of this report, VESID is not effectively using the information and reports it has to monitor performance of district offices. The audit also found VESID does not have an effective process to monitor vendor performance and provide feedback to the vendor. VESID has agreements with certain trade and business schools to provide services to its consumers. These programs have been removed from the oversight of the Department’s Office of Higher Education, but VESID has not developed a process to routinely monitor the schools’ performance. Several counselors indicated they informally monitor vendor performance. If they had a problem with a vendor, they would not use the vendor in the future and would discuss their concerns informally with other counselors or the business manager.

Establish a plan to address the deficiencies identified in this report and improve the control environment to ensure that all employees recognize the importance of and need for internal controls.

Reevaluate the performance standards currently being used and the need for performance standards related to controls.

Ensure staff is aware of the State requirements related to purchasing and adhere to them.

Eliminate the practice of inappropriately charging vendor costs to one consumer's case file when many benefit.

Assess the practices related to the use of certain consultants to ensure they are appropriate.

Reexamine the results of the 2000 risk assessment and implement corrective actions.

Develop a risk assessment methodology that meets VESID's needs and establish a requirement that it is completed annually.

As part of the risk assessment, consider the risks and controls for M&T, consumer eligibility, economic need determination, vendor approval, and specialized vocational training schools.

Implement the necessary control activities to ensure VESID’s objectives and missions are accomplished effectively and efficiently.

Develop specific policies and procedures for the procurement and payment of goods and services, and ensure staff are adequately trained and understand them.

Ensure policies and procedures are kept current.

Redesign district offices’ operations in order to separate incompatible duties in the procurement and payment processes.

Assess the need for additional oversight and supervisory review of counselor activities.

Establish documentation requirements outlining the information that should be maintained in each case folder.

Require vendors to submit invoices or detailed descriptions on vouchers submitted for payment.

Consider expanding the description included as standard language for each case service code.

Develop documentation requirements to show consumers received the goods and services purchased for them.

Develop a policy defining when it is appropriate for goods to be shipped to the district offices and establish procedures for maintaining accountability over the goods.

Develop a system to ensure counselors’ fiscal and programmatic decisions are verified on a routine basis.

Limit users’ access to terminals and transactions that are essential for their responsibilities.

Eliminate the ability of any one individual from having the authority to issue authorizations and also pay vouchers.

Develop reasonableness checks on the price and quantity of goods or services being purchased.

Eliminate the back-dating of authorizations and the ability to issue authorizations on closed cases.

Develop an audit trail whereby a record is maintained of all case activity.

Develop an approval process to change consumer information and maintain a permanent record of any such change.

Assess the adequacy of the information and communication systems.

Prepare and review periodic reports of transactions to identify unusual or questionable activity, back-dated authorizations, and activity on closed cases.

Consider the feasibility of facilitating the use of online inquiries and ad hoc reporting.

Clearly communicate requirements and expectations to staff, consumers, and vendors.

Develop policies and procedures to routinely monitor performance related to purchasing, counselors’ tasks, vendors, and other areas as needed.

Contributors to the Report

VESID Internal Controls Over Procurement and Payment

of Vocational Rehabilitational Goods and Services

I would like to express my thanks for the effort of the auditors and investigators. I recognize the tremendous amount of resources that were devoted to this audit and appreciate the professionalism shown by your team.

We agree with the audit report findings, and acknowledge that there have been serious deficiencies in VESID fiscal controls as related to vocational rehabilitation services. VESID is working with its colleagues in the Department to implement all the recommendations contained in the report as quickly as possible.

We would like to clarify that VESID’s policy was never to eliminate or weaken its internal controls. The plan to improve access to services for consumers, which was implemented in the early 1990s, was intended to provide high quality services to individuals as quickly as possible and streamline the process for consumers entering the vocational rehabilitation system. The number of persons VESID had contact with annually had increased by over 54%, from 74,000 consumers in 1989 to 114,000 consumers in 1992. It was clear to VESID’s consumers, advocates, providers and employers that VESID needed to adapt to these changing needs, address the growing demands and improve the quality of services provided. The changes resulted in many more individuals with disabilities being placed into employment. In 2003, VESID placed over 15,000 individuals with disabilities into employment as compared to 9,300 in 1990.

This significant growth in consumers served is a reflection of the tremendous dedication and commitment of the hundreds of hard working individuals who serve as VESID vocational rehabilitation staff. As apparent from the numbers noted above, they have seen their duties and responsibilities steadily expand over the last two decades. The integrity of these honest, caring and highly professional individuals is not diminished by the actions of a few unscrupulous individuals. VESID supports the strongest disciplinary and legal actions against those who may have broken the law and the clear communication to all VESID staff that such actions will not be tolerated.

