Audit of the Norfolk Sheriff’s Office Objectives, Scope, and Methodology (2019)

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted a performance audit of certain activities of the Norfolk Sheriff’s Office (NSO) for the period July 1, 2015 through December 31, 2017.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Below is a list of our audit objectives, indicating each question we intended our audit to answer and the conclusion we reached regarding each objective.

To achieve our audit objectives, we gained an understanding of the internal control environment we determined to be relevant to our audit objectives by reviewing NSO’s internal control plan (ICP) and applicable laws, regulations, and agency policies and procedures, as well as conducting interviews with NSO staff members and managers. We tested the design and effectiveness of controls over non-payroll expenses, the contracting process for goods and services, and the administration of employee overtime.

Additionally, we performed the following procedures.

To gain an understanding of the process of coordinating, submitting, and approving non-payroll expenses, we reviewed NSO’s ICP; the “Commonwealth of Massachusetts Office of the Sheriff, Policy Governing the Procurement of Commodities and/or Services”; and relevant laws and regulations. NSO uses the Aestiva procurement application to coordinate and approve all purchase orders (POs). The Aestiva application automates the PO process and has a structured internal approval workflow that is used to segregate multiple levels of approval. NSO’s director of finance is responsible for the final approval of all purchases in Aestiva.

To ensure that non-payroll expenses for amounts over $10,000 that NSO incurred were authorized in accordance with its policies and procedures, we extracted the total population of 2,605 POs (totaling $6,195,763) from Aestiva that were generated during the audit period. Of the total population of POs, 57 (totaling $1,809,814) were for amounts over $10,000. From this population of 57 POs, we selected a nonstatistical judgmental sample of 19 (totaling $456,818).

According to NSO’s ICP, purchases below $10,000 are considered incidental purchases and therefore do not require competitive procurement. For purchases of $10,000 or more, NSO can choose to use statewide contracts established by the Operational Services Division instead of competitive procurement. These contracts are accessible online through COMMBUYS.³ Statewide contracts take advantage of bulk purchase pricing and offer other advantages, including reduced administrative costs and discounts for prompt payment. NSO may also use individual departmental contracts established by other state agencies, though it needs permission from a host agency to take advantage of that agency’s contract and may need to enter into its own contract with the vendor. The individual departmental contracts also reside on COMMBUYS. The “Commonwealth of Massachusetts Office of the Sheriff, Policy Governing the Procurement of Commodities and/or Services” also outlines a number of competitive procurement exceptions that allow NSO to purchase certain commodities and/or services without competitive procurement. In these instances, a Competitive Procurement Exception Explanation Form (see Appendix) must be filled out and included in the vendor procurement file.

NSO’s ICP outlines the minimum requirements the office must follow when competitively procuring goods and services; the requirements vary based on the monetary amount of each procurement. The three tiers of general procurement requirements that are relevant to our sample of 19 POs are described in Section 24(2) of the “Commonwealth of Massachusetts Norfolk Sheriff’s Office CSD 302 Internal Control Plan Policy and Procedure”:

iii)   Small Procurements for $10,000 to $50,000

Purchases from $10,000 to $50,000 must be made based on at least three (3) written quotes or solicitations, unless the procurement falls under state contract. In addition, a standard state contract and terms and conditions are required.

iv)  Small Procurements for $50,000 to $150,000

Purchases from $50,000 to $150,000 will have an RFR [Request for Response] distributed in to at least three (3) potential qualified bidders. Written responses back in writing, fax, mail, email, or personal delivery unless the procurement falls under state contract.

v)   Large Procurements for $150,000 to $500,000

Purchases from $150,000 to $500,000 will require the RFR sealed bid process and require it be advertised as appropriate on Comm-Buys (recommended), in newspaper, Goods and Services Bulletin, Central Register, or as required by statute unless already on state contract.

We tested our sample of 19 POs for their compliance with NSO policies and procedures to ensure that the purchases were supported by statewide or departmental contracts when applicable or, if not, that the appropriate exemptions were documented. Additionally, we assessed whether the items purchased were applicable to NSO’s mission and whether the proper approvals were obtained.

To gain an understanding of NSO’s contracting process for goods and services, we reviewed NSO’s ICP; the “Commonwealth of Massachusetts Office of the Sheriff, Policy Governing the Procurement of Commodities and/or Services”; guidelines in the Commonwealth’s Standard Contract Form; and relevant laws and regulations. NSO uses the Standard Contract Form for most contractors that are hired. This form is intended to ensure accountability by clearly defining the roles of signatories, expectations for service delivery, the duration of the contract, and rates of compensation.