VESID has reviewed the final audit findings and recommendations in detail, has developed a plan to address control weaknesses and has already begun implementation. As a first step, following the release of the preliminary observations of this audit in February 2004, VESID established a cross-Department "Vocational Rehabilitation (VR) Cabinet." This cabinet, composed of key staff from VESID and other parts of the Department, has been charged with developing and assisting in the implementation of strategies to resolve identified issues, to anticipate future areas of concern, and to evaluate the success of actions taken. The initial meeting of the VR Cabinet resulted in the establishment of three workgroups to address the following key issues:

The Cabinet subgroup on staffing for the VR Business Offices has a twofold charge: to address the staffing needs of the Business Offices, and to recommend an appropriate staffing plan for the Business Offices predicated on an eventual redesign of the Offices to the degree that operations will be localized, regionalized and/or centralized.

The second workgroup is responsible for improving the processing of VR contracts and has overseen the development and recent issuance of the Supported Employment Contracts.

The work group to address the need for a new Fiscal Management System developed a two-phase RFP. The first phase has been approved by the appropriate Department offices as well as the Office for Technology, and will be issued on October 1, 2004, with a project start date of May 1, 2005. The first phase of the RFP will result in a full analysis of business practices and the identification of options for the design of a new fiscal management information technology system. The second phase includes the software development and full integration of the new technology system into our business operations. The successful vendor of Phase One will monitor the second phase.

In July 2004, the VR Cabinet sponsored a retreat, which included Cabinet members and VR leadership from the district offices. The team reviewed the risks identified in the preliminary audit report and identified those areas with the highest risk. A framework to address these priority risk areas and others identified through the audit has been developed. As described below, we are moving forward quickly to establish a control environment, taking actions to address identified control weaknesses, adopting an ongoing process for conducting risk assessment, and establishing monitoring mechanisms.

These workgroups will concentrate on producing results as quickly as possible. As shown below, much has already been done.

The following is VESID’s response to each of the recommendations in the audit report.

VESID agrees with this recommendation. VESID is developing a plan to address the deficiencies identified in this report. VESID had already begun to address many of the deficiencies during the course of this audit.

VESID and other Department leadership will meet with district office managers and regional coordinators as soon as the audit is final to discuss this report, to identify the changes that are immediately necessary to VR operations, and to review all aspects of internal controls.

VESID leadership has made and continues to make significant efforts to stress the importance of internal controls. For example, staff from the OSC provided training to VESID leadership, including district office managers and regional coordinators on internal controls. Commissioner Mills and I met with the VR regional coordinators and district office managers to set the tone at the top for control consciousness when we first received the preliminary audit findings. On July 27, 2004, an intensive session was held for VESID leadership. Assistant Commissioner Placke, and I reemphasized our commitment to and the priority of establishing a sound control environment. These issues are discussed at every meeting of the regional coordinators and district managers. VESID and other Department staff have met with an OSC auditor to discuss how internal control training can be provided to all Department staff, including VESID district office staff. The Department’s Internal Control Officer will assist us in that effort. Further, VESID will include internal control training in all new staff orientation and will add a section on the importance of internal controls to VESID’s Supervisory Manual.

VESID agrees with this recommendation. Staff performance agreements for the 2004-05 year, including standards related to internal control issues, are being developed and discussed with regional coordinators and district office managers. In turn, these managers will reexamine performance agreements for all district office staff and will include standards related to internal controls.

VESID agrees with this recommendation. VESID does need to ensure it has appropriate staff who are aware of the State requirements related to purchasing and who can ensure all VESID procurement meets those requirements. The Cabinet subgroup currently reviewing all district office business functions will determine the appropriate staffing needs for these functions, including the procurement function. In the meantime, VESID brought together its district office business managers this past spring and summer for quarterly training and information sharing, and these business managers also recently attended a two-day procurement-training program hosted by OGS.

VESID has also instituted a new policy whereby all authorizations for goods and services must be approved in writing by district office staff designated by Assistant Commissioner Placke.

VESID agrees with these recommendations. Effective immediately, VESID is discontinuing the practice of inappropriately charging vendor costs to one consumer's case file when many benefit. The VR Cabinet will assist VESID in a review of the manner in which VESID uses consultants for case services to ensure these practices are appropriate.

VESID agrees with this recommendation. The 2000 Risk Assessment was discussed with regional coordinators and district managers in the spring of 2004. Subsequently, each district office reviewed its own 2000 risk assessment and provided comments, which serve as an inventory of controls. VESID leadership identified the six highest risks that VESID’s VR program is currently facing. Cross-office teams are being formed to develop strategies to address those risks, with the greatest risks given priority.

VESID agrees with this recommendation. VESID will establish a cycle to coincide with the Department’s annual internal controls certification.

VESID agrees with this recommendation. We recognize the risks in these areas and will incorporate those in our risk assessment and internal controls development. Given the extensive and complex nature of the Maintenance and Transportation (M&T) system, at this time VESID requests that the Office of Audit Services conduct an audit of the Maintenance and Transportation program.

VESID agrees with this recommendation. VESID has reassessed all of its policies, procedures and administrative memos. VESID’s first priority was to establish policies and procedures to effect immediate changes to the business and fiscal practices used for purchasing goods and services in the district offices, and to standardize and communicate those changes to all VR district office staff.

VESID has instituted an on-line manual of financial procedures. All financial procedures, as revised or developed, must meet all procurement requirements and support strong internal controls. The procedures are in a standardized format, codified, and contain the information required for staff to complete the functions addressed in the procedures. Central Office staff will make periodic visits to the local offices to ensure proper practices are being carried out.

To date, the following fiscal procedures have been approved, included in the on-line manual and communicated to staff:

FIS-04-01: Urgent Requirements Quotes and Bids

FIS-04-02: Fee Increase for Psychological Evaluation

FIS-04-03: Process for Purchasing Transportation Services

FIS-04-04: Strategies for Quality Cost Effective Services

FIS-04-05: Child Care Services Form

FIS-04-06: Requirement for Architect on Certain Renovations

FIS-04-07: Contracting for Vehicle and Van Modifications

FIS-04-11: Backdating Authorizations for Goods and Services

FIS-04-12: Separation of Duties for Financial Transactions

The following fiscal procedures are currently under development:

FIS-04-09: Documentation Requirements for Vendor Payments

FIS-04-10: Use of Credit Cards

Additional fiscal policies and procedures will be developed to ensure our practices meet all procurement requirements and support strong internal controls.

VESID agrees with this recommendation. VESID will be issuing a Request for Proposals (RFP) by October 1, 2004 to procure the services of a consultant to define business processes reengineering and apply appropriate technology to meet the fiscal management goals of VESID’s VR program, especially in terms of procurement and payment functions. The goal for this system is to improve the way VESID purchases, pays for and reports on vocational rehabilitation services. The financial system will be designed to:

Until this new fiscal management system is fully operational, VESID is taking interim steps to define a procurement process that complies with State law, supports strong internal controls and meets the needs of the consumers. For example, VESID has changed its process for procuring home and vehicle modifications and is currently redesigning its two largest categories of service (supported employment and unified contract services). VESID is defining an appropriate procurement process for each type of good or service procured for consumers.

VESID agrees with this recommendation. Refer to responses to recommendations #9 and #10.

VESID agrees with this recommendation. VESID has issued fiscal directive, FIS-04-12: Separation of Duties for Financial Transactions, which defines incompatible fiscal-related functions, including authorization of services (procurement), payment of services, and approval of vendors. A VR Cabinet subgroup is analyzing all business office functions.

VESID has instituted a new policy, effective immediately, whereby all authorizations for goods and services must be approved in writing by district office staff specifically designated by Assistant Commissioner Placke. Also, effective immediately, all high-risk equipment purchases must be approved at the Central Office for payment.

VESID agrees with this recommendation. Effective immediately, all procurement decisions in the district offices are now being reviewed by a supervisor or other individual designated by Assistant Commissioner Placke. Further, high-risk equipment procurement is now being reviewed in the Central Office prior to payment.

VESID agrees with this recommendation. VESID is developing fiscal directive, FIS-04-09: Documentation Requirements for Vendor Payments, which defines fiscal related documentation requirements. VESID has assigned a workgroup of Central Office VR and Fiscal staff and district office representatives to develop this directive and to present a final version for approval, by the end of September.

Recommendation 15: Require vendors to submit invoices or detailed descriptions on vouchers submitted for payment.

VESID agrees with this recommendation. VESID is developing fiscal directive, FIS-04-09: Documentation Requirements for Vendor Payments, which defines fiscal related documentation requirements. We will finalize this directive by the end of the September. These documentation requirements will be clearly communicated to vendors.

Effective immediately, all high-risk procurement must be approved at the Central Office for payment.

VESID has specific reporting requirements for its two largest contract programs, the Supported Employment and UCS programs. As part of our efforts to improve these contract systems, we have imbedded vendor reporting and documentation requirements into the contracts.

VESID agrees with this recommendation. Software constraints of the current systems do not allow us to fully implement this recommendation, as the descriptor fields have limited character space. The entire case service code structure will be rewritten as part of the process of developing a new fiscal system for case services.

VESID agrees with this recommendation. The VR Cabinet is developing procedures to ensure the receipt, use and disposition of all goods purchased for consumer use are properly documented and tracked.

VESID agrees with this recommendation. VESID will develop a policy defining limited circumstances when it is appropriate for goods to be shipped to a district office. VESID will also develop procedures that will cover separation of duties, documentation of receipt of those items, and tracking and documentation of disposition.