To ensure that NSO properly administered its contracting process for goods and services, we randomly selected a nonstatistical sample of 25 contracts from a population of 260 contracts supplied to us by NSO that were in effect during our audit period, July 1, 2015 through December 31, 2017. In some instances, the procurement process for the sampled contracts was initiated before July 1, 2015, so we expanded the scope of our examination to include the sampled contracts that were initiated during the period November 1, 2014 through December 31, 2017. The contracts we examined included, among other things, legal, medical, and consulting services.

We tested our sample of 25 contracts for compliance with NSO policies and procedures as well as terms and conditions in the Standard Contract Form. Specifically, we tested to ensure that contracts were competitively sought in accordance with NSO’s general procurement requirements and were supported by statewide or departmental contracts when applicable or, if not, that the appropriate exemptions were documented. We also tested to ensure that all corporations NSO hired as contractors were registered as such with the Secretary of the Commonwealth, as required by the Standard Contract Form, and we examined the contracts to determine whether they were reviewed and signed by NSO’s Legal Department, the Special Sheriff / Superintendent of Jail Operations, and the director of finance.

To gain an understanding of NSO’s administration of overtime, we reviewed its “Time and Attendance Policy and Procedure,” its union contract with the County Correctional Officers Association, its contract with the National Association of Government Employees, the federal Fair Labor Standards Act, and relevant laws and regulations.

According to NSO, the use of overtime for uniformed officers is dictated by the staffing levels required to manage each of three daily shifts, including inmate transportation and hospital details (i.e., guarding hospitalized inmates). Each day, before each of the shifts, the required staffing level is checked against the number of staff members assigned on the daily schedule. If the assigned staffing number is lower than what is required, the officer in charge contacts the time and attendance coordinator to schedule the proper number of employees.

To distribute available overtime fairly and equitably, the time and attendance coordinator seeks to assign overtime to employees with the lowest number of charged⁴ overtime hours first. If an employee is called and offered overtime, overtime hours are charged whether the overtime is accepted or refused, unless the employee is on authorized leave or is already scheduled to work that shift. NSO uses an internal database to keep a running total of charged overtime hours for uniformed officers. The charged overtime hours are reset quarterly. Overtime for employees who are not uniformed officers (e.g., medical or administrative staff members) is administered by NSO managers, as needed.

To determine whether NSO properly administered overtime for its employees, we randomly selected a nonstatistical sample of 35 of the 915 days in our audit period. We extracted from the Commonwealth’s Human Resource Compensation Management System (HR/CMS) all 830 instances of overtime hours paid for the days in our sample.  

We tested this sample of days to ensure that the overtime NSO administered was authorized in accordance with its policies and procedures. Approvals for overtime come in many forms at NSO, depending on the division in which an employee works. The Security Division shift commander holds a roll call at the NSO Correctional Center campus before the start of each of the three shifts (11:00 p.m.–7:00 a.m., 7:00 a.m.–3:00 p.m., and 3:00 p.m.–11:00 p.m.). The shift commander is responsible for documenting all uniformed officers in the Security Division who were designated to work overtime for the shift and the number of hours they were approved to work. This information is documented on an internal report called the Daily Shift Event Log and is submitted to the Payroll Department electronically at the end of each shift. All other divisions use overtime authorization sheets or submit overtime approvals by management via email to the Payroll Department to document approval for the overtime work performed.

In 2014, OSA performed a data-reliability assessment of the Massachusetts Management Accounting and Reporting System (MMARS). As part of this assessment, we tested general information-technology controls for system design and effectiveness. We tested for accessibility of programs and data, as well as system change management policies and procedures for applications, configurations, jobs, and infrastructure. Based on the 2014 data-reliability assessment and our current comparison of source documentation with MMARS information, we determined that the information obtained from MMARS for our audit period was sufficiently reliable for the purposes of our audit work.

We determined the reliability of the Aestiva data by performing interviews and testing certain information technology controls over account management, security training and identification, and authentication policies and procedures. Further, we reconciled invoice data from POs in Aestiva to expense data in MMARS. We determined that the data from Aestiva were sufficiently reliable for the purposes of this audit.

We determined the reliability of the contracts in our sample by performing interviews with management. We ensured the completeness and accuracy of our contract data by judgmentally selecting 12 contracts from binders containing the original source documents maintained at the Braintree Public Safety Office and verifying that these contracts were originally supplied to us when we first requested all contracts for goods and services. We then reconciled maximum obligation⁵ dollar amounts documented in these contracts to actual expenses in MMARS for the duration of the contracts. We determined the NSO contract data to be sufficiently reliable for the purposes of this audit.

Finally, we determined the reliability of NSO daily payroll data extracted from HR/CMS by comparing the daily pay data entered in the state’s Self-Service Time and Attendance system with original source documents. We determined that the data from HR/CMS were sufficiently reliable for the purposes of this audit.

Whenever sampling was used, we applied a nonstatistical sampling approach, and as a result, we could not project our results to the entire population.