VESID agrees with this recommendation. VESID will work with the VR Cabinet to develop a comprehensive monitoring system that will include:

VESID has instituted a new process, effective immediately, whereby all authorizations for goods and services must be approved in writing by district office staff specifically designated by Assistant Commissioner Placke. Also, effective immediately, all high-risk equipment procurement must be approved at the Central Office for payment.

VESID agrees with these recommendations. VESID has eliminated the ability for individual staff members to perform more than one of the following functions: authorize services, approve voucher payments, and approve vendors. Central Office must approve any and all changes in access rights.

VESID has also limited the authority and the ability for staff to authorize services directly on the fiscal management system. Any exceptions are monitored at the Central Office level. VESID is strengthening controls to allow for timely review and monitoring, by the end of September. Managers and supervisors will also monitor staff to ensure access is protected.

VESID agrees with this recommendation. VESID will produce periodic reports to identify unusual or questionable activity in order to permit quality checks. Management and staff will be trained on how to use these reports for monitoring purposes.

VESID agrees with this recommendation. As an interim step, VESID issued fiscal directive FIS-04-11: Backdating Authorizations for Goods and Services severely limiting the authority to backdate authorizations.

Certain authorizations have been dated subsequent to the date services started for a number of reasons. For example, when a consumer goes to college with VESID assistance, the amount of financial aid and thus the amount to be authorized are often not known before the beginning of a term. Once the final amount is known, the authorization is made for this amount, effective with the beginning of the school term. Currently, the computer system cannot accommodate this type of transaction without backdating the authorization.

VESID recognizes that a system that allows any authorizations to be backdated is open to inappropriate manipulation. Therefore, we are reviewing the reasons backdating occurs and will make the appropriate changes to our systems to accommodate those types of situations without the need for backdating. Effective immediately, all back-dated items must be approved in writing by the District Office Manager.

VESID agrees with these recommendations. Currently, neither CaMS nor the fiscal management system will permit implementation of this recommendation. The issue will be addressed through the design of the new fiscal management system.

VESID agrees with this recommendation. VESID has worked with the Department’s Office of Information Technology staff to identify a software package that will better support VESID’s On-Line Policy and Procedure Manual. Limited copies of the chosen software have been purchased by the Department and are under review for converting our current manual to this new software. VESID has instituted an on-line manual of fiscal procedures, allowing easy access for staff. Plans have also been developed to reengineer our business processes.

VESID agrees with this recommendation. VESID will produce periodic reports to identify unusual or questionable activity, backdated authorizations and activity on closed cases, and will require district office managers and their designees to regularly review those reports. VESID is also working with the VR Cabinet to develop a comprehensive monitoring system. Review of these reports will be part of this system.

VESID agrees with this recommendation. VESID is developing standard queries and several have been distributed during the past few months. These queries and reports can be run as is, modified or used as a source for other queries or reports depending on need and level of expertise. VESID staff provide training and are available to assist others in the use of these standard queries and reports. As the need develops, additional reports and queries will be developed.

VESID agrees with this recommendation. Performance programs for all VESID staff are being reviewed and revised as appropriate. All staff members have been provided informaiton on Department expectations for ethical practices. VESID leadership has been provided training on internal controls and this training will be provided to all VESID staff. Business managers have received procurement and other fiscal-related training. Specific fiscal procedures have been developed and shared with staff. New procedures will be shared as soon as they become available. VESID will ensure that all VESID staff members have the information they need to do their jobs.

Counseling staff communicate expectations and requirements to consumers on a regular basis, and this will continue, especially as new fiscal requirements are developed. VESID has regular communication with the two largest categories of providers, Supported Employment and UCS, providing training, instructions, and information on requirements for working with VESID consumers. VESID is continuing to develop a strategy to communicate with major VESID stakeholders and vendor groups as needed. As we improve our procurement system, VESID staff are in regular communication with various vendor groups, advising them of changes in our practices as they continue to work with VESID consumers.

VESID agrees with this recommendation. The fiscal and programmatic decisions at all levels need to be monitored on a routine basis. A centralized case review process is in place in which individual cases are reviewed on a sample basis to monitor counselor performance for programmatic decisions. We also have a process to review the performance of Supported Employment providers, also on a sample basis, to ensure those providers have provided the appropriate services as authorized. VESID has policies and procedures which require the review of certain fiscal decisions at different levels, and district office managers are responsible for ensuring those reviews take place.

VESID will work with the VR Cabinet to develop a comprehensive monitoring system. See response to #19.

We recognize the seriousness of these findings and accept the report’s recommendations, a number of which have already been implemented. VESID has and will continue to improve its vocational rehabilitation fiscal and internal control operations for the benefit of the many individuals with disabilities who depend upon us and who are served and placed in employment every day.

cc: Commissioner Mills